It’s Friday again and time for the summary. It’s been a yin & yang kind of week for me, with mixed blessings and curses all around.
On the down side, Friday is always the day for bad news. It’s the day that Fannie Mae, Countrywide and others announce impending disaster so as to lessen the impact on the market. I just have to wonder if they learned that from Office Space. Based upon what I am seeing in the press, and some things here in Arizona, this Friday will be no exception as I expect there to be another big bank announcement. Four friends have lost jobs in the last week and are struggling to find any work, and I am going to have to help a friend move this weekend because their house is going back to the bank. One person I know had someone access their bank account with a fake ATM card, and my next door neighbor got a call Tuesday from Wells Fargo as someone was trying to make a “Phone Cash Advance” on their account. And yet another indication that the system is broken is the credit shell game, with Experian no longer willing to sell credit scores to consumers. Technically, they were not doing it before, but when pushed to sell consumers the real FICO scores, instead of the “FAKO’s” they have been providing, they decided to bow out. Should we just go back to cash? That would solve a lot of problems.
On the positive side we here at Securosis are in a very good mood and have high hopes for the future. Principal among the reasons for this is we are officially on “Nugget watch”, or rather we are waiting for the little Mogull to arrive soon. Mom is in good health and spirits while Rich is furiously decorating, arranging and preparing for the arrival. Male nesting … it’s simultaneously cute and sad to watch. But I have to say, the baby’s room looks great! Stay tuned as I will post something as soon as I hear more news.
I had several conversations with different SIM/SEM vendors this week and I view the changes as positive. It’s no longer “Gee, look at all this neat data we have” nor trying to convince customers how great aggregation is (gaak!), and more about using that data to solve business problems and building some intelligence into the products. Rich and I are seeing some very cool things happening around encryption and key management that should make a lot of people very happy, and we will begin the encryption series we promised in the next couple weeks. And it looks like Motorola found some loose change under the couch, spinning out Good Technology to Visto; Visto should be able to put the technology to good use. That’s all positive! Rich & I are both wrapping up a couple of interesting projects and about to commence on new ones as well so things are busy. I am even starting to get excited about going to Source Boston and seeing a bunch of friends. Maybe we will even get to see where Mr. Hoff lands!
Rolling into the weekend I am focused on the positive, so here it is, the week in review:
Favorite Securosis Posts:
- Rich: A Very Revealing Statement by the PCI Council.
- Adrian: Thinking positive, Netezza buying Tizor is good for all parties.
Favorite Outside Posts:
- Adrian: SEC Investigating the Heartland breach.
- Rich: Microsoft confirms Zero-Day.
Top News and Posts:
- PCI Council announced ranked security and milestones
- Top Ten Web Hacking Techniques 2008, now official!
- More happy news: Flowers for Pirate Bay Witness’ Wife.
- Fuzzing for Fun & Profit on CGISecurity.
- Kindle 2 looks awesome. Comments here and here.
- Why we have spring training: Adobe “swings and misses” with PDF vuln.
- Virtualization: Disruptive Technologies and Security
- In GM’s continuing effort to go out of business no matter how much money is thrown at them: it also wanted to account for a possible tilt toward sales of bigger vehicles if gas prices remained at current levels in coming years.” Wow. With leadership like that, who needs enemies.
Blog Comment of the Week:
Allen Barronov on Will This Be The Next PCI Requirement Addition:
If you are putting money down I’ll take you up on it let me just get some poor sucker’s credit card details in case I lose.
On a serious note: DLP is very reactive.
One advantage is that your CEO doesn’t have to say (quoting from Bob Carr) “we were alerted by Visa” which sounds very weak and can really be read as “we had no idea that people stole information from us until someone else told us about it”. This is apparently quite normal.
Proactive is to analyse the entire PCI process from start to end and secure it accordingly.
A few companies that I have had the privilege of working for have firewalled their “process network” off from their main business network. The reason to do this is really to protect availability. If a virus hits the business network then the (real) money making part of the business can still function – there may be pain but the gadgets still get made/gathered/fixed/etc.
A payment processing business should think: PCI transmission is different from the normal network traffic and they should separate it accordingly. If Sue from Accounts gets a virus on her PC, it should not impact on PCI processing in any way (CIA).
I really like DLP but it is not a cure for bad network design.
I guess the answer is layers. Good network design (based on Business Processes) with DLP to catch the drips.
“You know what else everyone likes? Parfaits.” Donkey in Shrek.
Now, I am off for some more stealth photography.
Reader interactions
3 Replies to “Friday Summary: Feb 27, 2009”
We’‘ll be looking out for it and anticipate comparing notes.
chrs,
/ma
@Mark – Yeah, I will. I am planning on blogging more on the subject over the next couple of weeks. Still need to do some additional research and talk to some more people before I am ready.
-Adrian
‘Adrian,
Can you say more about your discussions with SIEM vendors?
/ma