Forgot your password?
typodupeerror
Government Security

US DOJ Lays Out Cybersecurity Basics Every Company Should Practice 58

Posted by samzenpus
from the protect-ya-neck dept.
coondoggie writes "The mantra is old, grant you, but worth repeating since it's obvious from the amount of cybersecurity breaches that not everyone is listening. Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government and vice-versa, to combat cyber threats through better prevention, preparedness, and incidence response."
This discussion has been archived. No new comments can be posted.

US DOJ Lays Out Cybersecurity Basics Every Company Should Practice

Comments Filter:
  • John Brennan says there are tons of things companies can do to help spy on the populace^H^H^H^H^H^H^H^H terrorists.
    • by Anonymous Coward on Sunday May 26, 2013 @01:46PM (#43828067)

      The article advocates more passwords, and stronger passwords, saying it is less of a pain than having everything stolen by hackers.

      But....

      When your password rules are too onerous, people start rebelling against them out of practical necessity. People write them down on post-its or store them in files on the hard drive because there are too many to remember (and they are too hard to remember). The few people who don't do this suffer frequent lock-outs, costing the company time and money (over and over again) in password resets. And, invariably, your CEOs exclude themselves from the policies. These same CEOs tend to have way more access than they actually need, and as such are the primary targets for hackers.

      So, rather than requiring a few more special characters in the min of 20 character passwords that lock out after the second failed attempt, must be changed every 10 days, have an infinite history to prevent re-use, and each of which grants you access to between five and ten percent of the subsystems you use on a daily basis...perhaps we should work smarter instead of harder.

      Use two factor authentication for the core systems (everyone has a cell phone these days, and good systems can work on the employee's office landline anyway). Passwords lock out after 10 attempts (seriously, those extra 7 attempts are NOT what will give a dictionary attack its edge). Require long passwords with a minimum "variety factor" in the letters rather than specific number and special character minimums (the variety factor and length are far more cryptographically strong than adding a 123 at the end). Train employees to recognize phish. And, of course, don't give people access to stuff they don't need.

      • by gmuslera (3436)

        Key passwords (maybe mail, the password managers ones, places where you must type your password frequently) should be easy to remember, and hard to crack (hint [xkcd.com]), the rest (there are always a lot of them) should be in one or more password managers (i.e. your browser, with a master password, but also more portable ones like KeePassX [keepassx.org]) where as are not meant to be remembered are easier to change, to put hardest complexity, and of course, to have all different. And try to avoid automated password trying, special

      • Not everyone has a cellphone, nor wants/needs one. OTOH, I tend to use passwords (passphrases where possible) from Hell except where id10ts creates policies that are ummm... not to put too fine a point on it, idiotic. Like my banks and credit agencies, the government (multiple agencies no less all with fucked up policies), &c. ad nauseum. You want good policies? Get people who actually know the realities of security, people, and especially security theater.

        Meantime, I'll keep my passwords in encry

        • by Salgak1 (20136)
          Sounds about right. I also keep an offline copy, the encrypted password/passphrase list on a DVD-R, the decrypting software on the original CD, both of which live in my safe deposit box at the bank AND the fire-proof in the house. The decryption passphrase and instructions are in a tamper-noticable "Cookie" (heat-sealed plastic around paper). One copy of which is elsewhere in the house, and two more which are. . .somewhere else.
      • by chrismcb (983081)

        The article advocates more passwords, and stronger passwords,

        Why do companies have archaic password limitations? Must be less than 12 characters (or 16 or some other arbitrary short length) Must NOT be the following characters... Why is there a limit on the characters I use? Whenever I see boneheaded rules like this, I assume someone is incompetent, and I wonder what other security holes there are.

        • One of my banks has "eight digit, numbers only, cannot repeat numbers", and each time I change it, it no digits must me replaced in the same place as the last password. No three digits must be consecutive numbers, or consecutive in reverse order. Amongst other conditions.

          Generating a rememerable password is extremely hard. Even random numbers are of little use, since they tend to be rejected as well.

          This results in me having to use keepassx (instead of MY BRAIN) to store my passwords.

          Meanwhile, I can easily

  • Incentives (Score:5, Insightful)

    by Okian Warrior (537106) on Sunday May 26, 2013 @01:32PM (#43828019) Homepage Journal

    Making a book of "best practices" is a good first step, but incentives are also needed.

