Industry IT Security Certification Proposed

Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"

Oh good.

This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.

-Someone who does this for a living

Re:Oh good.

[causality]

This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.

-Someone who does this for a living

Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honesty believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.

Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.

Re:Oh good.

Exactly. Very nice for people to sign on to something they do not understand. It just makes people scapegoats. But I guess US needs to bump that "world largest prison population" a few more points, just for a "feel better" position.

Re:Oh good.

[nurb432]

It will raise costs for IT services and create another ecosystem for 'certification holders' to milk.

Reminds me of iso9000..

Re:Oh good.

[PCM2]

Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honesty believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.

Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking man" do no good to anybody in the current legal environment.

Also, companies generally hire outside consultants to verify regulatory compliance. If consultants are aiming for a government-mandated benchmark, then you can hire them under the tacit assumption that they have been sanctioned by the U.S. government. Then, when your compliance measures prove to be utterly futile and misguided, it's the consultant's fault, and you sue. You sue and win, because the government let you down.

It's all a game, basically.

Re:Oh good.

[DeathFromSomewhere]

Thank you for posting your expert opinion on the subject. No doubt you have a long list of credentials validating your immense expertise in all things IT. I wish I could tell but you posted AC. I guess I will just have to move forward with your expertly provided expert knowledge of everything.

Re:Oh good.

[ozmanjusri]

push us further towards a "Standards and Compliance" posture, and not a real security posture.

There's a reason for that.

Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet

The manufacturer of the deeply flawed system at the hear of most security problems wants everybody else to pay for the consequences, so they're lobbying lawmakers. They'd also be pretty happy if it props up a few buggy whip businesses on the way.

What's the bet the certification requirements will read like:

1. Microsoft IIS Server (TM) is current and patched.
2. McAfee Antivirus (TM) installed and updated.
3. Microsoft .NET (TM) registered with Microsoft update and verification tool.
4. All online systems systems pass Microsoft WGA (TM) checks.
5. ...
6. Profit.

Re:Oh good.

[causality]

Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking man" do no good to anybody in the current legal environment.

And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.

For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management. You expanded the scope of the idea to include the larger legal framework but I maintain that the general concept applies there as well. As above, so below.

Re:Oh good.

[Seumas]

And to keep in line with ignorant idiots like Vivek Kundra (National CIO) who talk in meaningless non-sense phrases and don't know what they're talking about and approve $20mm Drupal websites that are half broken, the certification will be $50,000 per person and re-certification every two years will be another $25,000. And practicing technology services without a certification will be punishable by five years in prison.

Re:Oh good.

[PCM2]

For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management.

That much was obvious. And as such, I maintain that you're looking at it backwards. You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for the benefit of the business owner, who never knows when his employees might screw up, leaving him exposed to legal liability. By codifying practices that business can "certify" against, laws like this put legal tools in the hands of business owners that can shield them from lawsuits. The point of the law is not to make businesses more secure. The point of the law is to create a legal framework by which businesses can reduce risk.

Re:Oh good.

If it doesn't make things more secure, it shouldn't reduce liability. That is in a legal system that actually cares about reality rather than one that is increasingly getting wrapped up in it's own uniqueness (i.e. lawyer or GTFO).

Re:Oh good.

[Anthony+Mouse]

And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.

You know, it warms my heart to see that most everyone sees through the fact that this is a wasteful scam and the arguments are about why it is a scam.

This gives me hope that we can defeat this proposal the same way we thwarted other unproductive and harmful policies like the DMCA ban on circumvention tools, the Patriot Act and software patents. ...

Damn it.

Re:Oh good.

[causality]

That much was obvious.

I was really hoping so, though I have to balance that with how many times I've had to explain such things. Not so many folks are willing to decide "if it doesn't fit the scenario I first conceptualized, perhaps another valid scenario is a better fit"; they'd rather assume you're a moron. So I erred on the side of giving you redundant information.

 

You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for the benefit of the business owner, who never knows when his employees might screw up, leaving him exposed to legal liability. By codifying practices that business can "certify" against, laws like this put legal tools in the hands of business owners that can shield them from lawsuits. The point of the law is not to make businesses more secure. The point of the law is to create a legal framework by which businesses can reduce risk.

Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied. You are admitting that such laws have nothing whatsoever to do with actual security, only compliance. The real crux of the problem is that compliance with the laws and real security are two different things. That's the fault. The mandate should be consistent with what actually provides security.

Second, the business owners already have a method to shield themselves from lawsuits. It's called the corporate veil. They are not personally liabile for the honest mistakes and failures of their corporation. So that part is taken care of.

Here is how things are supposed to work: the government is by The People and for The People. Said government grants a corporate charter to a business because a responsibly operated business also serves The People by providing a useful good/service at a price they are willing to bear (i.e. without force or fraud). The People as customers benefit when a business does not lose control over sensitive customer data. The People as shareholders benefit when a business does not lose control over sensitive management/shareholder data. No one benefits ultimately from insecure systems that somehow manage to meet all the legal requirements. A government of The People would not so grossly fail to meet the real security needs of The People while satisfying some fictitious legal need.

That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position. The latter comes from what is politically expedient which, in turn, mostly boils down to who has clout, money, and lobbyists. I know which one I'd want to guard my data.

