More Regulation Coming?
Posted Tuesday, June 21, 2011 9:14 PM


SSC-Dedicated

Group: Administrators
Comments posted to this topic are about the item More Regulation Coming?

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1129426
Posted Wednesday, June 22, 2011 6:03 AM
Old Hand

Group: General Forum Members
I think that data breaches should be reported publicly as soon as they happen. That way customers can take early steps to protect themselves.

From the news reports, Citibank sat on this data breach for a month before reporting it. That's too long!
Post #1129579
Posted Wednesday, June 22, 2011 6:10 AM
Ten Centuries

Group: General Forum Members
Regulations are quite a subject, but to make it short: as long as the wallet is not involved, mankind does not move. Why should they (the risk of a security issue's disclosure cost versus the cost of implementing what's necessary to prevent it)? They still make money. It was, it is and it will be that way.

And restricting the "wallet" is not the solution either. Who's going to pay in the end?
Post #1129583
Posted Wednesday, June 22, 2011 6:22 AM
SSCrazy

Group: General Forum Members
Regulations regarding technology are always behind the curve. It takes a long time to get regulations passed through the system and technology changes dramatically.

A simple monetary penalty paid to each customer whose data was breached may help. Say, $100,000 per account? $1,000,000? Money talks, and it may take large penalties to make companies pay attention to security.

Post #1129585
Posted Wednesday, June 22, 2011 6:40 AM
Old Hand

Group: General Forum Members
Good editorial, but you must realize and ultimately accept the absolute truth, proven time and time again throughout history - Anything that can be built, can be un-built.

If you waste your time in the panacea that somehow, some Wizard is going to come up with something that is so secure and yet accessible to those who need it, you are kidding yourself.

Think years back to Oracle 9i. Larry Ellison released 9i and touted it as "unbreakable". In less than 24 hours it had been broken. What did Ellison do? Issued a fix and charged people for it (good lesson in how to get wildly rich, but...)

Think about a different approach - How many times have you gone to your office during off-hours, broken into the front door, jimmied the elevators, used an axe to break down your company's office door, and then stolen a box of paperclips? (I hope the answer is "none".)

Why don't you do that? Because you would likely wind up behind bars. And THAT is the answer. Make it SO painful for hackers that it isn't worth the risk.

Think about it - there used to be a company called Arthur Andersen. During the Enron debacle they lied, shredded documents and a number of their staff were caught, sent to jail, slapped with huge fines, and it all brought down the company (which re-emerged later as Accenture). But they don't do the "Enron" shuffle anymore. They learned a lesson.

Catch a few hackers, put them away for a very long time, and make it as public as possible. Do that and you would see a huge drop in hacking.

Whereas sitting around waiting for some unbreakable piece of code only inspires hackers to show you just how breakable ANY code is.

There's no such thing as dumb questions, only poorly thought-out answers...
Post #1129598
Posted Wednesday, June 22, 2011 7:06 AM
Old Hand

Group: General Forum Members
We talk as if we know what security is, and this is a grave mistake. Sure, for any given problem we know how to secure against it.

The problem is, security *isn't* one problem, it's a googolplex of problems, each feeding on another to spawn millions of new ones.

There are certain broad practices (like encrypting passwords, Sony I'm looking at you!) but by and large a program is an unprovable mathematical construct with an astronomical number of possible code paths.

The problem is we're trying to secure against the "unknowable unknowns". We can handle the known problems, and even the known unknown problems, it's the unknown unknown problems that new hacks are made of.

And you will *NEVER* secure against those.

Having said that, most hacks are incredibly lame, and yes, we should have better solutions against those. Of course it would help if SQL Server was less mind-numbingly complex...
Post #1129613
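The "broad practice" of protecting stored passwords that the post above mentions, as an added example that is not from the post or from the thread. A practitioner's caveat: credentials should be stored as a salted, deliberately slow one-way hash rather than encrypted, because a hash cannot be reversed to recover the password if the table leaks, and no decryption key has to live on the server. The user table, the iteration count and the sample password below are constructed for the example.

```python
"""Salted PBKDF2-HMAC password storage and verification.

Added example (not from the thread). The user table and the work factor
are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Assumption: tune upward until a
# single verification costs a noticeable fraction of a second on the
# production hardware; a higher count makes offline guessing slower.
ITERATIONS = 310_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none
    is supplied, so two users with the same password get different digests
    and a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant
    time so the comparison itself does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


# Constructed "user table": username -> (salt, digest). Only the salt and
# the digest are persisted; the password itself is never written anywhere.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Look up the user and verify. Unknown users fail the same way as bad
    passwords so the response does not reveal which usernames exist."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
    print(login("nobody", "anything"))                     # False
```

The stored record is (salt, digest) only; if the database is copied, an attacker still has to run the work factor per guess per user.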
Posted Wednesday, June 22, 2011 7:25 AM
Hall of Fame

Group: General Forum Members
I doubt more regulations would do any good.

Any new regulations are likely to be written in such a way as to increase the profits of various vendors selling security consulting services and software with very little impact on the actual problem (SOX anyone?). Kind of like welfare for Accenture.

Post #1129633
Posted Wednesday, June 22, 2011 7:34 AM
SSCommitted

Group: General Forum Members
I think that more regulation is needed. There are specific software and database design patterns that for decades have been known to be security vulnerabilities, and yet they continue to be repeated. How is it possible that the website for one of the largest banks in the US could be hacked simply by tampering with the browser URL?
Damn, this is 2011, not 1995. Are we still developing data access frameworks for websites from scratch without following a standard design pattern? It's time we stopped treating Information Technology as if it were some magical realm that can't be regulated like other industries. For example, building codes specify how plumbing should be installed and what type of pipe materials are allowed. Thank you. The FDA bans certain medical procedures that have proven ineffective and high risk. Thank you again.
Citibank hacked. By changing account numbers. In the URL -
Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar...

http://channel9.msdn.com/Forums/Coffeehouse/Citibank-hacked-By-changing-account-numbers-In-the-URL
Post #1129640
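The flaw the post above describes, an account number taken from the URL and trusted without checking who owns it, is the classic insecure direct object reference. The following is an added example, not code from the thread and not Citibank's code: a handler that authenticates the session but then serves whatever account the query string names, beside a hardened handler that only serves accounts owned by the authenticated user. The account table, the session store, the `acct` parameter name and the URLs are all constructed for the example.

```python
"""Insecure direct object reference versus an ownership check.

Added example (not from the thread). ACCOUNTS, SESSIONS, the 'acct' query
parameter and the bank.example URLs are constructed assumptions.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> (owner user id, balance)
ACCOUNTS: Dict[str, Tuple[str, int]] = {
    "1001": ("alice", 2500),
    "1002": ("bob", 900),
    "1003": ("carol", 15000),
}

# Constructed session store: session token -> authenticated user id
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when the request carries no valid session."""


def account_from_url(url: str) -> str:
    """Pull the account number out of a query string such as ?acct=1001."""
    query = parse_qs(urlparse(url).query)
    return query.get("acct", [""])[0]


def view_account_vulnerable(url: str, session_token: str) -> Optional[dict]:
    """Checks that *someone* is logged in, then returns whichever account the
    URL names. Any authenticated user can read any other customer's account
    by editing the number in the address bar: the authorisation step is
    missing, not the authentication step."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    acct = account_from_url(url)
    row = ACCOUNTS.get(acct)
    if row is None:
        return None
    owner, balance = row
    return {"account": acct, "owner": owner, "balance": balance}


def view_account_secure(url: str, session_token: str) -> Optional[dict]:
    """The only trusted input is the server-side session. The account number
    from the URL is honoured solely if the authenticated user owns it."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    acct = account_from_url(url)
    row = ACCOUNTS.get(acct)
    # Treat a foreign account exactly like a missing one, so the response
    # does not confirm which account numbers exist.
    if row is None or row[0] != user:
        return None
    owner, balance = row
    return {"account": acct, "owner": owner, "balance": balance}


if __name__ == "__main__":
    bob_tries_alice = "https://bank.example/account?acct=1001"
    print(view_account_vulnerable(bob_tries_alice, "tok-bob"))  # leaks alice's row
    print(view_account_secure(bob_tries_alice, "tok-bob"))      # None
```

The same check belongs in the data layer as well: a query such as `WHERE account_id = ? AND owner_id = ?` with the owner taken from the session, never from the request, fails closed even if a handler forgets the check.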
Posted Wednesday, June 22, 2011 7:34 AM
SSCrazy

Group: General Forum Members
Citibank outsourced their IT department to India. Poor coding and poor testing results in hacking.
They deserve what they get.
My advice is not to do any business with Citibank.
Post #1129641
Posted Wednesday, June 22, 2011 7:41 AM
Forum Newbie

Group: General Forum Members
I agree that regulation directing the how would not be effective. What is needed is to make data security a personal priority for CEO’s and Boards of Directors. When they have a personal interest in good data security the necessary resources will be provided to those that can actually do something about it. Maybe 10 minutes in jail for each account/record lost would be incentive enough. As someone else said money is what moves people. So maybe a $1,000 per record fine would work. Until it is cheaper to do business right than to do it wrong, it will be done wrong.

Ray R
Post #1129647