Sony backs U.S. ineffective cybersecurity legislation
Image via Wikipedia
http://www.vancouversun.com/news/Sony+backs+cybersecurity+legislation/5030033/story.html
"If nothing else, perhaps the frequency, audacity and harmfulness of
these attacks will help encourage Congress to enact new legislation to
make the Internet a safer place for everyone," the Sony executive said."By working together to enact meaningful cybersecurity legislation we
can limit the threat posed to U.S. all," he said.
To people like us, IT Audit and InfoSec types, 'control' come in 3 forms
- preventative
- detective
- compensatory
It seems that this legislation focuses on the 3rd and not the first.
It might even be seen to discourage the second.
Related articles
- Sony backs U.S. cybersecurity legislation (canada.com)
- DOD Website Sells Public On Cybersecurity Strategy (informationweek.com)
- Companies To Spend $130 Billion On Cybersecurity In 2011 (teamshatter.com)
- Obama to Introduce Cybersecurity Proposal (circleid.com)
- White House to unveil cybersecurity proposal (theglobeandmail.com)
- What do we need to do to reach "cybersecurity awareness"? (nakedsecurity.sophos.com)
- White House Cybersecurity Plan: What You Need To Know (huffingtonpost.com)
- Microsoft Endorses White House Cybersecurity Plan (blogs.wsj.com)
Vulnerability Management – The Next Fad?
The article is at
http://securitywatch.eweek.com/flaws/vulnerability_management_payoff_requires_roadmap.html
but I find it ominous.
Vulnerability management may be the next big thing in terms of IT
security strategy, but deriving the maximum value out of your efforts
requires hard work and a comprehensive plan, industry insiders
recognize.
Well at least the author admits its not the next "Silver Bullet"!
Speaking at the SOURCE Boston conference this week, scanner maker
Tenable Security's Carole Fennelly outlined some of the best practices
that organizations should observe as they attempt to identify and
remediate security weaknesses that exist throughout their IT systems and
applications.
Well that sounds good, but where does it lead to?
Personally I find it deceptive and not a good use of resources.
At the bottom, its too much like reactive fire-fighting.
We've discussed - or at least some of the more outspoken of us security blogers and professionals - of techniques for compartmentalization, being proactive in protection and using architectural and strategic decisions rather than 'bug-hunting'.
We all know that you'll never find the last bug, but its often easier to build things so that the effect of bugs, or failures, or attacks, is minimized.
What makes me despair though is when the old shibboleths get spouted:
"Organizations need to create asset lists that define their critical
business systems to help prioritize their efforts;
Without wanting to sound like I have it in for Ko-ko and his little list (heck, I have my own to-do list and GTD page), this is still reactive rather than proactive. In the last 15 years I've seen such revolutionary concepts as firewalls and DMZ become accepted by the mainstream, but the we can still see many people "don't get it". As evidence of this I would point towards the PCI documents. Implicit in them is the subtext that there are IT shops that are too stupid (or recalcitrant) to implement very basic good practices without being lead though them by the nose.
... they need to have the
support of different internal groups to create these lists that will
help them mitigate their most critical problems," said Fennelly,
I wonder. Many security practitioners, and I think a lot of IT, would say that the most critical problems are not technical ones but rather have to do with people, management and strategy.
Scanners are useful tools, but they are also the kind of geek toy that can suck you in. This article touches on prioritizing those lists, but I'd say reality is that you have to deal with many things all at once, and getting stuck 'head down' with something like this and dealing reactively with the issues it raises will distract you from the more strategic matter that might just sweep away many of these problems.
Related articles by Zemanta
- Securing the corporation (theregister.co.uk)
- More on PCI and Tiers 1, 2 and 3 (pindebit.blogspot.com)
- Defending the U.S. Cyber Castle: Core Security's Tom Kellermann on Internet Attacks and Obama's Strategy (xconomy.com)
- New "Breach Driven" Compliance Rules for HIPAA (pindebit.blogspot.com)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=42f2594e-fe1d-4c98-8694-487eb8d82155)
Encyclopedia of IT terms
CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional dictionary.
The definition of 'information security' seems limited to access control, which is very disappointing. The definition for 'computer security' is more comprehensive. Never the less, to a security professional both these definitions are lacking.
What screams out to me, and this is very obviously my bias, is the lack of any mention of INTEGRITY in these definitions. As I keep pointing out, if you don't have integrity, any other efforts at security, be it information security, or "Gates, Guards, Guns and Dogs" physical security, be it backup and disaster recovery, be it access control, be it 1024-bit SSL, are all going to be pointless.
Its not until we follow a few links at the Encyclopaedia do we come to a mention of Donn Parker's six fundamental and orthogonal attributes of security is there mention of 'integrity'. Even so, that definition has only a like to 'data integrity'. There is a separate definition for 'message integrity'. While these specific items are important, they are details. What is lacking is a general definition of "Integrity". Once again, Fred Cohen's seminal 1997 article on the importance of Integrity comes to mind.
No, a much better reference is Rob Slade's "Dictionary of Information Security", which, of necessity, encompasses many IT terms.