Look, if we're no longer willing to expect things to work this way, then let's give up all principle entirely and just admit that the corporatocracy has won and we are no longer a representative republic. If we're not yet prepared to do that then let's recognize such tendencies as failures and try to fix them with an awareness of why they are flawed.

Re:Oh good.

[PCM2]

Well sure, and to clarify, it's not like I'm arguing more laws will be the answer here.

Re:Oh good.

[PCM2]

Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied.

We don't disagree here, yet this is one form of legal solution. It's probably about as effective as the proverbial finger in the dike, but it's one way to tackle the problem.

That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position.

To give a recent example of why that isn't sufficient, look at the HBGary hack. These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.

Mind you, which is the more likely outcome of this certification? That companies who hire security consultants will be able to demand a certain quality of service? Or that security consultants will be able to hide their incompetence behind a government rubber stamp? I think we both know the answer to that one.

Re:Oh good.

[causality]

To give a recent example of why that isn't sufficient, look at the HBGary hack. [arstechnica.com] These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.

My very point is this: suppose there were security regulations that came not from security experts, but rather from politicians. How would that have prevented HBGary from having such glaring flaws? The only difference it would make is that when they claim to have expertise, they could add "according to the government" to the statement. If the politicians admitted they know nothing about computer security and instead responded to the actual experts in the industry, perhaps HBGary would have been a tougher target.

 

Mind you, which is the more likely outcome of this certification? That companies who hire security consultants will be able to demand a certain quality of service? Or that security consultants will be able to hide their incompetence behind a government rubber stamp? I think we both know the answer to that one.

I fully agree with you. However, I don't think it has to be this way. I believe it got to be this way because of a lot of ignorance and complacency. Both of those are curable. Both of those also acquire inertia, so the sooner they are addressed the less of an effort the change needs to be.

Re:Oh good.

[ciabs]

I think the bigger picture here is the time, money and resources being wasted.

If I want to sell something on the web, I don't need the fucking government telling me I need jack shit for certification. All this does is make me not want to be on the web at all, we have enough financial problems in our lives now, to have to be constantly be fucking with the latest new government regulation. It's literally getting to the point where this fucking war on terror is domestic terrorism in and of itself. Which if enough people think this way, it crashes our already fucked up markets, economy and monetary system. In short, this is just more thugs turning the lights out on Americans. It's also a control mechanism where big foreign corporations can squeeze out the little mom and pops who can't get certified to whatever bullshit standard de jour of the week, the government says.

The government needs to get out of everyone's business. They disrupt it by being here. They need to go after the banks and get the fuck off the web.

Dear Government,
Shut the fuck up about all this bullshit and go lock some banksters up, before the people through your fucking ass out of office.

Re:Oh good.

[Bert64]

You will find that a lot of so call security standards get watered down because microsoft is unable to comply with them...

For instance requiring AES encryption, microsoft only implemented that in windows 2008 and vista despite it existing for many years on other platforms...

Similarly requirements for removing unnecessary software, microsoft made it very difficult to remove stuff, so this basic requirement gets dropped too.

Re:Oh good.

[iivel]

And funny enough, the Microsoft implementation of the Rijndael algorithm still hasn't been verified as FIPS 140-2 compliant - so you have to run 3DES (even on a server 2008 system). Try enabling it sometime and running a .NET website ... great and useless precompilation messages. HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled

Check em'

First post AND dubs? I must be a god!

Re:Check em'

[couchslug]

"First post AND dubs? I must be a god!"

And a E-Standards Compliant one at that!

War Cap

[causality]

As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:

• War on (some) Drugs
• War on Poverty
• War on Terror
• War on Obesity

Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.

Is that really so much to ask? It'd be easier than what we are doing now.

Re:War Cap

[ColdWetDog]

You're right. America has a bad case of corporate ADHD. We need to cut out the sugar, turn off our computers and TVs, drop a couple tabs of Ritalin and solve one war at a time. We can call it Focus America! Now we just need a Focus Czar.

Re:War Cap

[spydum]

To be fair, we have always been combating these things.. It's just in the last 20 years, media has begun to slop catchy nick names to them to sell more eyeballs.

Re:War Cap

[Thing+1]

While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.

Re:War Cap

The War on Poverty is from the 60s so this has been going on a lot longer than 20 years. In fact, most of this insanity seems to be born of Roosevelt liberalism and the aftermath of ww2.

Re:War Cap

[causality]

While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.

Yeah, but have you looked at these "wars" critically?

Let's take the easiest one to deconstruct: the War on (some) Drugs. Both the drug dealers and the drug users are willing participants. There is no victim. No victim of force or fraud means no legitimate reason to involve law enforcement. Yet law enforcement is involved and the result is that the worst criminal elements have a ready source of black-market funding.

How about the War on Obesity? Personally, I think parents of obese children should be charged with child abuse unless a licensed physician can demonstrate that there is a thyroid disorder or other reason why obesity cannot be remedied. Otherwise, when dealing with adults, it is terrible decision-making but they are entitled to damage their own bodies if that's really what they wish to do. They can even adopt and defend a victim mentality where it's always the fault of genetics, big bones, McDonalds, or some other excuse for why they repeatedly and consistently choose to consume more calories than they burn (basic thermodynamics -- if you burn more calories than you eat you absolutely will lose weight, otherwise you just disproved all of modern physics). They have that right as adults. What is there to fight? How do you make a case for the legislature and law enforcement powers of government to become involved in this?

