Archive for September, 2011

Sep 28 2011

I helped write this

Published by under PCI

When I left Verizon Business, I stuck around all of July for one reason and one reason only: I’d been working with the folks at Verizon for several months to collect all the data we could about the Reports on Compliance we had done in 2010.  I like my ex-coworkers, but it was really the fact that I wanted to help finish the report before I left.  I’d spent a lot of time in the data collection and it was just getting to the number crunching and writing when I accepted my current position at Akamai.  But I’d say sticking around to help write the Verizon 2011 Payment Card Industry Compliance Report was one of the best decisions I’ve made in my more recent history.  Other than taking the role as Security Evangelist at Akamai, that is.

I’m not going to dissect the report; I’m still a little too close to it.  I will say that I’m worried because there’s a definite downward movement in compliance with the PCI requirements.  I’m not sure if merchants are feeling burnout, if QSAs are getting tougher or if something else is going on, but it’s not heartening to see that meeting the requirements is becoming less of a priority for merchants.  I wish the report had come out before the PCI Community Meeting so I could have asked Bob Russ and other Council members for some feedback.  It might have put a little bit of a damper on the ‘Rah! Rah!’ that was being presented to the crowds.

I used to fight with Josh Corman, saying that while it wasn’t perfect, it had improved the landscape of security.  Now I’m not so sure.  If compliance with the requirements is on the decline, maybe it’s barely even being given lip service anymore.  Or maybe I’m reading too much into a year over year change; we’ll have to wait until next year to see.


Sep 27 2011

Network Security Podcast, Episode 254

Published by under Podcast

We’re back!  Not that we actually left, but we’ve all been so tied up in each of our own lives that we’ve let the podcast slip the last month or so.  We’re working on a more permanent arrangement and some of the issues that have cropped up lately are getting solved, but we will probably miss a few more before the end of the year.  In the meantime, Martin got a chance to sit down with Schuyler Towne and discuss lock picking at the United Security Summit at San Francisco recently.

Network Security Podcast, Episode 254, September 27, 2011
Time: 44:54

Show Notes:


Sep 13 2011

Hoping to effect change at the ISC2

Published by under CISSP/ISC2,Simple Security

It might just be a pipe dream to hope that these folks can make any significant change at the ISC2, but the fact that they’re trying is more than I’ve ever done.  Which is why I’m hoping you’ll throw a little support behind the five people Jack Daniel is highlighting who want to run for the Board.  Endorsing them simply puts them on the ballot, it does not mean you have to vote for them, it doesn’t mean any of them will actually get elected.  But it will hopefully send a message that whatever direction the ISC2 is currently headed in, and I certainly don’t know what direction that is, isn’t helping the general CISSP at all.

From Jack’s site:

Below are the five candidates I am aware of, in alphabetical order:


Sep 06 2011

Network Security Podcast, Episode 253

Published by under Podcast

After a week off due to… life… we’re back. Zach had to phone in for this one as he gets settled into his Hipster’s Paradise Pad in NYC (well, Brooklyn). But believe it or not, we manage to find some things to talk about *other* than DigiNotar! (Okay, we do talk about it, but mostly other stuff).

Network Security Podcast, Episode 253, September 6, 2011
Time: 29:25

Show Notes:


Sep 05 2011

A story I’m only beginning to learn

Published by under Cloud

I’ve only been at Akamai a month, but I’ve already started to understand how special a person Daniel Lewin must have been.  Maybe not perfect, but definitely special.  His loss on September 11, 2001 rocked the company to its core, but it also inspired the people working there to be the best they can be in many ways.  And sometimes that’s the most important thing we can leave behind as our legacy, inspiration for the people we interacted with to be better. 

A lost spirit still inspires –


Sep 03 2011

Is this really the ‘State of Security’?

Published by under General,Risk,Security Advisories

I’m not a big fan of opinion polls, especially when the people writing them present them as if they were facts, rather than simply opinions of the people polled.  There’s a huge difference between the reality we live in and the way we perceive that reality.  That’s simply a fact of life, not a criticism of anyone in particular.  But it has a huge impact on the real usefulness of data when it’s based on perception rather than a quantifiable measurement.  And in the information security field, we’ve been working on perception and intuition for far too long and need to start relying on real, measurable data instead.  I have been told I’m too hard on polls, since opinions are valid data points as well, but I’m not so certain.

