Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt :
"Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it."
Basically, it provides more info on how bureaucracy tends to dominate, and how security often ends up in the "backseat". Moreover, Paul Kurtz executive director of the Cyber Security Industry Alliance and it's multi-billion market capitalization members can indeed become biased on a certain occasions.
Still, he provides his viewpoint on important legislative priorities :
- setting national standards for data breach notification
PrivacyRight's "Chronology of Data Breaches Reported Since the ChoicePoint Incident" keeps growing with the recent Fidelity's loss of laptop. Standards for data breach notification are important, and the trends is growing with more states joining this legal obligation to notify customers in case their personal information is breached into -- given they are actually aware of the breach. Moreover, with companies wondering "To report, or not to report?" and let me add "What is worth reporting?", Uncle Sam has a lot of work to do, that will eventually act as a benchmark for a great number of developed/developing countries. Personal data security breaches are inevitable given the unregulated ways of storing and processing the data, or is it just to many attack vectors malicious identity thieves could take advantage of these days? E-banking is still insecure, and protection against phishing seems too complicated for the "average victim". Compliance means expenses as well, so it better be a long-term one, if one exists given today's challenging threatscape.
- a law on spyware
Do your homework and try to bring some sense into who's liable for what. Claria obviously isn't, and it's not just pocket money we're talking about here. Spyware legislations are a very interesting topic, that I also find quite contradictive, laws and legislations change quite often, but given the Internet's disperse international laws, or the lack of such, a spyware/adware's vendor business practices may actually be legal under specific laws, or the simple absence of these.
- and ratification of the Council of Europe's Convention on Cybercrime
That's important, the Convention on Cybercrime I mean, would they go as far as ratifying Europe's well known stricter compared to the U.S privacy laws? Excluding the data retention legislation, and various other privacy issues to keep in mind, there's this tiny sentence in its privacy policy "Google processes personal information on our servers in the United States of America and in other countries.
In some cases, we process personal information on a server outside your own country", makes it so virtually easy to bypass a nation's privacy regulations that I wonder why it hasn't received the necessary attention already. On the other hand, we have Interpol acting as a common cybercrime body, that according to a recent article :
"We need an integrated legal framework to exchange data. A lot of legislation doesn't consider a data stream as evidence, because the evidence is hidden behind 0s and 1s. We have to rethink the legislative framework".
There is already such and that's the NSP-SEC - a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks.
Still, The Internet Storm Center remains the most popular Internet Sensor.
No matter how many security policies you develop and hopefully implement, at the bottom line you either need regulations or insightful security czar in charge. And while the majority of industry players profitable provide perimeter based defenses, going through "2004's Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" a decision-maker will hopefully start perceiving the problem under a different angle. While I find plain-text communications a problem, Bluecoat seems to be actively working in exactly the opposite direction. And while I find measuring the real cost of Cybercrime rather hard, applying a little bit of marginal thinking still comes handy. The future of privacy may indeed seem shady to some, and while data mining is definitely not the answer, sacrificing security for privacy shouldn't be accepted at all. Moreover, do not take a survey's results for granted, mainly because "There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year" - in NetworkWorld's great article "It's raining IT security surveys".
To sum up, I feel in the security world it's the malicious attacker having the time and financial motivation to "spread ambitions" that outperforms, while in the financial world, it's Symantec that is the top performer - (Google Finance, Yahoo! Finance) with its constant acquisitions and trendy business strategy realizing the current shift towards convergence in the industry. Wish they could also diversify and take some market share of WetPlanet Beverage's Jolt Cola drink :)
Illustration by Mark Zug
UPDATE : This post was recently featured at LinuxSecurity.com "Are cyber criminals or bureaucrats the industry's top performer?"
Technorati tags :
Security, Information Security, Technology, Compliance, Survey, Bureaucracy, CSIA, Cybercrime
Monday, March 27, 2006
Are cyber criminals or bureaucrats the industry's top performer?
