Slashdot Mirror


Industry IT Security Certification Proposed

Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"

25 of 102 comments

  1. War Cap by causality · · Score: 5, Insightful

    As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:

    • War on (some) Drugs
    • War on Poverty
    • War on Terror
    • War on Obesity

    Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.

    Is that really so much to ask? It'd be easier than what we are doing now.

    --
    It is a miracle that curiosity survives formal education. - Einstein
    1. Re:War Cap by ColdWetDog · · Score: 2

      You're right. America has a bad case of corporate ADHD. We need to cut out the sugar, turn off our computers and TVs, drop a couple tabs of Ritalin and solve one war at a time. We can call it Focus America! Now we just need a Focus Czar.

      --
      Faster! Faster! Faster would be better!
    2. Re:War Cap by spydum · · Score: 2

      To be fair, we have always been combating these things. It's just that in the last 20 years the media has begun to slap catchy nicknames on them to sell more eyeballs.

    3. Re:War Cap by The+Wild+Norseman · · Score: 2

      so there's a biological analogy that perfectly matches the US government's behavior.

      Schizophrenia or psychosis?

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
  2. Re:Oh good. by causality · · Score: 3, Interesting

    This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.

    -Someone who does this for a living

    Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.

    Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  3. About as effective as Sarbanes-Oxley? by rta · · Score: 3, Interesting

    Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee jerk response to Enron and has done nothing but drive up costs.

    Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

  4. Re:Oh good. by nurb432 · · Score: 5, Interesting

    It will raise costs for IT services and create another ecosystem for 'certification holders' to milk.

    Reminds me of iso9000..

    --
    ---- Booth was a patriot ----
  5. what I've learned from the I.T. industry... by MickyTheIdiot · · Score: 4, Insightful

    All "certifications" are scams at some level. Some worse than others, but at some point it's about wanting to get your money while doing very little. It will create a nice new market for testing centers, book writers and publishers, and study material makers, but will ultimately do very little. Think how much Microsoft Certified Engineer....

  6. another boondoggle? by sribe · · Score: 3, Funny

    Hey, I bet HB Gary will want to get a piece of this action!

  7. Sarbanes-Oxley success??? by clyde_cadiddlehopper · · Score: 2

    "holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"

    Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").

    --
    Obi-Wan: "I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were sudden
  8. Re:Oh good. by PCM2 · · Score: 2

    Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.

    Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking man" do no good to anybody in the current legal environment.

    Also, companies generally hire outside consultants to verify regulatory compliance. If consultants are aiming for a government-mandated benchmark, then you can hire them under the tacit assumption that they have been sanctioned by the U.S. government. Then, when your compliance measures prove to be utterly futile and misguided, it's the consultant's fault, and you sue. You sue and win, because the government let you down.

    It's all a game, basically.

    --
    Breakfast served all day!
  9. I fully support this by the_Bionic_lemming · · Score: 3, Insightful

    I fully support this - as long as we can hold policy makers to the exact same standards of punishment when things go wrong (like recessions, budget shortfalls, and other issues).

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  10. and while they are busy doing that ... by Zemran · · Score: 3, Insightful

    ... I will be busy building a new wooden fence around my property to keep out flies. I think that I will be about as successful ...

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  11. Re:Oh good. by ozmanjusri · · Score: 3, Insightful

    push us further towards a "Standards and Compliance" posture, and not a real security posture.

    There's a reason for that.

    Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet

    The manufacturer of the deeply flawed system at the heart of most security problems wants everybody else to pay for the consequences, so they're lobbying lawmakers. They'd also be pretty happy if it props up a few buggy whip businesses on the way.

    What's the bet the certification requirements will read like:

    1. Microsoft IIS Server (TM) is current and patched.
    2. McAfee Antivirus (TM) installed and updated.
    3. Microsoft .NET (TM) registered with Microsoft update and verification tool.
    4. All online systems pass Microsoft WGA (TM) checks.
    5. ...
    6. Profit.
    --
    "I've got more toys than Teruhisa Kitahara."
  12. The tech guys and not some PHB should be signing by Joe+The+Dragon · · Score: 2

    The tech guys and not some PHB should be signing this, as the PHB can say our systems are fine and have no idea what state they are in at the time.

  13. Re:Oh good. by causality · · Score: 2

    Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking man" do no good to anybody in the current legal environment.

    And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.

    For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management. You expanded the scope of the idea to include the larger legal framework but I maintain that the general concept applies there as well. As above, so below.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  14. Re:The tech guys and not some PHB should be singin by Opportunist · · Score: 2

    You ARE aware that this will lead to a hotseat game, right? Here's how it works:

    PHB: "Sign here!"
    Techie: "But ... but ... we're not secure!"
    PHB: "Sign here or you're fired!"
    Techie: (gulp) Ok... let's hope...

    When something happens, Techie gets fired and replaced. Nothing else changes. Start script at line one.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:Oh good. by Seumas · · Score: 2

    And to keep in line with ignorant idiots like Vivek Kundra (National CIO) who talk in meaningless nonsense phrases and don't know what they're talking about and approve $20mm Drupal websites that are half broken, the certification will be $50,000 per person and re-certification every two years will be another $25,000. And practicing technology services without a certification will be punishable by five years in prison.

  16. Re:Oh good. by PCM2 · · Score: 2

    For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management.

    That much was obvious. And as such, I maintain that you're looking at it backwards. You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for the benefit of the business owner, who never knows when his employees might screw up, leaving him exposed to legal liability. By codifying practices that business can "certify" against, laws like this put legal tools in the hands of business owners that can shield them from lawsuits. The point of the law is not to make businesses more secure. The point of the law is to create a legal framework by which businesses can reduce risk.

    --
    Breakfast served all day!
  17. Sarbanes-Oxley? They cited S-O? by SlappyBastard · · Score: 3

    OMFG . . . when cluelessness attacks. How can anyone say that the post-Enron regulatory framework was anything except a clusterfuck? Show me the goddamned accountability in terms of real jail time.

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  18. Security in one easy step by CapOblivious2010 · · Score: 2

    Step 1: don't let your users write/modify your program (e.g. buffer overflows, SQL injection, XSS attacks, URL manipulation, etc,etc,etc)

    That will cover about 90% of it right there
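
    The "don't let your users write your program" rule above, shown as an added example that is not part of the original comment or thread: the same login check written once so the input becomes SQL (vulnerable) and once so it is bound as data (safe), plus the HTML-escaping equivalent for the XSS case. The table, the two accounts and the payload are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _db():
    """In-memory database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(name, password):
    """User input is pasted into the statement text, so the user is
    writing part of the program. A password of  ' OR '1'='1  turns the
    WHERE clause into  (name='x' AND password='') OR '1'='1'  and every
    row matches."""
    conn = _db()
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(name, password):
    """User input is bound as parameters: the statement text is fixed and
    the values can never be parsed as SQL. The same payload just fails to
    match a password."""
    conn = _db()
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def greet_vulnerable(name):
    """Reflects user input straight into markup, so the user is writing
    part of the page (XSS)."""
    return f"<p>Hello, {name}</p>"


def greet_safe(name):
    """Escapes the input so the browser renders it as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable("x", payload))  # both users
    print("safe:      ", login_safe("x", payload))        # nobody
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_safe("<script>alert(1)</script>"))
```

    The two safe variants share one property: the boundary between program and data is fixed by the API (parameter binding, escaping), not by anything the user controls. That is what makes the whole class of bugs in the comment above go away rather than one payload at a time.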

  19. Re:Oh good. by PCM2 · · Score: 2

    Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied.

    We don't disagree here, yet this is one form of legal solution. It's probably about as effective as the proverbial finger in the dike, but it's one way to tackle the problem.

    That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position.

    To give a recent example of why that isn't sufficient, look at the HBGary hack. These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.

    Mind you, which is the more likely outcome of this certification? That companies who hire security consultants will be able to demand a certain quality of service? Or that security consultants will be able to hide their incompetence behind a government rubber stamp? I think we both know the answer to that one.

    --
    Breakfast served all day!
  20. Re:Oh good. by ciabs · · Score: 2

    I think the bigger picture here is the time, money and resources being wasted.

    If I want to sell something on the web, I don't need the fucking government telling me I need jack shit for certification. All this does is make me not want to be on the web at all; we have enough financial problems in our lives now, to have to be constantly fucking with the latest new government regulation. It's literally getting to the point where this fucking war on terror is domestic terrorism in and of itself. Which, if enough people think this way, crashes our already fucked up markets, economy and monetary system. In short, this is just more thugs turning the lights out on Americans. It's also a control mechanism where big foreign corporations can squeeze out the little mom and pops who can't get certified to whatever bullshit standard du jour of the week the government says.

    The government needs to get out of everyone's business. They disrupt it by being here. They need to go after the banks and get the fuck off the web.

    Dear Government,
    Shut the fuck up about all this bullshit and go lock some banksters up, before the people throw your fucking ass out of office.

  21. Coming From Microsoft .. by AftanGustur · · Score: 3

    To any idea calling for a "collective" something and coming from Microsoft or any of the other big Commercial IT players, I would like to add the requirement:

    No patents will be enforceable when it comes to implementing Microsoft's proposed "collective cyberdefence".

    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
  22. Re:Oh good. by Bert64 · · Score: 2

    You will find that a lot of so-called security standards get watered down because Microsoft is unable to comply with them...

    For instance, requiring AES encryption: Microsoft only implemented that in Windows 2008 and Vista, despite it existing for many years on other platforms...

    Similarly, requirements for removing unnecessary software: Microsoft made it very difficult to remove stuff, so this basic requirement gets dropped too.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!