Slashdot Mirror

← Back to Stories (view on slashdot.org)

US DOJ Lays Out Cybersecurity Basics Every Company Should Practice

Posted by samzenpus on from the protect-ya-neck dept.

coondoggie writes "The mantra is old, grant you, but worth repeating since it's obvious from the amount of cybersecurity breaches that not everyone is listening. Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government and vice-versa, to combat cyber threats through better prevention, preparedness, and incidence response."

10 of 58 comments (clear)

  1. Incentives by Okian+Warrior · · Score: 4, Insightful

    Making a book of "best practices" is a good first step, but incentives are also needed.

    For example, suppose the government set penalties for security breaches which result from not following best practices. The penalties would not trigger until an actual breach, but if one *does* happen then the company is fined for breach of trust.

    The fines should be structured to encourage businesses to reduce risk, by artificially creating proportional risk.

    If someone steals CC numbers because the company kept them in the clear, and kept them beyond the time necessary to complete a transaction, the company is fined $5 each number. If passwords are not encrypted and salted, $1 for each stolen password. If web form data is not sanitized and customer information is stolen, $3 for each record. If the power station control computers are on the net with default passwords - half a mil.

    The government could also set up incentives and rewards for white-hat hackers who find vulnerabilities. If 1/10 of the potential fine goes to the white-hat hacker who discovers it, security practices would come into line very quickly. Perhaps with a cap of $50,000: enough for incentive to the hacker and the company, but not enough to affect the business.

    (... tempered by common sense. The company can argue that a different action is just as secure as "best practice" - but this should be done in court as response to a data breach investigation. Also, security breaches which are the result of something not covered by "best practices" are exempt.)

    Government can tweak and tune things for the betterment of society, but it has to be structured in the manner of game theory. People have to want to follow procedures.

    1. Re:Incentives by Anonymous Coward · · Score: 2, Insightful

      Oh, I see. You want to monetize security breaches and have the government provide price supports, sort of like the DEA does with drugs.

      Then a whole army of bureaucrats and police will be created to make sure security breaches remain a profit center for their continued existence.

      That will solve the problem!

    2. Re:Incentives by gl4ss · · Score: 3

      Many of the things you suggest with regards to CC info are already in place due to PCI-DSS compliance specs, but I don't disagree in general.

      yeah.. but you know what? BIG COMPANIES ARE NOT PENALIZED AS THEY SHOULD BE FOR BREACHING THOSE TERMS/CONTRACTS! was stratfor put into it's place for hoarding the numbers? fuck no. ..and well, we get just vague "your information may be compromised" messages from companies instead of them fessing up that they stored the information in plain text.

      --
      world was created 5 seconds before this post as it is.
    3. Re:Incentives by Decker-Mage · · Score: 3, Interesting
      Sadly PCI-DSS is an example of security theater. VISA/Mastercard set up the standard to protect themselves, not the 'stakeholders': credit card users, processing firms, banks.... They've held that up as the Standard by which all things are measured and when their practices are questioned they blame everyone else but themselves.

      There have been firms who have suffered breaches directly after audits demonstrating compliance that have been fined for non-compliance. Why? Because they were breached so they can't have been in compliance. Nice example of ex-post facto there. Then there have been firms undergoing and audit that have been breached and therefor fined, even when the breach was discovered after the audit was completed and compliance was assured. Pure and simple, if you are breached, you must not be in compliance.

      If I were the only one dealing with security saying this, it might be personal. I'm not. It's just one of those meaningless standards that exist solely to provide butt-cover. As for government doing the job, I used to ensure compliance with all the various safety regulations (military, environmental, OSHA,... that list is almost endless) and I literally lost count. Counting is something I do real good. That and an eidetic memory. It was simply impossible to comply with them all, not from the standpoint of time and money; it was impossible as they often contradicted themselves. If you fed them all to an expert system it would have a seizure. Me? I used to laugh out loud, a lot, and everyone thought I was weird for laughing at the regs.

      The only way to get things right is to vote with our wallets but that's damn hard to do when dealing with a duopoly. And impossible when you're dealing with government. Corps have much bigger wallets than ours. They ought to since any costs they incur come out of our wallet.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    4. Re:Incentives by kermidge · · Score: 2

      As I was reading the article I saw many references to companies and shareholders; the only reference to customers was regard their perception of the company. Nice priorities. Was time a company understood that with no customers there was no company. Now they presume the presence of plenty of unthinking consumers.

  2. Not working well? Do it EVEN MORE! by Anonymous Coward · · Score: 5, Interesting

    The article advocates more passwords, and stronger passwords, saying it is less of a pain than having everything stolen by hackers.

    But....

    When your password rules are too onerous, people start rebelling against them out of practical necessity. People write them down on post-its or store them in files on the hard drive because there are too many to remember (and they are too hard to remember). The few people who don't do this suffer frequent lock-outs, costing the company time and money (over and over again) in password resets. And, invariably, your CEOs exclude themselves from the policies. These same CEOs tend to have way more access than they actually need, and as such are the primary targets for hackers.

    So, rather than requiring a few more special characters in the min of 20 character passwords that lock out after the second failed attempt, must be changed every 10 days, have an infinite history to prevent re-use, and each of which grants you access to between five and ten percent of the subsystems you use on a daily basis...perhaps we should work smarter instead of harder.

    Use two factor authentication for the core systems (everyone has a cell phone these days, and good systems can work on the employee's office landline anyway). Passwords lock out after 10 attempts (seriously, those extra 7 attempts are NOT what will give a dictionary attack its edge). Require long passwords with a minimum "variety factor" in the letters rather than specific number and special character minimums (the variety factor and length are far more cryptographically strong than adding a 123 at the end). Train employees to recognize phish. And, of course, don't give people access to stuff they don't need.

  3. Make up their damned mind. by Anonymous Coward · · Score: 4, Insightful

        Do I secure my network or backdoor it to comply with the demans of the Surveillance State?

  4. The DOJ by Kirth · · Score: 2

    The DOJ, which illegally seizes domains from foreign holders? The DOJ which orchestrates illegal raids in New Zealand? The DOJ which is the bully of the Content Mafia?

    It seems that these are not really the most technical-minded people, and you expect them to advise on Computer Security?

    I'd rather follow the NSA Guidelines http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

    --
    "The more prohibitions there are, The poorer the people will be" -- Lao Tse
  5. Re:Thanks for suggesting I go bankrupt by chrismcb · · Score: 2

    How about making it illegal to hack into my property; and then why don't you go about aresting and prosecuting criminals?

    It is, and they do... But there is also only so much they can do to arrest and prosecute foreigners.
    Do you have locks on your doors at home? Do you use them, or do you expect the government to make trespassing illegal and to arrest and prosecute criminals?

  6. Re:Not working well? Do it EVEN MORE! by chrismcb · · Score: 2

    The article advocates more passwords, and stronger passwords,

    Why do companies have archaic password limitations? Must be less than 12 characters (or 16 or some other arbitrary short length) Must NOT be the following characters... Why is there a limit on the characters I use? Whenever I see boneheaded rules like this, I assume someone is incompetent, and I wonder what other security holes there are.