Security Regulations

  • Steve,

    I can't believe you are advocating a police force on the internet! Did you think this through?

    Who is going to comprise the police force? Who is going to police the police? What about cross country borders? Are they going to be able to enforce their fines in a country like Rwanda or is it only going to be the rich industrialized nations that pay these "fines"?

    If you are instituting a police force, why don't they go after the scammers, spammers, and zombie pushers before they start messing with individuals?

    Regards,

    Joe

  • john.campbell-1020429 (3/17/2010)


Just going over my lecture notes on Citizenship in the Nation, which deals mainly with the US Constitution, I somehow failed to find any reference to the federal govt.'s authority to regulate my computer. Please let me know which Article or Amendment this is so that I can point it out to the guys, since it sounds like they really need to know this.

    John.

    Amen. Enumerated Powers Act.

  • Joe... do you realise that the police do prosecute people for what they do on the internet?

    for example : Merseyside Police's High Tech Crimes Unit

  • John and Joe are correct. The government specializes in unintended consequences and removing your freedoms. I'm unwilling to tolerate any more of either in my life let alone my computing systems. Progressive nanny state elitists that think they know better will never be as good a DBA as Steve Jones.

    Ben, there's a difference between protecting my rights by prosecuting criminal activity (the role of government) and dictating what I should or shouldn't do with my property, resources and time (NOT the role of government).

  • I'm not necessarily proposing this, but before you get too upset keep a few things in mind.

We have lots of requirements for interconnections. We require cars to be < xx inches wide, long, high. We have issues with how you interconnect your house to the power grid, and any number of "standards", both for efficient use of common resources as well as safety.

    I'm not saying that you have to patch your machine. I'm saying that it might make sense to say that a machine that contains a security issue, such as an open SMB port, or is vulnerable to some xx issue, be penalized somehow. I'm ok with disconnection from the 'net. Or perhaps some fine levied.

    It's not a police force that's demanding to get into your house/company/computer. I certainly don't want anyone to have rights to connect or view what's on your computer. But if you can't safely interconnect, or safely compute, perhaps you shouldn't be causing issues for the rest of us.

    I would also agree that we should disconnect or penalize anyone that is maliciously causing issues, but what about those that unintentionally do it? I think that is the intention of the proposal. Require standards for interconnection, which in this case, include having some type of firewall.

    BTW, a firewall dramatically cuts down on any internal vulnerabilities being exposed.

  • Great Steve. A tax on open ports. That should take care of everything.

  • Not a tax, a requirement to meet some standard. There's a difference.

  • Welllll

    In PA, you may not drive your car on our roads unless you pass an inspection. Many other states are the same. (And if you drive a car into PA, the State Police can, and have, prohibit you from moving it if it is unsafe).

    So, again, open and public standards can be applied. My ISP has terms of service that imply I must keep safe, though they're seldom enforced. Were I to complain about other users on my network, they might be. (I don't because I don't know about them).

    There is nothing wrong with an ISP requiring you (and you, and you) to meet certain standards else refuse to do business with you. Were there to be business pressure to do so, it could have a real effect.

    The Government doesn't have to do anything. I'd much rather see businesses advertise their standards and live up to them.

    The question of whether it's right or constitutional rarely matters once a law is passed. Better to preempt the potential with real standards that people WANT to live up to.

    Jim.

  • "Regulations are often compromises, which are inherently flawed in achieving their aims, and usually end up causing more problems than they solve."

    I love Steve, but this is a broad generalization that lacks validity.

    When we consider how, when properly enforced, regulations keep our food, water, air, travel, homes, buildings, workplaces, children's products, and consumer products safe, the evidence suggests that the opposite is true. In addition, most experts agree that it was the lack of regulations, or lack of enforcement of existing regulations, in the finance industry that led to the economic breakdown that we continue to enjoy today.

    Like everybody, I have problems with specific regs. But the question isn't are regulations good or bad? The question is where are regs needed and where are they not needed? Where needed, the questions become how best to develop and implement them.

Whether they realize it or not, most large companies are already following government guidance for security compliance - anyone ever hear of ITIL? That is the guidance that has been coming out of the UK's OGC for about 25 years now. And most large companies have been using it for at least the last 15 years, even if only because their software vendors have been using it. The Microsoft MOF makes heavy use of it. I'm not advocating for forced regulations, but ITSM and governance is one thing that government actually has figured out and implemented quite well. Most governmental organizations will never be bitten by a bad security patch because they use lifecycle management and actually run the patch through development and test environments before dropping the patch into production. I can't say the same for most of the Fortune 500 companies I've worked at, but they are getting there as they adopt ITIL. I'm convinced that if companies simply implemented ITIL, there wouldn't be a need for government regulation. And there is no excuse for not implementing best practices with so much guidance available - http://technet.microsoft.com/en-us/library/bb687798.aspx

  • Chris-232075 (3/17/2010)


    I love Steve, but this is a broad generalization that lacks validity.

    Good points. I sometimes get caught up in the "no more government" frenzy at times. Regulations do often make things better in our lives.

It could be a good idea if it was implemented correctly. The problem is that it probably would be another series of complex laws that increase the cost of a project without securing it. People who are motivated will always find a way around fixed regulations, and organizations who are trying to secure their applications will have another useless time and money expense to deal with. Let the marketplace deal with security: whoever allows the breach pays for the breach. That will fix the problem.

  • I sure hope the government doesn't try and take this over also.

    We'll get what we're going to get with ObamaCare:

    Government Health Care: The efficiency of the Post Office, with the compassion of the IRS.

  • As another poster mentioned, anyone interested can start with some of the NIST Special Publications.

    For example, if we look at the path of, say, SSL encryption, we might start at:

    SP 800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations

    In section 4.2, Protocol Selection, we see "... However, using the criteria discussed in 4.1, TLS 1.0 is the only acceptable alternative."

    A few pages later, Section 5.3, Table 3 shows a very explicit list of Cipher Suites which boil down to TLS with DSS or RSA authentication, AES or 3DES private key encryption, DHE, RSA, or DH Key establishment, and a SHA-1 Digest (regrettably not SHA-256, SHA-384, or SHA-512).

    To implement this for SQL Server, which uses SCHANNEL, we can see Microsoft article How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll, which tells us to create a bunch of registry keys called "Enabled" with a DWORD value of 0 under all nonsupported protocols.

Other (upcoming) standards, like SP 800-118 DRAFT Guide to Enterprise Password Management, SP 800-111 Guide to Storage Encryption Technologies for End User Devices, and in many cases SP 800-122 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), may also be of interest.

    Finance and Health Care, at least, have their own special legal requirements.

Security is important. Don't expect it to be cheap. Don't expect it to be easy. Don't expect it to be painless. Don't expect to be able to do it alone. And don't expect it to be finished. Ever.
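The Schannel registry approach the post above describes, worked through as an added example. This is not code from the post, from NIST, or from Microsoft's article (KB 245030, "How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll"); it assumes SQL Server on Windows (TDS encryption rides on Schannel), an elevated PowerShell session, and a reboot afterwards, since Schannel reads these keys at startup. The key and value names are the ones the KB article documents; the allow/deny lists are an assumption that mirrors the 2005 edition of SP 800-52 Table 3 as the post summarises it (TLS 1.0, AES or 3DES, SHA-1, RSA or DH key exchange). Later revisions of SP 800-52 moved to TLS 1.2 and dropped 3DES and SHA-1, so treat the lists as a template for the mechanism, not as current policy.

```powershell
# Added example: applies and audits a Schannel "Enabled" policy via the registry.
# Not from the original post or KB 245030. Assumes an elevated session; reboot after applying.
# Key/value names follow KB 245030 ("Enabled" = 0 disables, 0xFFFFFFFF enables).
# The lists below are an assumption modelled on SP 800-52 (2005) Table 3 as summarised above.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys (relative to $SchannelBase) to disable and to explicitly enable.
$Policy = @{
    Disable = @(
        'Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client',
        'Protocols\SSL 3.0\Server', 'Protocols\SSL 3.0\Client',
        'Ciphers\NULL', 'Ciphers\DES 56/56', 'Ciphers\RC2 128/128',
        'Ciphers\RC4 128/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 40/128',
        'Hashes\MD5'
    )
    Enable = @(
        'Protocols\TLS 1.0\Server', 'Protocols\TLS 1.0\Client',
        'Ciphers\Triple DES 168', 'Ciphers\AES 128/128', 'Ciphers\AES 256/256',
        'Hashes\SHA',
        'KeyExchangeAlgorithms\Diffie-Hellman', 'KeyExchangeAlgorithms\PKCS'
    )
}

function Set-SchannelEnabled {
    param([Parameter(Mandatory)][string]$SubKey, [Parameter(Mandatory)][bool]$Enabled)
    # The .NET registry API is used instead of the HKLM: drive on purpose: PowerShell treats
    # '/' as a path separator, so New-Item would mangle names such as 'RC4 128/128'.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$SubKey")
    try {
        # -1 stored as a DWORD is 0xFFFFFFFF, the "enabled" value the KB article uses.
        $value = if ($Enabled) { -1 } else { 0 }
        $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelEnabled {
    param([Parameter(Mandatory)][string]$SubKey)
    # Returns 'enabled', 'disabled', or 'default' (no key or value: the OS default applies,
    # which is why an audit must treat 'default' as "not proven disabled").
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    if ($null -eq $key) { return 'default' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { 'default' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
    } finally {
        $key.Close()
    }
}

function Test-SchannelPolicy {
    # Audit: emit one object per entry whose current state differs from the target state.
    foreach ($k in $Policy.Disable) {
        $have = Get-SchannelEnabled -SubKey $k
        if ($have -ne 'disabled') { [pscustomobject]@{ SubKey = $k; Want = 'disabled'; Have = $have } }
    }
    foreach ($k in $Policy.Enable) {
        $have = Get-SchannelEnabled -SubKey $k
        if ($have -ne 'enabled') { [pscustomobject]@{ SubKey = $k; Want = 'enabled'; Have = $have } }
    }
}

Write-Host 'Drift before applying policy:'
Test-SchannelPolicy | Format-Table -AutoSize

foreach ($k in $Policy.Disable) { Set-SchannelEnabled -SubKey $k -Enabled $false }
foreach ($k in $Policy.Enable)  { Set-SchannelEnabled -SubKey $k -Enabled $true }

Write-Host 'Drift after applying policy (should be empty; reboot for Schannel to load it):'
Test-SchannelPolicy | Format-Table -AutoSize
```

Run the audit half alone first on a production host: a 'default' result means Windows is deciding, not you, and that default varies by OS version. Before disabling anything, confirm the clients that connect to the instance (older SQL Native Client, JDBC, ODBC drivers) can still negotiate one of the remaining suites, because Schannel will silently refuse the handshake rather than fall back, and the symptom on the SQL Server side is just a failed login.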

  • Steve Jones - Editor (3/17/2010)


    Not a tax, a requirement to meet some standard. There's a difference.

    Is there really though?

    How are those requirements enforced? If you're fined for not meeting the requirements, then you are either being charged money for non-compliance, or having to pay money to meet requirements. Either way, you are being forced, at gunpoint (the only way the Government can ultimately enforce its mandates is with the barrel of a gun), to pay money to comply with a Government action - a tax.

    Further, you're mandating additional authority for the Government to come into my company or home and go through my computers to ensure compliance. Additional gun-toting bureaucrats itching to try out their new toys.

    As mentioned earlier, someone needs to point out the Constitutionality of this. That's a document that seems to be far too underutilized and misunderstood in our modern society.

Viewing 15 posts - 16 through 30 (of 52 total)
