U.S. Cybersecurity Report Available

Kaelem writes "Kevin Rose put up a copy of the report Cybersecurity for the Homeland (pdf), due to be released tomorrow. It talks about some interesting things, like expanding the US-CERT website as well as funding for colleges to develop cybersecurity curriculum."
  • by wcitechnologies ( 836709 ) on Monday December 06, 2004 @12:08AM (#11005500)
    More like from the U.S. Department Of We're Not Going To Tell You Anything You Didn't Already Know About Security
    • by canuck57 ( 662392 ) on Monday December 06, 2004 @12:25AM (#11005569)

      More like from the U.S. Department Of We're Not Going To Tell You Anything You Didn't Already Know About Security

      No one cares about security until they get burned. Once burned the battle cry goes for a while and fizzles, as most don't give a rat's ass about security beyond looking politically correct. It is why so many sites and users get hacked.

      And here is a hint, most get hacked from the inside out, that is - some twit loads a spyware or malicious program and claims ignorance when it happens. More like carelessness but management often overlooks it.

      Safe computing is like safe sex, use some precaution and don't be a slut and download everything you can click on.

      • by Anonymous Coward
        Safe computing is like safe sex - you tell everyone else to do it, but when it's your turn you do what's easy and feels good.
    • I doubt that. (Score:5, Insightful)

      by dexterpexter ( 733748 ) on Monday December 06, 2004 @12:48AM (#11005650) Journal
      Really? As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
      A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
      Not all admins are this way, but a surprising number of them are.

      If admins out there honestly knew everything there was to know about security, and administer their system to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
      A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.
      • Re:I doubt that. (Score:3, Insightful)

        by chris_mahan ( 256577 )
        It all comes down to money. Really.

        Would you put a $50,000 alarm system in your $30,000 car?

        Would you pay $300,000 a year to protect your company's data?

        Answer: It depends how much the company data is worth.

        For a lot of companies, especially smaller companies, the answer is no. The data might be compromised, but unless they deal with sensitive data whose loss could cause public embarrassment, they will not spend a lot of money to protect it.

        Would you hire a top-notch guy for $130k plus 1 helper at $70k
        • Re:I doubt that. (Score:4, Insightful)

          by dexterpexter ( 733748 ) on Monday December 06, 2004 @06:04AM (#11006391) Journal
          Perhaps not, unless customer contact information was involved, specifically credit card information, addresses, names, etc.

          But in my examples:

          -large university systems
          -health care systems
          -tag agencies

          and such and such. Yes, the protection of that information is extremely important.
          Just think about the information that someone would have on you by compromising just your local tag agency.
          When companies collect and store information about their customers, they owe it to their customers to protect that information.

          But you are absolutely correct in stating that, in most cases, budget is the deciding factor. But it's amazing what good administration can do to counter budget issues. A lot of times, but not always, it is poor administration (again, putting things online out-of-order) and such and such that causes these compromises.

          If a company doesn't want to take extra steps to protect information, they should consider not storing that information on a system accessible to the outside.
      • Contrary to your opinion I find that many self-proclaimed sys/netadms are simply too stupid to think for themselves in the security arena and rely on conferences and seminars to teach them "all they need to know." In reality they know nothing more about security after the conferences and seminars than they did going in and yet they have more confidence that what they're doing is right. You don't have to follow CERT's recommendations to the letter. Frankly I find that many of their recommendations are fla

    • U.S. Department Of We're Not Going To Tell You Anything You Didn't Already Know

      Sure enough.

      But it's kind of like the stupid legal boilerplate language you find in consumer product manuals - you know the kind - don't use this hair dryer in the shower, etc.

      It seems stupid and it is stupid, in the sense that most knowledgeable sysadmins know what to do and what not to do. Whether they can enforce their view upon a user base of upper management downloading spyware and given an onerous workload that preven

  • by ProfaneBaby ( 821276 ) on Monday December 06, 2004 @12:09AM (#11005508)
    They're definitely focusing on a wide range ... something I didn't expect to see in the report was the DDoS / zombie bot armies:


    Just as 1920s gangsters evolved into organized crime syndicates, a sophisticated command and control network is emerging within the Internet with agreed-upon boundaries of control and "gangs" working for a "boss." These modern criminals and terrorists often don't know or meet the crews who carry out the actual cyber attacks, making it even more difficult to track and prosecute them.


