transaction. This would not need to be overly rigid or unbending, but able to flex with each
situation. No environment is the same; however, the underlying needs and actions are the same.
The FDA has noted the industry is at a crossroads of InfoSec and technology (Schwartz, 2016).
A unified InfoSec platform would be beneficial to the specific industry, the overall industry,
consumers, and government, with this single source of information and guidance to be applied.
There needs to be an action to bring this all together. This would ensure the relevant, germane
parties are all operating under one set of rules and know what to apply in order to comply. This, as a
by-product, would also reduce the opportunity for ambiguity. With one set of standards being in
place, deployed, and actively implemented, this would ensure the best practices are being
reviewed and applied day-to-day, and not simply sitting on an e-shelf collecting e-dust. As an example,
SHA-1 would not be implemented, while SHA-2 in one of its digest sizes would be.
This would be used as a better means of applying security to each endpoint or transaction. The
entities involved would clearly know the industry best practices as mandated by the appropriate
standard. The parties would clearly know these would be required to be followed. There would
be little doubt about what security protocol and action to apply. For instance, legacy systems tend to
use outdated security practices. This is due to several factors, including these systems simply being
difficult to update and the update being cost-prohibitive. Although there may be hindrances to
updating the system and its security, it is still prudent to update the application. This may add value
to the application and its usage; however, the costs may not be able to be passed on to the clients.
The unified InfoSec protocols would remove the guesswork in this industry. The appropriate
parties would know what standard and protocol to apply to a given project. Everyone in the industry
should be working to the same set of standards. Any future changes to the protocol would be well
publicized, and the germane audience would be notified so that the change is well known. This may
be communicated with press releases, email updates, tweets, and other accepted methods.
With a set of enforced standards as a simple baseline, issues with security would not continue
to abound. Without this, the attacks will continue. These may become more frequent in
occurrence and be larger. Future DDoS attacks may make the Krebs on Security DDoS appear
to be a practice run.
Method
The process to arrive at these standards should not be undertaken lightly. There needs to be an
abundance of caution and thought with this process. There would need to be a format for the
process. This would be utilized to form and approve the standards. This removes the potential
for ambiguity. With one format, all involved know what to expect. This would not be a
government committee, due to the potential political skew, which would be counter-productive. As
President Ronald Reagan is quoted, “The nine most terrifying words in the English language
are: ‘I’m from the government and I’m here to help.’”
These standards would need to be processed through a vetting process. This may be done with
a committee composed of academia and industry members. This brings together the many
11 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide