All this EU red tape telling us that we've got to do sensible things like this. The sooner we're rid of it the better.
Coat. It's not raining right now so I don't need it.
The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place. The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under …
This is a near verbatim copy of the recent Russian legislation after removing criminal responsibility for the directors.
The El Reg screamed bloody murder at the time as it included DNS servers and peering points as well as the ability of the government to issue an "isolate" order. They concentrated on that particular aspect and missed the rest which is surprise, surprise nearly the same as what we hear now from HMG.
By the way the "disconnect from net to keep the country running" order is not a bad idea. It should be in the legislation.
TBH I don't see how anything other than C suite jail time will ever make companies take this sort of thing seriously.
"Oh dear. We got fined. What to do, what to do... I know, put them prices up for the next quarter! Problem solved. Let's all go play golf."
How quickly standards slip. It would be OK if organisations followed what the government actually said, "assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities", but already it's slipped (here in the comments) to "current best practice", which I guess means, "no-one else bothers with more than this".
Anyone want to predict how long before a court accepts, "industry standard practice" as a defence?
I expect this'll lead to a whole lot more checklists.
And software tools to help ensure compliance.
And then blind adherence to what the tools tell you. Despite the best efforts of tool vendors to tell you that their warnings don't mean "this is wrong" but rather "this is flagged up for human attention".
Hmmm. Like ... dear me, was it really 2008 I noted this little anecdote?
"And then blind adherence to what the tools tell you"
It very much depends on who you have doing your security.
Some of us care about the *reality*, rather than just paying lip-service to the latest trend. It doesn't matter a pair of fetid dingo's kidneys to me if the projects to secure things tick boxes for this or that, as long as the systems deployed actually *do* this or that.
The main issue I see is that in such a target rich environment you are closing the big doors first and you'll get to the niche areas of weakness eventually - the problem with that approach is that state actors could be using those niche areas for some time before something is deployed to detect them & you can respond.
Still, you have to try, and I see this push to motivate the big players as a positive thing. The worst thing that can happen though is that it will result in lots of knee-jerk box-ticking without any real-world benefit. Not a major issue where I am because there are people who care enough to lose their jobs rather than jfdi, especially if you know it will lead to a weaker system. It's impressive to some people that security consultants care enough about something to potentially lose their lucrative contract over, it isn't common and it raises eyebrows (as long as you are known for integrity and passion for your work :) )
The biggest UK victim of the WannaCry outbreak was the NHS. When last I heard, the NHS was a Government Department, so the Government's first task should be punishing itself for not complying with its own rules. Ah, but the reason for non-compliance was under-investment in IT by...you guessed it, the Government. So the government intends to punish itself for not complying with its own rules by fining itself a substantial sum which will leave itself with even less budget to spend on the deficient IT systems that caused the problems in the first place. This will make them more vulnerable to future attacks which will result in even heftier fines leaving them with less cash to fix the problems making them more vulnerable...
"non-compliance was under-investment in IT"
Unfortunately, this particular issue wasn't caused by underinvestment. Although a lot of attention was thrown at Windows XP (and it's an issue, don't get me wrong), the reality is that Windows 7 (still supported) was the majority victim and it affected Windows all the way up to 10. The issue was patching and Microsoft making patches available and the time it takes to apply them. It was also about intelligence agencies keeping exploits to themselves and then when they suddenly get known, not enough time is available to sort things out before the exploits hit.
Of course, we shouldn't be running Windows XP machines anymore and underinvestment is a primary cause of this (although in some areas such as machines running scanners, it's very difficult), but it wasn't the cause of this particular issue.
Anonymous for obvious reasons.
Problems in the NHS:
Chronic underfunding of infosec
Infosec staff not being dedicated to that role despite them being so on paper.
Capita not securing ACLs, hell not even applying them at all in some cases.
MS patching last year causing problems with clinical systems, preventing patching rapidly after release. (lots of testing required, creating a lag).
^^ This all affects trusts/boards/CCGs regardless of whether they have XP or not.
And now we've got the new directive coming, which I welcome but I know I'll still not get to do my infosec job because I'm doing 2 other people's roles too. Meanwhile my infosec skills wither away as I can't keep them up to date. It's been over a year since I fired up any sort of pen testing tool, don't use it, you lose it!