Friday, March 06, 2009

Fun Reading on Security and Compliance #13

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #13, dated March 6th, 2009 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is still relevant after a few weeks of “cooling down,” it is even more worth reading :-)

This edition of “Fun Reading on Security and Compliance” is dedicated to all those people in our security community who are “too busy to read blogs.”

  1. OMG, not the disclosure debate again. Yep, it sure seems like it. It starts here and then goes on when Pete “The Disclosure Warrior” Lindstrom picks it up.
  2. Our CTO Wolfgang Kandek discusses IE on our new blog. Specifically, check out this shocking bit: ”Internet Explorer 6 continues to be the more prominent browser in the Enterprise.” IE7 came out sooooo long ago (October 2006), and meanwhile “I use IE” became synonymous with “I am 0wned” – but people still don’t upgrade?!
  3. CAG is out and – as far as I can see – the response ranges from skeptical to negative. Here are some examples: Richard’s “Consensus Audit Guidelines Are Still Controls” (“CAG is all about inputs.”) and “Inputs vs Outputs, or Why Controls Are Not Sufficient”, (ISC)2’s “Consensus Audit Guidelines - What is the consensus?” (“I do not believe the initial draft of the CAG meets the goals it set out to achieve, and should be adjusted accordingly.”) and even “Clouds of CAG Confusion” (“There is a haze of confusion settling around the Consensus Audit Guidelines origins.”) BTW, here is a good CAG-related preso, direct from its mysterious source.
  4. Next, Gunnar reminds us “to be asset focused, not auditor focused, in infosec” by using the “Berkshire 2008 Annual Letter.”
  5. Hoff’s “Offensive Computing - The Empire Strikes Back” reminds us to think again: is security really a “war with hackers,” so that we need offense? What if it is insurance? Or door locks? Or something else?
  6. Something I wanted to highlight for a long time: “How to Suck at Information Security.” A very good thing to read next is “Information Security: How Does Your Organization Fail?”
  7. Another one that spent too much time in my 2blog folder: “Alignment of Interests in Web Security” from Jeremiah.
  8. Layer8 post reminded me why I swore on an Orange Book [on second thought, I should have used a Tan Book :-)] to never get a CISSP…
  9. Feel like getting de-pe-re-me-trized? :-) Make sure you don’t kill BOTH network security AND system (=endpoint) security at the same time: “Deperimeterization without endpoint control?”
  10. Reminders, reminders… The “you’ve GOT to be realtime” crowd is less noisy now, but here is why, before you utter the word “proactive,” you should at least learn to be “reactive” well! Richard states it succinctly here: “we should adopt a mindset, toolset, and tactics that enable retrospective security analysis -- the ability to review past evidence for indicators of modern attacks”
  11. Finally, IT in the year 2109? Yes, really. We will be “using technology that is able to transmit data at speeds of 10,000+ times the speed of light”…

Enjoy!  This post is certified “Heartland-free” :-)

All other “security reading” issues.

Dr Anton Chuvakin