Reality has a funny way of intruding into the best laid plans.
Some of you might have noticed I haven’t been writing that much for the past couple weeks and have been pretty much ignoring Twitter and the rest of the social media world. It seems my wife had a baby, and since this isn’t my personal blog anymore I was able to take some time off and focus on the family. Needless to say, my “paternity leave” didn’t last nearly as long as I planned, thanks to the work piling up.
And it explains why this may be showing up in your inbox on Saturday, for those of you getting the email version.
Which brings me to my next point, one we could use a little feedback on. If you look at the blog this week we hit about 20 posts… many of them in-depth research to support our various projects. I’m starting to wonder if we are overwhelming people a little? As the blogging community has declined we spend less time with informal commentary and inter-blog discussions, and more time just banging out research.
As a ‘research’ company, it isn’t like we won’t publish the harder stuff, but I want to make sure we aren’t losing people in the process like that boring professor everyone really respects, but who has to slam a book on the desk at the end of class to let everyone know they can go.
Finally, this week it was cool to ship out the iPad for the winning participant in the 2010 Data Security Survey. When I contacted him he asked, “Is this some phishing trick?”, but I managed to still get his mailing address and phone number after a few emails.
Which is cool, because now I have a new bank account with better credit, and it looks like his is good enough for the mortgage application.
(But seriously, he wanted one & didn’t have one, and it was really nice to send it to someone who appreciated it).
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: NSO Quant: Monitor Metrics – Analyze. Definitely correlate. Ten minutes to Wapner.
- Mike Rothman: Monitoring up the Stack: Introduction. We’re starting another research project, pushing forward on our Monitor Everything philosophy. Keep an eye on this one – it’s going to be great.
- Rich: HP Sets its Arcsights on Security. Mike’s analysis of the HP/Arcsight deal, which tells you whether and why this matters.
Other Securosis Posts
- The Securosis 2010 Data Security Survey Report Rates the Top 5 Data Security Controls.
- Incite 9/15/2010: Up, down, up, down, Repeat.
- FireStarter: Automating Secure Software Development.
- Understanding and Selecting an Enterprise Firewall
- DLP Selection Process
Favorite Outside Posts
- Pepper: DRG SSH Username and Password Authentication Tag Clouds. Nice rendering of human nature (you can call it laziness or stupidity, as you prefer).
- Adrian Lane: Gift Card FAIL. Gift cards seemed designed to be scammed. Does the bank ever lose, or only merchants? Something to think about.
- Mike Rothman: Evil WiFi – Captive Portal Edition. Ax0n provides very detailed instructions on building your own Evil WiFi kit. For research purposes, of course…
- David Mortman: Security Planning – who watches the watchers? It’s almost but not quite Banksy.
- Rich: Want to know if your app (especially Adobe Reader) is using unsafe functions? Errata has an app for that.
Project Quant Posts
- NSO Quant: Monitor Metrics – Validate and Escalate.
- NSO Quant: Monitor Metrics – Analyze.
- NSO Quant: Monitor Metrics – Collect and Store.
- NSO Quant: Monitor Metrics – Define Policies.
- NSO Quant: Monitor Metrics – Enumerate and Scope.
Research Reports and Presentations
- Security + Agile = FAIL Presentation.
- Data Encryption 101: A Pragmatic Approach to PCI.
- White Paper: Understanding and Selecting SIEM/Log Management.
- White Paper: Endpoint Security Fundamentals.
Top News and Posts
- Flash Flaw Puts Android at Risk.
- Web Hacking Incident Database updated.
- HDCP Encryption Supposedly Hacked. It’s not like you can’t reverse engineer the set top box, but the details on this will be interesting.
- Another Adobe Flash zero day under attack.
- Old-school worm making the rounds. How nostalgic.
- Martin: What skillz should a geek kid learn?
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Troy, in response to Tokenization Will Become the Dominant Payment Transaction Architecture.
Interesting discussion. As I read the article I was also interested in the ways in which a token could be used as a ‘proxy’ for the PAN in such a system – the necessity of having the actual card number for the initial purchase seems to assuage most of that concern.
Another aspect of this method that I have not seen mentioned here: if the Tokens in fact conform to the format of true PANs, won’t a DLP scan for content recognition typically ‘discover’ the Tokens as potential PANs? How would the implementing organization reliably prove the distinction, or would they simply rest on the assumption that as a matter of design any data lying around that looks like a credit card number must be a Token? I’m not sure that would cut the mustard with a PCI auditor. Seems like this could be a bit of a sticky wicket still?
Troy – in this case you would use database fingerprinting/exact data matching to only look for credit card numbers in your database, or to exclude the tokens. Great question!
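To make the distinction concrete, here is an added Python illustration (not code from Securosis, Troy, or any DLP product) of the two detection strategies discussed in this exchange. A pattern-based content-recognition pass flags anything that looks like a PAN and passes the Luhn check, so a format-preserving token gets flagged right alongside real card numbers; an exact data matching pass only flags values whose keyed fingerprint appears in an index built from the real PANs, and a second variant suppresses anything found in the token vault. The card numbers are well-known test numbers, and the token, the HMAC key and the documents being scanned are all constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed sample values: public test card numbers standing in for the
# PANs held in the cardholder database, and a constructed format-preserving
# token that also passes the Luhn check (so a DLP regex cannot tell them apart).
REAL_PANS = ["4111111111111111", "5555555555554444"]
TOKEN = "4916123456789010"
EDM_KEY = b"constructed-demo-key"  # in practice a secret held by the DLP server

# Constructed documents for the scanner to look at.
SAMPLE_DOCS = {
    "export.csv": "cust_id,pan\n1001,4111111111111111\n1002,5555555555554444\n",
    "orders.log": "order 77 token=4916123456789010 amount=19.99\n",
    "notes.txt": "call 555-1234 ticket 1234567890123456\n",  # 16 digits, fails Luhn
}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by card brands (and by format-preserving tokens)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pattern_hits(text: str) -> list:
    """Content recognition: every Luhn-valid digit run that looks like a PAN."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def fingerprint(value: str, key: bytes) -> str:
    """Keyed hash so the index can live on the DLP server without exposing PANs."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def build_index(values, key: bytes) -> set:
    """Fingerprint index of known values (real PANs, or the token vault)."""
    return {fingerprint(v, key) for v in values}


def edm_hits(text: str, pan_index: set, key: bytes) -> list:
    """Exact data matching: only flag candidates that are actual PANs from the database."""
    return [d for d in pattern_hits(text) if fingerprint(d, key) in pan_index]


def hits_excluding_tokens(text: str, token_index: set, key: bytes) -> list:
    """Alternative: flag every PAN-looking value except those known to be tokens."""
    return [d for d in pattern_hits(text) if fingerprint(d, key) not in token_index]


def scan(docs: dict, pan_index: set, token_index: set, key: bytes) -> dict:
    """Run all three strategies over each document and return the hits per strategy."""
    return {
        name: {
            "pattern": pattern_hits(text),
            "edm": edm_hits(text, pan_index, key),
            "exclude_tokens": hits_excluding_tokens(text, token_index, key),
        }
        for name, text in docs.items()
    }


if __name__ == "__main__":
    results = scan(SAMPLE_DOCS, build_index(REAL_PANS, EDM_KEY), build_index([TOKEN], EDM_KEY), EDM_KEY)
    for name, r in results.items():
        print(name, r)
```

The pattern pass flags the token in orders.log as if it were a card number, which is exactly the false positive Troy raises; the exact-data-matching pass and the token-exclusion pass both leave it alone while still catching the two real PANs in export.csv. The exact-data-matching approach is the stronger of the two for an auditor, since it is positive evidence that a flagged value is a card number rather than an assumption that anything unrecognized must be a token.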