Security Regulations

  • I much prefer a voluntary, industry-sponsored approach. If you want to play with the big boys, here are the rules.....

    The trouble with govt. regulations, even voluntary guidelines, is that they tend to morph into requirements with penalties for failure to comply. (Remember - Social Security? Supposed to be voluntary. My son has a SSN and he's not even born yet).

    While you (and I) may be impatient for the market to get it done, I believe the result is much more robust and tenable than anything the govt. can do. Simply put: how is Amazon (or google) doing in the Wild-wild-West of the internet? How many start-ups are there? How about TJMaxx? Those that believe in the market, and respond to it, stick around. Those that don't tend to vanish.

    Let's apply the same thing to security standards. Establish standards. Make them clear, and let folks test themselves. Let some security company start selling certificates indicating "verified" compliance with an industry standard.

    There have got to be tools out there to help. Heck, even Belarc Advisor is a good start.

    Jim

  • GSquared (3/17/2010)


    If there's to be government-induced security on the internet, I'd rather see it in terms of encouragement than regulation.

    If, for example, antivirus software were tax-deductible, for both corporations and individuals, that would be better than some complex set of rules on whether your computer should be allowed to connect.

    Set up a certification standard, allow private companies to create sites that will test your computer for compliance, and if you pass certification every month or every quarter or whatever, you get $1000 off your tax bill, or added to your refund. Companies like Symantec already have sites that will test this stuff for you.

    Would almost certainly result in a lot more secure computers. Wouldn't get everyone, but nothing will.

    I like this idea.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Ben Moorhouse (3/17/2010)


    technophobe parents not wanting their kids to risk having their household fined.

    Is it technophobe parents, or cautious parents trying to protect their children?

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • john.campbell-1020429 (3/17/2010)


    Just going over my lecture notes on Citizenship in the Nation, which deals mainly with the US Constitution I somehow failed to find any reference to the federal govt.'s authority to regulate my computer. Please let me know which Article or Amendment this is so that I can point it out to the guys, since it sounds like they really need to know this.

    Somehow I am a little skeptical of some "political entity" making rules for me to follow, for my own good. How many of us have seen the truckloads of money going down the drain for government-regulated policies that we have to document and follow, and how easily they are circumvented..... Anyone ever work in a place where credit card numbers were kept because "Accounting needed the information"???

    John.

    No article or amendment necessary. That is why they start out as bills and then get voted on to become law.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Steve Jones - Editor (3/17/2010)


    ...

    It's not a police force that's demanding to get into your house/company/computer. I certainly don't want anyone to have rights to connect or view what's on your computer. But if you can't safely interconnect, or safely compute, perhaps you shouldn't be causing issues for the rest of us.

    I would also agree that we should disconnect or penalize anyone that is maliciously causing issues, but what about those that unintentionally do it? I think that is the intention of the proposal. Require standards for interconnection, which in this case, include having some type of firewall.

    BTW, a firewall dramatically cuts down on any internal vulnerabilities being exposed.

    I agree on these points. Part of government and police is to serve and protect. I may have the right to not protect my computer or freedom of speech. However, that right does not extend to the willful endangerment of somebody else (i.e. yelling Fire in a crowded theatre). By getting on the internet with an unprotected computer, can it not be akin to willful endangerment? My time is valuable and fixing corruption on somebody else's (which recently just consumed several personal hours) computer is pretty close to willful endangerment to me.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • I agree with the industry-wide best practice solution and certification arguments. The free market has done fairly well guarding against problems. There's no Utopian solution. Security takes vigilance. Taxing (aka fining) doesn't create vigilance.

    As soon as Congress creates a nice slow-moving bureaucracy to set IT standards, then all people have to do is comply with the standards. Then the hackers find their way around the standards. But the companies are "in compliance." Commercial enterprise has been much more effective at policing itself. For instance, PCI DSS are private standards.

    The few things the government does OK at, it doesn't do efficiently. 50% of every dollar you make is taxed. 35% of every dollar you spend goes to corporate taxes or compliance with government regulations. Companies don't pay those costs, consumers do.

    And as far as the federal government is concerned, the Constitution no longer exists. They are trying to pass health care in the House without voting on it. Congress recognizes no limits on its power.

