Friday, February 20, 2009

Fun Reading on Security and Compliance #12

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is an issue #11, dated Feb 20th, 2009 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is relevant after a few weeks of “cooling down,” it is even more worth reading :-)

  1. An instant classic “The Security Laugh Metric” by Ben: “The laugh metric indicates a manager's lack of understanding of risk when presented with a security issue. For example, when a reasonable security recommendation is followed by a loud laugh, expect that the manager is probably only mildly aware of their security risks.”
  2. PHPbb “0wnage” – a fun read. Main content, some fun comments and password analysis. BTW, “password” is still a king of passwords :-) “In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.”
  3. Ben’s “instant classic” – “Are You Addicted to Information Insecurity?” Fave quote: “While smokers' actions are driven by cravings for nicotine despite the health hazards, information technology's actions are driven by users' desire for easy access to data, usability, and quick deployment, with a disregard for confidentiality, integrity and availability of that data. These organizations typically know the risk of giving short shrift to security (many have even been bitten by data breaches and malware outbreaks), yet continue with their insecure ways despite clear evidence of its hazards.”
  4. UK “infected hospitals” (here and here) is kinda disturbing. Would you prefer your surgical equipment crashed by a Windows Update OR by a worm, huh? Fave idiotic quote: “Mytob, which also goes under the name MyDoom, was introduced "accidentally" into the network with "no malicious intent," the report concluded without providing details.” This whole situation reminds me of Dave Rice’s “Geekonomics” - a clear route to clinical paranoia…
  5. “Thinking Strategically about Information Security Metrics” - we all know that metrics=fun, pretty much.
  6. From the “not good” dept: “Kaspersky breach exposes sensitive database, says hacker."  What can I say? SQL injection works! :-(  “A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims.”
  7. “Why doesn’t the security industry like regulatory compliance?” is pure gold. But then again, what do you expect from Mike “PCI DSS is my license plate” Dahn? :-)
  8. Mike Rothman on “Selling Fear,” a must read. Yes, FUD is alive and well (and useful at times for both infosec pros and vendors) - “Why not remind the customer they could get hit by a bus? Of course, I hope not - but it could happen.”
  9. Fun reflections on why a security startup died are here. Quote: “Whoever heads sales must be highly proficient in motivating sales people and ensuring that sales efforts are always on track. This person is in my mind the most valuable person in a software company.”  and “Ensure that you have a sufficient nucleus of highly proficient developers and quality assurance staff. ” Material like this makes perfect “reading between the lines?” :-)
  10. ATM theft case here (“Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes”) via Mike R: “… in reading James Heary's analysis of the event, my blood ran cold. This folks is the future of crime. It's kind of a "clicks and mortar" approach to crime.”
  11. Mike Fratto kicks some ROI butt in “ROI Is Not A Good Justification For Security;” some sore vendor ass tries to argue and Mike beats him up :-)  Time for a 3rd ROI war to commence?
  12. Discussion of “full-auto” patching is baaaaaack: “Should Microsoft Take You out of the Patching Question?” Fun quote: “I have no business making your patch decisions for you and neither does Microsoft. It's your job. And if your decision not to rush the MS08-067 patch resulted in a Conficker outbreak in your enterprise, well you and whoever else is responsible deserve to suffer the consequences. It's not Microsoft's fault; they made a patch available and told you how serious the matter was.”   I think we ARE ready for full-auto patching in SOME products.
  13. Laura’s musing on FISMA are here: “An agency could have exceptional security in place, but if the security mechanisms, controls, policies, and procedures are not well documented, or incorrectly documented, there is a good chance the agency could receive an F. Keeping that in mind, an agency that receives an F could possibly even have better security than an agency that receives a C or a B. If you have mediocre security in place, but you document the security controls, policies, procedures, and contingency plans at least well enough […], it is altogether conceivable that you could receive a better grade than an agency that has nothing documented, but has sound technical security controls in place.” Fun!
  14. Love or hate surveys, here is one more: “Latest Javelin Research Shows Identity Fraud Increased 22 Percent, Affecting Nearly Ten Million Americans: But Consumer Costs Fell Sharply by 31 Percent.”
  15. Gunnar Peterson sadly reflects in “Why Start Now?” that time to revisit old security models is NOT now, but 9 years ago :-) And flashes his now-legendary “firewalls+SSL” chart…

Special compliance section:

  1. First, “PCI Experts Around Every Corner,“ a fun read.
  2. Martin on “Evaluating the cost of PCI” has some fun links to think about: “When I was a security manager, I loved PCI because it gave me a really good reason to spend the money on the technologies I knew needed to be in place.” Another good one from him is “Are credit cards worth the risk?” with this useful reminder “Realistically, the option of ignoring PCI is there, but it’s something that is almost guaranteed to bite you eventually, not to mention the ethics and morality of a security professional ignoring security compliance.”
  3. “PCI actually never fails” argues with some of the points made in previous PCI writing.
  4. A very nice intro to PCI DSS 1.2 is “PCI DSS v1.2 in a Nutshell.”
  5. Thanks for reminding us that “The true intent of PCI compliance is NOT to pass an audit.” It kinda belongs in the Heartland saga (1,2,3,4), but I am not, NOT, NOT doing “On Heartland V.” Quote: “If PCI DSS requirements are implemented according to their true intent—improve security to reduce risk of compromise—we should seldom hear about massive breaches and data compromise from organizations that passed their PCI DSS audit.”


Dr Anton Chuvakin