Wednesday, September 23, 2009

Fun Reading on Security and Compliance #19

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #19, dated Sep 23, 2009 (read past ones here).

This edition is dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)

  1. Very, very bold statement: “Why On-Premise Log Management is Destined for Extinction” from my friends at AlertLogic: “why, for all but the largest organizations, hosting your own log management solution in your data center simply won’t be a practical solution”
  2. “Health IT Data Breaches: No Harm, No Foul” is eye-opening: “If the entity decides the harm to an individual is not significant, no notification is required.”
  3. “Professionalism in the Security Community, Part Deux (Clever Talkers)”, a must read for all in the community. It reminds me a bit of my “Myth of an Expert Generalist” and “On Media Whoring” (especially the latter…)
  4. Mike wonders about log management and SIEM, but he knows the answer; he gave it himself (“SIEM still struggles (and it’s our own fault)”), others say the same (“The SIEM Market: Why Isn’t it Doing Better?”).
  5. Rich posts some hot cloud stuff: “Cloud Data Security: Use” and “Cloud Data Security: Share”
  6. The truth about complete 0wnage starts to seep out in the mainstream (“Heartland on Defense at Senate Hearing: Senator ‘Astonished’ That Breach Lasted So Long”): “Sen. Susan Collins, R.-Maine, asked Heartland CEO Robert Carr to explain how this delay happened. Carr responded that a breach is usually detected when the processing payer is notified of fraudulent use of cards, and that didn't occur until the end of 2008.” This means: “there is no spoon” … and there is no security industry :-(
  7. “I’m Not Secure and You Can’t Make Me” from FUDSec. FUDSec exudes pure awesomeness. Enough said.
  8. “Logs of Our Fathers” from Marcus Ranum is a must read for all loggies; quoted log entry: “Mouse climbed into the blower behind regulator rack, set blower to vibrating: result no more mouse and a !!! of a racket.”
  9. I found one more set of posts that I forgot to repost here, but they are very, very useful to read (but then again – most of Richard’s stuff is): “Black Hat Budgeting” (“for $1 million per year an adversary could fund a Western-salaried black hat team that could penetrate and persist in roughly any target it chose to attack”) and “White Hat Budgeting” (“for $1 million per year a defender could not fund a Western-salaried white hat team that could plan, resist, detect, and respond to any $1 million black hat team”). Read both and meditate on them for a while!
  10. David Rice from “Geekonomics” (my review) fame, writes in his “An Absence of Leadership: Four reasons why leadership trumps compliance”: “Compliance, benchmarks, and checklists [A.C. - yes, they can!] can always help cybersecurity improve, but never enough to compensate for a lack of leadership. Far too often, in my opinion, organizations are relying on tightly scripted audits, consensus benchmarks, and information sharing to unite people around cybersecurity.”
  11. Finally, a new fun site devoted to social engineering, one of my fave subjects: “Nothing even close to the level of documentation required to treat social engineering like a science”

PCI DSS section:

  1. “Why You Should Love A PCI Hater!” by Branden: “the majority of the individuals (normally falling into the first three categories above) hating on PCI are doing so out of a fundamental misunderstanding of the standard” and “If you think that the payment brands force merchants to store cardholder data, you might be a PCI haytah.”

Obligatory “added everywhere” posts :-)

  • I am not at Qualys anymore and looking for the next big security idea to work on! I might be available for consulting projects, whenever I finish my current consulting projects.

Dr Anton Chuvakin