  • I like that idea also

  • Kevin Wood-419472 (3/17/2010)


    I agree with the industry-wide best practice solution and certification arguments. The free market has done fairly well guarding against problems. There's no Utopian solution. Security takes vigilance. Taxing (aka fining) doesn't create vigilance.

    As soon as Congress creates a nice slow-moving bureaucracy to set IT standards, then all people have to do is comply with the standards. Then the hackers find their way around the standards. But the companies are "in compliance." Commercial enterprise has been much more effective at policing itself. For instance, PCI DSS are private standards.

    The few things the government does OK at, it doesn't do efficiently. 50% of every dollar you make is taxed. 35% of every dollar you spend goes to corporate taxes or compliance with government regulations. Companies don't pay those costs, consumers do.

    And as far as the federal government is concerned, the Constitution no longer exists. They are trying to pass health care in the House without voting on it. Congress recognizes no limits on its power.

    This is all fine and dandy, but this isn't up to the US government. Remember - there are a couple of users sneaking in from what I think we call "other countries". Making this a governmental responsibility means that all of a sudden there will be hundreds of standards (each government will come up with their own), murky jurisdiction, and that will drive up cost (of establishing and coordinating standards, never mind enforcement and prosecution).

    As to the government here in the US - they're already itching to start taxing and metering access. How about we not precipitate them instituting that (for no value whatsoever, since they won't be able to keep up or enforce these standards)?

    There are already enough "chefs in the kitchen" - how about we not institute another (especially one with a track record as a bully)? Let the ISPs enforce their own access policies.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Why not a security standard, voluntarily supported and independently verified, such as Verisign does with SSL certificates?

    I recently found out in security that NIST is for sale; that is, security hardware vendors are paying for fancy implementation shallow standards.

    I don't see how regulation will stop the VA from hiring an idiot to be a data analyst; I also don't think I should pay taxes, as Microsoft suggested, to police software virus distributors using a security company issued HTTPS and Visa and Mastercard authorization gateway. I know that if SET algebra is required for a personal data analyst, the probability of an idiot doing the job is limited.

    Verisign, Visa and Mastercard are negligent every time the Internetsecurity2010 virus forces a user to spend money. Where are the class action lawyers when they are needed?

    Kind regards,
    Gift Peddie

  • CirquedeSQLeil (3/17/2010)


    No article or amendment necessary. That is why they start out as bills and then get voted on to become law.

    Really? So the Government tomorrow can abridge your right to Free Speech simply because they want to? They can mandate that if you criticize their actions you can be thrown in jail for life? They can demand that you turn over your home to a more needy family because they deem it too large for your personal use?

    If not, why not?

    I think you fall afoul of Amendment 10:

    Amendment 10 - Powers of the States and People. Ratified 12/15/1791.

    The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

    The Constitution is a LIMIT on Federal (and in some cases State) power. Any power not specifically mentioned in the Constitution as being granted to the Federal Government can NOT be exercised by the Federal Government. Just because you make a Bill and make it law does not mean it can be enforced upon the Citizens of the United States (though more and more often in the last 100 years, this has been done anyways). Each Bill must derive legitimacy from a specifically granted power in the Constitution. Any Bill that attempts to circumvent this risks being found unconstitutional and nullified by the States or the Supreme Court.

    The only chance a Bill of this nature would have would be under the Interstate Commerce Clause (arguably THE most abused power in the document).

  • If each CIO (or equivalent) were required to sign a statement on a 10-K that current patch levels had been met as of the document date, I suspect that more publicly traded organizations would take a more vigorous approach to patch management and IT risk assessments.

  • John Langston (3/17/2010)


    If each CIO (or equivalent) were required to sign a statement on a 10-K that current patch levels had been met as of the document date, I suspect that more publicly traded organizations would take a more vigorous approach to patch management and IT risk assessments.

    You know, I like that idea a lot. I am fighting to get a standardized patching process implemented. The previous regime felt it unnecessary to patch. And when they patched it was spotty. If the CIO was signing on the 10-K that it was done and their neck was on the line, it sure would clean up a lot of that kind of mess.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • CirquedeSQLeil (3/17/2010)


    Ben Moorhouse (3/17/2010)


    technophobe parents not wanting their kids to risk having their household fined.

