Opinion: Four laws Congress needs to pass now to boost computer security
Laws need to require companies to take steps to prevent computer crimes, not react to them
Computerworld - Even though we have a new Congress, I doubt that much will change with regard to computer security. While a law related to identity theft will probably be passed in one form or another, I expect that it will be trivial and not deal with preventing the theft of individuals' personal information. Corporate lobbyists have proved themselves to be too adept at manipulating members of Congress so they don't pass laws requiring companies to be proactive, especially with regard to security measures.
Identity theft is a symptom of poor computer security. There are two underlying methods of identity theft: hacks of vendor computers, and client-side attacks. Vendor hacks are the result of poor security on the part of the vendor and often lead to the theft of thousands, or millions, of credit card numbers, at once. The laws passed in this regard basically state requirements that vendors have to follow once data is stolen. However, they do not lay out computer security requirements. The hope is that if vendors have to act if their security fails, they will try to better protect themselves. All you have to do is browse Computerworld.com to see how well that's working.
Congress, however, has taken no action to address client-side attacks targeting the end user. These include phishing, keystroke logging and virus attacks. The underlying enabler of these attacks are the bot networks that grow unchecked. Botnets are networks of PCs that have been compromised by a remote attacker through known vulnerabilities on the PCs. The attacker then has the compromised PCs do his bidding without the knowledge of the PCs' owners.
Bots send out billions of spam e-mails and their evil cousins, phishing messages. Just as important, bots are used for distributed denial-of service-attacks. DDoS attacks use thousands of computers to simultaneously send data packets to a victim's computer to overwhelm the computer and the supporting network infrastructure. The attackers then use the DDoS attacks to extort money from owners of various Web sites. For example, it's common for online gambling sites to be threatened prior to a major sporting event, where the attacker will say, "Unless you pay me $50,000, I will take you down for a day before the event." A successful attack could cost a good-sized gambling site more than $1 million.
Likewise, DDoS attacks have targeted critical elements of the Internet, such as the root DNS servers. Those attacks have crippled segments of the Internet for periods of time. It should be expected that similar attacks will occur in the future and will attempt to do even more damage. Frankly, I believe that if there is a significant Internet attack, it will involve bot networks.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts