Friday, May 22, 2009

Fun Reading on Security and Compliance #15

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #15, dated May 22, 2009 (read past ones here).

This edition is dedicated to DRM: “Don't worry about people stealing your idea. If it's original, you will have to ram it down their throats.” (source) :-)

  1. Adam continues an old discussion of Richard’s on security inputs and outputs in his “Security is about outcomes, not about process”: “We've focused on process because we have so little data on outcomes. People will talk about their training processes. But when you ask them, did that process work? No one wants to say.” Pete adds to this discussion here.
  2. Is the “Geekonomics” future coming? “Software Developer Liability Up For Debate In Europe”: “It appears that it's back up for debate in Europe, where the European Commission wants to make developers liable for buggy code.” More comments from one security vendor here.
  3. A good read from Shrdlu: ““Security is dead” must DIE.” Quote: “Is the rain attacking you as you walk beneath your umbrella? Yes, water can drown you if applied correctly, but it doesn’t mean every drop is trying to kill you” and “you have a massive disconnect between the population that doesn’t think anything is possible—and the population that knows what’s possible and believes it all to be inevitable”
  4. “The Security Implications Of Google Native Client” from the dark wizards at Matasano: “So the primary obstacle between Google and the future of software delivery is security. Google has a lot of interesting ideas about how to overcome that obstacle.”
  5. Ben’s mini-treatise on risk management (“Dowsing Your Way Through Enterprise Risk”) is a fun read: “In many ways, risk assessment today is exactly living dowsing. We walk into organizations with some mystical methodology that assesses pseudo-risk and then we act as if we've done something that is in fact truly legitimate and well-founded. […] As such, we're stuck with gut instinct in assessing risk ratings, challenged in trying to come up with a consistent, reliable, and accurate method.”
  6. The best read of the week (“The Future : Regulation is Futile – Market Forces Will Prevail”) comes from a super-enlightened Mark Curphey; there is too much to quote there, maybe this: “Regulations will not work. “You can’t regulate the problem away”. Market forces drive economic change and when the cost of security becomes something everyone considers, people will act on Fact and not FUD. […] Market forces (insurance) will drive change. Market forces require empirical data to provide a framework in which to trade.”
  7. Finally, why are people upset about PsyOps being conducted? Mike Murray links to an awesome read on Obama’s use of NLP patterning in his speeches: “It’s an excellent description of many hypnotic language patterns and how they can be used artfully to influence a large audience.”

Special PCI DSS section:

  1. Required reading to those who say “PCI is too tough”: “Regulating IT Security Practices. PCI DSS too tough?:” “There’s really little in the PCI DSS that is not normal good IT security practice. If you’re not doing it [good security practices] now, questions should be asked as to why not? Businesses have an obligation to be doing it….for themselves, business partners, customers, staff, shareholders and society as a whole. If it takes a big stick to make it happen, well, I’m all for that.”
  2. Mass hosting site + PCI DSS – thinking = security disaster; a worthwhile read: “Mass Hosting && PCI: A Case Study.”
  3. Pete analyzes the Verizon report as a measure of PCI DSS effectiveness in his “Verizon's DBIR on PCI Effectiveness” and “Is PCI Working?” and finds the data insufficient. While it is not the last word on PCI effectiveness, the amount of insight there is still pretty enormous. BTW, more fun comments on the report are here and here.
  4. Dave Taylor shares “Why Most PCI Self-Assessments Are Wrong” – the idea is that many QSA- or self-assessments will miss undocumented, but risky and blatantly non-compliant, business processes. Also, here is another great read from Dave (“The technical complexity of the controls is inconsistent with the grading system that requires 100 percent to be compliant.”) And another one: “Raising the Bet: A National Payment Security Standard,” where he reveals that a new, non-PCI retail security standard is coming!
  5. Some people are somehow upset that PCI is about transferring risk. I don’t get why anybody should be upset about transferring risk to where it belongs: merchants are insecure –> they get breached –> they suffer. Seems perfectly fair to me; why should issuing banks eat all the losses?
  6. Branden, my brand new co-author and partner in [PCI] crime, reminds us of a big hole: “Compliance & Security Diverge on Private Label Cards.” Quote: “Here's one of those areas where security and compliance stare at each other angrily across the table instead of skipping down the trail together singing, "Tra-la-la."”
  7. Can one take the PoS out of PCI scope? Analysis here in “Take The POS Out Of The Scope Of PCI.” It sounds a tiny bit fishy to me, since the card data will still traverse the PoS, but it is a fun read.
  8. Finally, a good reminder that it is NOT true that “the only people who defend PCI are the ones who profit from it.” A fave quote: “One of the more difficult issues that I face with dealing with a company that is trying to obtain PCI compliance without a serious concern for security, is that they will do just about anything to obtain compliance.”

Enjoy!

Dr Anton Chuvakin