Posts by NileH

Anyone who thinks that IT security is a priority should take a look at the job adverts dotted around the content you're reading right now.

If you've got the Technojobs ad, it'll reflect the current contents of the page - IT security - and it'll have three or four 'Information Security Analyst' vacancies at £35-45k, and one or two security consultant or senior manager roles at £65-75k.

That's OK for IT, but not exactly stellar. It's *way* less than the banks are paying programmers who write the security vulnerabilities, and it doen't sound like the pay rate for doing something particularly difficult, or critical to the company's success.

And Cisco? It's nice that they've woken up to the commercial case for security. But I doubt that the firmware and embedded systems in their hardware is anywhere near secure, and I am certain that every single router on sale today, from every company, everywhere, has a backdoor waiting to be discovered.

AOL... It's the Model-T Ford of the Internet age: the vehicle that worked, and got the whole of America on the highway.

...Good enough to get the masses mobile, but you wouldn't call it 'good' today.

Our tinfoil-hatted commentator is amusing, but he has *some* worthwhile points about solar storms:

http://en.wikipedia.org/wiki/Carrington_Event

http://en.wikipedia.org/wiki/March_1989_geomagnetic_storm

Short version: satellites will be fried, widespread power cuts will happen, and some systems attached to twisted-copper pair communications will be disrupted - possibly knocked down to 'restart from backups'.

Put it in the file marked 'This will happen and we should have contingencies in place'. You know, like the earthquake we are certain to get in California: it's out there, it's real, we've got stress measurements on the fault systems in the rocks, and we know it'll be big. But we don't know how big, and we don't know when; and human nature is such that we treat this as 'don't know when means *never*, and I won't do anything about it'.

Is this relevant to government incompetence and outsourcing? Well, yes: we'll get a lesson, sometime, that abrupt disruption gets the headlines, and natural disasters get things done... Much more so than rolling screwups like this one, which - in aggregate - cause far more trouble than the disasters in the headlines.

The Data Protection Act imposes a legal obligation to keep personal data secure...

But there's very little guidance on how secure.

Partly, that's a good idea: detailed guidance would go out of date very quickly, and this law dates from 1998. So phrases like 'appropriate to the sensitivity of the data' and 'best practice' and 'reasonable precautions' are necessary.

But I think it's time to start grading the data:

● 'Private' - identifying data, names and addresses.

● 'Confidential' - personal conversations and correspondence, purchasing habits, etc.

● 'Under legal privilege'

● 'Places individual at risk of violence'

● 'Places individual at an increased risk of fraud'

● 'Would immediately allow transfers of funds and assets'

● 'Medical information'

● 'Child Protection'

I'm sure that you could think of others: but you wouldn't want to flag up any individual as having information of interest to blackmailers - say, a juvenile arrest for prostitution and subsequent referral to social services - as that 'flag' would be a magnet for criminals and journalists. And, in these times, for officials of the state.

What would the flags do? Well, we'd need general security standards; starting with a minimum standard for private data specifying 'Encrypted data store', 'No passwords ever stored or sent in clear text' and 'Secure sessions'.

Any information at a higher level than 'private' would need a security review of the host system every two years; and the ICO might consider issuing security alerts for high-profile exploits that require confirmation - 'yes, we've patched that' - within ten working days from the registered owner.

The most sensitive data stores would need a yearly audit, to published standards, and a record of patches - with pen-test results - for all security alerts and vulns listed by, er... let me think... some public body that doesn't yet exist. There's probably a group within the Home Office that does this internally for the Civil Service - like the sysadmins at every bank - but I'm not aware that there is a state-sponsored *public* service, in any country.

That's a gap in the law, and an obvious case for the statutory provision of a service, rather than everyone relying on purchasing a service from competing private enterprises.

...There is, of course, a gap between what *should* happen, and what actually does.

The legal framework? This would probably be enacted as 'enabling legislation', in which regulations are 'Laid before Parliament' by the minister - in practice, it's handled by a regulatory agency that maintains and updates a book of regulations having statutory force. Look up the HSE and the Control of Substances Hazardous to Health regulations as the best example of this process.

The Information Commissioner's Office *may* actually have the power to do this already - I'd be grateful if someone here is legally qualified to offer an opinion on that.

Useful Link: The Information Commissioner's Office:

http://ico.org.uk/for_organisations/data_protection

That's the statutory body enforcing the Data Protection Act