Flyslinger2
Community Champion

Planes, trains, automobiles and fish bowls ...

O.K. so the fancy people in the world call them aquariums, I grew up surrounded by corn fields thus my description.


What troubles me about this is the last statement that the former bureaucrat made: "It's probably one area where there'll likely need to be regulation for minimum security standards, because the market isn't going to correct itself," he said. "The problem is these devices still work — the fish tank or the CCTV camera still work."


I'm all about the pressure of the consumer, the power of the media, and the wisdom of all CISSP pros to hold manufacturers' feet to the fire regarding their products.  I'm a little o.k. with some regulation for the protection of individuals' data. I am NOT o.k. with mind-numbing political buffoonery when it comes to the creation of stifling regulations that slow the speed of progress.


Thoughts?


5 Replies
Shannon
Community Champion

A market is driven by demand, and can be controlled by regulations. If you look at these 3 factors in terms of their contribution and relevance to security, we'll get something like this:


  • Market: Entities marketing a product / service may not care much about security, so long as neglecting to factor this into what they market doesn't impact their business.
  • Demand: Entities using a product / service will be happy if it's convenient, either unaware of the risk due to a lack of security in the same, or preferring to accept it.
  • Regulations: While marketing may have to comply with these, their enactment & enforcement usually depend on the support of the 'masses' for the cause.

In a recent thread we talked about the risks of using virtual assistants, and it was concluded that since these are unavoidable, the most we can do is adapt to them. A security-aware person might refrain from using them; someone who's not aware or unconcerned may enjoy the convenience they offer. At the same time, the regulatory authorities can't simply ban them --- for multiple reasons.


It all boils down to user-awareness, and since regulations that simply limit the provision of popular products or services may be ineffective, they could be initially 'softened' to enhance awareness and control use.


(An example is cigarette smoking. Once upon a time, it wasn't regulated and no one was aware of the risks. Nowadays, while the product is still on the market, regulations in most places mandate that cigarette packs bear a warning banner, and smoking is usually restricted to certain areas in public places.)


Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
CISOScott
Community Champion

Well I think it is an evolving spectrum. It goes in a cycle.

Something starts out and until it either becomes very popular or starts getting dangerous it can go without regulation.

Here in the United States there has been illegal gambling since people got off the ships. Until gambling became popular or people started having problems with it, the government saw no need to regulate it.

The government decided it wanted to get a piece of the action so it started regulating it.

Not only the government but the people can generate regulation as well. Look at unions. They started out to serve a purpose. Working conditions were becoming too hazardous or too cumbersome on the workforce. People unionized and fought back against the employers. Then the government stepped in and created regulations. But the unions didn't go away.

I think that regulations have their purpose in a world where people do not use their common sense or act with common decency. It helps enforce the way people should act.

rslade
Influencer II

> Flyslinger2 (Contributor I) posted a new topic in Industry News on 08-14-2018

> O.K. so the fancy people in the world call them aquariums, I grew up surrounded
> by corn fields thus my description.

"Fish bowls" is probably the right description in this case, since we are, again,
talking about IoT, and IoT is making sure we all live in fish bowls.

(And, of course, we live in a world increasingly governed by technology, where a
huge majority of the population are not only ignorant of the technology
governing them, but *proud* to be ignorant! The news last night was full of
"Google knows where you are even if you turn off "Location!" stories. Really?
This is news? You didn't know this? You didn't know that, even if you turn off
GPS there are three, completely different, means of locating your phone? That
are being used constantly? You don't want to be tracked? Get rid of your phone.
And, no, Android isn't to blame, since the same day that the entire media was
running the Google story, everybody was ignoring the fact that Apple admitted
that Siri was listening to you all the time. Technopeasants.)

>   What troubles me about this is the last
> statement that the former bureaucrat made: "It's probably one area where
> there'll likely need to be regulation for minimum security standards, because
> the market isn't going to correct itself," he said.

Well, I'm always worried about statements made by bureaucrats, but he's right.
Adam Smith's invisible hand is complicated, and it'd take a long time for
companies that make insecure products along this line to go bankrupt. And a lot
of people will be hurt along the way.

>   I'm all
> about the pressure of the consumer,

These are the same consumers that have made skin care products a multi-billion
dollar industry despite the total lack of evidence that any of them do anything?
The same consumers that buy "cleanses" and "detox" products that do nothing?

> the power of the media,

These are the same media people who ran the Google stories yesterday (see
above)?

> and the wisdom of
> all CISSP pros to hold manufacturers' feet to the fire regarding their
> products.

These are the same CISSPs that pay dues to ISC2 to support the "community"?

>  I'm a little o.k. with some regulation for the protection of
> individuals' data. I am NOT o.k. with mind-numbing political buffoonery when it
> comes to the creation of stifling regulations that slow the speed of progress.
>   Thoughts?

Progress? Trying to connect cars, doors, and fridges to the Internet is progress?
Connecting toilets, dildoes, and sniper rifles to the Internet? I mean, who needs
an Internet-connected thermometer for a fish tank? The whole point is to keep
the tank at a constant temperature. You don't need to keep reading it or fiddling
with it.

"I have seen [progress] in an egg ... We call it going bad ..."
The Voyage of the Dawn Treader, C. S. Lewis

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
A great sailor can sail even with a torn canvas. - Seneca
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
denbesten
Community Champion

@rslade wrote:

I mean, who needs an Internet connected thermometer for a fish tank? The whole point is to keep the tank at a constant temperature. You don't need to keep reading it or fiddling with it.

You are thinking of a thermostat.


A thermometer is just a monitoring device. Connecting it to the Internet adds alerting capabilities.  Someone with a million dollars' worth of fish likely values monitoring and alerting a bit differently than most of us.


Given that casinos understand physical segregation extremely well, one would think that they would have placed a greater emphasis on data segregation.  The worst that should have happened from this exploit is a fish-fry.


DAlexander
Newcomer III

Whether it's monitoring the temperature of a million dollars' worth of fish or of IT equipment, network-connected temperature monitoring devices are well worth considering in layered physical disaster defense plans.