    For example, suppose the government set penalties for security breaches which result from not following best practices. The penalties would not trigger until an actual breach, but if one *does* happen then the company is fined for breach of trust.

    The fines should be structured to encourage businesses to reduce risk, by artificially creating proportional risk.

    If someone steals CC numbers because the company kept them in the clear, and kept them beyond the time necessary to complete a transaction, the company is fined $5 each number. If passwords are not encrypted and salted, $1 for each stolen password. If web form data is not sanitized and customer information is stolen, $3 for each record. If the power station control computers are on the net with default passwords - half a mil.

    The government could also set up incentives and rewards for white-hat hackers who find vulnerabilities. If 1/10 of the potential fine goes to the white-hat hacker who discovers it, security practices would come into line very quickly. Perhaps with a cap of $50,000: enough for incentive to the hacker and the company, but not enough to affect the business.

    (... tempered by common sense. The company can argue that a different action is just as secure as "best practice" - but this should be done in court as response to a data breach investigation. Also, security breaches which are the result of something not covered by "best practices" are exempt.)

    Government can tweak and tune things for the betterment of society, but it has to be structured in the manner of game theory. People have to want to follow procedures.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Oh, I see. You want to monetize security breaches and have the government provide price supports, sort of like the DEA does with drugs.

      Then a whole army of bureaucrats and police will be created to make sure security breaches remain a profit center for their continued existence.

      That will solve the problem!

      • by Anonymous Coward

        You need to live in the States to understand this, it's unlike any other country. In America Time is Money - seriously, every waking minute is either spent making or spending Money.

        A few years ago I read an article in a Canadian paper that compared media regulations in Canada and the States. It basically said that if a Canadian tv or radio station broadcasts something offensive they not only get their hands slapped but also risk not getting their license renewed, not a good thing. If an American station doe

    • by gmuslera (3436)

      Yes, "best practices" book is good step, specially if they are agnostics about the used solutions (is something that could be easily exploited by their "rulers" to force some particular providers or patented technologies).

      The penalties should go in the hand with consumer protection. If a company or government office stores passwords in plain text [slashdot.org] and is breached, then the users should be able to sue them. And the government maybe should be proactive finding and reporting to the responsible people about vul

    • Why do we need the government to tell us this? They're incompetent so why should we listen to them when they tell us how we should be running our businesses? WTF do they know about running a business? Almost nothing. I don't need some paper pusher bureaucrat in Washington telling me how to secure my networks and I sure as hell don't need them to give me advice on passwords. From my perspective all the government ever does is take my tax money and waste it on God knows who and for God knows what, but it sure
  • by Anonymous Coward on Sunday May 26, 2013 @01:54PM (#43828091)

        Do I secure my network or backdoor it to comply with the demans of the Surveillance State?

    • Direct hit!!! As a policy I never give AC's +mods. In your case, I'd give it all five positives!
  • Kinda like you should brush your teeth before going to bed. You dont see articles written about that! Well, it's because you don't brush your teeth ON A COMPUTER!!!! Move along nothing to see here (That slashdot crowd dont already know!).
    • Kinda like you should brush your teeth before going to bed. You dont see articles written about that! Well, it's because you don't brush your teeth ON A COMPUTER!!!! Move along nothing to see here (That slashdot crowd dont already know!).

      http://www.nhs.uk/Livewell/dentalhealth/Pages/Teethcleaningguide.aspx [www.nhs.uk]

  • Don't trust the DOJ on what it states as "best rules."

    • by gl4ss (559668)

      Don't trust the DOJ on what it states as "best rules."

      there wasn't actual rules list in the article.

      it just said that there's going to be an inevitable cyber incident sooner or later and you better get ready! oh and build firewalls because that's how you keep cyber incidents in the bay, since hackers can't go through firewalls (no mention of actually putting sensitive information off-network.. or defining what's a firewall in this case).

      and that government has some cyber security help program you can ask help from.

      CYBER! LAYER EIGHT!!!!! fucking fat bastard

  • So will these "minimum standards" now become a de-facto definition of "good" and (in law) "negligent" behaviour. I.e. if you don't meet these standards, you will be held accountable for security breaches, maybe even have any insurance cover withheld.
  • It'd probably cost the equivalent of $50'000 per year for my small business to implement all of those. Thanks for the suggestions. I can't do any of them and remain profitable at all. So I'm going to do none of them.

