Friday, September 26, 2008

Spliced feed for Security Bloggers Network

What problem does NAC solve for you? [StillSecure, After All These Years]

Posted: 25 Sep 2008 07:03 PM CDT

I was at a large company yesterday that is a StillSecure Safe Access NAC customer (wish I could mention their name, but can't). The NAC project head was totally stoked about the latest information he was able to use as a result of NAC.  By mining the database of information that is gathered during the access control process, he was able to construct a chart showing each user, what IP address he is bound to, what MAC address his device had, what manufacturer corresponded to that MAC address, what OS was running and the results of the tests run on the machine.  He has a lot of plans to do more with that information by combining it with other information. This will give him unprecedented insight into who and what is on his network and what they are doing.

They already use NAC to test all managed, company-owned devices and to identify all guests trying to access the network.  Guests were being placed into a guest VLAN with web access and quarantined off from the internal network.  This was the original driver for NAC.  Now he was siphoning off guests, checking managed devices and tele-workers VPN'ing from home with their own devices, plus the data mining I just described.  This is a great example of NAC being used for more than just endpoint integrity checks, but instead helping with forensics, security, etc.

For those who say that NAC is not mature until we have true interoperability among all of the competing NAC frameworks, I say bunk!  NAC is mature and working and providing more value every day to organizations large and small right now! As more smart, innovative people continue to use it, they will find even more value in NAC by using the information and control it provides in new and exciting ways.

HowTo: Hack your DBT-120 to run in RAW mode. [Nicholson Security]

Posted: 25 Sep 2008 03:27 PM CDT

Dre from TS/SCI Security wrote a post yesterday “Fun with WiFu and Bluesniffing.” In his post he mentioned the lack of clarity on “how to” hack USB Bluetooth dongles due to the number of posts about problems. I posted in the comments that I have a D-Link DBT-120 Wireless Bluetooth 2.0 USB Adapter [...]

Twitter — What happened to the fail whale? [Srcasm]

Posted: 25 Sep 2008 03:04 PM CDT

I gotta be honest Twitter, I liked the fail whale better. — What happened to the fail whale?  This is what I am getting when I visit now…

Update #3: And it seems to be fixed.  Thanks Twitter. I think this was a record — only 18 minutes from when I saw it to fixed.

Update #2: While Twitter is busy spewing out errors, hit up for access.

Update #1: Twitter seems to know about the issue.

Keep an open mind and ye shall succeed [Srcasm]

Posted: 25 Sep 2008 02:00 PM CDT

While perusing the blogosphere, I came across a great post by Alexis Siemons over at the Phillypreneurs blog.  She talks about the definition of an entrepreneur and what that means.  As Alexis states, Merriam-Webster says an entrepreneur is:

“One who organizes, manages, and assumes the risks of a business or enterprise.”

This definition is fine and dandy but I tend to have a bit of a different definition for one of these so-called entrepreneurs:

One who organizes, manages, and assumes the risks of a business, enterprise, idea, community, group, talent, job-juggle, event, show, game, game-show or anything else for that matter.

See what I did there?  I opened my mind.  An entrepreneur can be defined as “a pusher of things.”  You, your neighbor, your friends and family and anyone else can be an entrepreneur.  You simply need to take the ideas that you have in your head and turn them into real life (yes, that’s right IRL - like friends) projects.

As I’ve stated before, you need to take the first step.  Take your ideas, start a new group, form a new company, create the next Google, cure a disease or do whatever else your heart desires.  Just make sure you put your all into it.  Take a risk and see what happens.  You may find that ye shall succeed.

Recording and Stream Notice - Episode 124 [PaulDotCom]

Posted: 25 Sep 2008 01:15 PM CDT

We're doing things a little different tonight. We'll be breaking the show up into two parts.

The live stream for the news portion of the show should be active about 5:00 PM EDT, Thursday, September 25th. We should begin recording the live show at about 5:10 PM EDT.

We even have a very special guest again this week, Alex Horan from Core Security Technologies (and some other distinguished guests from Core). The stream should be live at about 8:45 PM EDT and we'll begin the interview at about 9:00 PM EDT.

Please keep in mind that these times are all estimates, but we will try to do the best that we can.

Don't forget to join in on the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at #pauldotcom.

When active, the live stream(s) can be found at:



Please join us, and thanks for listening!


- Larry & Paul

On Oracle World and Inference Attacks []

Posted: 25 Sep 2008 12:47 PM CDT

Some days I feel the suffocating weight of travel more than others. Typically, those days are near the end of a long travel binge; one lasting about 3 months this time.

When I first started traveling I was in my 20’s, effectively single (rotating girlfriends), and relatively unencumbered. At first it was an incredibly exciting adventure, but that quickly wore off as my social ties started to decay (friends call less if you’re never around) and my physical conditioning decayed faster. I dropped from 20 hours or more a week of activity and workouts to nearly 0 when on the road. It killed my progression in martial arts and previously heavy participation in rescues. Not that the travel was all bad; I managed to see the world (and circumnavigate it), hit every continent except Antarctica, and, more importantly, meet my wife. I learned how to hit every tourist spot in a city in about 2 days, pack for a 2 week multicontinental trip using only carry-on, and am completely comfortable being dropped nearly anywhere in the world.

Eventually I hit a balance and for the most part keep my trips down to 1 or 2 a month, which isn’t so destructive as to ruin my body and piss off my family. But despite my best scheduling efforts sometimes things get out of control. That’s why I’m excited to finish off my last trip in the latest binge (Oracle World) for about a month and get caught up with blogging and the business. For those of you earlier in your careers I highly recommend a little travel, but don’t let it take over your life. I’ve been on the run for 8 years now and there is definitely a cost if you don’t keep it under control. As we say in martial arts, there is balance in everything, including balance.

Now on to Oracle World and a little security.

I’m consistently amazed at the scope of Oracle World. I go to a lot of shows at the Moscone Center in San Francisco, from Macworld to RSA, and Oracle World dwarfs them all. For those of you that know the area, they hold sessions in the center and every hotel in walking distance, close off the road between North and South, and effectively take over the entire area. Comparing it to RSA, it’s a strong reminder that we (security) are far from the center of the world. Not that Oracle is the center, but the business applications they, and competitors, produce.

This year I was invited to speak on a panel on data masking/test data generation. As usual, it’s something we’ve talked about before, and it’s clearly a warming topic thanks to PCI and HIPAA. I’ve covered data masking for years, and was even involved in a real project long before joining Gartner, but it’s only VERY recently that interest really seems to be accelerating. You can read this post for my Five Laws of Data Masking.

Two interesting points came out of the panel. The first was the incredible amount of interest people had in public source and healthcare data masking. Rather than just asking us about best practices (the panel was myself, someone from Visa, PWC, and Oracle), the audience seemed more focused on how organizations are protecting their personal financial and healthcare data. Yes, even DNA databases.

The second, and more relevant point, is the problem of inference attacks. Inference attacks are where you use data mining and ancillary sources to compromise your target. For example, if you capture a de-identified healthcare database, you may still be able to reconstruct the record by mining other sources. For example, if you have a database of patient records where patient names and numbers have been scrambled, you might still be able to identify an individual by combining that with scheduling information, doctor lists, zip code, and so on.

Another example was a real situation I was involved with. We needed to work with a company to de-identify a customer database that included deployment characteristics, but not allow inference attacks. The problem wasn’t the bulk of the database, but the outliers, which also happened to be the most interesting cases. If there are a limited number of companies of a certain size deploying a certain technology, competitors might be able to identify the source company by looking at the deals they were involved with, which ones they lost, and who won the deal. Match those characteristics, and they then identify the record and could mine deeper information. Bad guys could do the same thing and perhaps determine deployment specifics that aid an attack.

If logic flaws are the bane of application security design, inference attacks are the bane of data warehousing and masking.
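To make the inference-attack problem concrete, here is an added example (not code from the post or from any vendor it mentions) that measures how many records share each quasi-identifier combination in a constructed, de-identified dataset, flags the outliers that can be singled out, and applies the two usual fixes, generalization and suppression. It covers both the healthcare example and the customer-deployment example above; all column names and sample values are assumptions.

```python
"""Inference-attack check for a de-identified dataset (added example).

Columns an outsider could learn from other sources (ZIP code, doctor,
appointment week; company size band, technology deployed, region) are treated
as quasi-identifiers. A record whose quasi-identifier combination is unique
(k == 1) can be singled out no matter how well the name or patient number was
scrambled, which is exactly the outlier problem described in the post.
All records below are constructed for illustration.
"""
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

Record = Dict[str, object]
Key = Tuple[object, ...]


def _key(record: Record, quasi_ids: Sequence[str]) -> Key:
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records: Sequence[Record], quasi_ids: Sequence[str]) -> Counter:
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(_key(r, quasi_ids) for r in records)


def min_k(records: Sequence[Record], quasi_ids: Sequence[str]) -> int:
    """k-anonymity of the release: size of the smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records: Sequence[Record], quasi_ids: Sequence[str], k: int = 2) -> List[Record]:
    """Records that share their quasi-identifier combination with fewer than k records."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_key(r, quasi_ids)] < k]


def generalize(records: Sequence[Record], rules: Dict[str, Callable]) -> List[Record]:
    """Coarsen columns (e.g. ZIP -> ZIP3, week -> 4-week block) so more records collide."""
    return [{**r, **{col: fn(r[col]) for col, fn in rules.items()}} for r in records]


def suppress(records: Sequence[Record], quasi_ids: Sequence[str], k: int = 2) -> List[Record]:
    """Drop records in classes smaller than k; the usual fix for genuine outliers."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_key(r, quasi_ids)] >= k]


# Constructed "de-identified" patient extract: pids are scrambled, but ZIP, doctor
# and appointment week could all be matched against scheduling data or doctor lists.
PATIENTS: List[Record] = [
    {"pid": "p-4a1f", "zip": "19103", "doctor": "D-07", "visit_week": 38, "dx": "cond-1"},
    {"pid": "p-9b2c", "zip": "19103", "doctor": "D-07", "visit_week": 38, "dx": "cond-2"},
    {"pid": "p-3c9e", "zip": "19103", "doctor": "D-07", "visit_week": 39, "dx": "cond-3"},
    {"pid": "p-77d0", "zip": "19104", "doctor": "D-07", "visit_week": 38, "dx": "cond-1"},
    {"pid": "p-e5a2", "zip": "19104", "doctor": "D-07", "visit_week": 38, "dx": "cond-2"},
    {"pid": "p-1f6b", "zip": "19104", "doctor": "D-12", "visit_week": 39, "dx": "cond-1"},
    {"pid": "p-c8d4", "zip": "19104", "doctor": "D-12", "visit_week": 39, "dx": "cond-3"},
]
PATIENT_QIDS = ("zip", "doctor", "visit_week")

# Constructed customer deployment extract: one very large NAC deployment is an outlier
# that a competitor could match against the deals it lost.
DEPLOYMENTS: List[Record] = [
    {"cid": "c-01", "size_band": "500-1000", "technology": "NAC", "region": "NE"},
    {"cid": "c-02", "size_band": "500-1000", "technology": "NAC", "region": "NE"},
    {"cid": "c-03", "size_band": "500-1000", "technology": "UTM", "region": "NE"},
    {"cid": "c-04", "size_band": "500-1000", "technology": "UTM", "region": "NE"},
    {"cid": "c-05", "size_band": "10000+", "technology": "NAC", "region": "NE"},
]
DEPLOY_QIDS = ("size_band", "technology", "region")


def patient_report() -> Tuple[int, List[str], int]:
    """(k before, singled-out pids, k after ZIP3 + 4-week-block generalization)."""
    before = min_k(PATIENTS, PATIENT_QIDS)
    exposed = [r["pid"] for r in singled_out(PATIENTS, PATIENT_QIDS)]
    coarse = generalize(PATIENTS, {"zip": lambda z: z[:3], "visit_week": lambda w: (w - 1) // 4})
    return before, exposed, min_k(coarse, PATIENT_QIDS)


def deployment_report() -> Tuple[int, List[str], int]:
    """(k before, singled-out cids, k after suppressing the outlier records)."""
    before = min_k(DEPLOYMENTS, DEPLOY_QIDS)
    exposed = [r["cid"] for r in singled_out(DEPLOYMENTS, DEPLOY_QIDS)]
    return before, exposed, min_k(suppress(DEPLOYMENTS, DEPLOY_QIDS), DEPLOY_QIDS)


if __name__ == "__main__":
    print("patients    (k, singled out, k after generalizing):", patient_report())
    print("deployments (k, singled out, k after suppression): ", deployment_report())
```

Scrambling the identifiers alone leaves k == 1 in both extracts; only coarsening the quasi-identifiers or dropping the outlier rows raises it.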


Fortinet adds to the chemistry with Secure Elements [StillSecure, After All These Years]

Posted: 25 Sep 2008 12:30 PM CDT

Fortinet has been making noise about moving beyond the UTM space for some time. Today they took a very tangible step in that direction with the announcement that they have acquired Secure Elements. For those of you not familiar with Secure Elements, they were a DC-area based vulnerability management solutions provider. Their C5 platform started out as a run of the mill vulnerability scanning tool. I think they used the Nessus scanner and then started importing other scanner data.  Over time they morphed more into a configuration management solution.

Secure Elements was virtually unknown outside of the Federal Government space.  I would bet 90+% of their customer base was in the Fed space.  They were one of the leaders in the FDCC and SCAP requirements that NIST recently put out.  Their founders and pedigree had a long history of working in the friendly confines of the DC Beltway.

Fortinet on the other hand, while trying hard, did not have a ton of success in the Federal space.  Does the fact that much of their development and design happens in Asia, and China specifically, represent a reason for this? Perhaps it did. Also, beyond UTM what technology did they have?  They recently announced an endpoint based agent for security that sounded suspiciously like a McAfee or Symantec type of play.  They had been making noises around doing vulnerability scanning and management as well.  Now the other shoe drops and we see where that comes from.

So what is Fortinet's end game?  Well certainly if the public markets were not in the sad state they are in, they would be a good candidate for an IPO. But beyond financial goals, what do they want to be when they grow up?  I think it is becoming clear.  They want to take on Symantec, McAfee, Checkpoint and others as providers of a full spectrum of security solutions. They want to use their base as an ASIC based UTM and move to the endpoint and beyond.  With the kinds of units they sell in UTM they certainly have the revenue to fund it.

My final question is:  How long until Fortinet offers a NAC solution?  If they are interested I know a company that is pretty good at OEM'ing their NAC solution to others.  You know how to reach me ;-)

Finnigan Oracle Master Class [Infosecurity.US]

Posted: 25 Sep 2008 12:14 PM CDT

Oracle HQ

Oracle (NasdaqGS: ORCL) Security pioneer and all-around class act Pete Finnigan has just released, (along with his sponsor SENTRIGO, publishers of HedgeHog, and the winner of the SC Magazine 2008 Rookie Award) a new set of slides and video of his recent Oracle Security Master Class.

If you have not had the opportunity to attend one of Pete’s superb webinars, I strongly suggest you watch the video (viewable via Microsoft Windows Media Player, or VLC), and high-thee-ho over to to delve deeper.

[1] An update, slides, USA and a masterclass

[2] Sentrigo: Sentrigo Wins SC Magazine 2008 Rookie Security Company Of The Year Award

[3] Oracle Security Master Class Courtesy of Sentrigo: Database Security_Masterclass_With_Pete_Finnigan

Shout out to Melanie Marks, Director of Marketing at Sentrigo for permissions.

Don’t worry, be happy [Srcasm]

Posted: 25 Sep 2008 11:33 AM CDT

It’s not everyday that someone comes up and compliments you.  It’s very common-place for people to put you down, talk down to you or simply ignore your strengths and that should change.  I’ve noticed how much it affects people when you simply say, “Great job!” or, “You look lovely today.”  A smile shines on their face for hours to come as they think of what it felt like to get that compliment (especially when they are unexpected).

This type of mentality can be taken to the workplace as well.  When working with people, it’s important to recognize what they’ve accomplished, not just what you’ve done.  When working for someone, it’s important to feel appreciated for what you do and when someone works for you, remember how great it feels to be appreciated by the people above you.  Keep this in mind every day and make sure you reach out and make someone smile.  Here are a few tips that work well for me…

  • Be genuine.
  • Make sure you speak honestly about the person.
  • Make sure the compliment will be taken as one by the other party. (i.e. “You are one hot mama,” should not be said to your boss.)
  • Don’t expect anything back.  While it would be nice, not everyone knows that it feels good to make others happy.  They’ll catch on, keep at it.
  • Be genuine. (I say this twice because it’s super important.  Nothing makes someone feel crappier than when they get a compliment that they know is not genuine.)

Keep this with you all the time and make sure you share the love with those around you.  Not just your friends, but your associates, business contacts and even enemies — We all deserve to smile.

What is Cisco up to? Up your stack [StillSecure, After All These Years]

Posted: 25 Sep 2008 11:33 AM CDT

Cisco announced the other day that they were buying Jabber.  Jabber of course makes instant messaging and chat software.  In and of itself this acquisition is simple enough, but when you look at some of the recent Cisco acquisitions you start to get the feeling that there is more here than just more network gear.  Over the last two years Cisco has made several acquisitions in the social networking, web conferencing, email and now chat/messaging spaces.

I think this points to Cisco moving up the stack from pure network or even intelligent networking.  They clearly are moving into applications. I think it is about the quad play stuff for them.  They realize that rich media communications is going to drive more network use.  This time, not only do they want to own the pipes that this traffic moves in, they want to own the means of putting that traffic in the pipes as well. In doing so they are going to compete with a different set of companies than the Nortel, Foundry, Extreme, Brocade, etc. that they compete with now.  These new sets of competitors could be named Microsoft, Adobe and Oracle.  I say good, more competition is a good thing!

PCI 1.2 [ImperViews]

Posted: 25 Sep 2008 11:22 AM CDT

As I wrote yesterday, the PCI Community Meeting discussions are interesting and useful. Many have asked me to provide insights on the actual changes to the specification and especially on section 6 and 6.6 (ensuring that all public Web-facing applications are protected against known attacks), section 10 (track and monitor all access to network resources and cardholder data) and section 3 (protect stored cardholder data).

While we still need to respect the embargo on disclosing the actual details of the PCI DSS 1.2, there are a few insights that I can share regarding the community culture and the spirit of this event. As you can see below, section 6.6 can also be used as an opening sentence when one is looking for new friends...

As soon as the embargo is lifted, I will share our thoughts and insights.  And for more insight into the world of the PCI QSA, I encourage you to attend our upcoming webinar, "The Inside Story of PCI: Confessions of a QSA."

Why Does Innovation In Network Security Come From Startups? Part 2 [Napera Networks]

Posted: 25 Sep 2008 09:34 AM CDT

A post by Nir Zuk at Palo Alto on innovation and another at OnStartups inspired me to follow up on my earlier posting on why much of the recent innovation in networking and security has come from startups. The first idea I wrote about was the ability to engage with customers. The next is the ability to focus on and quickly innovate around the customer problem.

Building great products requires focus. Large companies often spin out incubator units to drive innovation and Xerox PARC and Microsoft Research are great examples of this. Regardless of high concept research units, few large technology companies consistently turn research into innovative products. R&D is often disconnected from customer needs and instead is aimed at some future delivery of breakthrough technology. The reason in my experience is that large companies foster an environment where people become distracted by a myriad of concerns and are unable to focus on the essential customer value of their product. Instead, they often turn out products which try to be all things to all people and end up simply mediocre. Much of the innovation in security in the last decade such as stateful inspection, firewall appliances, network access control and security in the cloud came from companies that were startups at the time and challenged the status quo.

Some large companies eschew R&D and simply outsource their innovation to startups. Cisco is one example that has followed a successful long term strategy of acquiring networking startups as markets mature. Often the companies Cisco acquires have been founded by ex-Cisco engineers, which proves that even when the very same people are involved, the startup culture demands freedom in which to successfully innovate, and an opportunity to focus on the problem at hand without the distractions of trying to satisfy other demands.

At a successful startup, all the wood is behind one arrow. Everyone should be working on solving the customer problem, and success is predicated on achieving that result faster and more creatively than others. The level of focus on the customer and ability to quickly innovate is unmatched. The best startups foster a clear rallying point around a compelling technology, have a direct connection between customers and product management, and build an environment dramatically more efficient at creating new products.

The speed of innovation is critical. At Napera we are running on a three month innovation cycle and we are closing on our third release since we announced our product line. For anyone building a complex networking product, this is much faster than larger companies that can take a year or more to get out a new release. Talking to a customer about a pain point and then demonstrating the first pass of a solution a few months later is dramatically more effective than trying to solve all of a customer's problems with one gigantic release that takes forever, and often misses the point entirely.

PR vs. Marketing [Srcasm]

Posted: 25 Sep 2008 09:07 AM CDT

I was involved in a very interesting conversation the other day about the difference between marketing and PR.  I was always under the impression that they were very similar positions…  They both try to sell the company or product (without being a sales guy), they both educate others as to the latest and greatest news and they are both integral parts of an organization but I apparently never really separated them out the way that was necessary.

See, PR focuses on the media.  This doesn’t have to be exclusively traditional media but much of it revolves around television, newspapers and other writers.  They are also usually responsible for those organized press releases that companies put out on the wire.  As far as the marketing people, they need to be the front men/women for the business.  They should be out there shaking the hands, kissing the babies and doing what is necessary to make sure that everyone knows what the product is.

In many organizations, the marketing people are focused on new media technology.  Whether they’re blogging or interacting with users and potential users on Twitter or Facebook, they are always on their game.  They can also help to write copy that the company can use for both their own website and locations where people need information from the source.

Why am I writing this blog post?  I’m writing it to help you figure out where you stand.  It can be difficult to separate out jobs, especially in a start-up world, but it can be important to the success of the idea.  People can become too sucked into all the hats that they wear and they start to lose sight of their goals.  Make sure you think about your position and how you need to interact with your idea or organization.

Please contact Microsoft for Firefox problem? True but Funny Dialog Box [Musings on Information Security]

Posted: 25 Sep 2008 08:23 AM CDT

OWASP AppSec 2008 - New York [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 25 Sep 2008 07:15 AM CDT

OWASP AppSec 2008 in New York City, day 2 is officially under way. Day 1 was tremendous simply because of all the great people I got to get back in contact with, and many I've never met in person before. There were also a bunch of wonderful presentations, for example the w3af talk by Andres Riancho was not only very informative - but made me realize that commercial black-box web app sec tool vendors have some things to learn from w3af and the supporting group. The Cross-Site Scripting Filter Evasion talk by Alexios Fakos was also very good - filled the room and got a thunderous applause when that was over... great job. I think Alexios made lots of the folks in that room realize that their black-lists are not only very inadequate but that you can do so much more than most people even think to evade filters. Ivan Ristic's talk on mod_security was pretty good too. I think that if the commercial WAF vendors didn't have someone in the room paying attention, it will be their loss. No matter how you feel about the topic of WAF, Ivan's talk set the record straight in a lot of ways and clearly outlined the benefits and downfalls of the WAF community while highlighting mod_security.

I think I have to echo the folks I was standing around with and their sentiment when it comes to the ISC^2 tactic for party-scheduling. First off, a room-full of security nerds and an open bar is never a good idea for that much time... but when you first don't feed us and give us endless glasses of liquor before your talk on... whatever it was you talked about - I don't think anyone remembers what that talk was about. All I can recall was that someone won a 42" TV, and that my drink (Goose & cranberry) ended up being a Fruit Punch and grapefruit. I guess that's what I get for ordering from a guy that well...

As a final note - thanks to Trey and Darren for hanging out and drinking beers and eating some late-night dinner food... great times guys.

Now I'm off to the next day of presentations and lunacy.

BSQL Hacker - Automated SQL Injection Framework [Darknet - The Darkside]

Posted: 25 Sep 2008 05:15 AM CDT

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database. It ships with Automated Attack modules which allow the dumping of whole databases for the following DBMS: MS-SQL Server ORACLE MySQL (experimental) Attack Templates for: MS...

Read the full post at

September Podcast: This Month In Control System Security [Digital Bond]

Posted: 24 Sep 2008 10:15 PM CDT

Joining me in the September Edition of This Month In Control System Security:

  • Joe Weiss of Applied Control Solutions to discuss why he thinks a control system CERT is required and his recommendations provided to CSIS for the next President.
  • Jake Brodsky of the Washington Suburban Sanitary Commission updates us on Secure DNP3 and discusses security needs for control system protocols in general.
  • Dave Teumim of Teumim Technical discusses the progress made in the transportation sector in a new APTA security guideline effort.

Some links discussed in the show:

Direct link to the podcast.

Podcast Info:

We have made it easier for you to get Digital Bond’s podcasts.

Subscribe via iTunes.

Or you can subscribe to the Podcast RSS Feed.

Java Update 2 for Mac OSX Released [Infosecurity.US]

Posted: 24 Sep 2008 08:11 PM CDT

Java Update 2 (all 136.4M of it) for Mac OS X has been released this afternoon. Based on Apple’s (NasdaqGS: AAPL) statements the update provides increased reliability and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X 10.5.4, 10.5.5 and later.

Rogue ISP Atrivo Emerges From Deadpool [Infosecurity.US]

Posted: 24 Sep 2008 06:42 PM CDT

Isn’t it time we clean house?

KnujOn reports (along with The Register, ArsTechnica and PCWorld) Rogue ISP Atrivo/Intercage has apparently been re-animated and now blames equally rogue, malware-rich cousin EstDomains for its laundry list of problems.

Why support is so important in a cut-throat world [Srcasm]

Posted: 24 Sep 2008 05:29 PM CDT

Frank Eliason (aka @ComcastCares) and his team of phenomenal people are at it again!  They’ve had a bit of publicity on ZDNet, Brian Solis’ blog and even the Get Satisfaction crew is getting satisfied.

Today, I had a strange issue — I could no longer get the music channels on my digital box.  A quick reboot of the box didn’t fix it so I sent an email to Frank’s team.  Within the hour Catherine, from PA/De Corporate Escalations, had both called me and emailed me to see if we could get to the bottom of my problem.  After a quick call back, she had booked a service call for 7-9pm on Thursday (that’s right, a two hour window next day).  About 5 minutes later she called to ask if anyone had sent a signal to the box yet.  Nope?  She did and within seconds the music channels reappeared.  The fiancée was happy and so was I and she got to close a ticket in probably near-record time.  I want to make sure I say thanks to that whole team.  And keep up the great work, Comcast.

As for everyone else, learn from this.  Comcast has had historically poor support but they are working their butts off to get better.  When I call Verizon, AT&T, PGW and the rest of the bunch, I would love to actually get an educated, nice person on the phone — or at least be able to reach out to them on Twitter.

"Pea-Sea-Eye" [ImperViews]

Posted: 24 Sep 2008 05:17 PM CDT

I'm at the 2008 PCI Community Meeting in Orlando. The Standards Council asked us not to disclose any information or pictures regarding the content of the upcoming PCI DSS version 1.2 beyond what has been already discussed in the press or on the Council's web site. For those that are not familiar with the subject (can't spell P-C-I as Bob Russo, General Manager of the council explained), here is a complimentary image. 


Seriously, this is one of the more important events for the data security community and if you are reading this blog, you are probably affected in some way. More reports and coverage (without revealing anything that I promised not to) will be coming soon.

Cisco Releases Multiple Security Advisories [Infosecurity.US]

Posted: 24 Sep 2008 04:09 PM CDT

Cisco Systems Inc. (NasdaqGS: CSCO) released several significant security advisories earlier today. You’ll find the links to each advisory after the break. Again, all enumerated advisories are significant. We strongly suggest immediate action in the unlikely event that your network administrators are unaware of these vulnerabilities.

Cisco Advisory: Cisco IOS IPS Denial of Service Vulnerability
Cisco Advisory: Cisco IOS MPLS VPN May Leak Information
Cisco Advisory: Multiple Multicast Vulnerabilities in Cisco IOS Software
Cisco Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability
Cisco Advisory: Multiple Cisco IOS Session Initiation Protocol Denial of Service
Cisco Advisory: Unified Communications Manager SIP Denial of Service
Cisco Advisory: IOS Software Firewall Application Inspection Control Vulnerability
Cisco Advisory: Cisco IOS NAT Skinny Call Control Protocol Vulnerability
Cisco Advisory: IOS MPLS Forwarding Infrastructure Denial of Service
Cisco Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability
Cisco Advisory: Vulnerability in Cisco IOS While Processing SSL Packet
Cisco Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service

Which compliance pill to take? [Security Balance]

Posted: 24 Sep 2008 03:50 PM CDT

Anton Chuvakin wrote a very good piece about PCI and how regulations like that are usually written and interpreted. He is completely right on defining the problem as:

  1. Mandate the tools (e.g. “must use a firewall”) - and risk “checklist mentality”, resulting in BOTH insecurity and “false sense” of security.
  2. Mandate the results (e.g. “must be secure”) -  and risk people saying “eh, but I dunno how” - and then not acting at all, again leading to insecurity.

About those options, he says:

“Take your poison now?! Isn’t compliance fun? What is the practical solution to this? I personally would take the pill #1 over pill #2 (and that is why I like PCI that much), but with some pause to think, for sure.”

Actually, I believe it may be possible to reach an intermediate alternative. By defining the rules and standards for risk assessment and management we could set the standards on defining acceptable risk levels instead of saying “must be secure”, and without the need to go as deep as “must use a firewall”. Of course this approach would raise several questions about how to achieve compliance, but it would give more freedom to organizations about how to approach the risks and avoid “checklist mentality”.

The problem with risk management based compliance is that the organization can manipulate its risk assessments and downplay stuff that should be identified as “high risks”. If the risk equation, impact and probability levels are standardized, however, it would be easy to compare apples to apples and say things like “risks above level X must be mitigated until level Y”.

Even by taking that approach we would still have to deal with the control efficiency problem. Like the firewall that Anton mentioned, there are several controls (probably most of them) for which the way they were implemented and how they are managed are even more important than the control itself. Maybe the best way to solve that is defining appropriate ways to deploy and maintain each proposed control. Ok, we could go into a very deep (and inefficient) level of detail by doing that. It seems to be a catch-22 situation. Personally, I don’t know who is worse at pointing to where the bar should be placed: auditors or standard writers. I don’t trust either :-)

CyberWar: Burmese Dissident Web Sites Attacked By Junta [Infosecurity.US]

Posted: 24 Sep 2008 01:22 PM CDT

Free Aung San Suu Kyi Protest

Image by lewishamdreamer via Flickr

News reports surfaced yesterday, noting a somewhat under-reported (in the US at least) clandestine cyberwar targeting Burmese dissidents. The likely culprits are (according to The Australian) the current Burmese Junta…

From the report: “A YEAR after emailed images of Burma’s brutal crackdown against democracy demonstrations were transmitted across the world, the junta has launched a ferocious “cyber war” against dissidents who use the internet.”

[1] The Australian: Junta in cyber war against dissidents
[2] Wikipedia: Aung San Suu Kyi

A new direction [Srcasm]

Posted: 24 Sep 2008 12:36 PM CDT

I plan on taking a new direction on life.  I’ve been a netsec guy for a while and I enjoy the technology.  I really enjoy working with my hands, designing new systems, breaking into others but I believe that I will have a lot more fun in the startup, entrepreneur and community-driven world.

The big reason for this change is that I love working with people.  I love learning from people, meeting new people, teaching what I can and simply listening to what others have to say.  This is the direction I want my life to go in.  I don’t want to be answering the calls, I want to make them.  I want to take the community head on and learn from what each and every one of you have to teach.  I want to share what you have to teach to the rest of the world.

That’s why, in addition to starting a new career path very soon, I am also going to start to talk to more people and post what they have to say here, at  To start I’m talking to Jason Allum, of RipIt, and his life and how it got him to where he is.  Did you know Jason lived in Japan, built awesome things with his hands and travelled the world?  I didn’t either until I stopped to listen.  I’ll be writing a post outlining who Jason is and will hopefully be getting answers to the questions of (that means the questions from you, the readers).

Live, learn, and be merry.  It’s easy, let's try.
