
Industry IT Security Certification Proposed

Posted by Soulskill
from the measuring-and-documenting-your-weaknesses dept.
Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"
  • by Anonymous Coward

    This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.

    -Someone who does this for a living

    • Re:Oh good. (Score:4, Interesting)

      by causality (777677) on Saturday February 19, 2011 @08:45PM (#35256808)

      This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.

      -Someone who does this for a living

      Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.

      Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.

      • by PCM2 (4486)

        Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.

        Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking ma

        • by causality (777677)

          Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking ma

          • by PCM2 (4486)

            For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management.

            That much was obvious. And as such, I maintain that you're looking at it backwards. You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for the benefit of the business owner, who never knows when his employees might screw up, leaving him exposed to legal liability. By codifying practices that business can "certify" against, laws like this put legal tools in the hands of business owners that can shield them from lawsuits. The point

            • by causality (777677)

              That much was obvious.

              I was really hoping so, though I have to balance that with how many times I've had to explain such things. Not so many folks are willing to decide "if it doesn't fit the scenario I first conceptualized, perhaps another valid scenario is a better fit"; they'd rather assume you're a moron. So I erred on the side of giving you redundant information.

              You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for

              • by PCM2 (4486)

                Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied.

                We don't disagree here, yet this is one form of legal solution. It's probably about as effective as the proverbial finger in the dike, but it's one way to tackle the problem.

                That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position.

                To give a recent example of why that isn't sufficient, look at the HBGary hack. [arstechnica.com] These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.

                Mind you, which is the more likely outcome of this

                • by causality (777677)

                  To give a recent example of why that isn't sufficient, look at the HBGary hack. [arstechnica.com] These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.

                  My very point is this: suppose there were security regulations that came not from security experts, but rather from politicians. How would that have prevented HBGary from having such glaring flaws? The on

                  • by ciabs (1972918)

                    I think the bigger picture here is the time, money and resources being wasted.

                    If I want to sell something on the web, I don't need the fucking government telling me I need jack shit for certification. All this does is make me not want to be on the web at all; we have enough financial problems in our lives now, to have to constantly be fucking with the latest new government regulation. It's literally getting to the point where this fucking war on terror is domestic terrorism in and of itself. Which if en

          • And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.

            You know, it warms my heart to see that most everyone sees through the fact that this is a wasteful scam and the arguments are about why it is a scam.

            This gives me hope that we can defeat this proposal the same way we thwarted other unproductive and harmful policies like the DMCA ban on circumvention tools, the Patriot Act and software patents. ...

            Damn it.

    • Re:Oh good. (Score:5, Interesting)

      by nurb432 (527695) on Saturday February 19, 2011 @08:53PM (#35256844) Homepage Journal

      It will raise costs for IT services and create another ecosystem for 'certification holders' to milk.

      Reminds me of ISO 9000...

      • by Seumas (6865)

        And to keep in line with ignorant idiots like Vivek Kundra (National CIO) who talk in meaningless nonsense phrases and don't know what they're talking about and approve $20mm Drupal websites that are half broken, the certification will be $50,000 per person and re-certification every two years will be another $25,000. And practicing technology services without a certification will be punishable by five years in prison.

    • Thank you for posting your expert opinion on the subject. No doubt you have a long list of credentials validating your immense expertise in all things IT. I wish I could tell but you posted AC. I guess I will just have to move forward with your expertly provided expert knowledge of everything.
    • Re:Oh good. (Score:4, Insightful)

      by ozmanjusri (601766) on Saturday February 19, 2011 @09:46PM (#35257074) Journal

      push us further towards a "Standards and Compliance" posture, and not a real security posture.

      There's a reason for that.

      Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet

      The manufacturer of the deeply flawed system at the heart of most security problems wants everybody else to pay for the consequences, so they're lobbying lawmakers. They'd also be pretty happy if it props up a few buggy whip businesses on the way.

      What's the bet the certification requirements will read like:

      1. Microsoft IIS Server (TM) is current and patched.
      2. McAfee Antivirus (TM) installed and updated.
      3. Microsoft .NET (TM) registered with Microsoft update and verification tool.
      4. All online systems pass Microsoft WGA (TM) checks.
      5. ...
      6. Profit.
      • by Bert64 (520050)

        You will find that a lot of so-called security standards get watered down because Microsoft is unable to comply with them...

        For instance, requiring AES encryption: Microsoft only implemented that in Windows 2008 and Vista despite it existing for many years on other platforms...

        Similarly, requirements for removing unnecessary software: Microsoft made it very difficult to remove stuff, so this basic requirement gets dropped too.

        • by iivel (918436)
          And funny enough, the Microsoft implementation of the Rijndael algorithm still hasn't been verified as FIPS 140-2 compliant - so you have to run 3DES (even on a Server 2008 system). Try enabling it sometime and running a .NET website ... great and useless precompilation messages. HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
  • War Cap (Score:5, Insightful)

    by causality (777677) on Saturday February 19, 2011 @08:40PM (#35256782)

    As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:

    • War on (some) Drugs
    • War on Poverty
    • War on Terror
    • War on Obesity

    Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.

    Is that really so much to ask? It'd be easier than what we are doing now.

    • You're right. America has a bad case of corporate ADHD. We need to cut out the sugar, turn off our computers and TVs, drop a couple tabs of Ritalin and solve one war at a time. We can call it Focus America! Now we just need a Focus Czar.
    • by spydum (828400)

      To be fair, we have always been combating these things... It's just in the last 20 years, media has begun to slap catchy nicknames on them to sell more eyeballs.

    • by Thing 1 (178996)
      While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.
      • by causality (777677)

        While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.

        Yeah, but have you looked at these "wars" critically?

        Let's take the easiest one to deconstruct: the War on (some) Drugs. Both the drug dealers and the drug users are willing participants. There is no victim. No victim of force or fraud means no legitimate reason to involve law enforcement. Yet law enforcement is involved and the result is that the worst criminal elements have a ready source of black-market funding.

        How about the War on Obesity? Personally, I think parents of obese children should be ch

        • by Thing 1 (178996)
          Just finding parallels. Like I said, I agree with you. Many of these wars could be easily solved legislatively: the illegality of drugs is unconstitutional; see the 1920s for the test. The war on obesity can be won by eliminating the government subsidy for the corn growers (HFCS, to spell it out). The war on terror can be won by keeping our troops on domestic soil.

          The immune system within our own bodies is not nearly as stupid, not nearly as psychopathic.

          And, I agree, our current behavior does not engender the long-term benefit of the host organism.

          • by causality (777677)

            Just finding parallels. Like I said, I agree with you. Many of these wars could be easily solved legislatively: the illegality of drugs is unconstitutional; see the 1920s for the test.

            I believe it is unconstitutional as well. I never understood how it is that a Constitutional amendment was required in order to give the government the authority to enact alcohol prohibition, was later repealed, yet somehow the government still has the authority to enact drug prohibition. There seriously needs to be a way fo

            • by Thing 1 (178996)

              You're unusually well-informed to so unequivocally realize this.

              Thanks for that. I feel the same way about you, reading the above. (Well, that is, you've been a friend for a while. :) And as for fluoride, it's a well-known waste product [zerowasteamerica.org] that they somehow convinced the government to purchase. I'm not sure foreign nations are the only sovereign ones needing invasion to save their peoples.

              If they did, well that would make them unsusceptible to advertising, radically change the nature of politics, and generally might upset the precious status quo.

              I've been married to a Brazilian. She said that her politicians promise "a fridge in every house" even though there's no realistic way to accomplish that. The ones that do (promise

      • so there's a biological analogy that perfectly matches the US government's behavior.

        Schizophrenia or psychosis?

    • by Zedrick (764028)
      And the funny thing is that the US is losing all those wars. Perhaps it's time to beg for a ceasefire?
    • Agree.

      The "war on drugs" is a failure. And besides, it violates our civil rights. If someone wants to use drugs, who is the Federal government to tell them that they can't???

      It is one thing to provide education and have treatment programs. It is another thing to outlaw personal behavior.

      And it is counter-productive. All it has done is created a huge illegal industry. If drugs of all kinds were legal, that industry would be in the daylight, and it could be regulated and taxed, and the proceeds directly used

    • by plopez (54068)

      But unfortunately no "War on war"

  • I wonder what company he has stock in that would profit from the increased BS.

  • by rta (559125) on Saturday February 19, 2011 @08:53PM (#35256842)

    Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee-jerk response to Enron and has done nothing but drive up costs.

    Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

    • by Anonymous Coward

      Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee-jerk response to Enron and has done nothing but drive up costs.

      SOX wasn't only in response to Enron. There was a wave of massive fraud being perpetrated by CEOs of huge corporations starting near the end of the dotcom boom: WorldCom, Adelphia, Tyco, and HealthSouth were some of the others. Something needed to be done. BTW Enron wasn't some little known company, it had a stellar reputation as one of the most innovative companies in American business (all baloney, as it turned out).

      Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

      Apples and oranges. That was a different game, where the villains were the banks, mo

      • by rta (559125)

        Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.

        Apples and oranges. That was a different game, where the villains were the banks, mortgage companies, Wall Street traders and ratings agencies.

        It wasn't the same thing, but there are some important similarities. In both cases the responsible parties misrepresented their real risk exposure and they were then caught with their pants down when the market turned against them. In the case of mortgage brokers there was pretty clearly outright fraud; people lying on their applications at the brokers suggestion, etc. Presumably better "corporate governance" should have prevented that, but it didn't.

        As far as the ratings agencies go... yeah... why th

    • I agree. What a horrible proposal this is. Really, the slow, creaky federal government thinks that it can possibly regulate something as dynamic as computer/network security. It's completely laughable. You know what happens when the government and "private" industry get together to regulate, don't you? You get fat-cat, lobbyist heavy companies paying off corrupt politicians to pass rules that benefit them at the expense of everyone else. Beyond this, every company with a computer network will be at the merc
    • by Tridus (79566)

      It's also driven new companies away from going public, because the requirements are less onerous on privately held companies.

      I agree with you entirely. If this is what they're using as an example of what we're facing, this idea needs to die a swift death.

  • by MickyTheIdiot (1032226) on Saturday February 19, 2011 @08:55PM (#35256848) Homepage Journal

    All "certifications" are scams at some level. Some worse than others, but at some point it's about wanting to get your money while doing very little. It will create a nice new market for testing centers, book writers and publishers, and study material makers, but will ultimately do very little. Think how much Microsoft Certified Engineer....

    • yup. rtfa... It's a different certification, it's still a scam.

  • by sribe (304414) on Saturday February 19, 2011 @08:55PM (#35256850)

    Hey, I bet HB Gary will want to get a piece of this action!

  • This might work, if there are actually standards with teeth in them, such as (evolving) PCI standards (PA DSS, PCI DSS) and compliance.

    The risk is that they provide a "get out of jail free" card, where complying with a set of minimal standards absolves an organization of liability and/or blame.
    • by Sarten-X (1102295)

      The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.

      I think a certification could work similarly. If whatever's being protected (for e

      • by causality (777677)

        The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.

        I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.

        I really want to believe that it would work out as you describe.

        However, experience teaches me that the well-funded guy in an expensive suit who can put on a compelling presentation will lobby the decision-makers to make certain that any requirements are thoroughly divorced from realistic practices that truly yield better security.

        Unfortunately we do not live in anything like a meritocracy. Becoming one of the decision-makers means knowing the right people, knowing on which side your bread is buttered, say
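        As an added illustration of the baseline Sarten-X proposes above (a strong, salted hash everywhere a password is kept), here is a small audit routine that checks a credential store against that minimum. It is example code written for this page, not anything from the thread or from any certification body; the record format, the thresholds and the sample store are constructed for the example.

```python
"""Added example: audit a password store against a minimum "certification" baseline
(strong, salted, iterated hash).  Record format and sample data are constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Constructed record format, one per user:  scheme$params$salt_b64$digest_b64
# Assumed schemes: "plain" (cleartext), "md5" (unsalted fast hash),
# "pbkdf2_sha256" (salted and iterated).  Thresholds are assumptions for the example.
MIN_ITERATIONS = 100_000
MIN_SALT_BYTES = 16


def make_record(password: str, iterations: int = 600_000) -> str:
    """Produce a compliant record: random salt, PBKDF2-HMAC-SHA256, iteration count stored."""
    salt = os.urandom(MIN_SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify(record: str, password: str) -> bool:
    """Check a password against a compliant record; refuse non-compliant schemes outright."""
    parts = record.split("$")
    if parts[0] != "pbkdf2_sha256" or len(parts) != 4:
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[1]))
    # Constant-time comparison so the check itself does not leak digest bytes.
    return hmac.compare_digest(actual, expected)


def audit_record(record: str) -> list[str]:
    """Return the baseline violations for one record (empty list means compliant)."""
    parts = record.split("$")
    scheme = parts[0]
    if scheme == "plain":
        return ["cleartext password"]
    if scheme == "md5":
        return ["unsalted fast hash (md5)"]
    if scheme != "pbkdf2_sha256" or len(parts) != 4:
        return ["unknown or malformed record"]
    findings = []
    iterations = int(parts[1])
    salt = base64.b64decode(parts[2])
    if iterations < MIN_ITERATIONS:
        findings.append("iteration count %d below %d" % (iterations, MIN_ITERATIONS))
    if len(salt) < MIN_SALT_BYTES:
        findings.append("salt is %d bytes, need %d" % (len(salt), MIN_SALT_BYTES))
    return findings


def audit_store(store: dict[str, str]) -> dict[str, list[str]]:
    """Map each non-compliant username to its findings; compliant users are omitted."""
    return {user: f for user, rec in store.items() if (f := audit_record(rec))}


# Constructed sample store: one compliant record and three kinds of failure.
SAMPLE_STORE = {
    "alice": make_record("correct horse battery staple"),
    "bob": "md5$5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password"), no salt
    "carol": "plain$hunter2",
    "dave": "pbkdf2_sha256$1000$"  # right algorithm, weak parameters
    + base64.b64encode(b"\x00" * 4).decode()
    + "$"
    + base64.b64encode(b"\x00" * 32).decode(),
}

if __name__ == "__main__":
    for user, findings in audit_store(SAMPLE_STORE).items():
        print(user, "->", "; ".join(findings))
```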

        • by PopeRatzo (965947) *

          Unfortunately we do not live in anything like a meritocracy.

          Meritocracies do not exist, so it cannot be "unfortunate", any more than it being "unfortunate" that there are not endless supplies of candy for everyone.

          Meritocracies are impossible. And considering that "merit" is a highly subjective measure, that might be a very fortunate thing.

          Sometimes, reliable imperfection is preferable to an unreliable ideal. (Think: "Free Market")

  • by clyde_cadiddlehopper (1052112) on Saturday February 19, 2011 @08:57PM (#35256866)
    "holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"

    Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").

    • by causality (777677)

      "holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"

      Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").

      Are not the shareholders ultimately responsible for the management they permit and the company in which they have chosen to invest? Note, I don't dispute that CEOs should be more personally accountable for dishonest corporations. They absolutely should. But the CEO is the CEO because the board of shareholders has permitted it.

  • by the_Bionic_lemming (446569) on Saturday February 19, 2011 @09:11PM (#35256926)

    I fully support this - as long as we can hold policy makers to the exact same standards of punishment when things go wrong (like recessions, budget shortfalls, and other issues).

  • And not for the best...

    From: http://www.cjr.org/the_audit/audit_notes_hb_gary_federal_ba.php [cjr.org]

    For one thing, it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation’s largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir).

    and:

    And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America’
  • Can we have a similar certification for privacy protection, please?

    Then we can finally have insight into what big companies like Google and Facebook are doing to our data, by letting them comply to OUR rules, instead of the other way around.

  • by Zemran (3101) on Saturday February 19, 2011 @09:27PM (#35256990) Homepage Journal

    ... I will be busy building a new wooden fence around my property to keep out flies. I think that I will be about as successful ...

  • I strongly believe that it's possible to reduce the threat of "cyber war" by actually fixing the security problem at its source, our computers and servers. Imagine if it were possible to greatly reduce the number of security holes on the average PC or server. If this were the case, we wouldn't need to have politically motivated filtering and other types of control to "save us" from our own systems.

    The internet is just a big network, and while BGP seems to have its issues, with some work they can be solved.

    • by Sarten-X (1102295)

      This idea raises a few questions:

      • What manages the microkernel keys? Another kernel?
      • What prevents a disk driver from simply asking for the key to use the network?
      • If a filesystem driver gets infected, can any other driver stored on that filesystem be trusted?
      • Will the target micro-kernel validate the keys, or another system?
      • Could an appropriately misrepresenting system overwrite a target system in memory with code of its own choosing?
      • If every kernel call verifies a strong key, what effect will this have on sy
      • by ka9dgx (72702)

        Lots of interesting questions, which I can't answer (especially a 1:30 am)... the bit about how to ask for capabilities is the part that I'm still fuzzy about... not sure how that would work... mostly I assume they are given at runtime, and that's it, which doesn't cover these cases.

        Thanks for the comments, I'll ponder them, and try to build a stronger case for this... we really need to fix this before it gets "fixed" for us in a bad way.

        • I'm sorry to point this out, but how exactly are you involved with kernel development? Do you have any experience or research in the area? Have you bothered to really sit down and take the time to compare what's out there and come up with something better? Have you had academic access to say, view the code in the NT kernel of modern Windows operating systems?

          It's one thing to throw around words like "WE NEED MICROKERNELS!" and it's another thing to actually understand what it is you're talking about.
          • by ka9dgx (72702)

            I'm not involved in Linux Kernel development, nor am I ever likely to be.

            I'm hoping to keep the option in people's minds as a piece of the solution.

            I'm trying to make a reasoned argument based on what appears logical to me. Attacking my credentials doesn't affect the validity of this argument.

            In a micro-kernel system, the amount of code which runs in privileged mode is kept to the barest minimum to effectively do the job. The Linux kernel includes drivers in protected mode, which means that literally millions

    • You essentially just described SE Linux / apparmor.

      • by ka9dgx (72702)

        Yeah... almost... except that SE Linux is a kernel patch; it's not embedded all the way down into everything. It is definitely a step in the right direction.

        It's also the way that our applications are written that needs to change as well. They need to stop relying on the ability to perform arbitrary actions.

  • by Joe The Dragon (967727) on Saturday February 19, 2011 @09:48PM (#35257084)

    The tech guys and not some PHB should be signing this, as the PHB can say our systems are fine and have no idea about what state they are in at the time.

    • You ARE aware that this will lead to a hotseat game, right? Here's how it works:

      PHB: "Sign here!"
      Techie: "But ... but ... we're not secure!"
      PHB: "Sign here or you're fired!"
      Techie: (gulp) Ok... let's hope...

      When something happens, Techie gets fired and replaced. Nothing else changes. Start script at line one.

  • The requirement for this certificate will be a series of classes or a test, which in itself requires a 'nominal fee' to take. More bureaucratic nonsense serving no purpose other than to fill the pockets of people who have no clue about what they're actually selling.

  • That's the only word possibly describing such a "certificate". Worthless.

    We're talking about an industry that reinvents itself every 3 months. I am neither kidding nor exaggerating. The average turnover of your knowledge is 3 months. 6 months tops. After a year, everything you knew is worthless because the threats are something completely different. There are of course timeless "best practice" rules (never give out passwords, verify your communication partner...), but a step by step guide to the tune of "do

    • You're missing the entire point here. The US is primarily a service based nation. Obama knows this because of the high unemployment rate among new college graduates. His recent dinner meeting with Jobs, Zuckerberg and other industry giants is very revealing IMO. I predict that our federal gov is looking to create make-work IT employment boot strapped via bureaucracy. What they won't fucking understand is that this will do the exact 100% pure opposite. It will KILL the level of dynamic change and freedom tha

  • So the very first, and most important certification is: Everything's open source... right? right?
    No?
    How long do you think it will take for them to make one of the certs "Microsoft Genuine Advantage Certified"? A month?
  • The reason for IT is the aggregation of information. The problem is the aggregation of Information. It's like putting all your eggs in one basket. We need a fundamentally new way of aggregating the information and a new way of accessing it. But it will never be perfect as long as we aggregate the information.
  • Roberto123 writes

    "The US can build defenses against 'cyberwar'

    Okay, show of hands. Who else stopped reading the summary when they hit the word "cyberwar"?
    (Okay, I'll admit I scanned the rest of it, but saw "Chertoff" and really stopped reading.)

  • by SlappyBastard (961143) on Sunday February 20, 2011 @12:42AM (#35257710) Homepage
    OMFG . . . when cluelessness attacks. How can anyone say that the post-Enron regulatory framework was anything except a clusterfuck? Show me the goddamned accountability in terms of real jail time.
  • Step 1: don't let your users write/modify your program (e.g. buffer overflows, SQL injection, XSS attacks, URL manipulation, etc,etc,etc)

    That will cover about 90% of it right there
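    As an added illustration of the principle in the comment above (this is example code, not anything from the original post or from Slashdot), the same lookup is written twice: once with user input pasted into the SQL text, once with the input bound as a parameter. The table, rows and the `CONSTRUCTED_INPUT` string are constructed for the demonstration; the `lookup_unsafe` and `lookup_safe` names are hypothetical.

```python
import sqlite3
import html

# Constructed sample data: a two-row "users" table in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn

# The "user modifies your program" case: the input becomes part of the SQL
# statement itself, so a quote in the input changes the query's structure.
def lookup_unsafe(conn, name):
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# The hardened case: the statement text is fixed and the input is bound as
# data, so whatever the string contains it can only ever match a name.
def lookup_safe(conn, name):
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Same principle for output: encode user-supplied text before it is placed
# into HTML, so it cannot become markup or script in the page.
def render_greeting(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

# Constructed input of the classic "always true" shape, used only to show the
# difference in behaviour between the two lookups.
CONSTRUCTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, CONSTRUCTED_INPUT))  # every row comes back
    print("safe:  ", lookup_safe(db, CONSTRUCTED_INPUT))    # no row has that name
    print(render_greeting("<script>alert(1)</script>"))
```

    The unsafe lookup returns every role in the table because the input rewrote the WHERE clause; the parameterized lookup returns nothing because no user is literally named `x' OR '1'='1`. That is the whole of "don't let users modify your program": keep code and data on separate channels, on the way in (bound parameters) and on the way out (escaping).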
  • How about the government (and its little FCC dog too) getting away from our networks and infrastructure, and leave people the fuck alone so we can try to survive this monetary terrorism, without all this fucking disruption and uncertainty of the future.

    Fucking government better go after the banksters before the people rise up and go after this fucked up government since there's no jobs left except murder and war!

    • You mean so corporate overlords can be free to take our money while giving us the illusion of "choice"?
  • by AftanGustur (7715) on Sunday February 20, 2011 @03:21AM (#35258220) Homepage
    To any idea calling for a "collective" something and coming from Microsoft or any of the other big Commercial IT players, I would like to add the requirement:

    No patents will be enforceable when it comes to implementing Microsoft's proposed "collective cyberdefence".

  • They start mandating that any computer that can read or write to an arbitrary area of RAM or storage is a security tool, only to be sold to certified professionals. The rest will be sold something even more strictly controlled than the iOS devices, and if found jailbroken will be prosecuted as if trafficking in military grade hardware.

    The corporations will be happy, the big brother government will be happy, the rest "fuck em".

  • Much in the same way a PMP certification ensures you get great project management, an IT security certification will ensure we have excellent security professionals out there.

    • by CAIMLAS (41445)

      And even if:

      1) The certification meant something
      2) The certificate holder was competent
      3) The certificate holder has the actual chops, beyond the certificate

      You will still have problems if you do not give them the time and resources to get the job they need to get done. Too many places do the equivalent of handing an engineer a shovel, saying "build me a bridge". Or, sadly, handing their draftsman a pile of sticks and some baling twine and saying same.

  • While I am not fond of, or supportive of, Government certification processes, I am sure that anyone working for a non-IT company as a sysadmin knows how seriously (NOT) most of the PHBs take the issue of making sure the company networks are secure. And not just from external Terrorists. I work for a scientific research firm that is run by a bunch of PhDs (the worst kind of PHBs) who have all the answers. Getting them to understand, and act on / pay for, the things necessary to secure our company network
  • Is this the same dude who got rich by forced irradiation of the flying public by the TSA (which he recently led)?

  • I smell another ISO paper chase brewing. A standard will be created and then there will be a surge of meetings, documents prepared, more meetings, certification classes, more meetings, etc. They will follow the standard on paper without knowing what it means in actual implementation.

    If my previous experience with ISO holds true.

  • ...they can certainly fool Homeland Security. I imagine that "certification authorities" in the Cayman Islands capable of ginning up the requisite answers and documentation began organizing even as the breath left Chertoff's mouth as he made that statement

    There is absolutely no evidence to support the hypothesis that Corporate America will not try to find a way to evade or defraud any regulatory requirement or "business standard" that costs them so much as a zinc penny.
