Friday, July 10, 2009

Fun Reading on Security and Compliance #17

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #17, dated July 11, 2009 (read past ones here).

This edition is dedicated to people who send articles for me to read a few months after they are published: hopefully folks were busy with something worthwhile…

  1. If you think that data breach disclosure laws made people immune to breach news, I bet the new medical breach law will suffer from it. Medical info loss is much scarier than card data loss, for sure. BTW, want something even scarier? How about this: “DNA Database Breach”?
  2. Also, a good insider “hack” story. $9m – gone. BTW, here is another.
  3. A few gems from Gunnar, as usual: “Enterprise Security Priorities” and “But I Don't Want To Trust the Cloud.”  Just read’em, no need to comment.
  4. Moderately fun read “Avoid Security Suffering With These 3 Questions.” Quote: “"What product should I start with?" is a very common first question, but it has about as much use as approaching a doctor and asking, "What medicine should I take?"”
  5. Drazen has a good selection of links debating what drives security: “Regulation vs. Market Forces – A collection of recent posts….” TODAY, market force to drive security = idealism.
  6. The “Calabrese’s Razor” post covers an interesting approach to risk and security metrics; quote: “I’ve long held the opinion that the community of “Information Security Experts” agree with each other 90% of the time, but waste 90% of their time arguing to the death with other InfoSec Experts about the remaining 10%.”
  7. Fun OWASP survey [PDF] is out, via the “OWASP Security Spending Benchmarks Project Report for Q2 Published” post on Boaz’s blog. There is a lot of interesting SaaS and cloud stuff there. Mike also writes about it here.
  8. This fun read explores the relationship between cloud security and mobile warfare. It is a bit theoretical, but still worth a read: “With cloud computing, IT security can now use maneuver concepts for enhanced defense. By leveraging virtualization, high speed wide area networks and broad industry standardization, new and enhanced security strategies can now be implemented.”
  9. Rich @ Securosis has his awesome “The State of Web Application and Data Security—Mid 2009” post. Fave: “When it comes to web application and data security, if there isn't a compliance requirement, there isn't budget.” Ah, and obviously this: “PCI is the single biggest compliance driver for web application and data security.” Overall, a must read!
  10. Web app security is in such a horrible state, it isn’t funny. OK, sometimes it is funny. Also, this (see comments too) and this (with a good classification of reasons…) cover a lot of idiotic reasons why web application vulnerabilities are not fixed. My fave: “That application is behind 3 [!] firewalls!”
  11. Some fun SIEM FAIL and also here. More on SIEM from Securosis here.
  12. BusinessWeek prints “Lessons from the Data Breach at Heartland.” Good insight on how business press views “this whole security thing.”
  13. “Honeypots aren’t dead” or “Goldman Sachs Code Torrent” story.
  14. Here is some SCAP fun: “Hot or not: SCAP is heating up” and “How SCAP Brought Sanity to Vulnerability Management” by Ed Bellis (also note the comments to both pieces). BTW, MITRE just did SCAP Developer Days, which I woefully missed. Here are the slides from the event which, sadly, don’t unzip for me ;-(
  15. Finally, Branden’s blog, as always, exudes pure awesomeness; here are some highlights: “Do Data Breach Laws Push Compliance?” (quote: “My experience tells me that fines are a much bigger motivator to pushing compliance to a particular standard versus data breach laws.”), “Guest Post: The DNA of Compliance”, “The Top 8 Requirements Your Assessor Misses” (including “Requirement 11.2.a - QSA only documents the external ASV scan and internal scans are not addressed”), “More on NRF's Letter to PCI SSC, and the Wireless Network that Could” (and this post on the NRF letter as well) and “Guest Post: Is it better to be secure, or appear secure?” (scary shit, which reminds me of the “Compliance First!” horrors – longer version)

As has become a tradition recently, a dedicated PCI DSS section, a bit short today:

  1. Also, Boaz has some fun discussion on “PCI and Nevada” here and here.
  2. Mike Dahn is back into action, and he has a lot of fun blog posts: “The Good, Bad, and Ugly of PCI” and “How Banks and Merchants manage their risk with PCI DSS.” No comment needed – just read’em.
  3. Another awesome list of 10 PCI Misconceptions, courtesy of Rich. BTW, Mike has his own: “10 Fallacies in PCI Conversations.”
  4. Walt has a sadly humorous post about PCI and service providers: “PCI and Your Third-Party Service Providers – First, the Bad News.” Fave quote: “My favorite is when the vendor [=service provider] replies that they are compliant as a Level 3 (or 2 or whatever) merchant. That response is completely irrelevant and inexcusably misleading.”

Dr Anton Chuvakin