Wednesday, December 31, 2008

Review of My 2008 Security Predictions

OK, so other bloggers are not doing it, maybe they are too shocked by The Death of the Internets, 2008 Edition, Rel. 2.0. I will, however! Namely, I am going to revisit my 2008 predictions, posted here. BTW, I disagree that year-end predictions and reflection are a waste of time. I think that whenever you do it, it is useful to think and reflect about the long term.

So, here are the predictions (in italic) and how they did (in regular) after about 12 months of “facing reality.”

Platform security:

  • Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.

This prediction was too safe; and also not too specific! Vista definitely did not make us secure. I can suggest that the “people start to actually use it” part was a failure and Vista is NOT yet in wide use (definitely not on the corporate side). There was not much public “Vista hacking” and few critical Vista vulns. On the other hand, Vista is not a security failure; it is just a regular one :-) So, is Vista the new OS/2?

  • Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"

Just like the previous one, this prediction was not too specific. I think we can claim that Mac hacking has increased and a few critical Mac vulns cropped up. However, I don't have the metrics to prove it. Definitely, the idea that “Mac = secure” has shrunk in popularity down to its minimum value: the size of the Mac fandom :-)

  • Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.

Yes, yes and yes! As Jeremiah said, web application hacking has finally arrived (after a few false starts). However, I will call this “a pussy prediction” since it was so easy to get right. In any case, go check your website for SQL injection, it is probably 0wned already :-)

Vulnerabilities:

  • 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

I’d say, “a miss,” despite all those fine folks 0wned thru IE 0days: a good zero day attack story still makes news. BTW, check Pete’s “0day tracker” here.

Hacking, data theft, etc:

  • Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!

I wanted to link to Rich’s Amex example here, but why bother? The whole root CA fakery is a much, much, much better example (brief, details, for laymen). Fake sites –> fake SSL sites is definitely an ominous possibility (even though this particular issue is not that scary [more cool than scary!], it illustrates the point).

  • Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...

This one makes for interesting thinking about why it did not happen; surely there is a massive fun factor in sending some sewage towards your enemies. I'm happy to be correct here, but I was predicting that something major and world-changing would NOT happen, so the Feynman paradox is on my side.

  • Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...

Do I really have to comment on this one? Is there anybody with a semblance of a brain who expected 2008 to be the year of “cyber terrorism?” This was a safe one; an ultimate “pussy prediction.” Easy to get right for the same reasons as the previous one, about SCADA.

  • A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.

Ok, I missed this one – no “TJX 2.0” this year. I seemingly forgot about the famous Feynman paradox (see book), which says that if you predict the status quo, you’d be right more often than not. Still, I think that the current onslaught of security breaches is not the worst we have seen, not by far.

Malware:

  • The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)

This one was a no-brainer; another “Fuzzer prediction.” In fact, I think that everybody who predicts it either is retarded or has something to sell.

  • More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
  • Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...

These two go hand in hand! Worms did NOT come back while bots proliferated. Unless folks invent new and cool ways of making money with worms, we are looking at further bot development. I’d say that it slowed down a bit since our defenses are so far behind. BTW, what were the latest infection numbers for bots? 30% of all desktops? 60%? 87%?

  • Facebook malware/malicious app = yes. This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy." On the flip side, there is not that much to steal off Facebook accounts ...

A miss. My guess is that there is still not much to steal from Facebook accounts (well, maybe that picture :-)) I think social networks will become more than an insignificant source of malware, just not today.

Compliance:

  • PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)

I am proud of this one, actually, and not only because of my job title. So many sore losers have predicted that PCI momentum will fizzle. No such “luck.” While some people criticize it for specific requirements or missing things here and there, I swear that those who paid ABSOLUTELY NO attention to security now do it ONLY because of PCI. As a result, PCI DSS –> the world is a safer place for everybody!

  • ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Ok, I took the cowardly route here too; I should have said “no” (not “maybe”) and I’d still be correct. In fact, I think that even all this work on ISO2700X will NOT make ISO popular in the US.

Risk management:

  • Will we know what risk management actually is in the context of IT security = no. Some people (e.g here) might, but not the majority. And don't even get me started on security ROI :-) This part of the security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Darn it, I stand by it. We still don’t know jack about how to apply “risk management” (aka “sometimes you think you manage risk, and sometimes the risk manages you” :-)), but there are some really good attempts at it.

Security technologies:

  • eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)

Yeah, there was some noise, but not as much as I thought. So, maybe we’ll call it a miss.

  • Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption would be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)

It has not happened yet, so we will call it a hit. I do think that in 2009 it will get there though (I am typing this on a laptop with an encrypted hard drive! :-))

  • NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)

A hit, for sure. Was I the first to predict the demise of NAC? Probably not. In fact, Gartner folks make fun of some NAC predictions here. “You know what we said about NAC becoming a $2B market that will achieve 100% enterprise penetration in 2008?” Bua-ha-ha-ha.

  • More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.

Hard to say; I am tempted to say that it is a hit, but the inertia of “Big AV” is still too huge.

  • Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!

Seriously? As ridiculous as ever. I will NOT be shocked if some academic invents a new anti-worm solution :-) Ya know, to stop Blaster, Slammer and their ilk.

  • Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, maybe!

Again, this was an easy one. The tricky part is to predict when it will become mainstream, or whether the economics will keep it in a niche. Here is a thought: maybe it will become mainstream WHEN somebody makes it easy!

No, no and no. A hit, for sure. Please remind me of the latest DoD deadline for IPv6? 2004? :-)

Security market:

  • Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data.

Well, PCI is making it so, but sooooooo slowly. I guess I phrased it safely (“start buying”) and so it is a hit, but I’d say that it will take more development before smaller organizations will even get a chance to become secure.

  • More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!

He-he, funny you’d mention that :-) Of course! Yes, definitely a hit. The question is who will make it work next.

  • 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

A hit, a counter-intuitive one for some.

Logging and log management:

  • Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.

This is true to a large extent, but I will not say that “everybody is doing it” so it is a partial.

  • Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...

Starting – yes, but definitely not en masse. I think log standards work (CEE) has to be more advanced before application logging and log analysis will spread.

  • Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. In the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

A nice fat piece of wishful thinking on my behalf. Log storage is still largely the state of the art, even though I trust splunk folks will help advance this one.

Dark horses, that will influence security in a major but unknown way in 2008:

  • Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.

This one gave a lot of people a lot of reasons to talk about fun stuff (Hoff comes to mind). Will I call 2008 a year of virtualization security? No, probably not.

  • Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

This one will also have to wait. If you think about a) security b) privacy and c) compliance, then c) holds MUCH more mindshare today, sadly.

Conclusion: my personality type is hereby labeled “successful but cowardly predictor” :-)

2009 predictions are coming soon!!! Yes, they are!!

Tuesday, December 30, 2008

Woooooow....

'The cat is out of the bag : The title of the talk “Making the theoretical possible” has been changed to “MD5 considered harmful today: Creating a rogue CA certificate”.'

OK, this IS seriously cool. And, yes, as usual there is always somebody who just knew it before :-)

Live stream here somewhere.

Monday, December 29, 2008

On 2008 (!) Security Predictions

Notice how few people (one example, Rothman will do it of course) actually go back to their past year predictions (all 2008 predictions via my delicious tracker) and review them. Is it because more than a few of those predictions are retarded? I dunno... I am working on my 2008 predictions review as we speak.

And, BTW, I am baaaack! Kauai is indeed as awesome as people said :-)

Friday, December 19, 2008

No Blogging Next Week

No blogging and twittering next week. I am off to warmer places.

BTW, if upon return I won't find at least a dozen of cool security predictions from my fellow security bloggers, I will kick your blogging ass ;-)

Finally, Somebody Said It Like It Is...

So, I was writing a long blog post (still to be finished) about how I read some stuff people write about "cloud security" and laugh. Why? They write about cloud security and cloud-based security services, but we DO it. Now somebody said it really well here:

"Cloud computing is all the rage now.

But Qualys, a fast-growing Redwood City-based network security firm, was a pioneer in offering computing applications and services over the Internet when it was founded in 1999."

Think about it ... you are writing about it in 2008 and there is somebody who has been doing it since 1999.

OMG, I Started to Be Known As ...

... as @anton_chuvakin (example)

I am NOT @anton_chuvakin, I am Anton Chuvakin :-)

Thursday, December 18, 2008

On Infosec-related Cat Names

Don't ask me to explain it, but you can vote in my newest poll about the best infosec-related cat names here. As usual, results will be posted here.

Finally, I'd hate to bias the poll for you, but I suggest that you vote for "Fuzzer."

UPDATE: infosec cat story takes on a life of its own.

UPDATE2: Fuzzer is winning!

On "IRS Doesn't Check Cyberaudit Logs"

As reported by Ken Belva from bloginfosec.com, "IRS Doesn't Check Cyberaudit Logs" (Slashdot, original source): "The US Internal Revenue Service's IT staff hasn't routinely checked its cybersecurity audit logs, according to a report released this week by the agency's inspector general's office."

SHOCKING ... or PREDICTABLE?

Come on.... is there anything shocking in infosec?

When Is the “Solutions Before Problems” Approach OK?

So, they say that dumb overeager salespeople push “what they have” no matter “what the customer needs” – and, more often than not, end up with BOTH an annoyed customer and some damage to their employer’s brand (yes, it might be all about his/her personal sleaziness, but it DOES damage the employer’s brand!). On the other hand, it is said that a smart salesperson will always inquire about “what problem does the customer have?” and then position/describe his wares accordingly, IF they are indeed a fit for his needs.

I happen to agree with this and think that problems should be visible before solutions are unpacked. Other people mention it as well (recent example from Andy’s blog and its continuation, and then here and again here; read it – it’s fun!)

However,  what happens when a customer insists: “tell me what ya have!”  There are, curiously, many versions of that, when a customer confronts you with something like this:

  • “You guys are experts; tell me what I need to be doing ‘to be OK’”
  • “Please tell me which options I should enable”
  • “Just give me a document explaining how I can “be secure” using your product”
  • “You tell me which one is the best!”

(all above examples are fictitious, but “inspired by true stories”)

I can fight it (and I did fight it on a few occasions in the past, actually, insisting on problem description), but it creates a bizarre paradox:

“Customer is always right” + “problems before solutions” + “customer wants to hear about solutions first” = ?

Just sharing an observation… 

Thursday, December 11, 2008

On Retarded Year-end Security Predictions

‘Tis the season to predict (prediction tracker), BUT it is also a season to make fun of others’ idiotic or super-trivial predictions. Let’s start NOW!

“More activity from the cyber underworld” (here) - ya know, hackers will hack, phishers will phish, spammers will spam type stuff we need more of :-) Deep, deep insight in this one.

“Computer users can expect to see more spam” (here) - now that we are on the subject of spam :-)

“Someone will unplug the Internet” (here, sadly) – no comment, really.

“SCADA <anything REALLY bad>” (here) – to be really honest, I have not really seen it yet this year so no link, but it will come. Help yourself to previous year embarrassments :-)

“The space <insert this vendor’s space> will be all the rage in ‘09!” (many) – if you are a NAC vendor saying this, you get 10x of the idiocy points. Congrats, you are now in prediction biz too :-)

“Year of mobile malware AGAIN AGAIN AGAIN AGAIN AGAIN” (here) – the number of dangerous mobile viruses will grow 700% from 1 to 8 :-) [OK, I admit there are more than that, but what is their risk today?]

This would have made it into a wonderful entry of “Nobody Is That Dumb ... Oh, Wait XI” (a long-forgotten series on my blog).

Wednesday, December 10, 2008

DLP Works – If You Know What “Works” Means!

I’ve been reading all the recent DLP-related stuff (esp. Rich’s “Analysis Of The Microsoft/RSA Data Loss Prevention Partnership” as well as this DLP gem, “My Wife Finally Knows What I Do”) and thinking a bit about it. Also, I have to respond to a few folks who hold a somewhat naive belief that “DLP technology is a solution in search of a problem.” Nah, it is actually a good workable solution for a specific problem; hilarity ensues only when you start thinking that DLP will address all your data security needs ... So, if “a magic bullet” is a bullet that you can shoot ANY monster with – and it would die, DLP is not a magic bullet (nor is it a silver bullet that can, if my fantasy skills serve me right, kill any undead monster :-))

As my previous DLP musings (here and here and here) mentioned, using DLP tools will solve some of the real problems that people have today; that much is established. However, two questions remain:

  1. Will you have to kill yourself and ravage your IT environment in order to apply it successfully?
  2. Will it stop/detect all the leaks, with the sad exception of those that you actually care about?

I do think that there are tools that actually solve the problem of a) accidental leaks over a set of network channels and b) a specific set of malicious leaks over a set of network channels, and do that without massive ‘collateral damage’ to your mental sanity and IT infrastructure. And, to top it off, they do it without falling victim to questions #1 and #2 above. If you want more (like, a box to stop ALL malicious leaks without any work on your part) … well…. me too :-)

In light of the above, I don’t think that DLP is “another NAC” (which is as good as gone now that even Cisco is not doing much of it.) The reason DLP is not another NAC is: it solves a much more isolated problem of discovering, learning and then detecting/blocking the movement of specific content. Maybe “DLP fused with DRM and embedded into an OS” will indeed turn out to be a NAC-sized boondoggle, but a clean DLP box that does a few things well AND runs in an environment where these same things need to be done deserves to be deployed.
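The “discovering, learning and then detecting” loop above, as an added example that is not code from the original post or from any DLP product: two of the content-detection techniques such a box relies on, side by side. The first catches described content (card numbers, with a Luhn check so that order IDs and phone numbers are not flagged); the second catches registered content by fingerprinting word windows of a protected document and looking for them in outbound text. The protected document, the four outbound messages, the window size and the match threshold are all constructed for this demo (hypothetical data, nothing from the post).

```python
"""Minimal content-aware DLP check: described content (Luhn-valid card
numbers) and registered content (word-shingle fingerprints of a document).
Added example; all data and thresholds below are constructed for the demo."""
import hashlib
import re

# Constructed protected document to "register" (hypothetical, not real data).
PROTECTED_DOC = (
    "Project Fuzzer quarterly revenue forecast: the board expects a twenty "
    "percent decline in the fourth quarter and will announce a restructuring "
    "plan on the first of March."
)

# Constructed outbound messages (fake data, not real traffic).
SAMPLE_MESSAGES = [
    "Hi, can you charge the card 4111 1111 1111 1111 exp 12/10 for the invoice?",
    "Shipping update: order 1234567890123456 left the warehouse today.",
    "FYI, pasting from the deck: the board expects a twenty percent decline in "
    "the fourth quarter and will announce a restructuring plan. Keep it quiet.",
    "Lunch at noon? Call me at 555-123-4567.",
]

# 13-19 digits, optional spaces/dashes between them, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked (first 6 / last 4) card numbers found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def _tokens(text: str) -> list:
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = 5) -> set:
    """Hash every k-word window; only these hashes are stored, not the document."""
    toks = _tokens(text)
    return {
        hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()
        for i in range(len(toks) - k + 1)
    }


def matched_shingles(text: str, registered: set, k: int = 5) -> int:
    """Number of distinct k-word windows of text that match registered content."""
    return len(fingerprint(text, k) & registered)


def scan(text: str, registered: set, min_shingles: int = 3) -> list:
    """Findings for one message as (rule, detail) tuples; empty list means clean."""
    findings = [("PAN", masked) for masked in find_pans(text)]
    hits = matched_shingles(text, registered)
    if hits >= min_shingles:  # threshold keeps a single shared stock phrase quiet
        findings.append(("PROTECTED_DOC", f"{hits} fingerprinted windows matched"))
    return findings


def scan_all(messages=SAMPLE_MESSAGES, doc=PROTECTED_DOC) -> dict:
    """Scan every message against the registered document: index -> findings."""
    registered = fingerprint(doc)
    return {i: scan(m, registered) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for i, findings in scan_all().items():
        print(i, findings or "clean")
```

Two design points matter more than the code size: the registered-content side stores hashes of word windows rather than the document itself, so the DLP box does not become a second copy of the crown jewels, and both detectors are deliberately narrow (a Luhn check, a match threshold) because the false positives are what make people rip such boxes out. Channel coverage, blocking and the discovery crawl over file shares are the other parts of the loop and are out of scope for this snippet.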

BTW,  NextTier (where I am on the Advisory Board) is now listed in “10 IT security companies to watch.” While some companies from past years fared disastrously, I think workable DLP technology that people can use without killing themselves with massive data classification has a better future than that. BTW, NextTier is doing a beta program for a new release soon. Interested?


Tuesday, December 09, 2008

Fun Reading on Security and Compliance #10

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #10, dated December 8th, 2008 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is relevant after a few weeks of “cooling down,” it is even more worth reading :-)

  1. “SOA Security in Real Life” – if you have to read up on SOA security, you really MUST do it at Gunnar’s site :-) Fabulous quote: “Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.”
  2. Bad? Buahahaha. “When it comes to offensive information security, we ain't seen nothing yet,” opines Dave Aitel (he is probably right :-()
  3. Are you “secure” ONLY because you didn’t let your auditor see your FAIL? The ugliest “security by obscurity” revealed. A quote: “Can a company be at the forefront of security and still maintain a cost/profit/edge over the rest of their market?”
  4. SaaS security fun: “You versus SaaS: Who can secure your data?” and “Cloud Providers Are Better At Securing Your Data Than You Are...”.
  5. Mike Rothman vs eBay fraudsters, an epic battle (a spoiler: Mike wins :-))
  6. “Myth or truism? Security experts judge conventional wisdom” – it is from NetworkWorld, but it is not that bad, actually :-) It does contain some peculiar bits of “weirdom:” “Q: Regulatory compliance is a good measure of security. A: Lacey: Yes, it is. I have always found a direct correlation between the number of controls implemented and the level of incidents and vulnerability. Selby: (laughter)” This one is fun though: “There are lots of ways to measure security ROI, all of them flawed.” Guys, care for another ROI mudfight? :-)
  7. Fun insight from Gartner on ‘security as insurance’: “Is Information Security Spending At All Like Insurance Spending?” (picked via Mike R here)
  8. Does your business depend on intellectual property (IP)? Duh, isn’t [almost] everybody’s? Well, “Intellectual Property: Develop or Steal” reminds us that if your competitors decide that stealing is cheaper than developing a particular IP, then steal it they will (well, maybe in the US most won’t, but in some other countries most definitely will…)
  9. I am sure everybody read Rich’s “Don't Fight the Future.” No????!!!! GO-READ-NOW! Yes, it is that good!
  10. Finally, “On the difficulties of event correlation”: “You wouldn’t know it by the number of vendors and products on the market, but event management and log correlation is really, really hard.” – it also describes it as “woefully inaccurate” and “stunningly misleading in some cases.”

Special “PCI DSS is fun!” compliance section:

  1. REALLY insightful post from BeastOrBudda: “PCI DSS Compliance Projects - The road to nowhere….” I do disagree with a few pointers there (e.g. that “all PCI projects are security projects” – I think NOT enough of the PCI projects are security/risk management projects!); otherwise, it is golden. A quote: “If anything, PCI DSS has demonstrated that across the world, very few organisations have ever taken security seriously.”
  2. “International Challenges in PCI Security” from CSO Magazine.
  3. A VERY interesting discussion on PCI “in the cloud”, MUST read “Please Help Me: I Need a QSA To Assess PCI/DSS Compliance In the Cloud...” and then MUST read “PCI Compliance in the Cloud: Get it in writing!” and then MUST read “Cloud computing security and PCI.” Also, MUST read the discussions for these; it is actually not as esoteric as it seems (albeit, pretty darn esoteric still :-))  When you are done, read this too.
  4. “Do someone know who is responsible for checking the merchants self-assessment questionnaires from the PCI-DSS program?” He-he, uh, no :-) [this means “nobody apart from your acquiring bank, in most cases”] Fave quote: “If you mark an SAQ as 100% compliant and have signed it off yourselves, the acquirer will not do any further checks.“ :-(
  5. Actually fun: PCI word cloud. Notice the big word in the center? VERIFY!
  6. This almost beat the “fire extinguisher-as-firewall” story: “One day he received a deduction from his deposits in the amount of $130 for “PCI compliance”. He called up his gateway and found out it was an automatic charge for an online form he had to fill out. He filled out the form and it turned out he failed compliance. Why? Because when asked “do you have a bonded company take your backup tapes off-site” he said “No” because it did not apply to his business. So he called the gateway back and they said to “Fill out YES to every question so you can pass.””
  7. Dave Taylor’s “Are Your Stores Worth Stealing From?“  BTW, I am amazed that so few people know about the PCI Knowledge Base at KnowPCI.com. There is some really useful stuff on PCI.
  8. Another time, another smart guy reminds everybody “Beware PCI DSS Compliant solution vendors.”  Scammers are out there though. A good quote: ”The purpose of PCI DSS is to reduce risk. Risk can be reduced by reducing complexity. Increasing complexity increases risk.” If you don’t heed this advice, I got a PCI-compliant bridge to sell you!
  9. While we are on the subject, more noise on PCI and virtualization (nowadays, I guess, no paper that a) fails to mention Hoff and b) mentions virtualization has any credibility :-))
  10. Old news, but an important reminder: “QA for QSAs” is finally here. If you are a shady QSA, hopefully the council will find you and kick your ass. Or, “arse”, if you are in Europe :-)

Enjoy!

Monday, December 08, 2008

My 2009 Annual Predictions Tracker

As in the past few years, I track all the end-of-the-year security predictions:
http://delicious.com/anton18/security+predictions+2009

There are a few there already, so start obsessing about them :-)

Also, I suggest other bloggers start making fun of others’ FAIL'ed :-) security predictions.... please don't be shy...

Is This?

Is this how YOUR security program is structured too?

Sunday, December 07, 2008

Friday, December 05, 2008

HIPAA Humor

As you know, misspelling HIPAA (I am NOT going to type it here in its wrong form ... it makes me want to puke) is one of my fave pet peeves. I have long fought this without much success (apparently) as otherwise intelligent people keep doing it. Here is one recent example.

Please make fun of them so that they will stop :-)

UPDATE: others have been just as outraged about it, for years (quote: "AAAAAAARRRRRRGGGGGGGGGHHHHHHHHHH!!!!")

UPDATE2: here is an easy tip for remembering this, if you are a security vendor: each time you spell HIPAA with two "P"s, think that you are posting a note at your website that says "we are retards; we don't care about compliance and our customer needs; we just want to make money and fuck you." Better now?

Wednesday, December 03, 2008

One More Bit On "Compliance First"

I did say that I am writing a longer blog post on that ("Scary Tales from 'Compliance First' World"), but I just can't resist.

Yes!, Yes!!, Yes!!! - everybody smart and security-savvy KNOWS: focus on security, risk management first AND whatever compliance du jour will come. "Security first" mantra works, it just works.

But you know what? I am constantly SHOCKED since I notice a volume of people who INSIST on "compliance first" AND in silo'ed, regulation by regulation way. OMFG!

Tuesday, December 02, 2008

Monthly Blog Round-Up – November 2008

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (!), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. Amazingly, this month by far the #1 post is my “Blogging from DeepSec 2008 in Vienna.” DeepSec was indeed an awesome conference.
  2. Last month, I said that “SIEM bashing reached a new high.” OMFG. What should I say now? I dunno. In any case, “11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!"” is on the top list. BTW, “On Open Source in SIEM and Log Management” is also again on the top list, to much of my amazement.
  3. Again and again, PCI compliance is obviously still all the rage: MUST-DO Logging for PCI? post was again propelled to a place in my monthly Top5 list.
  4. Get a firewall AND a fire extinguisher, now, will ya? Is it too much to ask? :-) The post “On Small Companies and PCI Compliance” is on the Top list.
  5. Shockingly, AGAINx2 :-) this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up on the Top list. BTW, see my other logging polls and my other “top 11” lists.

See you in December. Also see my annual “Top Posts” (2007)


Dr Anton Chuvakin