Ok then, how about the War on Terror? Well, let's see now. We have a long history of using our intelligence agencies to overthrow democratically elected leaders and replace them with dictators more willing to play ball with the US's interests. Think that might create some enemies? Think some of those enemies might be desperate? No, they hate us for our freedoms, yeah, sure, ok. It's an easy line to buy for the patriotic egotist, that we are so great that others would envy us so much that they'd want to attack us out of spite and for no other reason. The problem is, it ignores the cause-and-effect. So what do we do about this? Oh yeah, we invade a sovereign nation (Iraq) and demolish its government, kill many of its civilians, and act shocked when the natives treat us like the uninvited invaders that we are and fight back, as if we wouldn't do the same to an Iraqi army that marched on American soil. Whoopsy, turns out we had "bad intelligence" and didn't actually have a reason to invade, so uh, uhm ... uh ... yeah, well we just wanted to liberate them from Saddam, sure that was our intent all along, we just uhm forgot to mention that from the beginning.

The immune system within our own bodies is not nearly as stupid, not nearly as psychopathic. It's almost an insult against nature to equate the two. Hell, I could remove the word "almost" from that previous sentence and retain accuracy.

Re:War Cap

[Thing+1]

Just finding parallels. Like I said, I agree with you. Many of these wars could be easily solved legislatively: the illegality of drugs is unconstitutional; see the 1920s for the test. The war on obesity can be won by eliminating the government subsidy for the corn growers (HFCS, to spell it out). The war on terror can be won by keeping our troops on domestic soil.

The immune system within our own bodies is not nearly as stupid, not nearly as psychopathic.

And, I agree, our current behavior does not engender the long-term benefit of the host organism.

Re:War Cap

So you don't want to play the ball that Chertoff said would move down the field? Beware, next he will sell backscatter machines for ISP gateways and frisk your packets with his own two hands if they refuse to be scanned.

Terrorist (n): person who terrorises people

Chertoff (n) terrorises a lot of people

Re:War Cap

[Zedrick]

And the funny thing is that the US is losing all those wars. Perhaps it's time to beg for a ceasefire?

Re:War Cap

[The+Wild+Norseman]

so there's a biological analogy that perfectly matches the US government's behavior.

Schizophrenia or psychosis?

Re:War Cap

[cjonslashdot]

Agree.

The "war on drugs" is a failure. And besides, it violates our civil rights. If someone wants to use drugs, who is the Federal government to tell them that they can't???

It is one thing to provide education and have treatment programs. It is another thing to outlaw personal behavior.

And it is counter-productive. All it has done is created a huge illegal industry. If drugs of all kinds were legal, that industry would be in the daylight, and it could be regulated and taxed, and the proceeds directly used to fund education and treatment programs. (We will never win the war in Afghanistan because we will not allow them to grow poppies, despite the fact that demand comes from the US and Europe.) And drugs could still be illegal for sale to _minors_ - and the companies would comply with that, because they would be legitimate businesses that would not want to lose their license to do business.

And the "war on terror": what terror? One attack on our soil in ten years, costing us 3000 people. Horrible as that is, we lose ten times that many every year in car accidents. Yet we are spending hundreds of billions annually on security in response to 9/11 and are still in a war, and giving up our civil liberties in the process. Our response is way, way, way overboard.

Back to the question at hand: Security "compliance" does not work. What works is (1) getting management to make security a requirement, by making them liable: that will then cause developers to learn about security; and (2) creating languages and tools that help to make systems secure by design.

Re:War Cap

You missed the War on Democracy - that's one you are winning.

Re:War Cap

are you kidding me? there is not a war on obesity, or poverty.

there IS an unspoken war on common sense.

our education system no longer teaches common sense, CIVICS is often being castrated, critical thinking is non-existent, and to top it off funding is asymmetrically distributed so that the rich districts will get a better education (super rich go private) while the poorer are lesser funded, which keeps feeding the cycle.

this just helps to keep private non-public interest agendas going forward like the war on terror, which really only helps to protect the elite from a rather low chance occurrence. TSA rules are different if you fly in a private jet, or have a congressional badge.

Re:War Cap

[plopez]

But unfortunately no "War on war"

Re:War Cap

[causality]

Just finding parallels. Like I said, I agree with you. Many of these wars could be easily solved legislatively: the illegality of drugs is unconstitutional; see the 1920s for the test.

I believe it is unconstitutional as well. I never understood how it is that a Constitutional amendment was required in order to give the government the authority to enact alcohol prohibition, was later repealed, yet somehow the government still has the authority to enact drug prohibition. There seriously needs to be a way for citizens to challenge the Constitutionality of laws, as in it should be assumed that since all citizens are subject to the law, all citizens have standing to challenge a law. We need something to counterbalance the fact that one friendly judge who thinks the Commerce Clause means "do whatever the hell you want" dooms us to nearly a century of suffering bad laws that can't even accomplish their stated goals.

 

The war on obesity can be won by eliminating the government subsidy for the corn growers (HFCS, to spell it out).

You're unusually well-informed to so unequivocally realize this. There is a tremendous amount of (bought and paid for) disinformation about this one. It's as bad as trying to research fluoride and possibly worse. Unfortunately yet quite deliberately, the public schools do not equip people to sort the truth from the disinformation and propaganda. If they did, well that would make them unsusceptible to advertising, radically change the nature of politics, and generally might upset the precious status quo.

