US DOJ Lays Out Cybersecurity Basics Every Company Should Practice
coondoggie writes "The mantra is old, grant you, but worth repeating since it's obvious from the amount of cybersecurity breaches that not everyone is listening. Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government and vice-versa, to combat cyber threats through better prevention, preparedness, and incident response."
Support a Europe-related section on Slashdot!
Valid HTML is secure HTML. Well, not really, but it's a start.
Are you fucking kidding me samzenpus?
then smoke crack
The US DoJ is corrupt and untrustworthy.
Use any advice with great caution.
John Brennan says there are tons of things companies can do to help spy on the populace^H^H^H^H^H^H^H^H terrorists.
Silence is a state of mime.
Making a book of "best practices" is a good first step, but incentives are also needed.
For example, suppose the government set penalties for security breaches which result from not following best practices. The penalties would not trigger until an actual breach, but if one *does* happen then the company is fined for breach of trust.
The fines should be structured to encourage businesses to reduce risk, by artificially creating proportional risk.
If someone steals CC numbers because the company kept them in the clear, and kept them beyond the time necessary to complete a transaction, the company is fined $5 for each number. If passwords are not encrypted and salted, $1 for each stolen password. If web form data is not sanitized and customer information is stolen, $3 for each record. If the power station control computers are on the net with default passwords - half a mil.
The government could also set up incentives and rewards for white-hat hackers who find vulnerabilities. If 1/10 of the potential fine goes to the white-hat hacker who discovers it, security practices would come into line very quickly. Perhaps with a cap of $50,000: enough for incentive to the hacker and the company, but not enough to affect the business.
(... tempered by common sense. The company can argue that a different action is just as secure as "best practice" - but this should be done in court as response to a data breach investigation. Also, security breaches which are the result of something not covered by "best practices" are exempt.)
Government can tweak and tune things for the betterment of society, but it has to be structured in the manner of game theory. People have to want to follow procedures.
The article advocates more passwords, and stronger passwords, saying it is less of a pain than having everything stolen by hackers.
But....
When your password rules are too onerous, people start rebelling against them out of practical necessity. People write them down on post-its or store them in files on the hard drive because there are too many to remember (and they are too hard to remember). The few people who don't do this suffer frequent lock-outs, costing the company time and money (over and over again) in password resets. And, invariably, your CEOs exclude themselves from the policies. These same CEOs tend to have way more access than they actually need, and as such are the primary targets for hackers.
So, rather than requiring a few more special characters in the min of 20 character passwords that lock out after the second failed attempt, must be changed every 10 days, have an infinite history to prevent re-use, and each of which grants you access to between five and ten percent of the subsystems you use on a daily basis...perhaps we should work smarter instead of harder.
Use two factor authentication for the core systems (everyone has a cell phone these days, and good systems can work on the employee's office landline anyway). Passwords lock out after 10 attempts (seriously, those extra 7 attempts are NOT what will give a dictionary attack its edge). Require long passwords with a minimum "variety factor" in the letters rather than specific number and special character minimums (the variety factor and length are far more cryptographically strong than adding a 123 at the end). Train employees to recognize phish. And, of course, don't give people access to stuff they don't need.
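Added example (not from the thread): the character-class quota rule the comment argues against, beside a "variety factor" rule that looks only at length and how varied the characters are. The variety metric is an assumption, Shannon entropy of the password's own character distribution times its length, and the sample passwords are constructed.

```python
"""Class-quota rule versus a length-and-variety rule (added example).

Assumption: "variety factor" is measured as the Shannon entropy of the
password's own character distribution, scaled by its length, so repetition
is penalised and long, varied strings score well without class quotas.
"""
import math
import string
from collections import Counter

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def class_policy(pw: str, min_len: int = 8) -> bool:
    """Quota rule: minimum length plus at least one of every character class."""
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in CLASSES)


def variety_bits(pw: str) -> float:
    """Shannon entropy of the character distribution, scaled by length (bits)."""
    n = len(pw)
    if n == 0:
        return 0.0
    return -sum(k / n * math.log2(k / n) for k in Counter(pw).values()) * n


def variety_policy(pw: str, min_len: int = 14, min_bits: float = 40.0) -> bool:
    """Variety rule: long enough and varied enough, no per-class quotas."""
    return len(pw) >= min_len and variety_bits(pw) >= min_bits


# constructed samples: two quota-pleasers and one long, varied passphrase
SAMPLES = ["P@ssw0rd1!", "Aa1!Aa1!Aa1!Aa1!", "correct horse battery staple"]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (class_policy result, variety_policy result, bits)."""
    return {pw: (class_policy(pw), variety_policy(pw), round(variety_bits(pw), 1))
            for pw in samples}


if __name__ == "__main__":
    for pw, (by_class, by_variety, bits) in compare().items():
        print(f"{pw!r:32} class={by_class!s:5} variety={by_variety!s:5} {bits} bits")
```

The repeated "Aa1!" string satisfies every class quota yet carries only 32 bits by this measure, while the four-word passphrase fails the quota rule and scores far higher.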
Do I secure my network or backdoor it to comply with the demands of the Surveillance State?
Kinda like you should brush your teeth before going to bed. You don't see articles written about that! Well, it's because you don't brush your teeth ON A COMPUTER!!!! Move along, nothing to see here (that the slashdot crowd don't already know!).
Tomorrow is another day...
Don't trust the DOJ on what it states as "best rules."
Om, nomnomnom...
Key passwords (maybe mail, the password managers' ones, places where you must type your password frequently) should be easy to remember and hard to crack (hint); the rest (there are always a lot of them) should be in one or more password managers (i.e. your browser, with a master password, but also more portable ones like KeePassX) where, as they are not meant to be remembered, they are easier to change, to give the hardest complexity, and of course to have all different. And try to avoid automated password trying, especially at fast speed, by using fail2ban or similar when possible, or having a keyphrase in your private ssh certificate with PKCS #8 to slow down cracking.
But passwords are just a part of the equation: whatever runs as your user usually has access to the same resources as you (i.e. it could read your files, your clipboard, your keyboard input, so it could capture passwords, no matter how complex they are), and to sites where you are identified (i.e. single sign-on systems that enable the IP you are on mean that a trojan running on your PC has your privileges; same for VPNs, or internal systems not safe from XSS attacks). And antivirus isn't as good a protection as it claims to be (Red October was active 5 years before being detected, and they can be forced to contain backdoors). Use more secure OSs and browsers (at least, ones with no such overabundance of malware), and security practices (only install from official repositories, stop at mail server level things that don't come from where they claim to come, etc.).
And of course, educate people. In real life you know which things are risky and dangerous (i.e. don't walk alone at night in high-crime neighbourhoods, drink and drive, touch electric wires, etc.); people should be able to understand what is dangerous or risky on the internet too, including their private use at home (even if privacy is a lost cause, there are far more risks).
So will these "minimum standards" now become a de facto definition of "good" and (in law) "negligent" behaviour? I.e. if you don't meet these standards, you will be held accountable for security breaches, maybe even have any insurance cover withheld.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Meantime, I'll keep my passwords in encrypted passwordsafe files, available via multiple pathways, and even on multiple tablets which are also thoroughly, and I do mean thoroughly, encrypted. Syncing everything is about my only complaint left.
And yes, I define paranoia.
"[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
The article basically says firewall firewalls firewalls, passwords passwords passwords, hire less gullible employees and trust the government. Four things that are not going to help any company.
I work in IT and while I will admit to turning any and all firewalls on, I know in the back of my mind that they don't do a whole lotta good. They do what they do which is to basically close down network access to all those extra services that we all run but don't really secure. That's not going to stop an attacker just give them a bit less to work with which is great but not a whole lot in the long run because....
Some employee (usually the company owner) is just going to give that attacker all his passwords because he was stupid enough to install the pr0n browser 2013 toolbar in IE 8 which he's still using because the government mandates its use so they don't have to re-factor their online services to eliminate stupid Active X controls.
Which brings us to trust the government? No, really: half the unpatched vulnerabilities on the systems I care for (which would be all the known vulnerabilities) are there because government can't be bothered to fix its stuff.
So my best rules for security... Don't trust the government. Eliminate Active X, Flash and Java. Turn off things you don't need. Regularly audit PCs and uninstall the junkware. Try to use fewer closed (Adobe, Apple, Google, Microsoft...) products whenever possible. Use wired networking if possible for important stuff and wireless as sparingly as possible. Use a keychain.
PS Microsoft: Apple has had the keychain for what, 14-15 yrs now; what is taking you so long to copy it?
PPS Mozilla folks: mainstream use of the Mac Keychain. Keychain Services Integration needs some work but also needs to be part of the Mac application.
PPPS If your service does not accept passwords longer than 8 characters, you are part of the problem.
PPPPS Google/Apple keychain sync to mobile devices needs to happen.
It'd probably cost the equivalent of $50,000 per year for my small business to implement all of those. Thanks for the suggestions. I can't do any of them and remain profitable at all. So I'm going to do none of them.
Instead, I've got a suggestion for you. How about making it illegal to hack into my property, and then why don't you go about arresting and prosecuting criminals? In other words, how about you, my government, go about doing your job, instead of making me into a security task force unto myself.
Sure, it sucks getting hacked. It CAN mean losing money, losing clients, and losing my business. It sucks more to spend so much time and money securing against getting hacked that I WILL lose money, clients, and my business.
Welcome to laws. You don't want me to protect myself against criminals. That's not what we call a civilized society. I don't keep a suit of armour in the garage. I don't have a shield on-hand. I don't have chain-mail shirts -- ok, I do have one, but it's a Halloween costume, and it's heavy.
Sounds about right. I also keep an offline copy: the encrypted password/passphrase list on a DVD-R, the decrypting software on the original CD, both of which live in my safe deposit box at the bank AND the fire-proof in the house. The decryption passphrase and instructions are in a tamper-noticeable "Cookie" (heat-sealed plastic around paper). One copy of which is elsewhere in the house, and two more which are. . .somewhere else.
A backdoor in all your security protocols to enable easy snooping by three letter agencies.
It's the 'don the condom' mentality.
The Australian Department of Defence Top 35 Mitigation Strategies is a pretty good start for a corporate infosec framework.
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
It gripped her hand gently. 'Regret is for humans,' it said.
Yeah, right.
-- Jimtown Kelly
The DOJ, which illegally seizes domains from foreign holders? The DOJ which orchestrates illegal raids in New Zealand? The DOJ which is the bully of the Content Mafia?
It seems that these are not really the most technical-minded people, and you expect them to advise on Computer Security?
I'd rather follow the NSA Guidelines http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
"The more prohibitions there are, The poorer the people will be" -- Lao Tse
The article advocates more passwords, and stronger passwords,
Why do companies have archaic password limitations? Must be less than 12 characters (or 16 or some other arbitrary short length). Must NOT be the following characters... Why is there a limit on the characters I use? Whenever I see boneheaded rules like this, I assume someone is incompetent, and I wonder what other security holes there are.
One of my banks has "eight digits, numbers only, cannot repeat numbers", and each time I change it, no digit may be in the same place as in the last password. No three digits may be consecutive numbers, or consecutive in reverse order. Amongst other conditions.
Generating a rememberable password is extremely hard. Even random numbers are of little use, since they tend to be rejected as well.
This results in me having to use keepassx (instead of MY BRAIN) to store my passwords.
Meanwhile, I can easily remember passwords for sites with free-form strings as password. I can even use unique ones everywhere. It would also take several centuries to brute force any of those.
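Added example (not from the thread): a quick measurement of how much of the eight-digit space the bank rules quoted above actually leave. The rules are taken from the comment (eight digits, no repeated digit, no three consecutive digits in ascending or descending order, no digit kept in the same position as the previous password); reading "consecutive" as adjacent positions such as 3,4,5 or 7,6,5 is an assumption, and the previous password is a constructed sample.

```python
"""How much entropy the bank's digit-only rules leave (added example).

Rules as quoted in the comment: exactly eight digits, no repeated digit, no
three adjacent digits forming an ascending or descending run (assumed to
mean e.g. 3,4,5 or 7,6,5), and no digit kept in the same position as the
previous password.
"""
import math
from itertools import permutations

# every forbidden ascending or descending run of three adjacent digits
RUNS = {(d, d + 1, d + 2) for d in range(8)} | {(d + 2, d + 1, d) for d in range(8)}


def has_run(digits: tuple) -> bool:
    """True if any three adjacent digits form a consecutive run."""
    return any(digits[i:i + 3] in RUNS for i in range(len(digits) - 2))


def meets_bank_rules(pw: str, previous: str = "") -> bool:
    """Apply all quoted rules to one candidate; previous may be empty."""
    if len(pw) != 8 or not pw.isdigit() or len(set(pw)) != 8:
        return False
    if has_run(tuple(int(c) for c in pw)):
        return False
    if previous and any(a == b for a, b in zip(pw, previous)):
        return False
    return True


def survey(previous: str = "13579246") -> dict:
    """Enumerate every 8-digit no-repeat password once and count survivors.

    Returns the no-repeat total, how many are also free of runs, how many of
    those differ from `previous` in every position, and the effective entropy
    in bits of that final set (a constructed previous password is the default).
    """
    prev = tuple(int(c) for c in previous)
    total = no_runs = differs = 0
    for p in permutations(range(10), 8):
        total += 1
        if has_run(p):
            continue
        no_runs += 1
        if all(a != b for a, b in zip(p, prev)):
            differs += 1
    return {"no_repeat": total, "no_runs": no_runs,
            "differs_from_previous": differs,
            "bits": round(math.log2(differs), 2)}


if __name__ == "__main__":
    print(survey())
    # a free-form 12-character password over 95 printable ASCII characters
    print("free-form 12 chars:", round(12 * math.log2(95), 2), "bits")
```

The surviving set is well under 2^21 candidates, against roughly 79 bits for a free-form 12-character password, which is the gap the comment is complaining about.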