    Instead, I've got a suggestion for you. How about making it illegal to hack into my property; and then why don't you go about aresting and prosecuting criminals? In other words, how about you, my government, go about doing your job, instead of making me into a security task force unto mysel

    • by chrismcb (983081)

      How about making it illegal to hack into my property; and then why don't you go about aresting and prosecuting criminals?

      It is, and they do... But there is also only so much they can do to arrest and prosecute foreigners.
      Do you have locks on your doors at home? Do you use them, or do you expect the government to make trespassing illegal and to arrest and prosecute criminals?

      • Yeah, I live a neighbourhood where I don't need to use the locks on my doors, the alarm system, bars on the windows, neighbourhood watch, guard house, nor a private security company.

        And how dangerous is your neighbourhood? Ever thought of living somewhere safer?

        • by cwsumner (1303261)

          Yeah, I live a neighbourhood where I don't need to use the locks on my doors, the alarm system, bars on the windows, neighbourhood watch, guard house, nor a private security company.

          And how dangerous is your neighbourhood? Ever thought of living somewhere safer?

          I live in a similar town. People often leave there cars unlocked and their doors unlocked. Most of them also own guns. Very quiet.

    • by cwsumner (1303261)

      ... Welcome to laws. You don't want me to protect myself against criminals. That's not what we call a civilized society. I don't keep a suit of armour in the garage. I don't have a shield on-hand. I don't have chain-mail shirts -- ok, I do have one, but it's a halloween costume, and it's heavy.

      The government and the police have no legal requirement to protect any individual. (Much as most want to, and do the best they can.) The police are tasked to apprehend criminals. That's different. The citizens are expected to protect themselves, at least as long as it takes for the police to get there. Be warned...

      A place where the police are tasked with protecting all citizens, individually, is called a "police state". It is generally agreed that no one really wants to live there.

      • and what would you call individuals who hack into and steal from multiple systems routinely? Last I checked, someone who commits crimes is a criminal. English is funny that way.

        • by cwsumner (1303261)

          and what would you call individuals who hack into and steal from multiple systems routinely? Last I checked, someone who commits crimes is a criminal. English is funny that way.

          True. But the police only go get them after the crime has occurred, and that is often too late for the individual victim. All citizens need to take at least some precautions for themselves. How much, is a personal choice...

          • you're talking about detective work. "go get them". It's the penalty afterwards that's supposed to act as a deterant to others in-advance of those crimes. As an individual, I can't really deter future criminals. That's what the judicial system is for -- long after police are done with the man-hunt.

            But it's not a personal choice. I don't get the choice to spend $50K / year on security and still stay in business.

            The fact that I'm small means that I'm difficult to see, difficult to target, and not worth t

            • by cwsumner (1303261)

              Secure what you can, leave what you can't. Ever little bit helps, nothing is ever perfect protection. Hope the police can catch them after other crimes, before they get around to you. That's how it is.

              And, hope that the government doesn't decide, that not following all of the recomendations is grounds for some penatly... Yikes!

              • every little bit doesn't help. there's no use in having a rubber padlock. in this case, there's no use in resisting the amatuer hacker who won't be able to find me in the first place.

                and the government does have those penalties, that's why we're complaining now. things like making it illegal to NOT lock your car doors when it's parked on the street. what the hell?

  • A backdoor in all your security protocols to enable easy snooping by three letter agencies.
  • The Australian Department of Defense Top 35 Mitigation Strategies is a pretty good start for a corporate infosec framework.
    http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm [dsd.gov.au]

  • by Kirth (183) on Monday May 27, 2013 @03:07AM (#43831037) Homepage

    The DOJ, which illegally seizes domains from foreign holders? The DOJ which orchestrates illegal raids in New Zealand? The DOJ which is the bully of the Content Mafia?

    It seems that these are not really the most technical-minded people, and you expect them to advise on Computer Security?

    I'd rather follow the NSA Guidelines http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml [nsa.gov]

When the weight of the paperwork equals the weight of the plane, the plane will fly. -- Donald Douglas

Working...