Got something to say? | SC Media

Got something to say?

June 12, 2007

Security clearances

The March issue contained a very interesting article written by Professor Danielle Zeedick of Norwich University [March 2007, Opinion] on people placing "stupid" stuff on the internet and how it comes back to bite them later on when they try to go for clearances in the government.

As the information assurance manager for the 103D Fighter Wing, one of my jobs, among many others, is to inform the base populace about computer security (COMPUSEC) and how it affects users, networks and access. I find this article in line as to what I'm trying to do in regards to security clearances.

I enjoy your magazine, and look forward to each issue. Keep up the good work.

SMSgt Robert "Z" Zukauskas      
East Granby, Conn.

 

Paper chase

I would like to bring to your attention the wrongdoings of Local 32BJ [scmagazine. com, "Union discovers sensitive documents in Chase bank garbage...," May 1]. I am not saying that Chase should not have shredded the paperwork, but I do think they were set up. They are trying to get security guards to join their union. Tell them to stop spending dues they collect from their members to go pick garbage. If these dumpster divers want to go through the trash, they should take the NYC sanitation test and go pick up trash the right way. 32BJ is misleading security officers all over NYC.

A concerned New Yorker and American

 

Prepare for PCI standard

The formation of the PCI Security Vendor Alliance is a positive step toward educating firms about the best practices of the Payment Card Industry data security standard. However, with the deadline for compliance looming [June 30] for financial institutions, their merchants and service providers, I urge them to look at their implementation and management.

In order to comply, firms need to address every element. To ensure easier audits, it is key that organizations have the software in place to record all integrity checks and detect violations so that they can provide the proof required to verify compliance with internal policies and external regulations.

As cash becomes obsolete, the effective compliance and management of the stringent standards set by the PCI Security Standards Council is vital to improving the security of payment transactions.

Paul Gostick,
Tripwire

 

Cert debate

Two experts, I assume they are, to have opinions printed in a magazine I regard very highly (it's one of the few I actually subscribe to), weighing in on "high assurance" certs [April 2007, Debate], the abomination formerly known as EV SSL, both correct, and both missing or avoiding the obvious: It's not only a marketing "thingy," it's just a cash cow...a search for a new revenue stream.

In addition to being tagged as "certifiably useless," based on a Stanford study that concluded: "The only real information a user will get from an EV certificate is that a particular web site ponied up extra cash to get one."

There are obvious questions that we should all ask: What is the definition of a Trusted Third Party Certificate Authority?

Was it simply for secure communications? Hogwash, it takes two or three clicks of the mouse to install a Private CA in IIS (likely just as simple for all other platforms), and we can all have encrypted traffic flowing.

Wasn't it so that we could have some third party who we could trust? Was it technology that failed or was it the process? Me thinks it's the latter. So will a "product" solve a process issue or is the process, in fact, the new product? But the "process" was their whole point for being, wasn't it?

Scott Harris: "...Ignorance or inattentiveness...we were all teaching...the yellow padlock." Exactly, and confusing the issue even more with a green padlock doesn't help. What's next, a padlock wrapped in chains — an "even better SSL," or perhaps encased in barbed wire for "the ultimate SSL"? Sigh....

Ok, so one study by Stanford shouldn't be taken as the ultimate source of information. Fine, I have a suggestion: If we really want EV SSL to "cure" phishing, it's simple. Stop selling "legacy" SSL certs. Then you'll have more credibility, and no confusion, since no one can have a "padlock" (of any color) without being validated properly (like they should have done in the first place). Only legitimate businesses can have a "padlock." Add some accountability, like offering some guarantee to the consumer if for some reason an illegitimate business manages to obtain a cert. Offer the same "insurance" provided to the cert holders, cap the liability if they want.

Then we can all join Scott Harris to "encourage (even teach) to only do business with sites that have a padlock," not green, not yellow nor white, just a padlock.

When cert providers do that, I'll stop calling it a cash grab.

Sorry, if the excuse is "what about the smaller people"?

What about them? Validate them, give tiered pricing, period. We don't need a green bar for that to happen.

Ed
via email

prestitial ad