Monday, October 26, 2009

Fun Reading on Security and Compliance #20

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #20, dated Oct 25, 2009 (read past ones here).

This edition is dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)

  1. Very, very bold statement: “Why On-Premise Log Management is Destined for Extinction” from my friends at AlertLogic: “why, for all but the largest organizations, hosting your own log management solution in your data center simply won’t be a practical solution”
  2. Some fun metrics-related reading: “A Bit on the State of Security Metrics” (quote: “Security is a complex system based on a combination of biological (people) and computing elements. Thus our ability to model will always have a degree of fuzziness.”) and Metricon 4.0 slides (some exude pure awesomeness).
  3. Cyber Security Awareness Month is almost over. Here is my token tribute to it – a link to SANS “month of tips”: Day 1 - Port 445 - SMB over TCP, Day 2, etc. (BTW, here is somebody making fun of the whole thing)
  4. This is hot shit (“5 Mistakes a Security Vendor Made in the Cloud”) and the sad part is that I know what the vendor is… Quote: "The client now doesn't trust itself and blocks everything." Good news? It was fixed quickly :-)
  5. Securosis shares a very useful tip on database logging: “Database Audit Events” (full lists here) for popular databases
  6. From the bizarro world, comes this LinkedIn thread: “When will Information Security professionals stop talking about ROI?”
  7. Burton Group weighs in on SaaS security; key quote: “[cloud] vendors will provide the controls they feel are necessary to get and retain customers. They will provide proof to the customers of the controls if asked and as long as the proof does not increase their costs too much.”
  8. Richard encounters a “data idiot” and beats him to a pulp: “"Protect the Data" Idiot!”, “"Protect the Data" from Whom?” (the answer to “How do you protect yourself from nation-state actors?” is revealed…) and “"Protect the Data" Where?” Read it!
  9. Philippe on the shift to the cloud [PDF]. Quote: “One day, almost everything we do on private networks – manage information, applications, infrastructure, and services – will be accessible instantly and securely from anywhere and from any Web browser.”
  10. is doing another challenge, here. 
  11. We had an ROI war. Now another war is coming: “How to Value Digital Assets?” started it. The pile-up is here, here, here, here, here – hostilities continue…
  12. Finally, Josh Corman (now a security lead at 451 Group) unleashes some awesomeness here at FUDsec: “Do the Evolution..” He uses what lately became one of my favorite ideas as well: “Can you name *one* security control we’ve retired?” He also bitch-slaps some folks with “… or we could continue to whine about PCI ruining risk management” :-) BTW, you must also read the turmoil in the comments

PCI DSS section:

  1. Good or bad data, but this is worth thinking about: “PCI Survey Finds Some Merchants Don't Use Antivirus Software” (PCI haters should read it too, BTW!) This is about folks whose security is nowhere near PCI DSS levels. Key quote: “Around 10 percent of the respondents who said they were PCI DSS compliant said they weren't using basic security software such as antivirus, firewalls and SSL.”  More comments on it here.
  2. Fun interview with Bob Russo. Enough said. Quote: “How many [QSAs] have left the QSA program because they weren't able to recertify [after being kicked in the balls by the QSA QA SWAT team]?”
  3. “Tokenization Vs. End-to-End Encryption: Experts Weigh in” (myself included). The “end-to-end” claim worries me in the same way intrusion PREVENTION worries me…


Dr Anton Chuvakin