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
DVD of the Weekend - War Games
Hi folks, as it's been a while since I last posted a quality post, I feel it's about time I catch up with some recent events. What I'm currently working on, is gathering a very knowledgaable bunch of dudes in order to open up a discussion on the emerging market for 0day vulnerabilities, and I'm very happy about the guys that have already showed interest in what I plan to do -- more on that around the week, or the beginning of the next week.
As you're all hopefully aware by now, yet another 0day IE vulnerability is in the wild, so either change your browsing habits for a little while(don't or you lose the battle, as secure surfing is still possible to a certain extend), or consider switching to another alternative -- security through obscurity isn't the panacea of fighting the problem in here, instead it's just a temporary precaution. On the other hand I'm desperately trying to promote my RSS compatible feed URL to make it easier for everyone to keep up to date with posts, whereas the majority of readers seem to enjoy reading the blog directly,
I appreciate that!
As always, it's disturbing how "quality" always becomes the excuse for security, in respect to MS delaying patches (or is it just patches only?) whereas WebSense is already aware of over 200 web sites disseminating the exploit code, I wonder are they counting the hundreds of thousands of zombie pcs acting as propagation vectors. In one of my previous posts "5 things Microsoft can do to secure the Internet, and why it wouldn't?" I tried to summarize some of my thoughts on the problem, while on the other hand things definitely change pretty fast as always -- for the good I hope! Was the participants' secrecy in place, in order not to get a "shame on you" look from fellow hackers, whatever the reason, I doubt anyone is going to change their hats soon.
UPDATE :
Déjà Vu as Third Parties Ship IE Patches, and the patches themselves, while on the other hand it's great that anti-virus vendors have as well started detecting malicious sites using it.
Going back this weekend's DVD (check out the previous DVDs and vibes as well) War Games has shaped not just imaginations back in 1983, but acted as an important factor for the rise of another generation -- not wardialers, but wannabe hackers obsessed with command'n'control strategies such as Civilization 1 or Dune II, or at least that's how I remember it. Today's War Games have another dimension and it's called Network-Centric Warfare, or military communications and control over IP, and while there's a little chance an AI would malfunction and cause Doom's day, human factor mistakes will always prevail. As always, SFAM seems to have reviewed the majority of cool movies, so check out the review.
Technorati tags :
Weekend, War Games, Cyberpunk
As you're all hopefully aware by now, yet another 0day IE vulnerability is in the wild, so either change your browsing habits for a little while(don't or you lose the battle, as secure surfing is still possible to a certain extend), or consider switching to another alternative -- security through obscurity isn't the panacea of fighting the problem in here, instead it's just a temporary precaution. On the other hand I'm desperately trying to promote my RSS compatible feed URL to make it easier for everyone to keep up to date with posts, whereas the majority of readers seem to enjoy reading the blog directly,
I appreciate that!
As always, it's disturbing how "quality" always becomes the excuse for security, in respect to MS delaying patches (or is it just patches only?) whereas WebSense is already aware of over 200 web sites disseminating the exploit code, I wonder are they counting the hundreds of thousands of zombie pcs acting as propagation vectors. In one of my previous posts "5 things Microsoft can do to secure the Internet, and why it wouldn't?" I tried to summarize some of my thoughts on the problem, while on the other hand things definitely change pretty fast as always -- for the good I hope! Was the participants' secrecy in place, in order not to get a "shame on you" look from fellow hackers, whatever the reason, I doubt anyone is going to change their hats soon.
UPDATE :
Déjà Vu as Third Parties Ship IE Patches, and the patches themselves, while on the other hand it's great that anti-virus vendors have as well started detecting malicious sites using it.
Going back this weekend's DVD (check out the previous DVDs and vibes as well) War Games has shaped not just imaginations back in 1983, but acted as an important factor for the rise of another generation -- not wardialers, but wannabe hackers obsessed with command'n'control strategies such as Civilization 1 or Dune II, or at least that's how I remember it. Today's War Games have another dimension and it's called Network-Centric Warfare, or military communications and control over IP, and while there's a little chance an AI would malfunction and cause Doom's day, human factor mistakes will always prevail. As always, SFAM seems to have reviewed the majority of cool movies, so check out the review.
Technorati tags :
Weekend, War Games, Cyberpunk
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)