Is there no standard or best practices for government computing, internationally? Because surely someone needs to be steering leaders who don’t know much away from locked-in proprietary solutions. Seems like a UN opportunity or something.
“Government computing” is way too broad a term for there to be a standard for it. There are many open standards for many aspects of computing, and adopting them is obviously a good thing, but every institution has different needs.
The trouble with publishing best practices is it’s a blueprint for how to break in, like publishing a map to your house with all the locks and cameras labelled. If you establish that 2 factor authentication is required, with SHA256 encryption and passwords at least 16 characters, numbers, upper and lower case, and special characters, changed every six months, then the hackers know what they need. They need to spoof someone’s cell phone, they know how long it takes to decrypt sha256, and they know if your password was FuckingBullsh1tsecurity!3 two years ago, it’s probably FuckingBullsh1tsecurity!7 today.
Sorry but that’s not how computing best practices and computer security work. We’re far beyond “security through obscurity”. Security now works on encryption schemes which are highly publicized and vetted by multiple parties. That goes in combination with protecting through policy like access controls, endpoint protection and monitoring, and security training.
Is there no standard or best practices for government computing, internationally? Because surely someone needs to be steering leaders who don’t know much away from locked-in proprietary solutions. Seems like a UN opportunity or something.
“Government computing” is way too broad a term for there to be a standard for it. There are many open standards for many aspects of computing, and adopting them is obviously a good thing, but every institution has different needs.
The trouble with publishing best practices is it’s a blueprint for how to break in, like publishing a map to your house with all the locks and cameras labelled. If you establish that 2 factor authentication is required, with SHA256 encryption and passwords at least 16 characters, numbers, upper and lower case, and special characters, changed every six months, then the hackers know what they need. They need to spoof someone’s cell phone, they know how long it takes to decrypt sha256, and they know if your password was FuckingBullsh1tsecurity!3 two years ago, it’s probably FuckingBullsh1tsecurity!7 today.
Sorry but that’s not how computing best practices and computer security work. We’re far beyond “security through obscurity”. Security now works on encryption schemes which are highly publicized and vetted by multiple parties. That goes in combination with protecting through policy like access controls, endpoint protection and monitoring, and security training.