IT bosses: Get budgets for better security by rating threats on a scale of zero to Yahoo!

What do you reckon US government regulations on computer security look like? If you selected outdated, contradictory and avoidable, congrats, you're an industry veteran – or you were paying attention to a talk this morning at the BSidesSF 2017 infosec conference. In a presentation titled "Swimming upstream: regulation vs …

  1. Anonymous Coward

    Compliance and secure safe network frameworks

    "One customer had a requirement that all data traffic within the firewall was to be unencrypted to allow for inspection by network monitoring tools"

    Modern switches can decrypt data on the fly, they do this by forging certificates, thus rendering encryption moot in the first place.

    "Head of security and compliance teams at healthcare IT firm Nuna .. The sheer amount of reporting and paperwork involved can be crushing"

    'compliance' .. no amount of form filling is going to secure your network.

    "Sun Tzu’s guide to IT management"

    For f**k's sake, just hire the one man to run penetration tests on your network and close up the holes demonstrated therein.

    SecTools.Org: Top 125 Network Security Tools

    1. This post has been deleted by its author

    2. P. Lee

      Re: Compliance and secure safe network frameworks

      >'compliance' .. no amount of form filling is going to secure your network.

      Was the article referring to legal compliance, or configuring things in compliance with the corporate standards?

      Compliance is the verification and documentation that you have done things right. If you don't do the paperwork, you'll spend your life rechecking things which don't need to be rechecked.

      Compliance should be done by the plan/design/build/run teams at design gates and for changes, and then done again by the (separate) auditing team on a regular basis.

      1. Doctor Syntax

        Re: Compliance and secure safe network frameworks

        "Compliance is the verification and documentation that you have done things right."

        All too often only the documentation matters. For people who design bureaucratic systems paperwork is the only reality.

    3. Anonymous Coward

      Re: Compliance and secure safe network frameworks

      "Modern switches can decrypt data on the fly, they do this by forging certificates"

      With a little knowledge you're dangerous; by your reasoning all asynchronous encryption is broken. So let me correct you: this will only work if the correct PKI is in place and the end points have the certificate as a trusted CA, which means it's very difficult to implement unless you're a trusted administrator with access to the switches, end points and servers. Else this will set alarm bells ringing, with browsers throwing alerts and firewalls blocking invalid certificates.

  2. Anonymous Coward

    All talk and no play...

    Leaves the network unprotected.

    It never ceases to amaze me how some people can talk for hours about how things should be done, yet fail to actually set something into motion themselves. I'm not saying he's wrong, I'm saying that he might be talking to the wrong audience.

    1. Anonymous Coward

      Re: All talk and no play...

      He's not talking about how things should get done; he's talking about how to communicate the reason for security and get buy-in from the commercially-minded penny pinchers that investing in security is in their interests, and to do this, you need to speak in measurable figures and demonstrate a commercial benefit.

      It's all part of the office-politik for getting budget! It sucks, but welcome to management.

  3. Nick Sticks

    Yakety Yak

    What I learned from this article is that yak hair must grow very fast.

  4. Doctor Syntax

    "He recounted the time he asked a vendor if a particular threat was covered as per the regulations, so he could pass on the reassurance to auditors."

    Shouldn't that have been an ex-vendor?
