funsec mailing list archives
Re: Law Enforcement: Unprepared to Fight Worldwide Cyber Crime
From: "John C. A. Bambenek, CISSP" <bambenek.infosec () gmail com>
Date: Thu, 28 Feb 2008 09:45:35 -0600
The problem has been around for a long time and is multi-layered and none of the individual layers are being planned to be addressed, much less remediated. 1) There is still a skill gap in information security to law enforcement. There are specialists, but they are expensive and the expense doesn't map up on a cost-benefit scale. We haven't "lost enough", and what we have lost can be built into the cost of doing business with actuarial magic so consumers don't know (hell, researchers can't even figure it out) how much this costs us. We're all specialists, probably making close to 6 figs or above. Probably our average salary is three times that of a cop. 2) There is a gap between the rules we operate on, the rules many countries operate on, and the rules the "bad guys" operate on. When we can get someone extradicted who drops a radioactive sushi in downtown London, publicly assassinating someone, you aren't going to put the screwed to Joe Carder. 3) We put all our resources into reactive measures... and not just reactive measures, but reaction only after incidents of significance. We allow the bad guys to have the first win, 100% of the time. 4) We continue to retrofit systems designed decades ago for "offline" use, slap them online and don't even consider rearchitecting for a new reality. The development cycle is so short, and the pressure is to only make it shorter, that anything besides "functionality" is now superfluous and a "risk". j On Wed, Feb 27, 2008 at 8:58 PM, Paul Ferguson <fergdawg () netzero net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Personal note: The underlying statement here is somewhat... shocking. The chances of a "...second Internet.." emerging has a snowball's chance in hell of actually coming to pass, and shows the non-committal stance (and technical inability) of law enforcement to actually tackle the hard problems of cyber crime. Also, as an aside, this is primarily the job that I have taken in 2008 – outreach to law enforcement, ISPs, and incident response handling organizations (e.g. CERTS, CSIRTS, etc.) to build channels to stop these issues from continually falling through the cracks. The problem is very bad, and unfortunately, it looks like it might get worse before it gets better. We have our work cut out for us... http://www.internetevolution.com/author.asp?section_id=593&doc_id=147027& Hat-tip: /. http://slashdot.org/article.pl?sid=08/02/27/2310247 - - ferg -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) wj8DBQFHxiNnq1pz9mNUZTMRAvztAJ9UXqu5NUdwIAXxCgopO6r03MfWFgCgsQtg c2xoKns3EHdfFrB1oOhKMt0= =4FQ9 -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawg(at)netzero.net ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Law Enforcement: Unprepared to Fight Worldwide Cyber Crime Paul Ferguson (Feb 27)
- Re: Law Enforcement: Unprepared to Fight Worldwide Cyber Crime John C. A. Bambenek, CISSP (Feb 28)