Wow, RIP hackers ... It's Cyber-Lord Blunkett to the rescue for UK big biz

A high-profile project has been launched with the aim of strengthening UK enterprises' IT security. The Cyber Highway was launched in London on Tuesday by Lord David Blunkett. The resource offers a “user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain.” Corporations …

  1. Flocke Kroes Silver badge

    Mixed bag

    The requirements do include some bits that are sensible and practical, and some that are neither. Take care to read to the end of each section before flaming. There is a cop-out for most of the over-broad requirements that reduce them to practicality or irrelevance. Careful choice for the definitions of undefined terms can make several requirements anywhere between practical and ineffective. Here are the howlers:

    A subset of 8 character passwords are considered secure.

    Administrative accounts should be configured to require a password change on a regular basis (e.g. at least every 60 days). - someone hasn't read the memo.

    Administrative accounts should not be granted access to email or the internet (Diverting mail sent to an administrative account to the appropriate user account is simple and practical. If a sysadmin cannot fake From: and Reply-to: for the replies then he should RTFM promptly. What I do not get is how to prevent someone with administrative access getting around any restriction to internet access on an internet connected device.)

    There is a long list of references to other standards that are not referenced in the text. This is where I expected to find requirements that effectively specify a particular brand of software. As they are not referenced, I would assume they are not requirements for certification.

    There are two other documents: a questionnaire and something about what to do with the answers. I am sure someone else will critique them before I get back.

    Summary: vague woolly and the blind leading the apathetic.

    1. Known Hero

      Re: Mixed bag

      I wholly agree with your entire comment, but ... I do think something along these lines has been needed for quite a long time, it gives us at least some peace of mind that at least a minimum standard of security has been implemented rather than not knowing if they have even bothered at all.

      Would also be nice to see a scoring system in place, I'm hoping my bank doesn't score a D- :/

    2. You aint sin me, roit

      Re: Mixed bag: "blind leading the apathetic"

      Ouch! That's a bit personal...

      Meanwhile in another article not far from here, BT admit that their WiFi extender was released with security problems. Why concentrate on "large enterprises that want to strengthen the cyber defence of their supply chain" when large enterprises can't be bothered with the cyber defences of their own products?

    3. Tom Paine

      Re: Mixed bag

      The terrifying/depressing thing is how few organisations could reach even this basic infosec-101 level of competence. Sometimes I wake up to news of the latest big compromise or data leak and think "Yay! Job for life!" ... then ten seconds later I'm thinking: "Oh god, no, a job for life -- coping with all this /o\ "

  2. Doctor_Wibble
    Trollface

    Cyber Essentials

    Anything more than "robe and wizard hat" is just pointless frippery.

    1. Dan Wilkie

      Re: Cyber Essentials

      I would give you all my upvotes if I could

  3. Doctor Syntax Silver badge

    Would I trust anything with the former leader of the People's Republic of South Yorkshire at its head?

    It must be this Brexit stuff taking us back to the 70s again.

  4. AnoniMouse

    Not enough

    "Small organisations account for 92 per cent of cyber attacks, often because of limited resources. "

    But in the (near) future it will be Things that will account for the majority of cyber targets, not least because there will be billions of them, with minimal trustworthy source or support. Their operators (including the public) won't be included in schemes like this and their suppliers mostly won't care.

  5. hplasm
    Coat

    Cyber Force!

    It's like the Blin... oh never mind...

  6. tr1ck5t3r
    Trollface

    So should we change our passwords periodically or not.

    Some parts of Govt want us to not change our passwords.

    https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

    Is this a case of the blind leading the blind, or is that a poke in the eye too far?

  7. Crisp

    Ah, it's the same guy that gave us Job Centre Plus

    And our short sighted "anti-terror" legislation. And he authorised MI5 to collect bulk telephone data.

    Is he really in any position to be advising businesses on security?

    1. druck Silver badge
      Stop

      Re: Ah, it's the same guy that gave us Job Centre Plus

      And he is the despicable individual that did the most to try to introduce ID cards under the Blair government.

      Steer well clear of anything he is involved in.

  8. JaitcH
    Meh

    Since The Common Factor Seems To Be Alleged Sharp Practices ...

    this marriage appears to be a good match.

  9. Anonymous Coward

    Wow indeed. That is a lot of publicity for what is just one more Cyber Essentials certifying body

    http://www.cyberessentials.org/certifying-bodies/

    Also could be sailing close to a CE mark infringement case.

  10. allthecoolshortnamesweretaken

    Cyber-Lord... I'm not a Brit, so I have to ask: does that mean he's like the Meta Baron or something?

    1. Flocke Kroes Silver badge

      From outside the UK, the people you are likely to see representing the UK government are politicians from the house of commons. These are usually loud, because they need media attention to get elected, and ignorant because of the danger of letting anyone with a clue hold real power. They are only one third of the government. Another third is the house of lords. A few of them inherited their title, the others are often ex-members of the house of commons pushed into the other house to make way for someone less competent. A few members of the house of lords actually ask the right questions and get the worst of the house of commons' legislation delayed a year or two. The other third is the civil service - like the US president's staff, but not replaced with the president. This lot are in theory responsible for implementing the policy dreamed up by the house of commons, but in practice keep everything pretty much as it has been for decades. For a more in depth understanding of UK politics, try the "Yes, Minister" TV series.

      In the UK Cyber-Lord is the leader of an army of human brains in metal suits who stomp about saying "Delete".

    2. Doctor Syntax Silver badge

      "I'm not a Brit, so I have to ask: does that mean he's like the Meta Baron or something?"

      He's an ex-local government politician, ex-MP with form, particularly when he was Home Secretary. I don't know how it fits with your admin but back then it included police, prisons, forensic science and spying on the populace. He seemed particularly keen on the last. He is also blind which explains some of the previous comments.

  11. cantankerous swineherd

    this is the sort of thing that gives corruption a bad name.

    and for anyone who's wondering, this is the David Blunkett, Methodist lay preacher, who fathered a child on his married mistress and then went to court for access. also got up to some monkey business with visas iirc.

  12. John Smith 19 Gold badge
    Unhappy

    Yes this is the David Blunkett

    But I'm not quite sure what he's a Chairman of.

    Is it a QUANGO running a govt backed accreditation scheme? Is it a private company with a close-to-copyright-infringing similar name?

    I will suggest that the UK level of SME infosec is so p***poor that anything that raises the baseline across a significant number of them is a good idea.