    Is it technophobe parents, or cautious parents trying to protect their children?

    I think you took my comment out of context.

    We're talking about fining people for not maintaining the security of their machines. By technophobe parents, I meant parents who simply don't understand how the security should be implemented.

    Please don't get me started on protecting children - I go to great lengths to educate and protect my kids whilst encouraging them to use computers and the internet.

  • GSquared (3/17/2010)


    If there's to be government-induced security on the internet, I'd rather see it in terms of encouragement than regulation.

    If, for example, antivirus software were tax-deductible, for both corporations and individuals, that would be better than some complex set of rules on whether your computer should be allowed to connect.

    Seems pretty sensible to me - any kind of government regulation would be more likely to reduce than increase security, because (a) whatever was designated by the regulations would be assumed to be enough at the same time as becoming the main target for malware and (b) when government is allowed to regulate (as opposed to the legislature being allowed to legislate) we know, from experience, that it will generally screw up.

    Set up a certification standard, allow private companies to create sites that will test your computer for compliance, and if you pass certification every month or every quarter or whatever, you get $1000 off your tax bill, or added to your refund. Companies like Symantec already have sites that will test this stuff for you.

    I hope this doesn't happen. Outfits like Symantec (named only because you named them and because I regard them as typical in the field) or most of the others in this field would treat such a system as a license to print money, and certification would be run with the sole objective of deriving maximum profit out of the certification procedure: security would be a non-issue (this is perhaps quite proper, since each company's duty is to benefit its shareholders, not to do public good, but it does nothing to secure the internet).

    Would almost certainly result in a lot more secure computers. Wouldn't get everyone, but nothing will.

    Would it really get more than is already achieved by the 60-day Symantec or Whoever "free" license provided with just about every retail PC package, with all its renewal nagware?

    There are several fairly decent outfits which already provide freeware AV and anti-spyware (AVG, Spybot S&D, and so on and so forth), but you can bet quite safely that no one selling certifications would let their certification program take account of any freeware installed. So the likely effect is to take good and effective freeware out of the system and push second-rate proprietary AV in, reducing overall security (for example, I don't regard a system that doesn't run Spybot S&D - or something else as good - as secure at all: I've known it detect trojans that even Trend missed, and Trend is maybe the only big name I trust in this area, and it provides a few nice features that most of the commercial outfits don't bother with).

    Tom

  • Joshua M Perry (3/17/2010)


    Whether they realize it or not, most large companies are already following government guidance for security compliance - anyone ever hear of ITIL? That is the guidance that has been coming out of the UK's OGC for about 25 years now. And most large companies have been using it for at least the last 15 years, even if only because their software vendors have been using it. The Microsoft MOF makes heavy use of it. I'm not advocating for forced regulations, but ITSM and governance is one thing that government actually has figured out and implemented quite well. Most governmental organizations will never be bitten by a bad security patch because they use lifecycle management and actually run the patch through development and test environments before dropping the patch into production. I can't say the same for most of the Fortune 500 companies I've worked at, but they are getting there as they adopt ITIL. I'm convinced that if companies simply implemented ITIL, there wouldn't be a need for government regulation. And there is no excuse for not implementing best practices with so much guidance available - http://technet.microsoft.com/en-us/library/bb687798.aspx

    In my last job, I spent some time trying to get ITIL accepted. It didn't go anywhere, unfortunately. Our leading sysadmin left the company (despite having been offered the D. Ops position) at least partly because she believed strongly in ITIL and couldn't get it accepted in the company. I might agree that if all companies implemented ITIL there would be no need for regulation of companies, but despite being in many ways an excellent place to be, there was no imaginable way my last company was going to implement ITIL, so without regulation you are not going to get every company implementing it.

    Even if we do get most companies implementing it, it won't be very useful: the majority of malware distribution is from home PCs (in robot nets, I guess - surely we can't have that many nasty guys with PCs at home), so company standards are not applicable, even when those home PCs have fixed IP addresses and act as http or ftp servers rather than just distributors of email.

    Tom
