Friday Summary: May 28, 2010
We get a lot of requests to sponsor this blog. We got several this week. Not just the spammy “Please link with us,” or “Host our content and make BIG $$$” stuff. And not the PR junk that says “We are absolutely positive your readers would just love to hear what XYZ product manager thinks about data breaches,” or “We just released version 7.2.2.4 of our product, where we changed the order of the tabs in our web interface!” Yeah, we get fascinating stuff like that too. Daily. But that’s not what I am talking about. I am talking about really nice, personalized notes from vendors and others interested in supporting the Securosis site. They like what we do, they like that we are trying to shake things up a bit, and they like the fact that we are honest in our opinions. So they write really nice notes, and they ask if they can give us money to support what we do. To which we rather brusquely say, “No.”

We don’t actually enjoy doing that. In fact, that would be easy money, and we like as much easy money as we can get. More easy money is always better than less. But we do not accept either advertising on the site or sponsorship because, frankly, we can’t. We just cannot have the freedom to do what we do, or promote security in the way we think best, if we accept payments from vendors for the blog. It’s like the classic trade-off in running your own business: you sacrifice security for the freedom to do things your own way. We don’t say “No” to satisfy some sadistic desire on our part to be harsh. We do it because we want the independence to write what we want, the way we want. Security is such a freakin’ red-headed stepchild that we have to push pretty hard to get companies, vendors, and end users to do the right thing. We are sometimes quite emphatic, in order to knock someone off the rhythm of that PowerPoint presentation they have delivered a hundred times, somehow without ever critically examining its content or message. If we don’t, they will keep yakking on and on about how they address “Advanced Persistent Threats.” Sometimes we spotlight the lack of critical reasoning on a customer’s part to expose the fact that they are driven by politics, without a real plan for securing their environment. We do accept sponsorship of events and white papers, but only after the content has gone through community review and everyone has had a chance to contribute. Many vendors and a handful of end users who talk with us on the phone know we can be pretty harsh at times, and they still ask if they can economically support our research. And we still say, “No.” But we appreciate the interest, and we thank you all for participating in our work.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading article on What Oracle Gets In The Secerno Buy.
- Rich quoted in a Dark Reading article on database passwords.
- Did we mention Rich was on NPR Science Friday? The full transcript is up. Unfortunately, it has all the “you knows” and “ums” in it.
- Adrian’s DAM Deployment Issues to Avoid launched this week.
- Rich on the Network Security Podcast.
- Adrian quoted in CRN Tech on database security.
- Mike quoted in SC Magazine.

Favorite Securosis Posts
- Rich: Code Re-engineering. This applies to so much more than code. I’ve been on everything from mountain rescues to woodworking projects where the hardest decision is to stop patching and nuke it from orbit. We are not mentally comfortable throwing away hours, days, or years of work; and the ability to step back, analyze, and start over is rare in any society.
- Mike Rothman: Code Re-engineering. Adrian shows his development kung fu. He should get pissed off more often.
- David Mortman: Gaming the Tetragon.
- Adrian Lane: The Secerno Technology. Just because you need to understand what this is now that Oracle has their hands on it.

Other Securosis Posts
- Understanding and Selecting SIEM/LM: Aggregation, Normalization, and Enrichment.
- Quick Wins with DLP Presentation.
- Incite 5/26/2010: Funeral for a Friend.
- Understanding and Selecting SIEM/LM: Data Collection.
- A Phish Called Tabby.
- Thoughts on Diversity and False Diversity.
- FireStarter: The Only Value/Loss Metric That Matters.
- The Laziest Phisher in the World.

Favorite Outside Posts
- Rich: Data Loss Prevention and Enterprise Rights Management; Complimentary or alternative? For 6 months or so I’ve been getting a lot of “which is better, DRM or DLP?” questions. The problem is that they are not alternative technologies, but complementary. The trick is to figure out which one might be more appropriate to implement first, not which can replace the other. Besides, I think they are on the path to complete convergence in the long term, and we already have early samples of combined solutions.
- Adrian: Bejtlich’s Forget Pre-Incident Cost, How Much Did Your Last Incident Cost? Almost picked Rich’s post The Only Value/Loss Metric That Matters for my internal fave of the week, but this is like a two-fer.
- Mike Rothman: Google Secure Search and Security Overkill. Boaz makes the point that not all security is worth it. Playing at a security theater near you…
- David Mortman: Privacy Theater.

Project Quant Posts
- DB Quant: Discovery And Assessment Metrics (Part 2) Identify Apps.
- DB Quant: Discovery And Assessment Metrics (Part 1) Enumerate Databases.
- DB Quant: Planning Metrics (Part 4).

Research Reports and Presentations
- Understanding and Selecting a Database Encryption or Tokenization Solution.
- Low Hanging Fruit: Quick Wins with Data Loss Prevention.
- Report: Database Assessment.

Top News and Posts
- TabNabbing was the big news this week.
- Three indicted on $100M Rogue Software Scam.
- Mozilla Plugin Check via Brian Krebs.
- Supposed Vuln in iPhone Encryption.
- Oopsie. Why does the IRS never have a problem like this?
- Your Privacy in Their Hands via LiquidMatrix.
- Can you have a PCI Compliant Virtual Site? Good question.
- New School blog announces The