    Definitely something worth investigating, just wondering what a few billion in research dollars is going to reveal - hopefully more than "it's a problem that's difficult to fix" report.
    • Unfortunately, their probable solution will be to mandate hardware changes that prevent 'unauthorized' software from running. (And some large IT company such as MS will be in charge of deciding what's authorized, of course). So MS will lock out its competition, and lock everyone in to running vulnerable crap that is in itself the source of most of the zombie armies.
      • They've also identified that much of the problem comes from outside of their jurisdiction, so I'm actually optimistic that their solution won't be that stupid...

        I could see something along the lines of mandated filters on international links, though. Time for MCI and Level3 to break out the lobbying money, else their international business may get much more expensive (can you imagine the peering complications if you have to enforce content filtering at the ISP level?)
    • I don't think they are talking about botnets here. Even to my paranoid mind it seems a bit of a stretch for government agencies to be referring to people who don't patch their machines as "criminals and terrorists".
      • On page 9 (of 41), 2 paragraphs before the prior quote:

        Today, a prime motivation for cyber attacks is money: a high return on minimal investment and a high degree of anonymity. Terrorists or criminals can obtain or launder money across the Internet, typically by disguising their activities through miscreant cutouts. The orderliness and command structure of criminal and terrorist organizations is growing. The anonymous and complex nature of the Internet makes it even more difficult to monitor and track v

        • I guess I was misreading the distinction between the owners of computers involved in botnets and the operators who control them.

          The cynic in me expects some 60 year old grandmother to get arrested, charged, and convicted of cyberterrorism because her computer was involved in a DDoS attack any day now.

          NOTE: Many grandmothers are competent users of computers, just as many geeks shower from time to time, however a stereotype can be a useful communication device.
    • by Saeger ( 456549 ) <farrellj@nOSPam.gmail.com> on Monday December 06, 2004 @12:45AM (#11005632) Homepage
      I'm afraid you're right.

      In order for the control-freaks of the world to keep their socio-economic power, it's in their best interest to turn the open internet into a "Secure Internet" dystopia [fourmilab.ch] where only "Trusted Computing" devices are permitted to communicate.

      As usual, they'll spin total-accountability as a good thing necessary for combating the evil cyber-terrahists, economic pirates, and pedophiles. But I, for one, will NEVER bow to DRM mandated by government and/or pushed by monopoly interests.

      • On the other hand, it's clear that anonymity has both upsides AND downsides (e.g. spam, phishing sites, ...). If both options were available to everyone right now, it would be my guess that a large number of slashdotters would choose to require proper identification for some portion of their internet activity, and choose to frequent anonymous areas of the internet for other internet activity. (for example: do any of us really want a Slashdot with only anonymous cowards and no +2 logins?)

        From a technical p

      • Not to mention the army of open source zealots who will be the ones called upon to create such of a system, or rather, not hack the system to shreds and maintain such of a system. Besides, how the hell are they going to regulate wireless systems? Anyone can make an antenna and broadcast from it for miles around. Even within such of a system, there's huge incentive for corporate espionage and datamining. I really don't think corporations want the internet locked down, unless it's under their power.

        If a
  • by spoonyfork ( 23307 ) <spoonyfork@@@gmail...com> on Monday December 06, 2004 @12:10AM (#11005512) Journal
    References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.
    • I always thought "cyber" was, you know, IM sex...

    • References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.

      This may be very true for you and me, but the majority of the folks pushing papers that make the real decisions for our country need relatable terms.
      • but the majority of the folks pushing papers that make the real decisions for our country need relatable terms

        You're absolutely right. Dictionary.com's first three usage examples for cyber [reference.com] are cyberpunk, cyberspace (Gibson references to be sure), and cybersex. No doubt these terms are relatable to all and well covered by the document in question.

      • the majority of the folks pushing papers that make the real decisions for our country need relatable terms.

        • See Spot
        • See Spot Hack
        • [...]
    • Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.

      A fine and noble sentiment. Do you suppose we could make a beginning here on Slashdot?

    • You are SO [utulsa.edu] right.

      /sarcasm

    • References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity?

      I'd imagine that a lot of people are very interested in "cyber" security - like ensuring the person they are cybering with is actually the sex they claim to be. Especially when they are using an adult vocabulary.

    • We're talking about the same people who thought naming the PATRIOT act gave it some credibility. What a fucking joke.