 

The war on terror can be won by keeping our troops on domestic soil.

Agreed. Another step in the right direction would be to discard every "finding" of the 9/11 Commission and conduct a serious investigation into all of the unanswered questions about the 9/11 attacks. The two most important questions would be: why did a plane used as a fuel-air bomb produce a collapse that looked so much like a controlled demolition and how did the towers collapse faster than a free-fall from that height in a vacuum; and why did Building 7, which was not struck by any plane, also collapse in a way that looked so much like a controlled demolition?

A nice third question would be, why is it that other skyscrapers of similar construction have both been struck by jet aircraft, and had fires that burned for DAYS (not hours like 9/11) yet not one has ever collapsed? A nice fourth question would be, why were there no engines recovered from the "jet aircraft" that hit the Pentagon when such engines could easily survive atmospheric re-entry from space?

As a people we really have some fucking nerve to invade a sovereign nation before answering these questions and truly putting the matter to rest.

Re:War Cap

[Thing+1]

You're unusually well-informed to so unequivocally realize this.

Thanks for that. I feel the same way about you, reading the above. (Well, that is, you've been a friend for a while. :) And as for fluoride, it's a well-known waste product that they somehow convinced the government to purchase. I'm not sure foreign nations are the only sovereign ones needing invasion to save their peoples.

If they did, well that would make them unsusceptible to advertising, radically change the nature of politics, and generally might upset the precious status quo.

I've been married to a Brazilian. She said that her politicians promise "a fridge in every house" even though there's no realistic way to accomplish that. The ones that do (promise that), get elected, then stick their mitts in the government coffers (the ones that don't, waste their election campaign money). In that country, it is preferable to have a government job due to the grift. Here, it used to be that private-sector jobs were preferable; just today, I saw a Slashdot article asking "is government the next IT boom sector?" No, no it is not. If it is, it won't be for long. Back to the start of this paragraph: the Brazilian politicians were smart; they would promote education through their speech, and only their speech; when it came to allocations, education would take a back seat to everything else; politicians knew better than to let their competition be taught in the schools.

Republicans calling for bigger government

[Ice+Station+Zebra]

I wonder what company he has stock in that would profit from the increased BS.

like health inspections in the restaurant biz

Makes sense for the protection of the public. Unfortunately, since systems are largely intangible it wouldn't take much to bamboozle inspectors the way Enron convinced visitors that they had a roomful of busy pros trading energy futures.

cliche after cliche security

[turkeydance]

"moves the ball down the field"...what exactly and specifically does that mean? there are so many more...but, the "value of the company" being the upper limit of cyber-security (indeed, all security combined) expenditures is spot on, even if the breech involved threatens much more than the total value. i look forward to the day that a USA company declares Chapter 7 due to a security breech which threatens to exceed the value of the company.

About as effective as Sarbanes-Oxley?

[rta]

Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee jerk response to Enron and has done nothing but drive up costs.

Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

Re:About as effective as Sarbanes-Oxley?

Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee jerk response to Enron and has done nothing but drive up costs.

SOX wasn't only in response to Enron. There was a wave of massive fraud being perpetrated by CEOs of huge corporations starting near the end of the dotcom boom: WorldCom, Adelphia, Tyco, and HealthSouth were some of the others. Something needed to be done. BTW Enron wasn't some little known company, it had a stellar reputation as one of the most innovative companies in American business (all baloney, as it turned out).

Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

Apples and oranges. That was a different game, where the villains were the banks, mortgage companies, Wall Street traders and ratings agencies.

Re:About as effective as Sarbanes-Oxley?

[Tridus]

It's also driven new companies away from going public, because the requirements are less onerous on privately held companies.

I agree with you entirely. If this is what they're using as an example of what we're facing, this idea needs to die a swift death.

Re:About as effective as Sarbanes-Oxley?

[rta]

Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

Apples and oranges. That was a different game, where the villains were the banks, mortgage companies, Wall Street traders and ratings agencies.

It wasn't the same thing, but there are some important similarities. In both cases the responsible parties misrepresented their real risk exposure and they were then caught with their pants down when the market turned against them. In the case of mortgage brokers there was pretty clearly outright fraud; people lying on their applications at the brokers suggestion, etc. Presumably better "corporate governance" should have prevented that, but it didn't.

As far as the ratings agencies go... yeah... why they're still in business and have suffered no consequences (that i'm aware of) after they so massively failed in their one and only task is a mystery. Perhaps their SarBox violation is lying in claiming in their SEC filings that they actually offer a bond rating service when in fact they're a massive marketing company for bond issuers. Com to thing of it maybe they can be prosecuted under RICO statutes. Or perhaps for mail and wire fraud for disseminating their ratings across state lines. That's hyperbole of course, but man, they screwed up bad.

what I've learned from the I.T. industry...

[MickyTheIdiot]

All "certifications" are scams at some level. Some worse than others, but at some point it's about wanting to get your money while doing very little. It will create a nice new market for testing centers, book writers and publishers, and study material makers, but will ultimately do very little. Think how much Microsoft Certified Engineer....

Re:what I've learned from the I.T. industry...

[MickyTheIdiot]

yup. rtfa... It's a different certification, it's still a scam.

Re:what I've learned from the I.T. industry...

