Tuesday, December 09, 2008

Fun Reading on Security and Compliance #10

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is an issue #10, dated December 8th, 2008 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is relevant after a few weeks of “cooling down,” it is even more worth reading :-)

  1. “SOA Security in Real Life” – if you have to read up on SOA security, you really MUST do it at Gunnar’s site :-) Fabulous quote: “Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.”
  2. Bad? Buahahaha. “When it comes to offensive information security, we ain't seen nothing yet,” opines Dave Aitel (he is probably right :-()
  3. Are you “secure” ONLY because you didn’t let your auditor see your FAIL? The ugliest “security by obscurity” revealed. A quote: “Can a company be at the forefront of security and still maintain a cost/profit/edge over the rest of their market?”
  4. SaaS security fun: “You versus SaaS: Who can secure your data?” and “Cloud Providers Are Better At Securing Your Data Than You Are...”
  5. Mike Rothman vs eBay fraudsters, an epic battle (a spoiler: Mike wins :-))
  6. “Myth or truism? Security experts judge conventional wisdom” – it is from NetworkWorld, but it is not that bad, actually :-) It does contain some peculiar bits of “weirdom:” “Q: Regulatory compliance is a good measure of security. A: Lacey: Yes, it is. I have always found a direct correlation between the number of controls implemented and the level of incidents and vulnerability. Selby: (laughter)” This one is fun though: “There are lots of ways to measure security ROI, all of them flawed.” Guys, care for another ROI mudfight? :-)
  7. Fun insight from Gartner on ‘security as insurance’: “Is Information Security Spending At All Like Insurance Spending?” (picked via Mike R here)
  8. Does your business depend on intellectual property (IP)? Duh, isn’t [almost] everybody’s? Well, “Intellectual Property: Develop or Steal” reminds us that if your competitors decide that stealing is cheaper than developing a particular IP, then steal it they will (well, maybe in the US most won’t, but in some other countries most definitely will…)
  9. I am sure everybody read Rich’s “Don't Fight the Future.” No????!!!! GO-READ-NOW! Yes, it is that good!
  10. Finally, “On the difficulties of event correlation”: “You wouldn’t know it by the number of vendors and products on the market, but event management and log correlation is really, really hard.” – it also describes it as “woefully inaccurate” and “stunningly misleading in some cases.”

Special “PCI DSS is fun!” compliance section:

  1. REALLY insightful post from BeastOrBudda: “PCI DSS Compliance Projects - The road to nowhere….” I do disagree with a few pointers there (e.g. that “all PCI projects are security projects” – I think NOT enough of the PCI projects are security/risk management projects!); otherwise, it is golden. A quote: “If anything, PCI DSS has demonstrated that across the world, very few organisations have ever taken security seriously.”
  2. “International Challenges in PCI Security” from CSO Magazine.
  3. A VERY interesting discussion on PCI “in the cloud”: MUST read “Please Help Me: I Need a QSA To Assess PCI/DSS Compliance In the Cloud...”, then MUST read “PCI Compliance in the Cloud: Get it in writing!”, and then MUST read “Cloud computing security and PCI.” Also, MUST read the discussions for these; it is actually not as esoteric as it seems (albeit, pretty darn esoteric still :-)) When you are done, read this too.
  4. “Do someone know who is responsible for checking the merchants self-assessment questionnaires from the PCI-DSS program?” He-he, uh, no :-) [this means “nobody apart from your acquiring bank, in most cases”] Fave quote: “If you mark an SAQ as 100% compliant and have signed it off yourselves, the acquirer will not do any further checks.” :-(
  5. Actually fun: PCI word cloud. Notice the big word in the center? VERIFY!
  6. This almost beat the “fire extinguisher-as-firewall” story: “One day he received a deduction from his deposits in the amount of $130 for “PCI compliance”. He called up his gateway and found out it was an automatic charge for an online form he had to fill out. He filled out the form and it turned out he failed compliance. Why? Because when asked “do you have a bonded company take your backup tapes off-site” he said “No” because it did not apply to his business. So he called the gateway back and they said to “Fill out YES to every question so you can pass.””
  7. Dave Taylor’s “Are Your Stores Worth Stealing From?” BTW, I am amazed that so few people know about the PCI Knowledge Base at KnowPCI.com. There is some really useful stuff on PCI there.
  8. Another time, another smart guy reminds everybody to “Beware PCI DSS Compliant solution vendors.” Scammers are out there, though. A good quote: “The purpose of PCI DSS is to reduce risk. Risk can be reduced by reducing complexity. Increasing complexity increases risk.” If you don’t heed this advice, I’ve got a PCI-compliant bridge to sell you!
  9. While we are on the subject, more noise on PCI and virtualization (nowadays, I guess, no paper that a) fails to mention Hoff and b) mentions virtualization has any credibility :-))
  10. Old news, but an important reminder: “QA for QSAs” is finally here. If you are a shady QSA, hopefully the council will find you and kick your ass. Or, “arse”, if you are in Europe :-)
Dr Anton Chuvakin