Tuesday, May 05, 2009

Fun Reading on Security and Compliance #14

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #14, dated May 1st, 2009 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is relevant after a few weeks of “cooling down,” it is even more worth reading :-) This time I have to clean up a HUGE 2blog backlog :-(

This edition of “Fun Reading on Security and Compliance” is dedicated to all those who only read blog posts after they’ve been twittered :-(

  1. “Disagree with the Concept or Implementation?” from Jeremiah analyzes one of the well-known mysteries in our industry: do you “hate” a certain solution (e.g. WAF, in his case) because it is “designed to never work” (wrong concept) or because it is “never implemented right” (wrong implementation)? Quote: “What’s interesting is the vast majority of the time it’s only the current implementation by particular security vendors that are opposed. We all know many vendors abuse customers with over promising marketing, under delivering products, selling/doing/saying anything for a buck, etc. This reality will never go away, we can only expose the behavior, and this is also very different from saying that the concept behind the solutions shouldn’t exist at all or be offered by someone capable of doing better.” Another gem from the same source, “Quick Wins and Web Application Security,” has this in it: “They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rationale was that it is easier for him to show results to his CEO if he invests in the Network.”
  2. RSA is over, and so Gunnar is asking “Where We Are and Where We Are Going.” Key quote: “I am still stunned that any CIO would sanction the purchase of 90% of the products I saw there. Utterly amazing waste of resources to spend so much money on toys and shenanigans just so "security" people can play cops and robbers on the shareholder's dime”
  3. “Laws of Vulnerabilities 2.0 Declared” by Qualys: the sad truth is people don’t fix vulnerabilities any faster than in 2004 (half-life is still at 30 days)
  4. I missed the TRISC2009 conference – and it looked like I missed a very fun PCI presentation “PCI PA DSS: Partners Against Credit Card Fraud [PDF]” by Rafael Rosado from PSC.
  5. “Top 5 Information Security Annoyances” – yes, both “compliance=security” and “risk modeling” are in.
  6. If you can handle high-caliber cynicism, go read “The infosec industry is a fraud”, which is centered around the following point: “The cost of 0wning a corporation is a fraction of a percent of their annual infosec spend.” Good read, even for non-cynics :-)
  7. Boaz on OWASP “Security Spending Benchmarks Report” has A LOT of insights.
  8. “Security Inevitabilities” from Securosis is something to read and think about. However, I just don’t see this happening: “Any critical SCADA network will be pulled off the Internet” unless, of course, they mean “Any critical SCADA network will be CONNECTED TO the Internet” :-)
  9. A bunch of interesting data from Dave Shackleford’s informal survey “The Economy Affecting Infosec? Survey Says!” Also check out his brilliant “The Security Hierarchy of Needs.” However, Dave, you suck for not allowing comments to posts! :-)
  10. Gunter’s “Ignorance is bliss (in Web application security)” is a good read: “One of my favorite security maxims relates to "Ignorance is bliss" - i.e. the confidence that people have in security is inversely proportional to how much they know about it.”

Special PCI DSS section:

  1. “Should InfoSec companies be betting on PCI ?” is not a bad read from SensePost. It is a little pessimistic (“The infosec market isn't going away, but I suspect that the credit-card model we currently use, will. […] It's like building a company on the Y2k hype. […] The situation is built for check boxes that obey the law but miss its essence.”), but has a few good insights.
  2. Fallout from PCI hearing: “Washington And PCI Are A Terrifying Combo”, “PCI Hearing in Congress”, “There’s nothing wrong with the PCI DSS”, “PCI Debate: How Do We Raise the Bar on Security?”, “PCI security rules may require reinforcements” and “An Analysis on the Hearings before the Sub-Committee on Emerging Threats, Cybersecurity, and Science and Technology; "Do the PCI Standards Reduce Cybercrime?"” (by far THE deepest, from a Ph.D. in public policy (!))
  3. “Heartland Data Breach Update: Now More Than 600 Institutions Impacted” (full list – NOT a fun read)
  4. A fun read: “The Great PCI Divide: The Dids And The Never Dids,” just read it :-)
  5. “PCI And Schrodinger's Cat”, a fun piece I think I forgot to link to before. This has some discussion of it too.
  6. A pile of fun reads from Branden which I forgot to link to before: “Rolling the Dice on PCI”, “BUSTED! Why passing the blame for a PCI Breach will fail”, “PCI Council releases Prioritized Approach for v1.2”, “Sanity DOES Exist!”, “The Problem with PCI” (this has the following quote in comments: “Most in the know (Including myself) are unwilling to come out and publicly state that there are a lot of validations (PCI DSS & PA-DSS) that are complete junk.”), “What SHOULD Keep You Up At Night”, “Companies need PCI++ (not just PCI) to be safe!”, “How a Little Push can put you into a Freefall” and a more recent “An alternative to PCI” (the last piece has a few awesome ideas, BTW!)
  7. Dave Taylor’s awesome “How PCI Leaders are Different from Other Merchants” is based on KnowPCI research. An insightful read! Another one from Dave (“PCI’s Grading System Is Failing”) has a good idea about how PCI can be made less “black and white” but still remain compelling (and not diluted by [poor] risk thinking)
  8. Mike’s old-ish “There is No Spoon - Compliance in a New World” is another piece I forgot to link to; now justice prevails. Also check his “Ten Commandments of PCI;” my fave is “Thou shalt not covet your neighbor’s compliance certificate.”
  9. “Untangling ‘out of scope’ Vulnerabilities & Compliance Threats”, a good read from Trey Ford. One line summary: you are way more vulnerable than you think (and way less compliant :-()
  10. “Compliance doesn’t really matter” by Andy is worth reading as well.
  11. Simple and to the point “What Good is PCI?” has a few good questions and answers on PCI DSS, useful for merchants.
  12. Seriously fun read “Six ways you can bork PCI” from an ever-insightful Declan Ingram from Securus Global.


P.S. The word “fun” has been used 17 times in the above text :-)

P.P.S Now I’ve done it. I cleaned my “2blog” folder.

Note: this is posted by a scheduler; I am away from computers for a few days.

All other “security reading” issues.

Dr Anton Chuvakin