For, by Bill Geime, director of information assurance, Open System Sciences
No law will remove the threat to data security, but some recent laws have been beneficial. California's SB1386 requires organizations that store sensitive customer information to notify customers of possible security breaches. As of last summer, 18 states had enacted similar laws that effectively remove the cloak of secrecy that has surrounded the theft and hacking of sensitive data.
FISMA (Federal Information Security Management Act) is another example of a "good law." It forces government agencies to assign someone to be responsible for security, and then document and sign off against the known risks. The public FISMA scorecards are forcing agencies to move security higher on their list of priorities and dedicate resources.
Like any regulatory issue, security compliance could be misused, but the right kind of legislation could provide a wide range of benefits.
Against, by Richard Stiennon, chief research officer, IT-Harvest
No, Congress should not legislate data security. Data security legislation would create a huge consulting industry, as well as spawn hundreds of vendors that sell data protection solutions. Yet, with predictable carve-outs for small business and government entities and rapid evolutions in attack vectors, it would do little to solve the data theft problem.
At this stage it is easy to point out that Congress and technology do not mix. Sarbanes-Oxley has demonstrated just how far removed Congress is from reality. I have it directly from a representative that they didn't know what they were doing when they signed that legislation. Any law, no matter how carefully crafted, no matter the quality of investigation, no matter the expert testimony in hearings, would not address the latest and greatest threat by the time it was passed into law.
Data security technology is available to anyone who wants it today. Doing data security well is going to be a competitive differentiator in the marketplace. There is no need for Congress to interfere.
THREAT OF THE MONTH: Image exploits
What is it?
Since late last year, numerous vulnerabilities have been found in tools that render various image formats. In June, three new vulnerabilities were found, including one in AOL images called ART files ("Another Ray Tracer").
How does it work?
Image exploits work by taking advantage of a weakness in the routines that render the images. By providing a few bytes at the beginning of a malicious file, the criminal convinces the operating system the file is an image, but actually includes attack code aimed at a vulnerability in the rendering engine. Such an exploit would likely install a bot, backdoor or keystroke logger.
Should I be worried?
ART files are used widely on AOL. A new vulnerability was discovered in rendering WMF files, which are used extensively in Microsoft Office documents. To date, there has not been much evidence that these image vulnerabilities are being widely exploited.
How can I prevent it?
Stripping attachments at the email gateway is the first preventative step. None of the image formats found vulnerable in June are likely to be common in email, or encountered via the web. In response to this threat, enterprises should strip attachments with extensions .ART, .PNG, and .WMF at the email gateway or firewall.
-Russ Cooper, senior information security analyst, Cybertrust
