Security Regulations

  • Comments posted to this topic are about the item Security Regulations

  • Whilst I agree that on one hand this would reduce the number of viruses and botnets floating around, it would also put a rather large barrier on people connecting to the internet.

    Both with older people not understanding it, and technophobe parents not wanting their kids to risk having their household fined.

  • I find it difficult to believe that anyone would suggest that implementing security is a good idea, whatever one may mean by security. But I guess I look at it this way.

    I wouldn't want my mortgage lender to come up with the detailed plan for wiring my house. I suspect they'd have good ideas, but I'd prefer to leave the details to my own electrician.

    Neither do I appreciate government crafting the plans for computer security, for the reasons that you stated, Steve, and because it's outside the scope of what government is good for... in my humble opinion 🙂

  • For one thing enforcing a 'patch level' for all machines on the internet will be entirely impossible.

    Millions and millions of machines in different countries. Won't happen.

    It's not easy even to accurately identify 'patch level' on machines (even in our corporate LAN there are many discrepancies). And of course, this assumes that everyone is running one of the 'official' operating systems. And what about internet connected appliances? How would you go about patching and checking these? How would you even KNOW what patches were appropriate or needed?

    And relying on user machines for providing safety is inviting problems. The control must be at the gateway to the machines being protected.

    Now as for standards organizations, there is definitely a place for voluntary standards that an organization or company can apply (similar to ISO9001) to assure their customers and others that they have met reasonable standards.

    ...

    -- FORTRAN manual for Xerox Computers --

  • If there's to be government-induced security on the internet, I'd rather see it in terms of encouragement than regulation.

    If, for example, antivirus software were tax-deductible, for both corporations and individuals, that would be better than some complex set of rules on whether your computer should be allowed to connect.

    Set up a certification standard, allow private companies to create sites that will test your computer for compliance, and if you pass certification every month or every quarter or whatever, you get $1000 off your tax bill, or added to your refund. Companies like Symantec already have sites that will test this stuff for you.

    Would almost certainly result in a lot more secure computers. Wouldn't get everyone, but nothing will.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • This is not unexpected. Ninety percent of the "Internet" in the U.S. is privately owned as opposed to when it was born and the federal government was the owner. If businesses were taking care of business (Sarbanes Oxley anyone?) then there would be no need for the federal government to even hint at enforcing IT security.

    There are a large number of NIST documents, all security related, that are worth the perusal. They contain nothing draconian. But as guidelines, many businesses will ignore their content even if they are aware that these documents exist. Yes, Oracle and Microsoft have, in the past, issued problematic patches but I fail to see how that becomes an argument for not patching. I also fail to see the rationale for abdicating "patchiness" to a SANS Institute if the only point in their favor is that they are "private". Private yes, free no.

    DBAs need to be aware of how their role fits into the overall "defense in depth" of their organization in ensuring confidentiality, integrity, and availability of corporate computing resources. Check out NIST Special Publication 800-30 and do your own risk assessment.

    At the end of the day, if business doesn't take care of business, the federal government will.

  • Just going over my lecture notes on Citizenship in the Nation, which deals mainly with the US Constitution I somehow failed to find any reference to the federal govt.'s authority to regulate my computer. Please let me know which Article or Amendment this is so that I can point it out to the guys, since it sounds like they really need to know this.

    Somehow I am a little skeptical of some "political entity" making rules for me to follow, for my own good. How many of us have seen the truckloads of money going down the drain for government regulated policies that we have to document and follow, and how easily they are circumvented..... Anyone ever work in a place where credit card numbers were kept because "Accounting Needed the information"???

    John.

  • What's wrong with a private group offering low-cost or free "certification" of a site. When I was in industry, ISO 9000 was the big thing, and companies jumped to be ISO certified.

    QS9000 (?) for automotive.

    Why not a security standard, voluntarily supported and independently verified, such as Verisign does with SSL certificates?

    No, I don't want government regulations imposed. THAT means more paperwork and overhead than is needed. I would MUCH rather deal with a vendor who proudly displays his "ISS9000" certification on his web site. THEN I would have confidence that the vendor WANTS to be secure, and is willing to take the steps to certify his qualifications.

    Jim

  • While I am all in favor of security, I just don't want government involved in deciding what I can do and cannot do or must do. Remember this is the same government where the IRS took over a brothel in Nevada for back taxes and it subsequently went broke :(. And you want the same bureaucracy to regulate our databases!

    I think the private market will self-regulate itself -- after all you get what you pay for.

    Mike Byrd

  • Jim Lang, I love that idea... I'm assuming you're thinking along the lines of the WCAG stuff for web design?

  • I'm with Jim too, but wouldn't the cert need to include your entire organization's machines?

  • Well if it did follow the same idea as WCAG, you would have a rating rather than a pass/fail.

    So for some companies, a C rating would be fine. Others who hold everything about a person's life might prefer to have an A* rating.

  • 1. Our government could not handle Internet Security effectively. We would probably see far worse security breaches (at least initially and for some time thereafter).

    2. Keeping everyone up on the latest patches? Impossible.

    3. If our government COULD handle security, then privacy rights would definitely be violated.

    5. Who's paying for it???? Don't we have troops deployed, a health care bill debate, and green initiatives???

    4. At my company, we do NOT apply patches immediately, sometimes never. We've had too many conflicts with 3rd party software/drivers where an MS update wreaked untold havoc.

    5. The fact that anyone's contemplating this has me VERY worried.

  • Oops forgot to renumber above.... Good thing I don't work for BBIS (Big Brother Internet Security) - I could have brought down the banking industry...

  • Well, I had to look up WCAG...

    But yes, something like that would be a good start, I think. A couple of 'bots, one on the outside of a network, one inside the firewall, set to "attack" the network, and report vulnerabilities would be a good basic tool, I think. At the very least, a company could self-test to determine their weaknesses before actually spending money on third-party validation.

    Voluntary (company-wise) compliance with security standards, established for the public to review can lead to a lot of peer pressure and a sense that it's the right thing to do. Self-regulation would be preferable to outside, one-size-fits-all regulations that don't quite fit.