Also, the "security" in the form of extended warranties stores like Best Buy try to sell you when you buy a piece of electronics equipment is ridiculously overpriced. It's not surprising that the salespeople try to push it on the customers because it's almost pure markup for the store.

What a scam! Admittedly, this has nothing to do with TFA. But neither does parent, and the mods here rated that 4, Informative.

Re:what I've learned from the I.T. industry...

Add most forms of formal learning to the list + mod parent up.

another boondoggle?

[sribe]

Hey, I bet HB Gary will want to get a piece of this action!

Has half a chance of being useful--

[sillivalley]

This might work, if there are actually standards with teeth in them, such as (evolving) PCI standards (PA DSS, PCI DSS) and compliance.

The risk is that they provide a "get out of jail free" card, where complying with a set of minimal standards absolves an organization of liability and/or blame.

Re:Has half a chance of being useful--

[Sarten-X]

The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.

I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.

Re:Has half a chance of being useful--

[causality]

The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.

I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.

I really want to believe that it would work out as you describe.

However, experience teaches me that the well-funded guy in an expensive suit who can put on a compelling presentation will lobby the decision-makers to make certain that any requirements are thoroughly divorced from realistic practices that truly yield better security.

Unfortunately we do not live in anything like a meritocracy. Becoming one of the decision-makers means knowing the right people, knowing on which side your bread is buttered, saying the right catch-phrases when prompted, being impressed with a person's credentials or position and not with the person's expertise, and putting on a good show. It has nothing whatsoever to do with merit, technical skill, critical thought, logic, or anything like that. It is not a technical game of skill. It is a social game of presentation and a willingness to put aside one's integrity in order to play the game.

Re:Has half a chance of being useful--

[PopeRatzo]

Unfortunately we do not live in anything like a meritocracy.

Meritocracies do not exist, so it cannot be "unfortunate", any more than it being "unfortunate" that there are not endless supplies of candy for everyone.

Meritocracies are impossible. And considering that "merit" is a highly subjective measure, that might be a very fortunate thing.

Sometimes, reliable imperfection is preferable to an unreliable ideal. (Think: "Free Market")

Sarbanes-Oxley success???

[clyde_cadiddlehopper]

"holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"

Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").

Re:Sarbanes-Oxley success???

[causality]

"holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"

Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").

Are not the shareholders ultimately responsible for the management they permit and the company in which they have chosen to invest? Note, I don't dispute that CEOs should be more personally accountable for dishonest corporations. They absolutely should. But the CEO is the CEO because the board of shareholders has permitted it.

Re:Sarbanes-Oxley success???

The thing about fraud is that somebody is usually lying.

I fully support this

[the_Bionic_lemming]

I fully support this - as long as we can hold policy makers to the exact same standards of punishment when things go wrong (like recessions, budget shortfalls, and other issues).

Already happening,

[no-body]

And not for the best...

From: http://www.cjr.org/the_audit/audit_notes_hb_gary_federal_ba.php

For one thing, it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation’s largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir).

and:

And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America’s General Counsel by the Justice Department — meaning the U.S. Government is aiding Bank of America in its defense against/attacks on WikiLeaks.

Professional licensure is what we need

I completely agree with the vast majority of certs being worthless. Experience, experience, experience is what it's all about.
In Canada, for example, you cannot call yourself an engineer unless you actually obtain the Professional Engineers' license in your actual field. I agree with this level of "experience + professional testing/certification". This is one example of when professional licensure is actually welcome and sets one apart.
I've been in IT for almost 15 years and I cannot tell you the number of so-called "certified" professionals that are only knowledgeable on paper. Most MCSEs and any other certified person cannot operate in the wild as well as expected.
Until IT has professional licensure, it's all worthless. I believe the respective IT subfields should have pro licensure exams on the level of difficulty of,say, the CCIE. If you know it, prove it. Otherwise...

Re:Professional licensure is what we need

[P1]

Agreed. I've been in the business 30+ years. I've taken the certs for fun (company pays them and thought they would impress me) and passed all of them and no, they didn't impress me. I tell people none of certs impress me with the possible exception of CCIE.

Re:Professional licensure is what we need

MCSE == Must Consult Someone Experienced

Re:Professional licensure is what we need

[germansausage]

I'm not disagreeing with you, but as a clarification, a Professional Engineer in Canada is registered when the Professional Association accepts him/her as a member. There is a test, but only to do with legal requirements of the profession, ethics and professional practice. No actual test of engineering knowledge is required. Registration is granted based on an engineering degree plus qualifying experience.

Re:Professional licensure is what we need

[Bert64]

The problem with MCSE and other similar vendor-provided certifications is that a product vendor is absolutely the wrong entity to be providing such certifications...
If they made the certification hard, then few people would pass it resulting in few people in the industry certified to use their products, bad for sales.
On the other hand if they make it easy, then they have more "certified" people out there helping them sell their products.

privacy too please

[StripedCow]

Can we have a similar certification for privacy protection ,please?

Then we can finally have insight into what big companies like Google and Facebook are doing to our data, by letting them comply to OUR rules, instead of the other way around.

and while they are busy doing that ...

[Zemran]

... I will be busy building a new wooden fence around my property to keep out flies. I think that I will be about as successful ...

How about a technical fix instead?