      Do Americans realise just how pathetically childish your naming conventions/schemes look to the rest of the world? :) "PATRIOT" - hahaha!

    • I'm afraid that ship has sailed. Sorry you weren't invited to the meeting where that term was selected, back in 1990 or so, but it's here and in people's heads, so it's probably not leaving anytime soon. You getting over it is a lot easier and more likely to happen than people selecting a better term.

      But if you want to keep complaining that you don't like their terminology, why don't you toss in a hackers vs. crackers speech, while you're at it?
  • by eeg3 ( 785382 ) on Monday December 06, 2004 @12:11AM (#11005519) Homepage
    Kind of a broad term. Don't most colleges already have courses similar to this? I know my college had something that could fit into that term. Anyone else seen "cyber security classes" at their college?
    • Many certainly don't. Seems like something where the topic would be addressed in many separate classes, but I can't see the importance of a few courses on it.

      You talk about the coding implications when you teach common coding practices (buffer overflows, etc, belong in a C/C++ theory course), you talk about the practical implications in networking style courses, and you talk about the social and realistic implementations in computing ethics courses.

      Build it into the curriculum doesn't mean making a single
      • by dexterpexter ( 733748 ) on Monday December 06, 2004 @12:27AM (#11005576) Journal
        That is very true. Many colleges simply have a few security courses, and that is it.

        But there are some colleges which offer the five major security certifications and offer network security, ecommerce security, network programming, penetration testing, operational security, forensics, enterprise security management, and more courses which basically make up a secondary Computer Science program. Those students still have to learn all of the fundamentals, but also push themselves to learn the security aspects. These courses are also often taught by ex-government workers, ex-hackers, and such. I know of at least one that is also broadening their program to include electrical engineering and hardware aspects as well, so things like biometric sensors are covered in addition to programming databases.

        I was surprised at how many programs there are in the nation which gear into this stuff; unfortunately, it is probably not enough. Most CS or IS programs focus on the theory and some practical implications, but stop at the security implications.
        • I would not be too impressed with an entire curriculum on cyber security ... at least not in a major university (and as a conduit to getting security certifications? I just don't see the role of major universities to be feeders to the CISSP or whatever).

          It would be one thing to have kind of Security specialization but even then you run the risk of having an expiration date on your diploma. It needn't be this way but it's important to have a good basis in the fundamentals so that you can predict (even bet
          • Actually, as I mentioned in another post, the students in these programs must basically double-up duty. They must learn the fundamentals as well as the security aspects.

            The expiration date is true of most majors. I received my bachelors degree in Electrical Engineering and had three years of Mechanical Engineering, and beyond the basics, most of the specializations which students take on during their masters study, given technology trends, will carry an expiration date. That is why most college graduate
            • I think we have different notions of typical specializations. The ones I'm familiar with are: AI, HCI, Systems, Theory, and one or two others. Not many, though. And as you can see: nice and broad.

              This is as contrasted to professional type programs, like Berkeley's Certificate in Telecommunications and Network Engineering; this sort of thing: designed to meet an immediate industry need but certainly nowhere near the rigor of a normal Master's program, for example (intellectually).

              So I guess I don't buy
    • by dexterpexter ( 733748 ) on Monday December 06, 2004 @12:21AM (#11005560) Journal
      The National Science Foundation (NSF) and the Department of Defense (DoD) already sponsor Scholarship For Service (SFS) programs like the Cyber Corps to train students in aspects of cyber security with the intention of placing them in government information assurance positions.

      And many colleges are developing Centers for Information Security (CIS), and among those, that is where you see the government encouraging these programs.

      The tag line, I believe, is "Defending America's Cyberspace."

      More information on the SFS program can be found here:
      http://www.sfs.opm.gov/ScholarshipMain.asp [opm.gov]
      • In the meantime cyber security is left up to the private sector via contracts with the government. What I find appalling is the milking of government by these contractors. You've all already heard of Halliburton and KBR milking the government in Iraq, but have you heard of contractors doing that here on US soil, in the IT field where things are supposedly "more efficient?"

