Tom Olzak

Archive for the ‘Regulation’ Category

Executive Order: Improving Critical Infrastructure Security

In Control Systems, Critical Infrastructure, Cyber Espionage, Cyber-warfare, Government, Regulation on February 15, 2013 at 21:03

President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States.  You can read the order here...  In theory, it’s what we need.  In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a “We really do care” position?

The order includes a directive for information sharing but leaves it to the various departments to decide who to notify, what to declassify, etc.  Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets.  Nothing in the order specifies process or technology needed to give timely notifications.  Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.

The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out recommendations the NIST is requested to formulate.  Incentives?  Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time.  If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess.  It wasn’t yesterday that security became an issue for anyone with a computer.  There is no excuse for our current situation except heavy lobbying and political career survival practices.

I do hope there is progress on the president’s plan, but I’m not hopeful.  My faith in business and government doing the right thing left the station long ago.


YAWN!!!!

In Application Security, Business Continuity, Cyber Espionage, Cyber-warfare, Cybercrime, Government, Network Security, Regulation, Security Management on February 10, 2013 at 19:44

Another article from AP today about the U.S. vulnerability to cyber attacks.  No longer news, this kind of information is simply depressing.  Mike Rogers, a member of the House of Representatives, believes that 95% “of private sector networks are vulnerable and most have already been hit.”  Maybe, but nowhere does the article offer actual statistics or source research.  Further, no mention is made of the porous security protecting government agencies.  Figures…

Rogers contends that all the government has to do is share classified threat information and all will be well.  What is he smoking?  Everyone already knows what is needed to protect our national infrastructure.  This looks like a good copout by Republicans: protecting business by doing something useless while convincing the gullible they are doing something worthwhile.  Compromising national security isn’t necessary; all we have to do is start forcing the slackers to meet minimal security requirements.  The Feds should start with their own minimal security guidelines included in FIPS PUB 200.

In my opinion, this grandstanding by legislators needing another law passed to prove their value (God knows something has to) is not helpful.  What is helpful is applying meaningful efforts to identify weaknesses–can anyone say public utilities–and applying the necessary pressure to remove them.  This must happen without whining about cost to affected businesses and industries.  My MBA helps me understand the business side, but my common sense and sense of insecurity drive me to scream, “ENOUGH!!”

Health Care Information Security Challenge

In Data Security, HIPAA, Regulation, Security Management on December 27, 2012 at 15:27

In the last week, I’ve read several articles claiming that health care information is a prime target for cyber-criminals in 2013.  While I agree with this, I don’t agree with one of the reasons given.

Some bloggers and journalists claim that the HIPAA has not kept up with technology, and this is the reason health care is at risk today.  I disagree with this.  The HIPAA is strongly aligned with ISO/IEC 27002:2005.  General compliance with the ISO standard of best practice brings a covered entity into compliance with the HIPAA security rule.  Add to this HITECH, Subtitle B, and a covered entity has everything it needs to keep information safe.  In my view, the problem isn’t with the HIPAA; the problem is with perspective.

Compliance is not security: it is not effective risk management.  When I was director of security for a national health care organization, compliance initially went down this path.  C-level management began to ask why risk still existed after we were judged “HIPAA compliant.”  Putting the need in terms of bottom-line risk helped to turn perspectives; it made management look at HIPAA as a starting point, not an endpoint.

Today, many health care organizations are HIPAA compliant, but that does not mean risk has been sufficiently mitigated.  This is also true of publicly traded companies that pass SOX audits.  One of the biggest mistakes we as security professionals can make is allowing our employers or clients to believe they are secure simply because they are compliant with a regulation.

So this begs the question… Is the current health care information security challenge a problem with the regulation or a problem with how we view compliance and risk?

SAS 70 replacement: SSAE 16

In Business Continuity, Cloud Computing, Data Security, Government, Network Security, Policies and Processes, Regulation, Risk Management, Security Management, Vendor Management on February 28, 2011 at 22:24

I’ve never been a big fan of SAS 70, even though it seemed to many like a great way for an organization to tell the board and its auditors that it practiced due diligence.  You know, “hey look, I got a SAS 70 from the service provider.  See, they’re secure.”  Not so fast, bucko.

The SAS 70 was never intended to be a test of the effectiveness of an organization’s security controls.  Rather, it simply checks to see if controls are in place–controls as defined by the audited organization’s own management.

In the article, SAS 70 replacement: SSAE 16 – CSO Online – Security and Risk, CSO’s Bill Brenner takes a look at something that may strengthen SAS 70… a replacement.


What about Us?

In Government, Regulation, Risk Management, Security Management on September 30, 2010 at 14:05

Here we go again… The last time this came up, no one could respond to security researchers who asked if this also means banning testing of anything that resembles a tool that can be used to attack a network.

Existing rules stipulate that illegally accessing and interfering with computers, servers and data is punishable as a criminal offence. The proposed directive will maintain and strengthen current provisions. But it will also specifically address and punish those who build, use and sell tools and software designed to carry out cyber-attacks.

via EU to up its defence against cyber attacks | EurActiv.

Will this be another governmental knee-jerk reaction, or will reason and common-sense prevail…?  Yes, I know.  They’re politicians, but I can hope, can’t I?
