Forwarded from: matthew patton <pattonme@private>

> "At first, I thought Washington needs a new association like a hole
> in the head.

There's a rare opinion...

> The U.S. government isn't taking cybersecurity seriously enough, he
> said, noting that it reduced research and development spending for
> the area in its latest budget.

Oh, I'm sure R&D is useful and all, but seriously, who cares about gov't funding? The security companies are where the R&D should be happening. Marcus' interview a little while ago said that there is scant little that is new or has been new in security for a couple of decades. I agree with him. What is sorely lacking is clue and caring about security right down to the system admins (users are IMO a hopeless cause).

A certain organization I work for has all machines with full Internet IPs. Oh sure, there is a border firewall way up the food chain, but given the size of the installation in question it's not exactly a one-way door. I found an IP330 that had been sitting on the shelf for over a year, and call me crazy, but I don't trust the tens of thousands of computers connected to this network space, not to mention the users all across the world who don't have to come through the choke-points. And the manager looks at me like I'm from Mars ("but we're behind XXX's firewall") when I suggest that not only should we be protecting our servers but also the ofttimes highly sensitive material their people have stashed on servers hither and yon.

> "As we've seen over the last few months, a lack of attention to
> detail can spill into the papers," Kurtz said.

But where are the crushing fines for sloppy data-handling? How about a $100/person fine? Mastercard would be out what, 4 billion? That'll make them sit up and pay attention! Hospitals, banks, pharma companies likewise. Now wouldn't it make a whole lot of sense to do security RIGHT in the first place? Where is the legislation that revokes the notion that the companies own the data? It's MY information and life that hangs in the balance. If you want it, you PAY me to access it, and you furthermore are prohibited from selling it unless I say you can.

> "We need to raise these issues, but at the same time, we need to
> make sure that the government doesn't overreact," Kurtz said.

Eh? The only thing the gov't does is overreact. And generally the results are intended to make the average citizen far worse off than before while rewarding those who line Congresscritter pockets. I seriously doubt the American economy will blow up if the identity industry is wiped off the planet. Banks used to do just fine issuing loans and mortgages to the townsfolk and undertaking their own due diligence to evaluate an applicant's creditworthiness. So what if the ridiculously easy personal credit dries up? Wouldn't our society be a heck of a lot better off if people quit extending themselves far above their means to pay and then defaulting left and right? Weren't more strict rules passed to try to put a finger in the dam of bankruptcy that shouldn't have happened in the first place if the financial industry wasn't playing fast and loose with risk?

> "There's a lot of debate about the roles and responsibility of
> government and industry in information security. This is one of the
> things we are trying to work out," he said.

NIST has had some decent guidelines. SANS has a rather short list, but a list nonetheless. DoD et al. have various methods to "certify" an information system, but most of it's bunk, unfortunately, and does little to nothing to actually provide for security engineering. Bad designs should not be tolerated, period. If we could make failure to comply, and failure to execute leading to compromise, trigger big fines, so much the better. There is a cost to doing security right. There is NO cost associated with doing security wrong, if at all. And that is the problem.
_________________________________________
Attend the Black Hat Briefings and Training, Las Vegas July 23-28 -
2,000+ international security experts, 10 tracks, no vendor pitches.
www.blackhat.com
This archive was generated by hypermail 2.1.3 : Fri Jul 01 2005 - 03:15:52 PDT