        Don't know what I mean? Let's say a bid is requested by government for a specific site security analysis/surveillance. If done right, it
        • What you are describing is a federal crime and would result in severe consequences for the contracting company and their management. Labor charges for federal contracts are audited on a regular basis.
    • considering the amount of security work (dsniff, honeyd, steganography) done at umich by people such as song, honeyman, and provos, it's pathetic that this coming winter semester is the first semester a security-focused class will be offered.

      then again, it's better late than never...
    • by Anonymous Coward
      Yeah, I currently attend Dakota State University http://www.dsu.edu and we have a Computer Security Major & Minor, as well as a Masters in Information Assurance. It was created after 9/11 because the NSA said there was a shortage in computer security professionals. We're recognized by the NSA and both the DoHHS, it's pretty cool, but the courses from the degrees are awesome.
    • Well, I know that Purdue has CERIAS [purdue.edu] (Center for Education and Research in Information Assurance and Security), headed by the almighty Eugene Spafford. We've got a pretty big emphasis on security classes here, including a few undergrad courses in cryptography and secure networks.

      I know that the grad program is much more extensive. If you want to do security research, Purdue is definitely the place to pursue it.

    • I'm not sure if it's a "major" per se, but from what I know, University of Illinois was (one of?) the first to introduce a specific concentration/specialization for cyber security earlier this year.
      • One of, unless I misunderstand you. The SFS program that has been in place at many universities has been around since 2000/2001.

        Although the major is still labeled as Computer Science or a variation thereof, all courses in the masters program are geared toward cyber security.

        Some courses offered:
        --Computer Security
        --Secure Electronic Commerce
        --Enterprise Security Management
        --Secure System Administration and Certification
        --Network Security
        --Computer and Network Forensics
        --Information System
  • Cybersecurity demands a guy with a cybershield to keep our heads from a sploding.
  • by R.Caley ( 126968 ) on Monday December 06, 2004 @12:19AM (#11005553)
    Security advice from people who can't manage a simple press release process. I'm sure you all feel safer already.

    Actually, come to think of it, perhaps incompitence in a secret po^H^H^H^H^H^H^H^H^Hhomeland security department is not such a bad thing.

    • by Anonymous Coward
      Incompetence of the sort that can't spell the word?
    • ncompitence in a secret po^H^H^H^H^H^H^H^H^Hhomeland security department is not such a bad thing.

      I hope that government incompetence pervades the homeland security initiative. They are more of a danger to citizens than terrorists, although I'm sure there will be more and more terrorists in the future, since our foreign policy seems bent on enraging everyone possible. Perhaps the future will not be like 1984, maybe it will be more like Brazil, or better yet, Hogan's Heroes. "I SAW NOTHING!"

  • by amigoro ( 761348 ) on Monday December 06, 2004 @12:21AM (#11005561) Homepage Journal
    1. Assistant Secretary for Cyber security
    2. Budget and Program
    3. Private Sector Outreach and Information Sharing
    4. Risk Assessment and Remediation
    5. NCSD/NCS
    6. R&D and Education

    Why do I see more bureaucracy and less action?

    • Those should be the steps (generally) for most projects.

      A program that doesn't go through budget planning, cooperation with the private sector, risk assessment, remediation, and further research and development, as well as education about the program, is exactly why we have the problems that we do. People complain that programs are pushed and rushed from start to finish without any forethought or planning, and then are critical when that planning goes into place. I suppose people would prefer seat-of-the-
    • Also note the "Private Sector Outreach..." bullet.

      Yeah, that'll bear fruit.

      This is a somewhat unique infrastructure problem as the infrastructure is a shared responsibility and controlled mostly by corporations. Contrast that with security in the physical world: bridges, tunnels, water treatment plants...

      That's probably the first area I'd like to see some progress in: coming up with a mechanism to foster meaningful info sharing b/n corporations that protects their interests within reason (doesn't p
    • From page 7 of the report:

      Unfortunately, the level and detail of planning documents needed to manage the new cyber mission within DHS was not forthcoming. Budget paperwork throughout the fiscal year was vague. It is still unknown whether spending plans and detailed budget execution data exists.

      ...

      Once in place, the Director, a well-respected cybersecurity expert with experience in both the private and government sectors, left the Department after only a year and has not been permanently replaced as

  • the U.S. department of oxymorons...
  • by Anonymous Coward
    That just cut off Orlando from "homeland defense funds" for 2005, even though they get 44 million visitors a year (disneyland, etc).

