Tuesday, November 24, 2009

Fun Reading on Security and Compliance #21

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #21, dated November 23, 2009 (read past ones here).

This edition is dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)

  1. The “60-minute-gate”: start here, then comments here and here.
  2. Hilarious SIEM/log management video (“I need an outlet for my detective instincts”).
  3. Did somebody finally beat “the Levin record” (which seems not really his now) from 1994? Stealing $9m purely through computers is kinda cool :-)
  4. This shit is deep: data breaches cause data abuse (fraud, etc), says recent research. Captn Obvious award does not go unclaimed :-)
  5. Detecting Malice eBook is out.  Get it!
  6. NIST SCAP Conference presentations are finally posted (including mine). Check them out here.
  7. Privacy and future shock discussion: read this (“Forget Privacy, It Is Just An illusion”), then this (“Gartner Gets Privacy Dead Wrong”), then this (“Bob Blakley Gets Future Shock Dead Wrong”). Fun to read and think about.
  8. “HIPAA teeth” and HITECH act, very interesting. Also, this says that “57% of the survey respondents said they would make additional investments in security tools or technologies” [due to HIPAA/HITECH]. Is this for real?
  9. Various smart people beat up risk assessment: here (“The practice of risk analysis is one of the root causes of our failure to match security countermeasures to the emerging threats. It depends on too many unrealistic assumptions”) and here (“I think one of the ‘hot’ areas that I care about is being able to quantify risk. I personally don’t think this can be done because I’ve had too many customers show me their risk measuring systems and I’ve found fault with them.”) And then some other people defend it.
  10. Gunnar’s cloud wisdom: Part 1,2,3a, 3b. Did I mention it is awesome?
  11. Dave for the n00bs. Useful read, and not just for the n00bs: “Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional.”
  12. As I think more about SIEM, I find this old Decurity post very insightful, even though its enlightened creator has been absorbed by the EMC machine :-)
  13. “The Art and Science of Infosec” is surprisingly insightful. Key quote: “too many security folk, especially consultants and auditors, seem to fall into the trap of having the science drive their work more than the art.”
  14. I read this (“Is Your Response Time Less Than 120 Days?”, which talks about a security monitoring tool that was “mistakenly turned off for a four month period”) and it reminded me of my old paper on “the fallacy of real-time” (here). Why obsess about sub-second correlation on your SIEM, if your “process” is to respond to events months after they happen? I like to call it “Is CNN your IDS?” syndrome. :-)
  15. “Change the game” or “raise the bar”?

PCI DSS section:

  1. I can’t think why I haven’t highlighted it earlier: “Will PCI Mandate The Use Of Data Discovery Tools?” It is from Branden “Awesome” Williams, now of EMC.


Dr Anton Chuvakin