As we all get ready for the turkey-induced food coma awaiting us Yanks in two days, let me expand a bit on an incomplete thought put forth by the Hoff. His Cloudiness wonders aloud if Compliance is the Autotune of the Security Industry. Instead of having to actually craft and execute a well-tuned security program which focuses on managing risk in harmony with the business, we’ve simply learned to hum a little, add a couple of splashy effects and let the compliance Autotune do it’s thing. Genius. Forget that squirrel stuff, Hoff should just dub himself T-Comply. It’
I had an insanely early flight this morning for some client work in the Bay Area, so last night I hopped out to fill up on gas and grab some pizza for family movie night (The Muppets Take Manhattan, in case you were wondering). I’m at the gas station when the guy at the pump next to me asks if I ever shop at Target. This is the sort of question that raises my wariness under most circumstances, and since we were, at that moment, about 100 meters from said Target, this line of conversation was clearly headed someplace interesting.
Skipped out of town for a much needed vacation Friday, and spent the weekend in a very remote section of desert. I spent my time hiking to the top of several peaks and overlooking vast areas of uninhabited country. I rode quads, wandered around a perfectly intact 100 year old mine shaft, did some target practice with a new rifle, built giant bonfires, and sat around BSing with friends. A total departure from everyday life. So I was in a semi-euphoric state, and trying to ease my way back into work. I was not planning on delving into complex security philosophy
Rich makes the case that A Is Not for Availability in this week’s FireStarter. Basically his thinking is that the A in the CIA triad needs to be attribution, rather than availability. At least when thinking about security information (as opposed to infrastructure). Turns out that was a rather controversial position within the Securosis band. Yes, that’s right, we don’t always agree with each other. Some research firms gloss over these disagreements, forcing a measure of consensus, and then force every analyst to toe the line. Lord knows, you can never disagree in front of a client.
Now that the media has feasted on the Stuxnet carcass, it gives me a moment of pause. What of a different perspective? I know – madness, right? But seriously, we have seen the media in a lather over this story for some time now. Let’s be honest – to someone who has worked in the SCADA community, this really is nothing new. It’s just one incident that happened to come to light. An alternative angle to the story, which seems to have been shied away from, is under-financed but motivated agents. Technical ‘resources’ with too much free time and a
It’s drilled into us as soon as we first cut our help-desk umbilical cords and don our information security diapers: C is for Confidentiality I is for Integrity A is for Availability We cite it like a tantric mantra. Include it in every presentation, as if anyone in the audience hasn’t heard it. Put it on security tests, when it’s the equivalent of awarding points for spell your name at the top. We even use it as the core of most of our risk management frameworks. Too bad it’s wrong. Think about this for a moment.
As I continue working through the nuances of my 2011 research agenda, I’ve been throwing trial balloons at anyone and everyone I can. I posted an initial concept I called Vaults within Vaults and got some decent feedback. At this point, I’ve got a working concept for the philosophies we’ll need to embrace to stand a chance moving forward. As the Vaults concept describes, we need to segment our networks to provide some roadblocks to prevent unfettered access to our most sensitive information. The importance of this is highlighted in PCI, which means none of this is novel –
Lin Mun Poo of Malaysia sounds like a pretty bad-ass criminal hacker. He cracked into the Federal Reserve, and snagged hundreds of thousands of card numbers from a bank in Cleveland. But perhaps his intellectual skills don’t extend quite as far as they should for criminal survival. The article describes how he was nabbed selling card numbers in Brooklyn a few hours after landing at Kennedy airport. If you’re a conspiracy nut, the following sentence might indicate the government has some secret master key to crack your encryption: The stolen card numbers were found on his encrypted laptop
I got distracted by email. The Friday Summary was going to be about columnar databases. I think. Maybe it’s the flu I have had all week, or my memory is going, or just perhaps the subject was not all that interesting to begin with. But the email that distracted me was kind of funny and kinda sad. A former friend and co-worker contacted me for the first time is something like 10 years. Out of the blue. The gist of the email was he was being harassed by someone with threatening emails. After a while he started to worry and
I’m hanging out in the Red Carpet Club at the Orlando airport, waiting to head home from the Cloud Security Alliance Congress. Yesterday Chris Hoff and I presented a three part series – first our joint presentation on disruptive innovation and cloud computing (WINnovation), then his awesome presentation on cloud computing infrastructure security issues (and more: Cloudinomicon), and finally Quantum Datum, my session on information-centric security for cloud computing. It was one of the most complex presentations I’ve ever put together in terms of content and delivery, and the feedback was pretty positive, with a few things I need