That’s quite an opening statement for a look at the latest security survey by Symantec, but I wanted to get my own personal biases out of the way before starting.  It also helps explain some of my skepticism of the value of the Symantec State of Security 2011 report.  It’s pretty, it’s glossy, it has nice pictures, but it’s still an opinion poll and I always have to wonder how much it’s been affected by the perception of the people who were surveyed, how much they were willing to answer honestly and whether or not they actually knew the answers or just made stuff up.  As I said, I’m not a big fan of opinion polls in security, in large part because I’ve filled out more than a few of them myself.

There’s a lot of white space, large type and big graphs in the report.  Padding that should have been replaced with more analysis and discussion rather than being wasted.  Which tells me this was probably produced by the marketing department rather than someone in engineering or security.  Marketing might have gotten the analysis right, but the 19 pages would have been boiled down to 8 or 10 pages if it had been written by an engineer instead.  That’s not to say there isn’t some good information in the report, but it does mean there’s a lot of fluff to wade through to get to it.

One of the important tidbits is that, according to the poll, 41% of security professionals feel that security has become more important to their businesses over the last year as opposed to 15% who think it’s decreased in importance.  Given some of the high profile attacks that we’ve seen in the last year, I don’t find that surprising, but I’m still glad to see that what we do is gaining in awareness of management.  41% of respondents also feel that they’re being given more budget, which leads me to ask if the increase in awareness is leading to a greater budget or if an increased budget led to a feeling of more awareness?  Given how long we’ve been underspending on security, it is good to see some positive movement on this front.

I found the trends that are driving security concerns a little confusing.  According to Symantec, mobile computing, social media and consumerization of IT top the list of concerns; this was explained to me as coming from the newness of the technologies, but I find that hard to swallow.  Smart phones aren’t new, social media isn’t new and consumerization certainly isn’t new.  I know I had to deal with consumer products in the workplace when I was a sysadmin and that’s been nearly a decade.  The first thing I’d point out is that there’s only a 4% difference between the top 6 items in the list and Symantec acknowledges a 5% margin of error in the survey.  Which means that nearly any one of those categories could actually be the biggest security concern.  I’m a little surprised they split different aspects of ‘cloud computing’ into various subcategories such as SaaS, PaaS, public and private cloud, but I mean that in a good way.  It’s so nice to see someone who actually realizes that the ‘Cloud’ isn’t one technology but a collection of very loosely related technologies and implementations. 

I would like to know more about how the question concerning significant security threats was posed to the people polled.  Hackers top the list, but there’s also a category for hacktivism, criminals, industrial espionage, targeted attacks and state-sponsored attacks.  I see those all as potentially falling under ‘hacking’ which could mean that there was a flaw in the question asked that biased the results.  I’m also not sure how this perception actually gains us any understanding in the first place.

“71% of respondents saw an attack in the last year…”  Oh boy, that’s a loaded statement.  If only 71% of the companies saw an attack, what were the other 29% doing, because I’m absolutely certain they were attacked, even if it was simply a drive-by attempt.  Were they playing ostrich, with their heads buried in the sand and no detective measures on their network?  Did they have anti-virus and ignore the malicious code that found its way into their network or did they not have AV at all?  Were they actually looking at the logs from their IDS or were they ignoring those as well?  I’ve run into more than a few security professionals who’ve said their management didn’t want detective measures in the environment because detection would mean they’d have to do something about it.  But even I have a hard time believing it was 29% of the companies.

The one perception in this report that I find scary is the measure of what security professionals think they’re doing well.  52% of security professionals polled believe they’re addressing routine security measures effectively.  But that also means 48% of security professionals don’t think they are.  Close to half of us are willing to admit we aren’t doing a good job at the basics.  And that was the highest measurement amongst all the data points.  If half of us admit we aren’t even doing the basics well, is it any wonder that we’ve seen so many breaches in the last couple of years?  Do we even have a chance if half of us admit we don’t have the resources to do the basics?

The recommendations by Symantec are generic and could have come from nearly any security report written in the last few years.  Policy, process, buzzwords don’t help much.  What should have been highlighted is the need to get the basics right, rather than work on policies that most people in your company will never even know exist.  Yes, policy gives us a lever to pry money out of management from time to time, but it doesn’t address the real problems of just being aware of what’s happening on your network.  But that’s probably not what management wants to hear anyway.

Take a little time to read the report, it won’t take you more than 15 minutes to read every word in it.  As with any report there are some nuggets of knowledge to be gained, but question the analysis put forth by Symantec.  I wish they’d included more information about the specific questions asked, because that tells a lot about the biases involved.  I would also like to see hard data points about the points made, rather than just opinions.  But I guess a couple of years of hanging around people like Alex Hutton and Wade Baker, writers of the DBIR, make me value analyzing data over opinion.
