Obama supports cybersecurity and privacy, but experts warn of unintended impacts

Jan 22, 2015 08:06 am | PC World

Calls for better information sharing and data breach reporting could hamper innovation or infringe on privacy, experts caution. 

by Tony Bradley

President Obama called for strengthening cybersecurity and privacy protection in his State of the Union speech Tuesday. Most security experts agree with the President's overall goals, but warn of potential unintended consequences that could do more harm than good.

A vision for stronger cybersecurity

The President outlined three broad areas to focus on: cybersecurity information sharing, modernization of law enforcement agencies' weapons against cybercrime, and national data breach reporting. Those are all worthy goals; however, they're not necessarily the most urgent ones. Security experts disagree on how--or whether--these goals can even be achieved.

Gary Steele, CEO at Proofpoint, said, "The President's inclusion of cybersecurity as a topic in his speech is further validation of the critical importance of this issue across all industries and sectors, public and private. As regards his specific proposals, it is absolutely the role of the government to legislate consumer protection--but not corporate security strategy. Legislation cannot evolve as quickly as the threat landscape."

Reforming existing security rules

"From the point of view of a company that is subject to notifying the public of breaches, I can say it would be a breath of fresh air to have a single, consolidated, and consistent regulation to deal with," declared Mark Kraynak, Chief Product Officer, Imperva. "But from a practical industry perspective, if there's any value to breach notifications, it's already been realized by the plethora of overlapping state and international laws."

Tripwire CTO Dwayne Melancon also suggested starting with some clarification of the existing rules and requirements. "Organizations have an overwhelming array of choices available to improve their cybersecurity programs, but what criteria should they use to make these investment decisions?"

Melancon added that the lack of clarity also hampered corporate risk assessment around cybersecurity policy and practices. "None of the expectations about cybersecurity protection are clearly articulated, and few come from an authoritative source," Melancon said. "This means that it's difficult for companies to legally defend themselves in the event of a significant breach, and it also makes it difficult for companies that haven't been breached to accurately assess business risks."

Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, was less than enthusiastic about Obama's cybersecurity proposals. "While it's understandable that the American population wants to take a stand against computer crime, what the President is proposing to enact into law would have made no difference in the Sony case."

Hansen suggested that the technologies being recommended to protect a free and open Internet will actually make government censorship easier, and have a chilling effect on benign computer security research--efforts by researchers like those at WhiteHat Labs designed to proactively identify vulnerabilities and exploits in order to protect the American public. Businesses may move out of the United States for fear of public backlash if they are required to disclose that they have been breached.

Chris Doggett, managing director for Kaspersky Lab North America, agreed that any legislation enacted shouldn't end up prohibiting the techniques and methods used by legitimate security researchers, security consulting companies, and security vendors. He warned that we can't "handcuff" the very people and organizations we rely on to defend us from the cybercriminals.

Doggett also stressed that mandated information sharing could do more harm than good. "It should not cross over into the area of broad-reaching surveillance (in conflict with our right to privacy), nor should regulations be enacted that force information disclosures which compromise criminal investigations. And of course, we must safeguard against information being disclosed which causes incremental damage to the victims of the attacks or unduly punishes those who are not our true adversaries in the battle against cybercrime."

Stay calm and keep secure

Cybersecurity plays an integral role in the safety and economic stability of our nation. It's about time that cybersecurity be treated as a higher priority, and that we start to find ways for the public and private sector to work together for better security. Finding a politically acceptable common ground that actually has a chance of impacting cybersecurity is a virtually impossible task, though.

It's important for people to be informed about what the government is planning, and to speak up to their elected officials if they disagree with proposed legislation. Tim Erlin, director of IT security and risk strategy at Tripwire, cautions against freaking out prematurely, though. "Rhetoric is just that, and the cybersecurity industry as a whole should be cautious about Obama's proposals. Until they make their way through the muck and mire of Congress, they remain merely ideas aspiring to become reality."

Source: http://www.itnews.com/government-use-it/87939/obama-supports-cybersecurity-and-privacy-experts-warn-unintended-impacts?page=0,1

A Guide to Safe Internet Browsing

One of my earliest blogs was about security and I made a point of deterring people from going to websites other than the big name, well known sites. I was a little surprised that I didn’t get many emails telling me that I was being overcautious. I did get one message pointing out that a large part of the value of surfing the net is finding new sites with new information. I agree. Is that contradictory?

I’m guilty of doing exactly what I said shouldn’t be done. When I search for information I frequently click on links to sites that I’ve never been to belonging to companies I’ve never heard of. I’m not immune to malware, but I do have a few tricks and tools up my sleeve to help make sure I’m protected. The first and most important tool is education. I’ve spent a great deal of time since I started this career learning about the methods that hackers use to attack computers. This knowledge has helped me to develop habits that make me a less likely target for hackers. While I believe that nothing will completely protect someone from malware and security breaches, I’ll share some tricks and tips that will certainly help.

First of all, any computer connected to the Internet should be fully patched and protected by firewalls. Yes, that was plural. Data travels between computers and the Internet in two directions. Home and small business routers by default block all traffic coming in, but allow all traffic outbound. They can typically be changed to block all but the necessary outbound traffic, but this requires quite a bit of knowledge and management to implement and maintain. For outbound traffic, I recommend a personal firewall such as the firewall built into recent versions of Microsoft Windows. This firewall will typically prompt you if a port or program is blocked so that you can consent to allowing access. If you don't know what's asking for access, it's best to say no. My experience is mainly with Microsoft products, but patching applies to every operating system available today. For Microsoft Windows, I recommend turning on automatic updates and checking at least once a month to make sure that updates have been applied. Of course, all computers should have up-to-date antivirus software installed as well.
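The three checks in the paragraph above (firewall on with unsolicited inbound traffic blocked, updates applied within the last month, antivirus current) can be audited from one script. The following is an added example, not part of the original post, written for a Windows 8/Server 2012 or newer host. It assumes the built-in NetSecurity module (Get-NetFirewallProfile, Set-NetFirewallProfile), Get-HotFix, and, for the antivirus check, the Microsoft Defender module (Get-MpComputerStatus); the -Fix switch and the 30-day patch-age threshold are this example's own choices, not Windows settings.

```powershell
# Added example (not from the original post): audit the firewall, patching and
# antivirus advice above on a Windows 8 / Server 2012 or newer host.
# Assumes the NetSecurity module and, for the AV check, the Defender module.
# Run from an elevated PowerShell prompt. -Fix and $MaxPatchAgeDays are our own
# parameters; everything else is a standard cmdlet or property.

[CmdletBinding()]
param(
    [switch]$Fix,               # apply the safe defaults instead of only reporting
    [int]$MaxPatchAgeDays = 30  # the post suggests checking updates monthly
)

$findings = @()

# 1. Every firewall profile should be enabled and drop unsolicited inbound traffic.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is disabled."
    }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Profile '$($p.Name)' default inbound action is '$($p.DefaultInboundAction)', expected Block."
    }
    # Outbound is allowed by default; the post recommends a prompting personal
    # firewall for unknown outbound traffic, so only report the current setting.
    Write-Verbose "Profile $($p.Name): default outbound action = $($p.DefaultOutboundAction)"
}

if ($Fix) {
    # Enable all three profiles and block unsolicited inbound connections.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}

# 2. Patching: use the most recently installed hotfix as a proxy for update freshness.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($null -eq $lastPatch) {
    $findings += "No installed updates with an install date were found."
} elseif ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "Last update ($($lastPatch.HotFixID)) was installed on $($lastPatch.InstalledOn.ToShortDateString()), more than $MaxPatchAgeDays days ago."
}

# 3. Antivirus: real-time protection on and signatures current (Microsoft Defender only).
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $av = Get-MpComputerStatus
    if (-not $av.RealTimeProtectionEnabled) {
        $findings += "Real-time antivirus protection is off."
    }
    if ($av.AntivirusSignatureAge -gt 7) {
        $findings += "Antivirus signatures are $($av.AntivirusSignatureAge) days old."
    }
} else {
    $findings += "Microsoft Defender cmdlets not found; verify your antivirus product manually."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: firewall enabled with inbound blocked, updates and antivirus current."
} else {
    $findings | ForEach-Object { Write-Output "WARN: $_" }
}
```

Run it without arguments to get a report only; add -Fix to enable all firewall profiles and set the inbound default to Block. The script deliberately does not change the outbound default, since an outbound block without a prompting firewall would silently break legitimate programs, which is the management burden the paragraph warns about.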

Once you have this basic protection in place you're ready to open a web browser. If you're searching for information there are many search engines available. I like Google, but that is a personal preference, not a technological advantage. When you get your results, look at the URL that is linked. Most North American domains end in .com, .net, .org or .ca, although some other new ones are gaining popularity. Phishing and hacking sites are often hosted in countries where law enforcement is not as likely to catch them, so unless you're looking for something specifically in China, avoid domains ending with .cn, for example. Once you've clicked the link, if you see a lot of pop-ups or the page is not what you expected, leave. Close your browser and any pop-ups. It may already be too late, but there is a chance that you've been quick enough to avoid a "drive-by download".

The Internet is a wonderful tool, but like anything popular it attracts people who hope to profit from people who don’t know how to protect themselves. If you leave your purse on your car seat and your windows down, chances are that it will be stolen. Basic protection will help avoid the majority of threats.

Need Help Choosing an IT Service Provider?

Deciding who to call when you have a computer or network problem can be a very difficult task. Labour rates probably play a role, but they certainly aren't the main thing that differentiates providers. How do you know that the person you're calling has the knowledge to correct the issue properly? So the question is: what criteria can you use to determine the skill level of a given company or technician in helping you with your company's IT?

The computer industry has many certification standards with varying levels of value to different types of clients and businesses. The first widely recognized and respected certification in the industry was Novell's Certified NetWare Engineer (CNE) certification. Probably the most well known today is Microsoft's Certified System Engineer (MCSE) certification, which focuses on Microsoft server software. Both of these certifications test functional knowledge and configuration techniques for a specific operating system, but neither can test real-world troubleshooting ability, communication skills, experience, or basic computer and network knowledge.

In the late 1990s, with the dot-com boom and the growth of IT, the industry became flooded with people who were referred to as "paper CNEs". This term referred to people who were good at writing tests and absorbing book knowledge, but who ultimately did not have the necessary skills to support computer systems and networks. As a result, both of the above-mentioned certifications lost a great deal of credibility. In addition to this trend, many software and hardware manufacturers started to look at their certification programs as profit centers instead of break-even service programs. The Computing Technology Industry Association (CompTIA) saw the gap between the manufacturer-specific certifications and created the A+ certification to test basic knowledge, communication and troubleshooting skills, and has since added a number of other more focused certifications in areas such as networking, servers and security, to name a few.

While certifications do have some value for someone looking to find assistance, there are better measures available. Reputation is probably the best test of a person or company’s skills. If someone is recommended by a trusted source with firsthand knowledge of someone’s abilities, then a foundation of trust has been offered.

Experience, while sometimes misleading, shows that a person has been able to stay relevant in a changing and challenging industry. A company with a varied technical team and a culture that promotes collaboration will offer the combined experience of the whole team, which enhances its ability to address a wider range of technology challenges.

Communication is also an important quality. The most important step in troubleshooting a problem is understanding what the problem is. You should feel comfortable that the person you are dealing with has taken the time to fully understand what the issue is that they have been asked to address. Computers are complex devices with many variables that can affect how software, hardware, and humans interact. Unforeseen problems will arise regardless of a technician’s skills and experience, so it is important to know how these problems will be addressed as well.

There are always exceptions and exceptional people so these are merely guidelines to help put you on the right path. Everyone’s specific needs are also different so there is no one company or person that would be considered the best or “guru” in all cases. Select someone who you feel will meet your needs, but don’t be afraid to change if they are not a good fit.

Basic IT Solutions has been helping small and medium-sized businesses in the Lower Mainland with their IT needs for over 30 years. We can handle everything from project planning and deployment to outsourced service. Contact us today for all your IT needs!