Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is an issue #19, dated Sep 23, 2009 (read past ones here).
This edition is dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)
- Very, very bold statement: “Why On-Premise Log Management is Destined for Extinction” from my friends at AlertLogic: “why, for all but the largest organizations, hosting your own log management solution in your data center simply won’t be a practical solution”
- “Health IT Data Breaches: No Harm, No Foul” is eye-opening: “If the entity decides the harm to an individual is not significant, no notification is required.”
- “Professionalism in the Security Community, Part Deux (Clever Talkers)” , a must read for all in the community. It reminds me a bit of my “Myth of an Expert Generalist” and “On Media Whoring” (especially the latter…)
- Mike wonders about log management and SIEM, but he knows the answer; he gave it himself (“SIEM still struggles (and it’s our own fault)”), others say the same (“The SIEM Market: Why Isn’t it Doing Better?”).
- Rich posts some hot cloud stuff: “Cloud Data Security: Use” and “Cloud Data Security: Share”
- The truth about complete 0wnage starts to seep out in the mainstream (“Heartland on Defense at Senate Hearing: Senator 'Astonished' That Breach Lasted So Long”): “Sen. Susan Collins, R.-Maine, asked Heartland CEO Robert Carr to explain how this delay happened. Carr responded that a breach is usually detected when the processing payer is notified of fraudulent use of cards, and that didn't occur until the end of 2008.” This means: “there is no spoon” … and there is no security industry :-(
- “I’m Not Secure and You Can’t Make Me” from FUDSec. FUDSec exudes pure awesomeness. Enough said.
- “Logs of Our Fathers” from Marcus Ranum is a must read for all loggies; quoted log entry: “Mouse climbed into the blower behind regulator rack, set blower to vibrating: result no more mouse and a !!! of a racket."
- I found one more set of posts that I forgot to repost here, but they are very, very useful to read (but then again – most of Richard’s stuff is): “Black Hat Budgeting” (“for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack”) and “White Hat Budgeting” (“for $1 million per year a defender could not fund a Western-salaried white hat team that could plan, resist, detect, and respond to any $1 million black hat team”). Read both and meditate on them for a while!
- David Rice from “Geekonomics” (my review) fame, writes in his “An Absence of Leadership: Four reasons why leadership trumps compliance”: “Compliance, benchmarks, and checklists [A.C. - yes, they can!] can always help cybersecurity improve, but never enough to compensate for a lack of leadership. Far too often, in my opinion, organizations are relying on tightly scripted audits, consensus benchmarks, and information sharing to unite people around cybersecurity.”
- Finally, a new fun site devoted to social engineering, one of my fave subjects: “Nothing even close to the level of documentation required to treat social engineering like a science”
PCI DSS section:
- “Why You Should Love A PCI Hater!” by Branden: “the majority of the individuals (normally falling into the first three categories above) hating on PCI are doing so out of a fundamental misunderstanding of the standard” and “If you think that the payment brands force merchants to store cardholder data, you might be a PCI haytah.”
Possibly related posts:
- All other security reading posts.
Obligatory “added everywhere” posts :-)
- I am not at Qualys anymore and looking for the next big security idea to work on! I might be available for consulting projects, whenever I finish my current consulting projects.