Monday, May 24, 2010

Fun Reading on Security and Compliance #25

Here is issue #25 of my “Fun Reading on Security and Compliance,” dated May 24, 2010 (read past ones here). You can judge by its size that my “2blog” folder has been way too full, since I was too busy working on a few fun consulting projects.

Main section: 

  1. Fun piece from my co-author (“PCI Compliance”) Branden: “Compliance, Easier Than Security!”
  2. CloudAudit (former A6WG) goes ahead full-steam: “Q&A: CloudAudit targets automated risk assessment, management” (I suspect this is where we’d go for practical guidance in a few years … not to CSA [PDF]). BTW, CSA did release its cloud compliance control matrix a while ago and it is used by CloudAudit.
  3. I dunno why, but I forgot to highlight Alex’s awesome BSides presentation on…risk management: “Risk Management - Time to blow it up and start over?” (now you know that my 2blog folder has been rotting since March 2010 :-))
  4. Worthwhile posts from Securosis: “Mogull’s Law”, “LHF: Quick Wins with DLP—the Conclusion”, “Announcing NetSec Ops Quant: Network Security Metrics Suck. Let’s Fix Them”, “Help Build the Mother of All Data Security Surveys” and their discoveries regarding PCI Level 4 merchants: "Level 4 Apathy"
  5. In addition, Securosis folks started a series on SIEM (a must): "Understanding and Selecting SIEM/Log Management: Introduction", "Understanding and Selecting SIEM/LM: Use Cases, Part 1", "Understanding and Selecting SIEM/LM: Use Cases, Part 2", "Understanding and Selecting SIEM/LM: Business Justification"
  6. Notable pieces from FUDSec: “The Broken Windows Economics of IT Security”, “SCSOVLF (aka, the Shpantzer Coma Scale Of Vendor Lameness and FUD)” (quote: “If, when asked, "How do you approach the APT issue, exactly?" they respond "That's on our roadmap"”)
  7. Fun posts from Richard: “Time and Cost to Defend the Town”, “Forget ROI and Risk. Consider Competitive Advantage” (a fresh batch of ROI jokes inside)
  8. Famous Forrester “too much compliance” study (notes, full PDF), a must read!
  9. Gunnar’s “10 Quick, Dirty and Cheap Things to Improve Enterprise Security” that I should have highlighted earlier (and of course: “8. Improve your Audit Logging”…)
  10. Completely awesome presentation on REAL cloud security from Alex Stamos @ SourceBoston (was one of my favorites at Source)
  11. Interesting report on web ownage from Dasient (disclosure: I am an advisor). Quote: “We found that 97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners. In fact, Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications.” Niiice.
  12. InfoSecMentors (site, blog) launched off the ideas from the SourceBoston mentorship panel.
  13. The Security FAIL Chronicles launched (site); “the purpose of this site is to document security failures in various technologies.” Note to self: I need to get my KilledBySoftware site finally up… :-)
  14. SANS produces a mid-year list of security predictions for 2011-2012. Why now? I don’t know, but the predictions are always fun.
  15. “How to Kick Ass in Information Security — Hoff’s Spiritually-Enlightened Top Ten Guide to Health, Wealth and Happiness”... awesomely hoffistic piece.
  16. Please don’t laugh but do check the calendar (the year part): people…still…ask…questions…what…ports…to block…on…a firewall! On a list where Marcus Ranum lurks. If this is not the best way to have your balls flattened, I don’t know what is.
  17. Upon leaving security (!), Mark Curphey reposted all his Security Bullshit cartoons here.
  18. A great, thought-provoking piece from Michal Zalewski: "Security engineering: broken promises"

Logging, log management and SIEM section:

  1. “Using OSSEC for the forensic analysis of log files” – OSSEC is mostly for real-time log analysis, but now you can also analyze stored logs
  2. Useful list of Windows event IDs that record application installs/updates, such as “1005 Install operation initiated a reboot” and all others.
  3. Gorka Sadowski has a useful bit on various logs here (especially read the part about anti-virus logs)
  4. Rocky has a series of fun posts on SIEM that you need to read: "SIEM Evolution: Chapter 1", "2010 Gartner MQ for SIEM" (with a lot of fun MQ analysis), "Tetragon of Prestidigitation".
  5. “Centralized vs. Distributed Syslog System Architectures” about exactly what it says :-)
  6. This fits under both PCI DSS and logging, so “log data revisited” is worth a read (it mentions 70TB of log data, which is always juicy): “The second thing we hear most often is, “We only look at log data when we have a problem.” Typically what this means is that the problem has now grown to the size of a whale and has become noticeable by end users who are complaining.”
  7. Building a logging VM – syslog-ng and Splunk
  8. A really old log trick that people need to be reminded of: “How to Protect Your Logs from Tampering”
  9. SANS ISC on application logs explains deep suckage of [most] application logs: “dear developer, please spare us the debug log that got swiftly re-branded into "audit log" five minutes before project completion.”
  10. My “PCI Logging HOWTO, Part 2” (part 1). While we are on this subject, here is a fairly useful list on what to log for PCI DSS on Windows.
  11. Another “you have no logs – when you REALLY need them” horror story: “ERP billing systems that did zero audits (total breach of SarOx) due to performance constraints and lack of vendor know how on what to implement let alone how.”
  12. I've long whined about firewall "connection allowed" logs (example); LogLogic folks reminded everybody about their value again: "Do your "Traffic Allowed" logs sing?"
  13. Another bit on SIEM, "SIEM: The good and the bad - Part I", with SIEM basics. Key quote: "I believe SIEM's will be as common as firewalls within 5 years." (let’s see whether it will happen this way!)
  14. Well-spelled-out example of what one organization is looking for in a SIEM/log management tool: "Open Source centralized log management/SIEM solutions"
  15. Bloor folks also unleashed a salvo in the direction of SIEM - their angle is SIEM as an information management solution: "The problem with SIEM 1" and "The problem with SIEM 2". Quote: "… analytic warehouses are currently capable of ingesting data much faster than any of the SIEM products. In our survey the highest load rates we found were at around 4TB per day: analytic warehouses can often load that much per hour!"
  16. SIEM implementation lessons video.

PCI DSS section:

  1. “PCI And Cloud Computing: It’s All About Scope” …PCI DSS + clouds = what else do you need? :-)
  2. Fun interview with me on PCI DSS. Quote: “Q: Where do you see the PCI compliance industry in five years? A: To be honest, I don’t want to see “PCI compliance industry” at all: not now, not in a year, not in five years. […]”
  3. “Undergoing a PCI Assessment – How to Prepare” and “PCI Onsite Assessment - Part 1” (also “Part Two - Preparation for an onsite assessment and what to do first!” and all the way to “Part Five - Selecting a QSA!”)
  4. Please take a good swig from the bottle of no less than 60 proof alcohol before reading this. EXTREME RAGE ALERT! :-)
  5. A really good Forbes piece on PCI: “The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I'm talking about lying and praying.” and a quote from me:  “Businesses that endanger their customers really do deserve to die.” 

Dr Anton Chuvakin