    The local news is sure pissed off about that. Kinda makes you wonder what their priorities are. Oh wait, Bush got re-elected, I guess the hype is over.
    • That just cut off Orlando from "homeland defense funds" for 2005, even though they get 44 million visitors a year (disneyland, etc).

      Who'd miss it if it was blown up?

    • Yes, the report originated from the DHS, which by function (if not design) is another government oxymoron. This is why, after 3+ years, airline cargo and (port) container cargo are still not inspected, and why there are more illegal border crossings today than before 9-11-2001. Billions (USD $$) more to be spent on a theater missile defense system, but cut back on the Clinton "100,000 more police on the streets" program, and no real additional attention spent on what container cargo comes into our ports. Any countr
  • Keep the Cybermen [wikipedia.org] out!

    Of course, the best way to do this is throw gold dust at them... lots of gold dust.

  • cyberia (Score:4, Insightful)

    by Doc Ruby ( 173196 ) on Monday December 06, 2004 @12:51AM (#11005659) Homepage Journal
    Does it mention why every cybersecurity "czar", starting with Richard Clarke, through this Fall, has quit in disgust? I didn't think so.
  • my 2 cents (Score:2, Insightful)

    by TheLibero ( 750207 )
    PATRIOTISM, n.
    Combustible rubbish read to the torch of any one ambitious to illuminate his name.

    In Dr. Johnson's famous dictionary patriotism is defined as the last resort of a scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. (from The Devil's Dictionary)

  • Can we please shorten this report to two simple words?

    Common Sense

    My career in computing security, which consisted mainly of securing sites for small companies, taught me that much of what is going on is lack of clear policy and common sense.

    Much of what I see missing can be traced back to the lack of a clear, well thought security policy.

    This one document (often not more than a simple statement) is the root of all security related activities within an company or organization.

    I have collapsed and wet my pants while laughing at what I have seen for 'security' at some organizations.

    An example: A company with some of the greatest tools and equipment; firewalls, VPN, the whole works. But with no clear documentation on how to configure what. Everything kept between the ears of the lead sysadmins. If they quit or get laid off (which happens); all this information gets lost.

    Firewall set nice and tight (nothing in at all except VPN and port 80 to a machine on a security island). However, the VPN was configured with shared passphrase that was 'secret' and with no restrictions on what IP can initiate a connection.

    Or VPNs that have proper certificates but with no revocation lists. Road Warrior VPN clients with the passphrase hard coded on the box and not having to be keyed in: Stolen laptop - direct access to company VPN to inside network.

    Or, nice tight firewall and VPN; but with open wireless ports inside (easily reachable from the parking lot or common building lobby or better still, the public cafe on the ground floor).

    What really keels me over laughing is how vendors are allowed free access to the company network. And how that access is not properly terminated upon conclusion of the contract.

    Couple this with no clearly written and fully agreed upon (throughout the entire enterprise) security policy. Easy path to desire.

    Luv you all

    • Can we please shorten this report to two simple words? Common Sense

      Common sense is far less common than is commonly believed ;-)

    • Inside wireless ports? Sheesh, I worked for one well-known company that had a network of 13,000 clients in Europe alone. Because they used 'creative' methods of securing the firewalls and routers (and they couldn't figure how to allow certain types of access), 'trusted' clients had dial-in access that went right behind the firewalls! No VPN or anything. They had employees that could connect over the VPN and just browse out any old how; we found one guy (a manager) managed his own commercial Web site usi
  • by joeljones ( 460126 ) on Monday December 06, 2004 @01:41AM (#11005795) Homepage
    Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the government, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in our security infrastructure read about that scenario is close to zero.
    • Read "Heart of a Soldier" [amazon.com], James B. Stewart's biography of Rick Rescorla, head of security for Morgan Stanley, who died in the collapse of the WTC, after getting everyone in the company safely out of the building. Rescorla's best friend Daniel Hill had written a paper for the US government proposing using a plane to attack a building years before. It's a great and deeply moving read.

    • My life has changed a lot since then, but it has nothing to do with the attacks. I don't really mind the phrase, though, as it makes for an easy filter. Anybody who says something like "everything is different post-9/11", or "security is paramount" is an idiot and should not be listened to further.
    • by dave420 ( 699308 ) on Monday December 06, 2004 @09:06AM (#11006985)
      Seeing as the pentagon was having drills for what to do should airliners be used as weapons against them, and the previous G8 meeting earlier in the year when anti-aircraft armaments were deployed, to defend against rogue aircraft, their claim they didn't know about airplanes==weapons is just pathetic lying.