[ka9dgx]

I strongly believe that it's possible to reduce the treat of "cyber war" by actually fixing the security problem at it's source, our computers and servers. Imagine if it were possible to greatly reduce the number of security holes on the average pc or server. If this were the case, we wouldn't need to have politically motivated filtering and other types of control to "save us" from our own systems.

The internet is just a big network, and while BGP seems to have it's issues, with some work they can be solved. The network itself is just a "series of tubes", as it's been described in the past, and you don't have to guard the tubes if the ends are secured.

There is a deep design flaw in the operating systems and applications we use on a regular basis. Historically it's been possible to tightly control the code we run, so it was reasonable to trust the code to do its job. This assumption no longer is valid.

We can no longer afford the luxury of trusting our applications.

We can't even afford to trust our drivers with kernel mode.

We can't afford to trust the system processes to stick to their designated roles.

We have to trust some code, why not trust as little of it as possible? Micro-kernels present the smallest amount of code required to manage the operating system. There has been much research in this area, and recently there have been "proven" micro-kernels which theoretically have no flaws in their implementation of their specifications.

Now, the kernel needs device drivers and other system processes to make a usable operating environment for the user and programs. A kernel which doesn't trust its drivers must use a new strategy. One way forward is to use the concept of capabilities. A "capability" is a token / key (really, just a big number) which allows access to a resource. Each device driver, system process, etc... is given the appropriate set of keys to the resources that are required to do the job. If the key isn't present, the access is not allowed.

Thus a disk driver wouldn't get access to the internet. A clock driver wouldn't need to either. The system time demon would get access to a log file, a specific set of internet ports and addresses, and the clock. Any bug or vulnerability in one of these drivers would only affect it, and the capabilities it happened to have at the time.

Applications would have to be re-designed as well, for example, if you want to open a file in OpenOffice, the program opens a system dialog box to get the name and path to a file, it then opens the files as required. The new version would instead call a slightly different dialog box, which would them return the file handle (a capability) to only that file. The save dialog would also be modified in a similar fashion. If there are libraries required, etc... they can be included in the applications home folder. A capabilities based version of OpenOffice would thus work the same way, but be far more secure.

With this approach, we end up with secure systems that are still usable.

I think I've shown fairly well that we must re-design things from the ground, a decidedly non-trivial task, but it is the only way to avoid having government overlords telling us what code we can and can't use. If we wish to own our own systems as free men, we need to get our act together and fix things now, before it's too late and we loose the freedom to write our own code.

The path we are on ends with computers we merely have license to use, secured by the government, censored by the government, rented from big corporations, running applications we rent or buy from app stores. This is a future we need to avoid.

Thank you for your time, attention, and comments.

Re:How about a technical fix instead?

[Sarten-X]

This idea raises a few questions:

• What manages the microkernel keys? Another kernel?
• What prevents a disk driver from simply asking for the key to use the network?
• If a filesystem driver gets infected, can any other driver stored on that filesystem be trusted?
• Will the target micro-kernel validate the keys, or another system?
• Could an appropriately misrepresenting system overwrite a target system in memory with code of its own choosing?
• If every kernel call verifies a strong key, what effect will this have on system speed?
• What will happen to applications with custom save/load dialogs that offer extra functionality, like previewing files or selecting format options?
• Would an interpreter such as a JVM simply ask for every permission, and hope nothing goes wrong?
• Will this stop the user from choosing "12345" as their password?
• What happens when a USB device says it's a network device, gets the network key, then turns around and hands off that key to an untrusted program?

I'm not saying the idea is inherently bad, but it brings many more levels of complexity than even what we have now, without addressing a few key problems like user competence. The "write it all from scratch" approach has been tried before, to little success. Verifying that implementations are correct is fine and dandy, but that doesn't cover the myriad ways for systems to interact, and potentially break.

Re:How about a technical fix instead?

[ka9dgx]

Lots of interesting questions, which I can't answer (especially a 1:30 am)... the bit about how to ask for capabilities is the part that I'm still fuzzy about... not sure how that would work... mostly I assume they are given at runtime, and that's it, which doesn't cover these cases.

Thanks for the comments, I'll ponder them, and try to build a stronger case for this... we really need to fix this before it gets "fixed" for us in a bad way.

Re:How about a technical fix instead?

[magamiako1]

I'm sorry to point this out, but how exactly are you involved with kernel development? Do you have any experience or research in the area? Have you bothered to really sit down and take the time to compare what's out there and come up with something better? Have you had academic access to say, view the code in the NT kernel of modern Windows operating systems?

It's one thing to throw around words like "WE NEED MICROKERNELS!" and it's another thing to actually understand what it is you're talking about.

Re:How about a technical fix instead?

[ka9dgx]

I'm not involved in Linux Kernel development, nor am I ever likely to be.

I'm hoping to keep the option in people's minds as piece of the solution.

I'm trying to make a reasoned argument based on what appears logical to me. Attacking my credentials doesn't affect the validity of this argument.

In a micro-kernel system, the amount of code which runs in privileged mode is kept to the barest minimum to effectively do the job. The linux kernel includes drivers in protected mode, which means that literally millions of lines of code run in privileged mode, as opposed to the few thousand in a microkernel system. This alone makes the attack surface much smaller when considering threats. It also makes the probability of hung systems much lower because a well written microkernel system can restart a driver. QNX is such a system.

