Industry IT Security Certification Proposed
Roberto123 writes "The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"
Oh good. (Score:1)
This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.
-Someone who does this for a living
Re:Oh good. (Score:4, Interesting)
This will change nothing, and push us further towards a "Standards and Compliance" posture, and not a real security posture.
-Someone who does this for a living
Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.
Is it any surprise that whenever government systems are audited for security they tend to do so poorly? Security is something that simply has to be right and declaration by fiat won't change what the right thing is. More than most other subjects, it exposes the crippling weaknesses of the top-down authoritarian approach and reveals the strengths of hiring people for their expertise and then listening to them so long as they remain reasonable.
Re: (Score:3)
Organizational types, suits, institution men, whatever you want to call them just love bureaucratic measures of compliance. They honestly believe the world is a better place when you do what you're told because the policy says so, and not when you take action because as a thinking man you can see that it's a reasonable step towards a worthy goal. That way they can measure down to fractions of a percentage point just how obedient you are and sanction you accordingly.
Not quite. Suits like it when government sets a bar because it gives them a bar to aim for, no matter how meaningless that bar might be. When your goal is to defend your company from lawsuits, it helps to have boxes you can check off that can be admitted as evidence. It's not about being "obedient." It's about being able to do what you like, but having a pass in your back pocket that exonerates you in the event of a legal challenge. Vague "best practices" and "reasonable steps" in the eyes of "a thinking ma
Re: (Score:3)
Re: (Score:3)
For what it's worth, I was speaking in terms of an IT worker who must relate to corporate management.
That much was obvious. And as such, I maintain that you're looking at it backwards. You're looking at it from the perspective of an employee, looking up, who's asked to "obey." But the laws themselves are drafted for the benefit of the business owner, who never knows when his employees might screw up, leaving him exposed to legal liability. By codifying practices that business can "certify" against, laws like this put legal tools in the hands of business owners that can shield them from lawsuits. The point
Re: (Score:2)
Well sure, and to clarify, it's not like I'm arguing more laws will be the answer here.
Re: (Score:2)
I was really hoping so, though I have to balance that with how many times I've had to explain such things. Not so many folks are willing to decide "if it doesn't fit the scenario I first conceptualized, perhaps another valid scenario is a better fit"; they'd rather assume you're a moron. So I erred on the side of giving you redundant information.
Re: (Score:3)
Two points here. First of all, any such "risk" is caused by the very same legal system in the form of otherwise frivolous lawsuits that may still succeed. That's the location of the problem and it is there that any solution needs to be applied.
We don't disagree here, yet this is one form of legal solution. It's probably about as effective as the proverbial finger in the dike, but it's one way to tackle the problem.
That's why the security requirements need to start from first principles (bottom-up) and not from authoritarian fiat to meet some arbitrary set of legal requirements (top-down). The former comes from experts in the field who can make a solid case for their position.
To give a recent example of why that isn't sufficient, look at the HBGary hack. [arstechnica.com] These guys were self-proclaimed security "experts," who were summarily stomped by a combination of SQL injection, lousy passwords, lousy encryption, unpatched servers, and social engineering. Some expertise.
Mind you, which is the more likely outcome of this
Re: (Score:2)
My very point is this: suppose there were security regulations that came not from security experts, but rather from politicians. How would that have prevented HBGary from having such glaring flaws? The on
Re: (Score:2)
I think the bigger picture here is the time, money and resources being wasted.
If I want to sell something on the web, I don't need the fucking government telling me I need jack shit for certification. All this does is make me not want to be on the web at all, we have enough financial problems in our lives now, to have to be constantly be fucking with the latest new government regulation. It's literally getting to the point where this fucking war on terror is domestic terrorism in and of itself. Which if en
Re: (Score:2)
And what is "the current legal environment" if not a top-down approach of mandating the way things should be, largely by those who have no expertise in the field of computer and network security? You are actually affirming my point. When speaking of a legal system, obedience is everything because disobedience is severely punished.
You know, it warms my heart to see that most everyone sees through the fact that this is a wasteful scam and the arguments are about why it is a scam.
This gives me hope that we can defeat this proposal the same way we thwarted other unproductive and harmful policies like the DMCA ban on circumvention tools, the Patriot Act and software patents. ...
Damn it.
Re:Oh good. (Score:5, Interesting)
It will raise costs for IT services and create another ecosystem for 'certification holders' to milk.
Reminds me of iso9000..
Re: (Score:2)
And to keep in line with ignorant idiots like Vivek Kundra (National CIO) who talk in meaningless nonsense phrases and don't know what they're talking about and approve $20mm Drupal websites that are half broken, the certification will be $50,000 per person and re-certification every two years will be another $25,000. And practicing technology services without a certification will be punishable by five years in prison.
Re: (Score:1)
Re:Oh good. (Score:4, Insightful)
push us further towards a "Standards and Compliance" posture, and not a real security posture.
There's a reason for that.
Echoing the comments of Microsoft security chief Scott Charney from his Tuesday keynote calling for a “collective defense” of the Internet
The manufacturer of the deeply flawed system at the heart of most security problems wants everybody else to pay for the consequences, so they're lobbying lawmakers. They'd also be pretty happy if it props up a few buggy whip businesses on the way.
What's the bet the certification requirements will read like:
Re: (Score:3)
You will find that a lot of so-called security standards get watered down because Microsoft is unable to comply with them...
For instance requiring AES encryption, Microsoft only implemented that in Windows 2008 and Vista despite it existing for many years on other platforms...
Similarly requirements for removing unnecessary software, Microsoft made it very difficult to remove stuff, so this basic requirement gets dropped too.
Re: (Score:1)
Re: (Score:2)
"First post AND dubs? I must be a god!"
And an E-Standards Compliant one at that!
War Cap (Score:5, Insightful)
As a nation, we are fighting either politically or violently on too many fronts here. We have too many wars going on. To name a few:
Now there's "cyberwar". There should be no new wars until we declare victory or admit defeat on some of the existing ones. Actually when I consider how successful the ones in the (incomplete) list above have been, I think we can save a great deal of time just admitting defeat on all of them. Then, instead of a retaliatory "cyberwar" we can do something rational like secure our systems.
Is that really so much to ask? It'd be easier than what we are doing now.
Re: (Score:3)
Re: (Score:3)
To be fair, we have always been combating these things.. It's just in the last 20 years, media has begun to slap catchy nicknames on them to sell more eyeballs.
Re: (Score:2)
Re: (Score:2)
While I completely agree with you, I feel that you're attacking the problem from the wrong angle. I mean, within our bodies, we may be fighting off multiple infections at once, so there's a biological analogy that perfectly matches the US government's behavior. Not that it's right; the US government is fighting off beneficial bacteria as well as detrimental. But it is entirely possible and logical to fight multiple wars on multiple fronts. Again, I agree that these "wars on existence" should be stopped.
Yeah, but have you looked at these "wars" critically?
Let's take the easiest one to deconstruct: the War on (some) Drugs. Both the drug dealers and the drug users are willing participants. There is no victim. No victim of force or fraud means no legitimate reason to involve law enforcement. Yet law enforcement is involved and the result is that the worst criminal elements have a ready source of black-market funding.
How about the War on Obesity? Personally, I think parents of obese children should be ch
Re: (Score:2)
The immune system within our own bodies is not nearly as stupid, not nearly as psychopathic.
And, I agree, our current behavior does not engender the long-term benefit of the host organism.
Re: (Score:2)
I believe it is unconstitutional as well. I never understood how it is that a Constitutional amendment was required in order to give the government the authority to enact alcohol prohibition, was later repealed, yet somehow the government still has the authority to enact drug prohibition. There seriously needs to be a way fo
Re: (Score:2)
You're unusually well-informed to so unequivocally realize this.
Thanks for that. I feel the same way about you, reading the above. (Well, that is, you've been a friend for a while. :) And as for fluoride, it's a well-known waste product [zerowasteamerica.org] that they somehow convinced the government to purchase. I'm not sure foreign nations are the only sovereign ones needing invasion to save their peoples.
If they did, well that would make them unsusceptible to advertising, radically change the nature of politics, and generally might upset the precious status quo.
I've been married to a Brazilian. She said that her politicians promise "a fridge in every house" even though there's no realistic way to accomplish that. The ones that do (promise
Re: (Score:2)
so there's a biological analogy that perfectly matches the US government's behavior.
Schizophrenia or psychosis?
Re: (Score:2)
Re: (Score:2)
Agree.
The "war on drugs" is a failure. And besides, it violates our civil rights. If someone wants to use drugs, who is the Federal government to tell them that they can't???
It is one thing to provide education and have treatment programs. It is another thing to outlaw personal behavior.
And it is counter-productive. All it has done is created a huge illegal industry. If drugs of all kinds were legal, that industry would be in the daylight, and it could be regulated and taxed, and the proceeds directly used
Re: (Score:2)
But unfortunately no "War on war"
Republicans calling for bigger government (Score:1)
I wonder what company he has stock in that would profit from the increased BS.
About as effective as Sarbanes-Oxley? (Score:4, Interesting)
Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee-jerk response to Enron and has done nothing but drive up costs.
Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.
Re: (Score:1)
Ok. If you're proposing something that will be as good as Sarbanes-Oxley... you probably need to find a better idea. Sarbox was a knee-jerk response to Enron and has done nothing but drive up costs.
SOX wasn't only in response to Enron. There was a wave of massive fraud being perpetrated by CEOs of huge corporations starting near the end of the dotcom boom: WorldCom, Adelphia, Tyco, and HealthSouth were some of the others. Something needed to be done. BTW Enron wasn't some little known company, it had a stellar reputation as one of the most innovative companies in American business (all baloney, as it turned out).
Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.
Apples and oranges. That was a different game, where the villains were the banks, mo
Re: (Score:2)
Good thing that those tight accountability rules prevented the massive credit / derivatives bubble.
Apples and oranges. That was a different game, where the villains were the banks, mortgage companies, Wall Street traders and ratings agencies.
It wasn't the same thing, but there are some important similarities. In both cases the responsible parties misrepresented their real risk exposure and they were then caught with their pants down when the market turned against them. In the case of mortgage brokers there was pretty clearly outright fraud; people lying on their applications at the broker's suggestion, etc. Presumably better "corporate governance" should have prevented that, but it didn't.
As far as the ratings agencies go... yeah... why th
horrible idea, but I bet the lawyers love it. (Score:1)
Re: (Score:2)
It's also driven new companies away from going public, because the requirements are less onerous on privately held companies.
I agree with you entirely. If this is what they're using as an example of what we're facing, this idea needs to die a swift death.
what I've learned from the I.T. industry... (Score:5, Insightful)
All "certifications" are scams at some level. Some worse than others, but at some point it's about wanting to get your money while doing very little. It will create a nice new market for testing centers, book writers and publishers, and study material makers, but will ultimately do very little. Think how much Microsoft Certified Engineer....
Re: (Score:2)
yup. rtfa... It's a different certification, it's still a scam.
Re: (Score:1)
Agreed. I've been in the business 30+ years. I've taken the certs for fun (company pays for them and thought they would impress me) and passed all of them and no, they didn't impress me. I tell people none of the certs impress me with the possible exception of CCIE.
Re: (Score:2)
Re: (Score:2)
The problem with MCSE and other similar vendor-provided certifications is that a product vendor is absolutely the wrong entity to be providing such certifications...
If they made the certification hard, then few people would pass it resulting in few people in the industry certified to use their products, bad for sales.
On the other hand if they make it easy, then they have more "certified" people out there helping them sell their products.
another boondoggle? (Score:4, Funny)
Hey, I bet HB Gary will want to get a piece of this action!
Has half a chance of being useful-- (Score:2)
The risk is that they provide a "get out of jail free" card, where complying with a set of minimal standards absolves an organization of liability and/or blame.
Re: (Score:2)
The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.
I think a certification could work similarly. If whatever's being protected (for e
Re: (Score:2)
The "get out of jail free" card already exists in some situations. HIPAA and HITECH set forth huge penalties for losing track of personal medical data, unless that data's on an encrypted device, sufficiently separated from whatever makes it personal, or a few other exemptions I don't remember offhand. It makes sense to me. If the information can't be accessed or linked to any particular person, losing it really doesn't matter.
I think a certification could work similarly. If whatever's being protected (for example, storing usernames and passwords) is sufficiently mitigated by the minimum certification requirements (such as using a strong hash with a salt everywhere the password's kept), then it might be just fine to escape liability. If nothing else, being able to cut some liability provides a nice boost to the cost/benefit analysis, so the managers will decide it's worth the cost to follow decent security practices. Again, that's only if the minimum is sufficient for the situation.
I really want to believe that it would work out as you describe.
However, experience teaches me that the well-funded guy in an expensive suit who can put on a compelling presentation will lobby the decision-makers to make certain that any requirements are thoroughly divorced from realistic practices that truly yield better security.
Unfortunately we do not live in anything like a meritocracy. Becoming one of the decision-makers means knowing the right people, knowing on which side your bread is buttered, say
Re: (Score:2)
Meritocracies do not exist, so it cannot be "unfortunate", any more than it being "unfortunate" that there are not endless supplies of candy for everyone.
Meritocracies are impossible. And considering that "merit" is a highly subjective measure, that might be a very fortunate thing.
Sometimes, reliable imperfection is preferable to an unreliable ideal. (Think: "Free Market")
Sarbanes-Oxley success??? (Score:3)
Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").
Re: (Score:2)
"holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley"
Sure. Ask all those shareholders left holding the bag of excrement at Lehman Brothers, Countrywide Financial, GMAC, Wachovia, CitiBank, ... even though the SarbOx forms were filled out and signed by the respective CEO (not one of which has been "held accountable").
Are not the shareholders ultimately responsible for the management they permit and the company in which they have chosen to invest? Note, I don't dispute that CEOs should be more personally accountable for dishonest corporations. They absolutely should. But the CEO is the CEO because the board of shareholders has permitted it.
I fully support this (Score:3, Insightful)
I fully support this - as long as we can hold policy makers to the exact same standards of punishment when things go wrong (like recessions, budget shortfalls, and other issues).
Already happening, (Score:2)
From: http://www.cjr.org/the_audit/audit_notes_hb_gary_federal_ba.php [cjr.org]
For one thing, it turns out that the firms involved here are large, legitimate and serious, and do substantial amounts of work for both the U.S. Government and the nation’s largest private corporations (as but one example, see this email from a Stanford computer science student about Palantir).
and:
And perhaps most disturbing of all, Hunton & Williams was recommended to Bank of America’
privacy too please (Score:2)
Can we have a similar certification for privacy protection, please?
Then we can finally have insight into what big companies like Google and Facebook are doing to our data, by letting them comply to OUR rules, instead of the other way around.
and while they are busy doing that ... (Score:4, Insightful)
... I will be busy building a new wooden fence around my property to keep out flies. I think that I will be about as successful ...
How about a technical fix instead? (Score:2)
I strongly believe that it's possible to reduce the threat of "cyber war" by actually fixing the security problem at its source, our computers and servers. Imagine if it were possible to greatly reduce the number of security holes on the average PC or server. If this were the case, we wouldn't need to have politically motivated filtering and other types of control to "save us" from our own systems.
The internet is just a big network, and while BGP seems to have its issues, with some work they can be solved.
Re: (Score:2)
This idea raises a few questions:
Re: (Score:2)
Lots of interesting questions, which I can't answer (especially at 1:30 am)... the bit about how to ask for capabilities is the part that I'm still fuzzy about... not sure how that would work... mostly I assume they are given at runtime, and that's it, which doesn't cover these cases.
Thanks for the comments, I'll ponder them, and try to build a stronger case for this... we really need to fix this before it gets "fixed" for us in a bad way.
Re: (Score:2)
It's one thing to throw around words like "WE NEED MICROKERNELS!" and it's another thing to actually understand what it is you're talking about.
Re: (Score:2)
I'm not involved in Linux Kernel development, nor am I ever likely to be.
I'm hoping to keep the option in people's minds as a piece of the solution.
I'm trying to make a reasoned argument based on what appears logical to me. Attacking my credentials doesn't affect the validity of this argument.
In a micro-kernel system, the amount of code which runs in privileged mode is kept to the barest minimum to effectively do the job. The linux kernel includes drivers in protected mode, which means that literally millions
Re: (Score:2)
You essentially just described SE Linux / apparmor.
Re: (Score:2)
Yeah... almost... except that SE Linux is a kernel patch, it's not embedded all the way down into everything. It is definitely a step in the right direction.
It's also the way that our applications are written that needs to change as well. They need to stop relying on the ability to perform arbitrary actions.
The tech guys and not some PHB should be signing (Score:3)
The tech guys and not some PHB should be signing this as the PHB can say our systems are fine and have no idea about what state they are in at the time.
Re: (Score:3)
You ARE aware that this will lead to a hotseat game, right? Here's how it works:
PHB: "Sign here!"
Techie: "But ... but ... we're not secure!"
PHB: "Sign here or you're fired!"
Techie: (gulp) Ok... let's hope...
When something happens, Techie gets fired and replaced. Nothing else changes. Start script at line one.
Re: (Score:1)
Re: (Score:2)
What do you suppose said disgruntled techie does after being fired? Keeps his mouth shut?
Let me guess... (Score:1)
The requirement for this certificate will be a series of classes or a test, which in itself requires a 'nominal fee' to take. More bureaucratic nonsense serving no purpose other than to fill the pockets of people who have no clue about what they're actually selling.
Worthless (Score:2)
That's the only word possibly describing such a "certificate". Worthless.
We're talking about an industry that reinvents itself every 3 months. I am neither kidding nor exaggerating. The average turnover of your knowledge is 3 months. 6 months tops. After a year, everything you knew is worthless because the threats are something completely different. There are of course timeless "best practice" rules (never give out passwords, verify your communication partner...), but a step by step guide to the tune of "do
Re: (Score:2)
lolz (Score:2)
No?
How long do you think it will take for them to make one of the certs "Microsoft Genuine Advantage Certified"? A month?
It's reason for IT (Score:1)
So, how far did you guys read? (Score:2)
Okay, show of hands. Who else stopped reading the summary when they hit the word "cyberwar"?
(Okay, I'll admit I scanned the rest of it, but saw "Chertoff" and really stopped reading.)
Sarbanes-Oxley? They cited S-O? (Score:4)
Security in one easy step (Score:2)
That will cover about 90% of it right there
Re: (Score:1)
If instead it delegated the calculations to a shell command (OK, pretend Windows has a unix-like shell), like "dc " + num1 + "+" + num2; then you'd be in the (losing) business of trying to sanitize your inputs.
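The concatenation pattern in the comment above, written out as an added example (not code from the post): the string it would hand to a shell, beside two ways to never let an operand be parsed as shell text at all. The `dc -e` flag is assumed to be GNU dc; nothing here executes a shell.

```python
import re
import subprocess

# Allow-list, not a deny-list: an optional sign and digits, nothing else.
# Rejecting everything outside this shape is what replaces "sanitizing".
INTEGER_RE = re.compile(r"^[+-]?\d+$")


def unsafe_command(num1: str, num2: str) -> str:
    """Builds the command string the post describes. Operands are pasted
    straight into text that a shell would parse, so whatever they contain
    becomes part of the command line. Returned for inspection, never run."""
    return "dc " + num1 + "+" + num2


def validate_operand(value: str) -> int:
    """Accept only a plain integer literal; anything else is refused outright
    instead of being escaped or cleaned up."""
    if not INTEGER_RE.match(value):
        raise ValueError(f"operand is not an integer: {value!r}")
    return int(value)


def add_in_process(num1: str, num2: str) -> int:
    """The straightforward fix: do the arithmetic in the program. There is
    no shell, so there is nothing to inject into."""
    return validate_operand(num1) + validate_operand(num2)


def safe_argv(num1: str, num2: str) -> list[str]:
    """If an external tool really must be called, pass an argument vector
    with no shell in between: each element reaches dc as one literal
    argument, and validation guarantees dc sees only digits anyway."""
    a, b = validate_operand(num1), validate_operand(num2)
    # GNU dc evaluates the RPN expression given to -e; "p" prints the top.
    return ["dc", "-e", f"{a} {b} + p"]


def run_argv(argv: list[str]) -> str:
    """Execute an argument vector without shell=True. Only useful where dc
    is installed; the in-process version above needs nothing external."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print(unsafe_command("2", "3"))        # the fragile string: dc 2+3
    print(add_in_process("2", "3"))        # 5, computed without a shell
    print(safe_argv("2", "3"))             # ['dc', '-e', '2 3 + p']
    try:
        add_in_process("2; echo x", "3")   # constructed bad operand
    except ValueError as exc:
        print("rejected:", exc)
```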
How about Leaving Everyone the fuck alone (Score:1)
How about the government (and its little FCC dog too) getting away from our networks and infrastructure, and leave people the fuck alone so we can try to survive this monetary terrorism, without all this fucking disruption and uncertainty of the future.
Fucking government better go after the banksters before the people rise up and go after this fucked up government since there's no jobs left except murder and war!
Re: (Score:2)
Coming From Microsoft .. (Score:4)
No patents will be enforceable when it comes to implementing Microsoft's proposed "collective cyberdefence".
And then... (Score:2)
They start mandating that any computer that can read or write to an arbitrary area of RAM or storage is a security tool, only to be sold to certified professionals. The rest will be sold something even more strictly controlled than the iOS devices, and if found jailbroken will be prosecuted as if trafficking in military grade hardware.
The corporations will be happy, the big brother government will be happy, the rest "fuck em".
Terrific! (Score:2)
Much in the same way a PMP certification ensures you get great project management, an IT security certification will ensure we have excellent security professionals out there.
Re: (Score:2)
And even if:
1) The certification meant something
2) The certificate holder was competent
3) The certificate holder has the actual chops, beyond the certificate
You will still have problems if you do not give them the time and resources to get the job they need to get done. Too many places do the equivalent of handing an engineer a shovel, saying "build me a bridge". Or, sadly, handing their draftsman a pile of sticks and some baling twine and saying same.
Reality Bites (Score:1)
Chertoff - Backscatter radiation scanners redux? (Score:2)
Is this the same dude who got rich by forced irradiation of the flying public by the TSA (which he recently led)?
ISO paper chase (Score:2)
I smell another ISO paper chase brewing. A standard will be created and then there will be a surge of meetings, documents prepared, more meetings, certification classes, more meetings, etc. They will follow the standard on paper without knowing what it means in actual implementation.
If my previous experience with ISO holds true.
If Corporate America can fool the IRS... (Score:2)
There is absolutely no evidence to support the hypothesis that Corporate America will not try to find a way to evade or defraud any regulatory requirement or "business standard" that costs them so much as a zinc penny.