Monday, February 15, 2010

Fun Reading on Security and Compliance #23

Here is issue #23 of my “Fun Reading on Security and Compliance,” dated February 16, 2010 (read past ones here). You can judge that my “2blog” folder has been kinda full, since I was too busy working on a few consulting projects.
This edition is dedicated to all bloggers who only care about the opinions of other bloggers. Please grow up! :-)
  1. First, I’d like to highlight a surprisingly intelligent whitepaper "SIEM: Five Best Practices for Success" from some outfit called Pivot Point Security (which I personally had never heard of before). You have to register to get it, but it is worth it for those who are planning to deploy a SIEM.
  2. "Ranum's Rants: Cloud Forum Roundtable": Marcus Ranum + Cloud + Security. What can possibly go wrong? Boom! Quotes: "Cloud Computing is going to happen. In fact, if you think it hasn't happened, it just means you're out of the loop" and "Cloud Computing can be seen as the business units' final revenge on IT (and security) for saying "no" one time too many, taking too long, or costing too much" as well as other fun insights. Read it!
  3. Finally, read this ("Don’t ask me, ask that guy over there") and think really hard: "How many organizations out there consider data breach notification laws to be completely irrelevant to them? Not because they aren’t applicable, but because the organization’s security state is so abysmal that they wouldn’t know a data breach if it sent them a strippergram with their own money?" or even "You’re ignoring the vast majority of people who are responsible in some way for the security of their networks, but (a) don’t know it, (b) don’t care, and/or (c) don’t have the knowledge or management backing to do anything about it." So, next time you whine about PCI DSS, keep that in mind! BTW, while you are there, read this too on political risk.
  4. FUDSec continues to impress; for example, read these two pieces: "FUD and Other Sales Errors" and "FUD Just Feels Right" ("FUD is something we all use, abuse and understand and it is a Good Thing[™] as long as it motivates action and does not lead to submission."). Oh, and this one too: "Guerilla Security Leadership." And this one: “he argues that FUD is less about security, and more about shills selling security to suckers” and “Why, without a firewall, you're screwed like a slow ape by a fast gorilla!”
  5. Somehow I forgot to mention that Ben's "How NOT To Build a Security Program" is a fun read. While on this subject, read “Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It”: “The bad guys are more interested in attacking you than you are in defending yourself, at least they work longer hours.”
  6. “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)” is a good piece from Chris Hoff: “Manage compliance, don’t let it manage you because a Cloud is a terrible thing to waste.” :-)
  7. If you read only one piece from all the APT/Google/China crapfest, it’s this one from Richard: “4. The victim named the perpetrator. This amazes me. We need more of this to happen. By doing so a private company influenced a powerful policy maker to issue a statement of a diplomatic nature.”
  8. Finally, a quick, but often useful, reminder from Securosis: “Getting Your Mindset Straight for 2010.” Quote: “Repeat after me: A widget will not make me secure. Neither will two widgets or a partridge in a pear tree.”
  9. Dave always has a very fun perspective on security; here is an example: “Everyone says an attack is "sophisticated" whenever any 0day is involved. But that should be the baseline. Or rather, it IS the baseline and everyone seems to just be finding out.”
  10. AlertLogic folks have quietly launched a blog and it has some fun posts, like “Cloud-Bashing and The Innovator's Dilemma”: “The most relevant points of debate are about current examples of the fits and starts of cloud evolution. Will cloud solutions succeed in "trickling" up-market or will they become extinct after a short life?” (they will trickle, for sure - example)
  11. Read these two and weep: “Is Quantified Security a Weak Hypothesis?” (which refers to this [PDF]) and “THE MOST MAGICAL QUESTION OF ALL -- WHY ARE SO MANY BRIGHT PEOPLE FOOLING THEMSELVES ABOUT THE SCIENCE IN INFORMATION SECURITY”: "Read that if you think there is a place for science in information security. On the other hand, if you think information security is something else, better off to go read something on creative journalism, public relations, politics, marketing, etc.”
PCI DSS section:
  1. Fun follow up from our “The Great PCI Security Debate of 2010” is here: “LOAD UP ON STEEL, AND SHOOT IT OUT! PCI AND THE MARKET FOR SILVER BULLETS”: “By way of hypotheses in the market for silver bullets, we then find ourselves seeking to reduce the exposure to those external costs; this causes the evolution of some form of best practices which is an agreed set that simply ensures you are not isolated by difference.”
  2. “Heartland Breach: State of Payments Security 1 Year Later” is a fun read as well.
  3. If you have a Forrester subscription, read “PCI Unleashed” by John Kindervag. If not, read Branden’s blog about it: “Just try asking a rep from a payment brand if this is why PCI DSS was started, and you might learn a new way to answer a question without actually answering it.” :-)
  4. “Time to Revisit Intent of PCI DSS” has some curious arguments, like: “When you add up all the money being spent on that compliance effort, you can’t help but wonder if it would be simpler and less expensive for all if the payment card issuers were to stop doing business with a minority of merchants that become embroiled in a fraudulent act until they can prove that they have put the appropriate level of security in place.”
  5. “PCI Security Policies and You - Part 3” from Walt shares some wisdom on PCI DSS security policies: “A good security policy template provides you with a structure while preserving flexibility. It also should lead you to additional resources where this can be useful.”
BTW, I can use a bit more work in March – let me know if you need anything done around the area where I focus: logs, SIEM, etc.
Dr Anton Chuvakin