Micro-kernels are only a useful piece of the solution to computer security, the use of a default deny strategy is another, never trusting code is another.

Why do you dislike micro-kernels so much? There must be something specific which made it worth your time to comment. I'm curious to know.

Re:How about a technical fix instead?

[LordLimecat]

You essentially just described SE Linux / apparmor.

Re:How about a technical fix instead?

[ka9dgx]

Yeah... almost... except that SE Linux is a kernel patch, its not embedded all the way down into everything. It is definitely a step in the right direction.

It's also the way that our applications are written that needs to change as well. They need to stop relying on the ability to perform arbitrary actions.

horrible idea, but I bet the lawyers love it.

[eatvegetables]

I agree. What a horrible proposal this is. Really, the slow, creaky federal government thinks that it can possibly regulate something as dynamic as computer/network security. It's completely laughable. You know what happens when the government and "private" industry get together to regulate, don't you? You get fat-cat, lobbyist heavy companies paying off corrupt politicians to pass rules that benefit them at the expense of everyone else. Beyond this, every company with a computer network will be at the mercy of class action lawyers should they run afoul of the regulations. Humph.

The tech guys and not some PHB should be singing

[Joe+The+Dragon]

The tech guys and not some PHB should be singing this as the PHB can say our systems are fine and have no idea about what state they are in at the time.

Let me guess...

[ChromeBallz]

The requirement for this certificate will be a series of classes or a test, which in itself requires a 'nominal fee' to take. More bureaucratic nonsense serving no purpose other than fill the pockets of people who have no clue about what they're actually selling.

Worthless

[Opportunist]

That's the only word possibly describing such a "certificate". Worthless.

We're talking about an industry that reinvents itself every 3 months. I am neither kidding nor exaggerating. The average turnover of your knowledge is 3 months. 6 months tops. After a year, everything you knew is worthless because the threats are something completely different. There are of course timeless "best practice" rules (never give out passwords, verify your communication partner...), but a step by step guide to the tune of "do this and be secure" is a myth. You'll be secure NOW. It's by no means a given 3 months from now when new exploits emerge, new attack vectors become known and of course you can toss it out the window with the next generation of you hard- or software.

Now, I don't know whether you ever tried to get some "standard" approved. It takes 3 months 'til you find the guy that tells you it will take a year. So even if you manage to do it on time (which would be a first), you'd be a year behind.

Or, in IT security times, an eon.

Re:Worthless

[DigiShaman]

You're missing the entire point here. The US is primarily a service based nation. Obama knows this because of the high unemployment rate among new college graduates. His recent dinner meeting with Jobs, Zuckerberg and other industry giants is very revealing IMO. I predict that our federal gov is looking to create make-work IT employment boot strapped via bureaucracy. What they won't fucking understand is that this will do the exact 100% pure opposite. It will KILL the level of dynamic change and freedom that this industry has in effect, defined as a behavior.

Re:The tech guys and not some PHB should be singin

[Opportunist]

You ARE aware that this will lead to a hotseat game, right? Here's how it works:

PHB: "Sign here!"
Techie: "But ... but ... we're not secure!"
PHB: "Sign here or you're fired!"
Techie: (gulp) Ok... let's hope...

When something happens, Techie gets fired and replaced. Nothing else changes. Start script at line one.

lolz

[Charliemopps]

So the very first, and most important certification is: Everything's open source... right? right?
No?
How long do you think it will take for them to make one of the certs "Microsoft Genuine Advantage Certified"? A month?

It's reason for IT

[CmdrChaos]

The reason for IT is the aggregation of information. The problem is the aggregation of Information. It's like putting all your eggs in one basket. We need a fundamentally new way of aggregating the information and a new way of accessing it. But it will never be perfect as long as we aggregate the information.

Uh there is Cerification and then there is...

[vrythmax]

Certifying that you, the CEO know what the hell the nerds did to the system to make it safe and that you agree it is reasonable and sufficient. This won't do a damn thing to help the situation. What would help would be if after ANY security breach of any size, the company be forced to send a press release outlining all details of the breach including the technical details of what the hacker did and failings of their own system or policies. Post the same details to all known social networking sites as well as on their own home page. Post formal apologies to the American people on YouTube. Then the top three levels of executives, the board of directors and the top 5 shareholders would be required to stand in front of the company headquarters and cry out the details of their failure for 12 hours regardless of the weather. That would then drive the necessary "giving of a damn" at all levels necessary to actually empower the IT group to get the job done and secure our economy from enemies foreign and domestic.

Re:Uh there is Cerification and then there is...

There is already a requirement for this in HIPAA regulations, to a certain degree. I know, for a fact, of a large state agency that has had breaches of this kind of information and they are not compliant with reporting regulations, regardless of what piece of paper the directors may sign off on. When this error was pointed out to the agency, the individual pointing out these errors was invited to "seek opportunities elsewhere." Said individual turned the information over to the agencies external auditors and is awaiting the agencies next external audit. With little hope anything will actually be done to secure their systems nor the information they handle with so little regard. Business as usual.

So, how far did you guys read?

[SheeEttin]

Roberto123 writes

"The US can build defenses against 'cyberwar'

Okay, show of hands. Who else stopped reading the summary when the hit the word "cyberwar"?
(Okay, I'll admit I scanned the rest of it, but saw "Chertoff" and really stopped reading.)

Sarbenes-Oxley? They cited S-O?

