Monday, September 14, 2009

Fun Reading on Security and Compliance #18

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #18, dated Sep 14, 2009 (read past ones here).

This edition is dedicated to all those who would do things for fun that others are paid to do.

  1. At some point the intruder will reveal himself vs. the defender cannot know all. “Response for Daily Dave”: “At some point the intruder is likely to take some action that reveals his presence” vs “At some point, the intruder is in so deep that he cannot be removed, ever (source)”
  2. Old, but excellent piece from Chris Hoff (Asset Focused, Not Auditor Focused) is worth a read (or reread)
  3. “John Viega Talks About Beautiful Security” is a worthwhile read as well. I loved the book – and contributed to it as well.
  4. Fun “security maxims” from ANL. Read ’em. Quote: “Infinity Maxim: There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys)” and “Thanks for Nothin’ Maxim: A vulnerability assessment that finds no vulnerabilities or only a few is worthless and wrong”
  5. Dave’s “10 Things Your Auditor Isn’t Telling You” is pure gold; I am so ashamed of not blogging it earlier. Also read his “BS Filtering for CISOs: Vendors and Third Parties”
  6. Good insight from “the Big G”: “3 Reasons The Security Market Is (Still) A Big Unconverged Mess.” Whenever I hear about “consolidation,” I cringe… Gartner said it best: “don’t be fooled into a convergence story where one doesn’t exist.”
  7. Is “ignore the risk” the same as “accept the risk”? Read here in “Treating risks.”
  8. …. read “Nobody Hates Software More Than Software Developers” and many a mystery of the Universe will be open book to ya :-) Seriously!
  9. “The Auditor’s Prerogative”: “In my 13 years of experience as an auditor, I have found that the people I audit do not tell the truth.”
  10. “The Tangled Mess” from Dan Blum: “That IT is a mess probably isn’t news to you. […] What will happen when we try to move IT functions to the cloud?”
  11. “Security Religions and Risk Windows” explores a good old question: protect everything a bit or protect something a lot. Right answer: both. Popular answer: neither :-)
  12. Legal Implications of Cloud Computing — Part One
  13. Very useful reminder: “On assuming that you are owned.” I used to like that theme a lot in the past – and it is still hot, since you are, obviously, more 0wned than a few years ago :-)
  14. “Nao and Zen: Security Koans for Everybody” is totally worth a re-read… Quote: ‘“There are no material findings,” said the master to the QSA, “since there is no material world. All is impermanent in this world of the mind.”…’

PCI DSS section:

  1. “PCI and Fraud Analysis: To Have and Have Not” by PCI KB is very, very interesting: “Instead of PCI controls helping reduce fraud, for some companies, they are making fraud detection more difficult.” Moreover, read his “Why PCI Has Not Reduced Fraud” as well, and also “On The Other Hand, PCI Sometimes Actually Can Reduce Fraud”
  2. “QSA Vendor Selection – Points of Consideration” – one of the known hard problems :-)
  3. Recasting "Dowsing Your Way Through Enterprise Risk" is a fun read.
  4. “PCI DSS Hosting – my new religion” – a very useful read: “‘How are you guys going with PCI compliance?’ The response was ‘We looked into it and decided it wasn’t worthwhile.’” :-(
  5. How Market Forces Can Fix PCI is a very worthwhile read as well.
  6. “‘What’s an Acquirer?’ And Other Noteworthy SME Questions” with the fave quote: “Small business owners may be too ignorant to ever be PCI compliant.”
  7. A very, very fun PCI battle is here. Bob Russo himself had to come down to the trenches to tackle the opponent.
  8. “PCI DSS and Incident Handling: What is required before, during and after an incident” (something I wanted to write for a long time, but he beat me to it :-)) - good read.
  9. “Picking PCI's Locks” is a good piece from Pete: “PCI "works" if the risk-adjusted amount of damages is reduced by more than the cost of the audit.”
  10. “Standards aren’t security: PCI compliance and Heartland’s data breach” is a very good counter to all the idiotic whining about “PCI is not enough”, “NERC is not enough”, “FISMA is not enough,” etc. No external standard is enough – please remember it now and forever!
  11. Finally, a random collection of fun PCI reads: “Why We Need PCI-DSS to Survive”, “Does PCI DSS Expose Risk Or Create It?”, “PCI Debate Ignores Planned Improvement Cycle”, “PCI Service Provider Contracting”, “TJX Settlement: More Proof That Security Investment Is Really Hard To Justify”, “4 Ways to Get the Most from Your PCI QSAs”, “PCI DSS vs ISO 27001”

Enjoy! Now that I’ve FINALLY cleaned up all the 2blog links, I can finally get to that juicy “editorial calendar” I have created for my blog :-) BTW, I didn’t even know that I was in “10 Popular Security Blogs” at

Obligatory “added everywhere” posts :-)

  • I am not at Qualys anymore and looking for the next big security idea to work on! I might be available for consulting projects.

Dr Anton Chuvakin