This week’s mailing is “Guidelines for Publishing Information Online“. To quote their own synopsis,

Remember that the internet is a public resource. Avoid putting anything online that you don’t want the public to see or that you may want to retract.

If you’ve reading the blog or listening to the podcast, you’ll probably have seen me use words very similar to that a number of times. Especially when Uncle Mike Rothman tries to get me going on a subject like privacy. Privacy isn’t dead, but the vultures are gathering and it’s up to each and every one of us to safeguard our own privacy by being aware of what we put on the Internet. ‘Cause once it’s out there and Google’s indexed it, you’ll never get that piece of information back in the bottle.

Isn’t it funny when someone who blogs as much as I do says be careful what you put on the Internet?

Another plugin in the same vein worth checking out is WordPress Automatic Upgrade. No more waiting for your service provider to get around to the upgrade or mess with all the funky files yourself. The only problem I have with it is re-enabling the plugins after an upgrade, which is a relatively minor issue. I run the plugin occasionally just to get a backup of the blog. See, I do learn from my mistakes occasionally.

Tonight’s Music: Pride by Paula Toledo

Network Security Podcast, Episode 101, April 15th, 2008

Time: 42:26

Show notes:

• Rich’s Macworld Keynote Impressions
• Congressional report slams TSA for security breach.
• Banking in Silence – And remember, these things are only going to get smarter and better
• First Rogue Cleaning tool for the Mac
• Tonight’s song:  Amy B with Brainwashing Machine

Network Security Podcast, Episode 90

Time:  27:41

Turns out that somewhere in the middle of the night, the PCI bus on the server’s motherboards decided to bite the dust. It shows memory errors where there were none before. The system comes up, and even though the NIC responds, it’s not allowing connectivity in any way shape or form. I can get on the server locally, but no network connections are being established.

Taking this as a sign from above that maybe it’s time to switch from hosting the site and my email at my house, I’ve switched all of my DNS, email and web services over to BlueHost. And since I have to rebuild everything anyways, I’ve switched from Movable Type to WordPress, something I’ve been thinking about doing for over a year now. And despite an earlier resolution to backup the entire database on a regular basis, the latest backup I have is from the end of August, so I’ll be losing a number of posts and comments until I take the time to recover them from the now defunct server. Luckily I’ve hardly been posting the last few months, so it’s probably no more than a couple of dozen posts lost.

I am not a happy camper, especially since I already had a full days worth of work ahead of me. I’ll probably take some more time this morning to at least get a better looking page up, but most of the real work is going to have to wait until another time. And since I have a report dues Monday, it looks like I’ll be working all weekend. And to top it all off, I managed to spill coffee on my sound board while trying to reach around to the back of the dying server. It seems to be okay so far, but I said more words the kids shouldn’t hear when that happened.

At least mail is working and the site is back up, even though it’ll take a day or two to have the DNS changes to propagate throughout the Internet. If you haven’t already changed over to the Feedburner feed, now would be a good time. As soon as I get that pointed to the new RSS feed that is. Speaking of which, I’ll be back once I’ve fixed that too

Edit: The FeedBurner feed is http://feeds.feedburner.com/MartinMcKeaysNetworkSecurityBlog

I don’t claim this as an original idea, it’s something I picked up from my teacher when I trained for my GSNA.  She stated that until you can change the way people are thinking about security, similar problems are going to continue to evolve again and again.  Policy might change the perception of security measures, education works better and sometimes people have to be replaced.  But until you can instill a proper security mindset in your users, problems will continue.

I always thought of PCI and compliance in general as a lever to promote change in the corporation.  People don’t like change and management really doesn’t like security managers who ask for large increases in their budgets.  But when you can use the compliance issue as a justification, you’ve taken that item from a ‘nice to have’ to a ‘must have’.  There are other ways to justify you’re work and your technology, but an itemized list of requirements helps a lot.

I also view becoming complaint as a secondary goal to becoming secure.  If you keep your priorities in that order, it should make doing both much easier in the long run.  I can’t say I’ve been completely successful at this in the past, but I found it made my life much easier when I do.  Focusing on a security solution that also happens go be a compliance solution is much more important than finding a compliance solution that’s secure. 

There are a lot of good comments on this thread.  I like the idea of a continuous approach to security, but it will be a change to the way people think.  If PCI or some other compliance framework is the tool you need to effect that change, use it.  But don’t lose sight of the real goal, which is the security of your company, not the compliance itself.

Technorati Tags: security, mckeay, black hat europe, Cisco, NAC