Friday Summary: January 7, 2011By Rich
Compliance and security have hit the big time, and I have the proof.
Okay: all of us who live, eat, and breathe security already know that compliance is a big deal and a pain in the ass – but it isn’t as if “normal” people ever pay attention, right? Other than CEOs and folks who have to pay for our audits, right? And according to the meme that’s been circulating since I started in the business, no one actually cares about security until they’ve been hit, right?
Well, today I was sitting at my favorite local coffee shop when the owner came over to make fun of me for having my Mac and iPad out at the same time. We got to talking about their wireless setup (secure, but he doesn’t like the service) and he mentioned he was thinking of dropping the service and running it off his own router. I gave him some security tips, and he informed me that in no way, shape, or form would he connect his open WiFi to the same connection his payment system is on.
Because he has to stay PCI compliant.
Heck, he even knew what PCI PA-DSS was and talked about buying a secure, compliant point of sale system!
He’s not some closet security geek – just a dude running a successful small business (now in two locations). He’s a friggin’ Level 4 merchant, and still knows about PCI and compliant apps. I feel like kissing the sales guy who must have explained it all to him.
And security? He never uses anything except his up-to-date Windows 7 computer to access his bank account.
Now can we all shut up about not making a difference? Do you really think I could have had that conversation even a few years ago?
One last note:
RSA is fast approaching. We (well, @geekgrrl) are working hard on the Securosis Guide to RSA 2011, the Recovery Breakfast announcement will go out soon, we’re cramming to finish the CSA training class, and we’ve locked in an awesome lineup for the RSA e10+ program we are running this year. And then there’s our sekret squirrel project.
In other words, please forgive us if we are slow responding to email, phone calls, or beatings over the head.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mort quoted in Incident%20response%20plans%20badly%20lacking,%20experts%20say.
- Kevin Riggins gives us a shout-out and review.
Favorite Securosis Posts
- Mike Rothman: Mr. Cranky Faces Reality. Any time Adrian is cranky, you need to highlight that. I guess he is human after all.
- Adrian Lane: The Evolving Role of Vulnerability Assessment and Penetration Testing in Web Application Security.
- David Mortman: Web Application Firewalls Really Work.
- Rich: BSIMM meets Joe the Programmer.
Other Securosis Posts
- React Faster and Better: Initial Incident Data.
- Mobile Device Security: Saying no without saying no.
- Incite 1/5/2011: It’s a Smaller World, after All.
- HP(en!s) Envy: Dell Buys SecureWorks.
- Motivational Skills for Security Wonks: 2011 Edition.
- Mobile Device Security: I can haz your mobile.
- Coming Soon….
- React Faster and Better Chugging along.
- React Faster and Better: Alerts & Triggers.
Favorite Outside Posts
- Mike Rothman: Quora Essentials for Information Security Professionals. Lenny Z talks about how to use the new new social networking thingy: Quora. I’m a luddite, so maybe I’ll be there in a year or two, but it sounds cool.
- Adrian Lane: thicknet: starting wars and funny hats. A couple weeks old, but a practical discussion of MinM attacks on Oracle. And Net8 is difficult to decipher.
- Rich: Slashdot post on how China acquires IP. I suggest the full article linked by Slashdot, but it’s a translation and even the short bits in the post are very revealing.
Project Quant Posts
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- White Paper: Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
Top News and Posts
- Researcher breaks Adobe Flash sandbox security feature. He did not actually break anything, but figured out how to bypass the restriction.
- Windows 0day in the wild.
- SourceFire buys Immunet.
- More perspective on Gawker Hack.
- Chinese hackers dig into new IE bug, says Google researcher.
- Breaking GSM With a $15 Phone … Plus Smarts.
- The Dubai Job: Awesome article in GQ on the assasination.
- Security risks of PDF.
Blog Comment of the Week
One can not keep information secret that is accessable by >10 people over years, period. Mind you, ‘systems’ and ‘networks’ are not limited to the typical IT stuff one might think of but includes the people and processes. Trying to secure it is doomed to fail, so what one needs is to adjust the mindset to reality. Sorry, no spend-more-dollars solution from me…