My wife says to me, “I seem to be getting your junk mail. Somebody just sent me Data Security Quiz results.” I have no idea what she means, so she forwarded me the email from the National Information Security Association (NISA). I confess that I had never heard of this organization before, and I really don’t know what they do. Apparently they quizzed a number of real estate agents and brokers around the country to find out how much they knew about data security. The results were emailed as a way of educating real estate professionals at large. Color me shocked. Actually, I thought the questions were pretty good to be asking for sales people. The Q&A was as follows:
- According to industry standard practices, when is it safe to leave sensitive client information in your car (either in electronic form, such as a laptop or in paper form)? Answer: d) Never.
- Which tool is most important once a network breach has been discovered? Answer: c) Access Log
- For most workplace computers when is it possible to be infected with malicious software? Answer: a) Anytime the computer is on.
- If I only collect client data for a short sale processing company, I am not responsible for data leaks? Answer: False
- What are the only actions that can guaranty the security of client data? Answer: c) There is no way to guaranty data security.
- What is the one sure method to determine if your computer contains malicious software? Answer: b) There is no way to be 100 percent sure.
Question three actually cracked me up because it is so true! I think there is a little bit of FUD going on here to get people to attend a seminar, because the email talks about blended threats and Stuxnet. I know real estate agents are pretty pissed about the state of the economy, but I am pretty sure plutonium enrichment is not a general concern. Regardless, it is very interesting to see how much security awareness training and how many security bulletins are being distributed to real estate professionals. It reminds me of Rich’s mention a few weeks ago that the owner of the local coffee shop was aware of PCI-DSS. The times they are a-changin’.
One final note: It appears we have SOLD OUT the Cloud Security Training course we are offering February 13th. If you are still interested, let us know and we will see if we can find a bigger room. Probably not, but we will see what we can do. Given the interest in the material, we are looking at providing more classes in the coming months so it helps us if you let us know if you are interested in cloud security certification.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading article on Database Security in the Cloud. First in a series.
- Securosis Mentioned in PF newsletter.
- Adrian’s podcast on Agile Development, Security Fail for RSA.
- More NRF quotes from Adrian on security in the retail vertical.
- Rich quoted on 10 Risks in Public Cloud Computing.
Favorite Securosis Posts
- Mike Rothman: Good Programming Practices vs. Rugged Development. We can always learn from similar initiatives and try not to make the same mistakes. Interesting post here from Adrian comparing Rugged to Agile.
- Adrian Lane: You Made Your Bed, Now Sleep in It. Ego and bravado have a funny way of coming back to crush security pros. Have I mentioned I suck lately?
Other Securosis Posts
Favorite Outside Posts
- Mike Rothman: Everyone has a plan until they get hit. I’m glad Gunnar is our team. Great quote from Tyson. Great post.
- Adrian Lane: Why terror alert codes never made sense. Actually every airport I have been to has been ‘Orange’ for three years. Too bad there are no free market forces to punish this type of stupidity.
Project Quant Posts
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- White Paper: Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
- Security + Agile = FAIL Presentation.
Top News and Posts
- Microsoft accuses Google of Clickjacking.
- Abusing HTTP Status Codes to Expose Private Information.
- Plentyofhack, er, Plentyoffish Hack.
- Skimmers That Never Touch ATM.
- Mark Anderson says China’s IP Theft Unprecedented.
- Egypt shuts down their Internet.
- NRO to announce IPv6. The NRO might want to have someone pen test their site as I am getting error codes straight from the database, but that’s a different subject.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Joshua Corman, in response to Good Programming Practices vs. Rugged Development.
Rugged is a Value. A characteristic. An Attribute. A Quality. A State.
Rugged in its simplest sense is an affirmative, non-security-executive desirable. Security is a negative – a Cost/Tax and usually an inhibitor to what a CIO wants.
Rugged encapsulates things like:
…that the CIO already wants.
For your eCommerce, do you want a flimsy Hosting Site? or a Rugged Hosting site?
Communities like OWASP can help developers to affect more Rugged outcomes. Jeff is involved in Rugged.
Rugged is on the overlooked People level more heavily than on the process and tech level.
We have a lot of great tools and technology and frameworks (sure we could use more and better ones). What’s most been lacking is Mainstream awareness and demand for the value of Rugged.
In my 11/12 months, I’ve seen the most traction for Rugged on those buying software. On Demand. If we can drive sufficient Demand, Supply will often follow.
I’m still looking to connect with you 1 on 1.
For now think of Rugged as what people want/need/deserve, and things like OWASP, Agnitio, etc. as ways people can help them to pursue it.