[SlappyBastard]

OMFG . . . when cluelessness attacks. How can anyone say that the post-Enron regulatory framework was anything except a clusterfuck? Show me the goddamned accountability in terms of real jail time.

Security in one easy step

[CapOblivious2010]

Step 1: don't let your users write/modify your program (e.g. buffer overflows, SQL injection, XSS attacks, URL manipulation, etc,etc,etc)

That will cover about 90% of it right there

Re:Security in one easy step

Don't know what you use but most useful programs I know of usually take an input of some sort

Re:Security in one easy step

[CapOblivious2010]

Exactly... and as long as the data stays DATA, you won't have any problems. For example, good old CALC.EXE has never had a security problem (though it's had some accuracy problems) because no combination of numbers and operations will cause it to execute the binary representation of those numbers.

If instead it delegated the calculations to a shell command (ok, pretend windows has a unix-like shell), like "dc " + num1 + "+" + num2; then you'd be in the (losing) business of trying to sanitize your inputs.

SQL has bound parameters, but only a small fraction of developers use them - leading to all sorts of attacks when the user's input is used to construct the query by string concatenation or interpolation or whatever.

HTML is also commonly put together by string concatenation/interpolation, but really ought to be done by... umm... oops, there IS no other way! That single fact is the reason that the web (at least as we know it today) will ALWAYS have rampant security problems.

How about Leaving Everyone the fuck alone

[Sulfate]

How about the government (and it's little FCC dog too) getting away from our networks and infrastructure, and leave people the fuck alone so we can try to survive this monetary terrorism, without all this fucking disruption and uncertainty of the future.

Fucking government better go after the banksters before the people rise up and go after this fucked up government since there's no jobs left except murder and war!

Re:How about Leaving Everyone the fuck alone

[magamiako1]

You mean so corporate overlords can be free to take our money while giving us the illusion of "choice"?

Coming From Microsoft ..

[AftanGustur]

To any idea calling for a "collective" something and coming from Microsoft or any of the other big Commercial IT players, I would like to add the requirement:

No patents will be enforceable when it comes to implementing Microsoft's proposed "collective cyberdefence".

ISO 27001

Because of this, what's required is not a standard for security controls, but a standard for security management. One has existed for some years, is widely used in Europe. It's called ISO 27001. Much ignored in the USA when it started life as a British Standard (BS7799).

And then...

[hitmark]

They start mandating that any computer that can read or write to a arbitrary area of ram or storage is a security tool, only to be sold to certified professionals. The rest will be sold something even more strictly controlled then the iOS devices, and if found jailbroken will be prosecuted as if trafficking in military grade hardware.

The corporations will be happy, the big brother government will be happy, the rest "fuck em".

Fighting symptoms won't cure the disease

The problem is that these are all just symptoms. The real problem is a society which does not value wisdom. And as a society, we're not wise enough to recognise the problem, much less invest in resolving it.

Terrific!

[tkrotchko]

Much in the same way a PMP certification ensures you get great project management, an IT security certification will ensure we have excellent security professionals out there.

Re:Terrific!

[CAIMLAS]

And even if:

1) The certification meant something
2) The certificate holder was competent
3) The certificate holder has the actual chops, beyond the certificate

You will still have problems if you do not give them the time and resources to get the job they need to get done. Too many places do the equivalent of handing an engineer a shovel, saying "build me a bridge". Or, sadly, handing their draftsman a pile of sticks and some baling twine and saying same.

Increase the requirements...

for security practitioners and there will be fewer security practitioners.

Reality Bites

[jasnw]

While I am not fond of, or supportive of, Government certification processes, I am sure than anyone working for a non-IT company as a sysadmin knows how seriously (NOT) most of the PHBs take the issue of making sure the company networks are secure. And not just from external Terrorists. I work for a scientific research firm that is run by a bunch of PhDs (the worst kind of PHBs) who have all the answers. Getting them to understand, and act on / pay for, the things necessary to secure our company network from script kiddies, or any bozo on the net who has a hanker to hack, is a task that even Hercules would think twice about taking on. Yes, the Government will do this all wrong and it will end up costing a mint, but that is not to say that there aren't unresolved problems under this particular rock.

Re:The tech guys and not some PHB should be singin

[WATist]

Ah, but it isn't supposed to be the techie signing the paper.

Re:The tech guys and not some PHB should be singin

[LordLimecat]

What do you suppose said disgruntled techie does after being fired? Keeps his mouth shut?

Chertoff - Backscatter radiation scanners redux?

[alexmin]

Is this the same dude who got rich by forced irradiation of flying public by TSA (which he recently lead?)

ISO paper chase

[plopez]

I smell another ISO paper chase brewing. A standard will be created and then there will be a surge of meetings, documents prepared, more meeting, certification classes, more meetings, etc. They will follow the standard on paper without knowing what it means in actual implementation.

If my previous experience with ISO holds true.

If Corporate America can fool the IRS...

[ibsteve2u]

...they can certainly fool Homeland Security. I imagine that "certification authorities" in the Cayman Islands capable of ginning up the requisite answers and documentation began organizing even as the breath left Chertoff's mouth as he made that statement

There is absolutely no evidence to support the hypothesis that Corporate America will not try to find a way to evade or defraud any regulatory requirement or "business standard" that costs them so much as a zinc penny.