      For a country that loves democracy so much, America doesn't seem to give a flying shit when their politicians lie. Unless it's about a blowjob, in which case it's TREASON, I tells ya! TREASON!

      Sort it out, America. It's time for torches and pitchforks, and a nice stroll down to Washington DC... Unless you do that, the rest of the world will simply look on and laugh at the mess you've got yourself in ;)

      • Did you follow the last election?

        If Americans gear up with torches and pitchforks, they'll be fighting each other before they even get to Washington.

        It's not that politicians are failing to give the people what they want, it's that they can't even agree on what they want.
        • But it's not going to stop until something happens. The US is in a downward spiral. Patriotism is force-fed into US kids from a startlingly early age. All those flags everywhere, national anthems every time you go to the toilet, US-centric news, sycophantic media, pledges of allegiance, etc. make many, many Americans overzealously patriotic, to a point where unless they have some external influence, they will follow "America" to the bitter end (as they've been instructed to their entire lives). That's w
          • Our media gets too excited with itself and plays things up to be big deals which really aren't. I know this, I expect it. It's the natural consequence of people looking to their news to also be entertainment, and the news giving them what they want.

            It sounds like your news is guilty of the same indulgence. The situation over here is really nothing like you paint it in your first and third paragraphs. If you had decent coverage of our last election, you wouldn't say "These staunch republicans and scared de
  • You asked me. . .

    Here is what I did for one of my clients:

    First thing; Clear security policy. Goes something like this:

    • Company, customer, and vendor information shall be protected to the best extent possible:
      1. Confidentiality - Allow only authorized persons visibility
      2. Integrity - Allow only authorized persons ability to change and keep records and controls on changes
      3. Availability - Ensure that information is maintained despite natural or man made disaster or hostile event
      4. Provenance - Ensure that informa
  • ..or the University of Nevada, Las Vegas already has a computer security curriculum (well, a few classes in the CS dept. from which I have received a degree or two). This includes information security and a general computer security. Also at UNLV is the Center for Cybermedia Research part of which is a computer security research lab.
  • So when do I get my Intrusion Countermeasure Electronics?
  • by syrinje ( 781614 ) on Monday December 06, 2004 @05:17AM (#11006278)
    Very Helpfully(tm), the executive summary says "September 11, 2001, changed the life of each and every American..." as the first sentence in the report. As if we needed to be reminded yet again.

    Just in case the reader forgot this fact while reading the rest of the exec summary, the next chapter, the Introduction, starts with "On a fateful day in September 2001, our lives changed forever as a handful of terrorists proved they had the means to destroy on a level equal to their hatred.".

    Having grabbed the reader's attention, the rest of the report goes on to do the following:
    a. Narrate an administrative history of the establishment of DHS and the cybersecurity divisions within it
    b. Provide Volkswagen loads of justification for the existence of said departments - based on various criteria, all liberally illustrated with suitably scary numbers
    c. Lay the groundwork for greater control and monitoring by the departments of all computing and telecommunication resources in the country, regardless of who owns/operates them
    d. Attempt a definition of cybersecurity - which is a good thing
    e. Provide more Volkswagens full of information designed to prove that legislative and administrative machinery are acting diligently and responsibly along the road to better security. This also absolves the departments themselves from any potential blame in the event of a screw-up - "all our bases are covered"
    f. Throw in some pseudo-wise statements about educating mom-n-pop about how to protect their store computers and generously mention that it will fund education in related matters. Remains to be seen if they will just restructure existing funding, reallocate under a new head and claim a job well done there.

    Not at all the level of analysis, detail or accountability information you'd expect. Of course, John Q. Public is told that his representatives are in the loop, so don't worry, sleep tight. It's almost as if the report was specifically designed to NOT reveal any information. We'd rather not tell you any more, thank you, cuz you and your neighbors might all be security risks.

  • People don't follow basic security.

    At one client our basic security recommendations (get a lock for the server room; install a patch panel in the wiring closet, removing 40+ crimps) took 6 months to happen. Our most advanced recommendation? Move your mail/web servers off-site so you're not allowing inbound traffic, since we know you can't handle a DMZ.

    Residentially... if people would buy a $20 router it would begin to solve problems (which residential ISPs should bundle anyway). The number of times I've
