One Article Review

Home - The article:
Source Errata Security
Identifier 364556
Publication date 2017-05-12 02:51:43 (viewed: 2017-05-12 02:51:43)
Title Some notes on Trump's cybersecurity Executive Order
Text President Trump has finally signed an executive order on "cybersecurity". The first draft during his first weeks in power was hilariously ignorant. The current draft, though, is pretty reasonable as such things go. I'm just reading the plain language of the draft as a cybersecurity expert, picking out the bits that interest me. In reality, there's probably all sorts of politics in the background that I'm missing, so I may be wildly off-base.

Holding managers accountable

This is a great idea in theory. But government heads are rarely accountable for anything, so it's hard to see if they'll have the nerve to implement this in practice. When the next breach happens, we'll see if anybody gets fired.

"antiquated and difficult to defend Information Technology"

The government uses laughably old computers sometimes. Forces in government want to upgrade them. This won't work. Instead of replacing old computers, the budget will simply be used to add new computers. The old computers will still stick around.

"Legacy" is a problem that money can't solve. Programmers know how to build small things, but not big things. Everything starts out small, then becomes big gradually over time through constant small additions. What you have now is big legacy systems. Attempts to replace a big system with a built-from-scratch big system will fail, because engineers don't know how to build big systems. This will suck down any amount of budget you have with failed multi-million dollar projects.

It's not the antiquated systems that are usually the problem, but more modern systems. Antiquated systems can usually be protected by simply sticking a firewall or proxy in front of them.

"address immediate unmet budgetary needs necessary to manage risk"

Nobody cares about cybersecurity. Instead, it's a thing people exploit in order to increase their budget. Instead of doing the best security with the budget they have, they insist they can't secure the network without more money.

An alternate way to address gaps in cybersecurity is instead to do less. Reduce exposure to the web, provide fewer services, reduce functionality of desktop computers, and so on. Insisting that more money is the only way to address unmet needs is the strategy of the incompetent.

Use the NIST framework

Probably the biggest thing in the EO is that it forces everyone to use the NIST cybersecurity framework.

The NIST Framework simply documents all the things that organizations commonly do to secure themselves, such as running intrusion-detection systems or imposing rules for good passwords.

There are two problems with the NIST Framework. The first is that no organization does all the things listed. The second is that many organizations don't do the things well.

Password rules are a good example. Organizations typically had bad rules, such as frequent changes and complexity standards. So the NIST Framework documented them. But cybersecurity experts have long opposed those complex rules, so have been fighting NIST on them.

Another good example is intrusion-detection. These days, I scan the entire Internet, setting off everyone's intrusion-detection systems. I can see first hand that they are doing intrusion-detection wrong. But the NIST Framework recommends they do it, because many organizations do it, but the NIST Framework doesn't demand they do it well.

When this EO forces everyone to follow the NIST Framework, then, it's likely just going to i
Sent Yes
Tags Guideline
Stories Yahoo Tesla