Network Security Blog

Michael Dahn started an interesting conversation with his post, “Putting an end to compliance via continuous security“.  He wonders why he and other auditors come back to companies and find the same problems year after year.  Why can’t a company stay compliant over the course of a year?  The reason, or at least a reason is because the technologies might be changing, but the mentality that created the problem in the first case is still there. 

I don’t claim this as an original idea, it’s something I picked up from my teacher when I trained for my GSNA.  She stated that until you can change the way people are thinking about security, similar problems are going to continue to evolve again and again.  Policy might change the perception of security measures, education works better and sometimes people have to be replaced.  But until you can instill a proper security mindset in your users, problems will continue.

I always thought of PCI and compliance in general as a lever to promote change in the corporation.  People don’t like change and management really doesn’t like security managers who ask for large increases in their budgets.  But when you can use the compliance issue as a justification, you’ve taken that item from a ‘nice to have’ to a ‘must have’.  There are other ways to justify you’re work and your technology, but an itemized list of requirements helps a lot.

I also view becoming complaint as a secondary goal to becoming secure.  If you keep your priorities in that order, it should make doing both much easier in the long run.  I can’t say I’ve been completely successful at this in the past, but I found it made my life much easier when I do.  Focusing on a security solution that also happens go be a compliance solution is much more important than finding a compliance solution that’s secure. 

There are a lot of good comments on this thread.  I like the idea of a continuous approach to security, but it will be a change to the way people think.  If PCI or some other compliance framework is the tool you need to effect that change, use it.  But don’t lose sight of the real goal, which is the security of your company, not the compliance itself.

When I saw this last night, I couldn’t believe that Adobe would do something as stupid as shutting down the personal firewall so they could do updates.  What makes it funny is that they probably would have gotten away with it if they had just remembered to turn the firewall back on after the fact.  Come on guys, this isn’t rocket science.

I get to give stuff away next week!

We’ve moved the Cobia blog to a new system and spiced up the look and feel quite a bit.  Alan, Mitchell and I will be posting there regularly.

On a separate note, I’m going to be spending all of next week in Las Vegas at Interop.  In case you’ve never heard of Interop, it’s one of the biggest network conventions there is.  Mitchell, Alan and I will all be there, so be sure to stop by and talk to us for a few minutes.  We’ll be doing several podcasts from the show room floor and I’ll be wielding my new HD video camera from time to time.  Stop by the booth and pick up a t-shirt, at least as long as they last.

We’ve got some exciting things to announce at Interop, so stay tuned!

Technorati Tags: Cobia, Interop, StillSecure

I’m in Austin, Texas tonight getting ready to attend the Texas Regional Infrastructure Security Conference tomorrow.  Michael Farnum is speaking about security and blogging.  I don’t know anything about that, but I’m showing up to support Michael anyways.  Or maybe I’m just using this as an excuse to catch up with my buddies, Michael Farnum and Cutaway.  Michael’s right about one thing, I will be talking to anyone who gives me a few minutes about Cobia, but I hardly think that counts as “pimping”. 

Sometimes Mother Nature has her own plans.  Last night for example, I was supposed to fly into Denver at 8:20 and be in Boulder for beers by 9:30.  But instead of landing like we were supposed to, we had to taxi around Denver for 30 minutes before heading to Wyoming to get gas so we didn’t fall out of the sky.  By the time we made it to the airport at Denver, it was after 11:00, obviously blowing my plans for the evening.  Something about bad thunderstorms and funnel clouds over Denver made them delay every flight last night, go figure.

So I apologize if you showed up in Boulder planning to talk to me.  I’ll take the blame for many things, mostly because it’s usually my fault, but acts of nature are outside of my sphere of influence. 

I’m going to be shifting almost all of my blogging efforts to the Cobia site for the foreseeable future.  It doesn’t mean I won’t be blogging here, it just means it’ll be less often. 

I’ve been some trepidations about doing my own video blogging, but here it is.  I have a new Canon H20 HD video camera and a hand held mic and I’m not afraid to use them. 

I’ve got The Security Show over at Podtech and I’m going to be posting to there as much as I can in the future.  As long as it doesn’t interfere with the day job, that is.  Doing video blogging for Podtech brings in a nice supplementary income, but the primary source of food on the table has to come first.

Here’s what I posted on Podtech:

You might recognize my face from the video I did at RSA, but do you know anything about Martin McKeay? I thought I’d take a few minutes to tell you who I am and why I’m the host of The Security Show on PodTech. I started my IT career as a desktop support technician working my way into computer security and now into the position of Product Evangelist for Cobia at StillSecure. It’s been a long and interesting journey. My video skills are a little rough, as is my voice tonight (due to allergies). The good news in both cases is that things can only get better. You can read my blog, the Network Security Blog, which is also the home of my podcast.

Neither allergies nor allergy medicine could stop me from recording a podcast last night. It’s short, but it’s out, which is what was important to me.  I have a few articles I talk about shortly, plus I introduce the first real segment to the show.  Appropriately called the “Events Segment”, it’s where I talk about the events I’ve been to or am going to in the near future.

I forgot to mention one thing that was really important to me on the show last night:  I have my own channel on Podtech, the Security Show.  Now I just have to make the time to create more content.  That’s part of tonight’s efforts, my first real video blog I do from start to finish.  Should be interesting.

Show notes:

• (In)Secure Magazine Issue 11 is out.
• Data breaches seen to threaten IT job security - Well, duh.
• The trouble with Google hacking techniques
• Former court expert witness pleads guilty to perjury
• Check out Cobia.
• Tonight’s Music: Road Dogs by John Mayall

Network Security Podcast, Episode 67

Once again, I’m flying into Denver for work this coming week and I’m taking the opportunity to meet with other security professionals in the Boulder area.  It’s going to be a little later this time, around 9:30, but we’ll be at my current favorite hangout in Boulder, the Walnut Brewery.  This is an entirely informal get together, but a very good opportunity to do some networking.  Plus drink some good beer and tri-tip.

I guess it helps if you say what day, it’s going to be: Monday, May 14th at 9:30PM in the Walnut Brewery in downtown Boulder. I promise I’ll get to Denver next time