Jan 18, 2008
It’s a legitimate question to ask if “The New Face of CyberCrime” is a documentary on the state of security or just a marketing piece for Fortify. They could have easily made a 20-minute movie that was all about Fortify, but they didn’t. The movie was a short, straightforward look at some of the issues facing internet users today regarding the security of the Internet. There are bad people out there and they’re becoming more organized in their efforts to get your data. It was meant to mildly shock the members of your board room or a class you might be teaching, without sending too strident a message. Fortify hit their goal of making a movie that could be used to educate end users who aren’t that familiar with the Internet.
There were two things that disappointed me about the film though. The first was that there was nothing in the film that the audience hadn’t seen or read before. Much of the film was like reading an article from any one of the half dozen glossy security magazines that come out on a monthly basis. They rehashed many of the same subjects we’ve seen before, with many of the people we’ve all read before. There were a lot of people in the audience who would have liked to see something that added to the body of knowledge, not just rehash what we know. In the director’s defense, we weren’t his target audience. He was aiming for people who were like himself and barely understood computers.
The second thing I thought the film was lacking was a call to action. There was enough information in the movie to scare some people, but there was no “now go do this…” in the movie. There was a slight bias towards securing the applications, but nothing you’d notice if you weren’t in a theater surrounded by Fortify staff. But there was no suggestion of something to do about it, no suggestions of where to look for further information. If the film works and there’s an emotional charge worked up by viewing the film, you want to give people something to do with that energy. But I guess that’s for the person presenting after the film to take control of. The director says they thought of that, but that any call to action would have made The New Face of CyberCrime into a marketing piece and he may be right.
I went into The New Face of CyberCrime expecting to see something new and interesting; instead I saw Rsnake pointing to a screen while saying “Cross site scripting” a number of times and a good view of Marcus Ranum’s backyard. It wasn’t what I was hoping for; I would have liked to have heard some of the deeper conversations that went on around the sound bites. But I think the movie was what Fortify and the director were hoping for. The New Face of CyberCrime would make a good brown bag lunch movie, something where you lead a conversation afterwards and educate your users. As far as using it in the board room though, I’m not too sure I’ve ever worked in a company where I could get the board to listen to me for 20 minutes, let alone watch a movie that long.
Jan 14, 2008
Alex at RiskAnalys.is is ticked off because he sees the Payment Card Industry Data Security Standards as “being more a bunch of legal-wrangling” than it is about mitigating the risk to the data. And I think he hits pretty close to home; PCI is about transferring the risk of a data breach from the credit card companies to the person closest to the data: the merchant. By giving the merchant a minimum set of standards to follow, the credit card companies divorce themselves from the risks associated with a breach and place it on the merchant who’s actually holding the data. Securing the enterprise can be a nice side-effect of becoming PCI compliant, but the real goal is to set a minimum standard that merchants have to adhere to. The credit card companies can claim best effort when there is a breach, and the liability (and negative press) fall squarely on the shoulders of the merchant who was holding the data.
Yes, I’m more than a little bit cynical. PCI compliance is about marking off all of the boxes on a checklist, proving that your company is meeting a set of minimum standards. And a lot of companies hit that minimum and make no effort to keep securing their infrastructure beyond that. But that’s not a failing of PCI, that’s a failing of the company. Nowhere in PCI does it say you can’t take additional measures above and beyond those minimums. There’s no reason in PCI you can’t have a web application firewall as well as a third-party code evaluation. But most companies won’t do that because it costs money and no one has money to spare.
One statement I heard somewhere is that it’s easier to be PCI compliant by being secure than it is to be secure by being PCI compliant. If your shop is already being run in a secure manner, you may have to make some changes to meet the letter of the requirements, but they’ll probably be minimal. If you’re just trying to meet the PCI DSS requirements though, there’s a good chance you’ll leave open a vulnerability that’s unique to your environment. Which is why the credit card companies are pushing the risk and liability as close to the data storage as possible: every environment is unique.
Andy, IT Guy has the right idea: rather than thinking of PCI as a minimum standard, use it as a driver for change. Build your case and sell it. Use PCI as a fulcrum point to implement the changes that need to be made to the corporate environment. Policy and procedures are a large part of the PCI assessment; use this to make changes to the way your company does business. Look for ways to implement the PCI requirements that will best benefit your business, rather than complaining about the holes it leaves behind. When it’s all said and done, it’s the guy who’s there day in and day out who’s responsible for securing the systems, not the PCI assessor who comes once a year for a week.
Additional note: I think the mailing list Andy and Alex mention is the PCI Standards list on Yahoo. I created this group about 18 months ago and still approve new members. It’s an open group, unmoderated, low traffic and has no official standing with the PCI Council or anyone else. In other words, don’t post any significant details when sending questions to the list.
Jan 12, 2008
Contenders in both the Republican and Democratic parties are asking for a manual recount of the ballots in the New Hampshire state primary. While there has been no evidence of foul play at this point, there were discrepancies between districts that originally counted votes by hand and those that used Diebold scanning machines to count the vote. There’s at least one theory that explains the difference, but this needs to be investigated to preserve confidence in the voting system.
I’ve never liked Diebold or any of the voting systems, mostly because they’ve all been very resistant to allowing testing of their systems. We have to take the companies’ word that their systems are secure, going against the basic security tenet of ‘trust but verify’. At least in the case of New Hampshire, we’re talking about a state where they’ve mandated paper trails, so we have a secondary trail to follow in the recount. Such a discrepancy will be much harder to audit and prove or disprove when we start moving into counties that allow for a purely digital voting system. Yes, there’s hashing and other means of digital certification, but if someone can get access to a machine, those are going to be suspect at best. And it’s been proven multiple times that getting physical access to an e-voting machine isn’t all that hard.
On one hand, I don’t want this recount to turn up any major flaws, since we can’t afford that kind of chaos going into a Presidential election. Proof that a major electronic voting machine line was compromised would put a huge strain on many counties as they would have to find another way to hold elections. But if no errors are found, I also don’t want Diebold holding up this incident as proof that their systems are secure. All the recount would prove is that Diebold security was good enough this time. When I used to be licensed to sell mutual funds, we had a phrase we had to tell customers: “Past performance is no indicator of future value.” The same could be said of electronic voting machine security.
Jan 09, 2008
Last week’s server crash is turning into quite a positive incident. Yes, most of the incoming links to the site are broken due to differences between Movable Type and WordPress, but I’ve managed to redirect all of the RSS feeds so readers should continue to get updates as I write new posts. Using FeedBurner to manage the feeds has turned out to be as close to painless as humanly possible. It’s been a lot of work and there’s still more to go, but overall I’d call this a positive experience, especially since the site looks so much better than it ever has before.
What I hadn’t really thought about until today was what this would mean to my home network; I often told people that my home network was more complex than the average small business. And it was true, complete with a DMZ, two wireless networks and two wired networks, each with its own purpose. Now that I’m no longer hosting my own web, email and DNS services, the DMZ is no longer needed, nor is one of the internal wired networks. In one fell swoop, I was able to remove four pieces of network equipment, four wall warts and innumerable cables. My office almost looks like a human works here, rather than a robotic rat in a mood to nest.
My wife’s already commented on how much faster internet access is. My office is a good 10 degrees cooler and 10 decibels quieter than it’s been in years. I may be looking at a savings around $100 on my electric bill next month. My home office will no longer be a fire hazard. I even have all of my systems backing up to external hard drives for a change. There are times when you quietly say to yourself, “Why didn’t I do this before?”