[ISN] Cybersecurity group looks to Europe for help

InfoSec News isn at c4i.org
Fri Jul 1 05:40:14 EDT 2005


Forwarded from: matthew patton <pattonme at yahoo.com>

> "At first, I thought Washington needs a new association like a hole
> in the head.

there's a rare opinion...

> The U.S. government isn't taking cybersecurity seriously enough, he
> said, noting that it reduced research and development spending for
> the area in its latest budget.

Oh I'm sure R&D is useful and all but seriously, who cares about gov't
funding? The security companies are where the R&D should be happening.
Marcus' interview a little while ago said that there is scant little
that is new or has been new in security for a couple of decades. I
agree with him.

What is sorely lacking is clue and caring about security right down to
the system admins (users are IMO a hopeless cause). A certain
organization I work for has all machines with full Internet IP's. Oh
sure there is a border firewall way up the foodchain but given the
size of the installation in question it's not exactly a one-way door.
I found an IP330 that had been sitting on the shelf for over a year
and call me crazy but I don't trust the tens of thousands of computers
connected to this network space not to mention the users all across
the world who don't have to come thru the choke-points. And the
manager looks at me like I'm from Mars ("but we're behind XXX's
firewall") when I suggest that not only should we be protecting our
servers but also the ofttimes highly sensitive material their people
have stashed on servers hither and yon.

> "As we've seen over the last few months, a lack of attention to
> detail can spill into the papers," Kurtz said.

But where are the crushing fines for sloppy data-handling? How about a
$100/person fine? Mastercard would be out what, 4 Billion? That'll
make them sit up and pay attention! Hospitals, banks, pharma companies
likewise. Now wouldn't it make a whole lot of sense to do security
RIGHT in the first place?

Where is the legislation that revokes the notion that the companies
own the data? It's MY information and life that hangs in the balance.
If you want it, you PAY me to access it and you furthermore are
prohibited from selling it unless I say you can.
 
> "We need to raise these issues, but at the same time, we need to
> make sure that the government doesn't overreact," Kurtz said.

eh? The only thing the gov't does is overreact. And generally the
results are intended to make the average citizen far worse off than
before while rewarding those who line Congresscritter pockets. I
seriously doubt the American economy will blow up if the identity
industry is wiped off the planet. Banks used to do just fine issuing
loans and mortgages to the townfolk and undertaking their own
due-diligence to evaluate an applicant's credit worthiness. So what if
the ridiculously easy personal credit dries up? Wouldn't our society
be a heck of a lot better off if people quit extending themselves far
above their means to pay and then defaulting left and right? Weren't
more strict rules passed to try to put a finger in the dam of
bankruptcy that shouldn't have happened in the first place if the
financial industry wasn't playing fast and loose with risk?

> "There's a lot of debate about the roles and responsibility of
> government and industry in information security. This is one of the
> things we are trying to work out," he said.

NIST has had some decent guidelines. SANS has a rather short list but
a list nonetheless. DoD et al. have various methods to "certify" an
information system but most of it's bunk unfortunately and does little
to nothing to actually provide for security engineering. Bad designs
should not be tolerated, period. If we could make failure to comply
and failure to execute leading to compromise = triggering big fines so
much the better. There is a cost to doing security right. There is NO
cost associated with doing security wrong if at all. And that is the
problem.




