More Regulation Coming?


Steve Jones (SSC Guru, 84K reputation)

Group: Administrators
Points: 84257 Visits: 19223
Comments posted to this topic are about the item More Regulation Coming?

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Ralph Hightower (Mr or Mrs. 500, 596 reputation)

Group: General Forum Members
Points: 596 Visits: 1120
I think that data breaches should be reported publicly as soon as they happen. That way customers can take early steps to protect themselves.

From the news reports, Citibank sat on this data breach for a month before reporting it. That's too long!
Megistal (SSCrazy, 2.2K reputation)

Group: General Forum Members
Points: 2186 Visits: 2555
Regulations are quite a subject, but to make it short: as long as the wallet is not involved, mankind does not move. Why should they (risk of a security issue cost disclosure versus the cost of implementing what's necessary to prevent it)? They still make money. It was, it is and it will be that way.

And restricting the "wallet" is not the solution either. Who's going to pay in the end?
OCTom (Hall of Fame, 3.5K reputation)

Group: General Forum Members
Points: 3499 Visits: 4152
Regulations regarding technology are always behind the curve. It takes a long time to get regulations passed through the system and technology changes dramatically.

A simple monetary penalty paid to each customer whose data was breached may help. Say, $100,000 per account? $1,000,000? Money talks and it may take large penalties to make companies pay attention to security.
blandry (Say Hey Kid, 681 reputation)

Group: General Forum Members
Points: 681 Visits: 723
Good editorial, but you must realize and ultimately accept the absolute truth, proven time and time again throughout history - Anything that can be built, can be un-built.

If you waste your time in the panacea that somehow, some Wizard is going to come up with something that is so secure and yet accessible to those who need it, you are kidding yourself.

Think years back to Oracle 9i. Larry Ellison released 9i and touted it as "unbreakable". In less than 24 hours it had been broken. What did Ellison do? Issued a fix and charged people for it (good lesson in how to get wildly rich, but...)

Think about a different approach - How many times have you gone to your office during off-hours, broken into the front door, jimmied the elevators, used an axe to break down your company's office door, and then stolen a box of paperclips? (I hope the answer is "none".)

Why don't you do that? Because you would likely wind up behind bars. And THAT is the answer. Make it SO painful for hackers that it isn't worth the risk.

Think about it - there used to be a company called Arthur Andersen. During the Enron debacle they lied, shredded documents and a number of their staff were caught, sent to jail, slapped with huge fines, and it all brought down the company (which re-emerged later as Accenture). But they don't do the "Enron" shuffle anymore. They learned a lesson.

Catch a few hackers, put them away for a very long time, and make it as public as possible. Do that and you would see a huge drop in hacking.

Whereas sitting around waiting for some unbreakable piece of code only inspires hackers to show you just how breakable ANY code is.

There's no such thing as dumb questions, only poorly thought-out answers...
roger.plowman (SSCommitted, 1.6K reputation)

Group: General Forum Members
Points: 1602 Visits: 1292
We talk as if we know what security is, and this is a grave mistake. Sure, for any given problem we know how to secure against it.

The problem is, security *isn't* one problem, it's a googleplex of problems, each feeding on another to spawn millions of new ones.

There are certain broad practices (like encrypting passwords, Sony I'm looking at you!) but by and large a program is an unprovable mathematical construct with an astronomical number of possible code paths.

The problem is we're trying to secure against the "unknowable unknowns". We can handle the known problems, and even the known unknown problems, it's the unknown unknown problems that new hacks are made of.

And you will *NEVER* secure against those.

Having said that, most hacks are incredibly lame, and yes, we should have better solutions against those. Of course it would help if SQL Server was less mind-numbingly complex...
Michael Valentine Jones (SSCertifiable, 7.8K reputation)

Group: General Forum Members
Points: 7754 Visits: 11793
I doubt more regulations would do any good.

Any new regulations are likely to be written in such a way as to increase the profits of various vendors selling security consulting services and software with very little impact on the actual problem (SOX anyone?). Kind of like welfare for Accenture.
Eric M Russell (SSCoach, 17K reputation)

Group: General Forum Members
Points: 17006 Visits: 10949
I think that more regulation is needed. There are specific software and database design patterns that for decades have been known to be security vulnerabilities, and yet they continue to be repeated. How is it possible that the website for one of the largest banks in the US could be hacked simply by tampering with the browser URL?
Damn, this is 2011 not 1995; are we still developing data access frameworks for websites from scratch without following a standard design pattern? It's time we stopped treating Information Technology as if it were some magical realm that can't be regulated like other industries. For example, building codes specify how plumbing should be installed and what type of pipe materials are allowed. Thank you. The FDA bans certain medical procedures that have proven ineffective and high risk. Thank you again.
"Citibank hacked. By changing account numbers. In the URL":
"Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar..."

http://channel9.msdn.com/Forums/Coffeehouse/Citibank-hacked-By-changing-account-numbers-In-the-URL


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
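The design flaw Eric describes above (a record identifier taken from the URL and looked up without checking that it belongs to the logged-in user) is the pattern usually called an insecure direct object reference. The example below is added here to illustrate it; it is not code from the thread or from Citibank, and the `accounts` table, the `session_user_id` parameter and the sample rows are all constructed for the demonstration. It shows the lookup the way a hand-rolled data access layer often writes it, the same lookup with ownership made part of the query predicate, and a small isolation check of the kind a reviewer would run against both handlers before release.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, three accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "  account_id INTEGER PRIMARY KEY,"
        "  owner_id   INTEGER NOT NULL,"
        "  balance    REAL    NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (account_id, owner_id, balance) VALUES (?, ?, ?)",
        [(1001, 1, 250.0), (1002, 1, 90.0), (2001, 2, 5000.0)],
    )
    conn.commit()
    return conn


def get_account_vulnerable(conn, session_user_id, requested_account_id):
    """The flawed pattern: the identifier from the URL is the only key.

    Parameterised, so it is not SQL injection; the bug is that nothing ties
    the row to the authenticated user, so any valid account_id is served.
    session_user_id is accepted but never consulted.
    """
    return conn.execute(
        "SELECT account_id, owner_id, balance FROM accounts WHERE account_id = ?",
        (requested_account_id,),
    ).fetchone()


def get_account_hardened(conn, session_user_id, requested_account_id):
    """The corrected pattern: ownership is part of the predicate.

    session_user_id must come from the server-side session, never from the
    request.  A row that exists but belongs to someone else yields the same
    None as a row that does not exist, so the response does not reveal which
    account numbers are valid.
    """
    return conn.execute(
        "SELECT account_id, owner_id, balance FROM accounts "
        "WHERE account_id = ? AND owner_id = ?",
        (requested_account_id, session_user_id),
    ).fetchone()


def isolation_holds(conn, handler) -> bool:
    """Release check: for every user and every account in the table, the
    handler either refuses (None) or returns a row owned by that user."""
    users = [u for (u,) in conn.execute("SELECT DISTINCT owner_id FROM accounts")]
    accounts = [a for (a,) in conn.execute("SELECT account_id FROM accounts")]
    for user in users:
        for account in accounts:
            row = handler(conn, user, account)
            if row is not None and row[1] != user:
                return False
    return True


if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler isolates users:", isolation_holds(db, get_account_vulnerable))
    print("hardened handler isolates users:  ", isolation_holds(db, get_account_hardened))
```

The point of `isolation_holds` is that the ownership property can be checked mechanically in a unit test against the real data access code, rather than relying on each page author to remember the second predicate; that is the kind of "standard design pattern" the post is asking for.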
Loner (SSCarpal Tunnel, 4.2K reputation)

Group: General Forum Members
Points: 4212 Visits: 3354
Citibank outsourced their IT department to India. Poor coding and poor testing result in hacking.
They deserve what they get.
My advice is not to do any business with Citibank.
ray.rathburn (Forum Newbie, 3 reputation)

Group: General Forum Members
Points: 3 Visits: 30
I agree that regulation directing the how would not be effective. What is needed is to make data security a personal priority for CEOs and Boards of Directors. When they have a personal interest in good data security, the necessary resources will be provided to those that can actually do something about it. Maybe 10 minutes in jail for each account/record lost would be incentive enough. As someone else said, money is what moves people. So maybe a $1,000 per record fine would work. Until it is cheaper to do business right than to do it wrong, it will be done wrong.

Ray R