Carnival of the Security Catalyst Community - April 22, 2008
Well, today it’s my turn to host the Carnival of the Security Catalyst Community. The SCC Forum was launched by Michael Santarcangelo, the “Security Catalyst”. The forum itself can be found at http://www.securitycatalyst.org/forums and requires you to register to read most of the threads posted by members. Most members are active security professionals, either consultants or security managers inside enterprises. However, for this Carnival entry, you can view any of the articles I link to below without registering.
As busy as I am, I don’t get to scour the full roster of the Security Catalyst Community of blog writers (there are dozens of them), let alone the larger security blogging universe. So, today I’m highlighting a variety of blogs, written by both SCC members and others. Some of these I subscribe to regularly, and some I don’t get to as often as I’d like. Taking a turn as the Carnival Moderator this week, I’m forcing myself to do a bit more digging than I usually do.
1) Bloginfosec.com – Author: Sam Dekay.
URL: http://www.bloginfosec.com/2008/04/22/does-security-awareness-work-pt-2-it-all-depends-on-what-you-mean-by-work/
This is the second post by Sam in recent weeks on examples of real security awareness campaigns and how successful they were. I think it’s essential to get more of these kinds of articles into the mainstream of business. Managers need to know what types of initiatives work, and what they will cost. I should add a disclaimer that I have posted a comment on this article, and on the Part 1 article.
2) Securosis.com – Author: Rich Mogull.
URL: http://securosis.com/2008/04/18/its-about-the-fraud-not-the-breaches/
Rich has talked in the past about how breach reporting is not as useful as reporting on how electronic fraud is actually being perpetrated. His point is that we see so many reports of exposures these days that there is little incremental value in each one. There is no information shared by payment companies, or even by enterprises, on whether, or how, information from a particular breach was abused to cause real damage. All we know is that there is “potential”. This gives companies a big out to say, “There is no evidence that the information lost has been abused in any way.” Rich suggests some sources that may help, and ways to make the process more transparent. Rich also posts a lot of good articles on other topics, including Data Loss Prevention.
3) Tssci-security.com – Author: Marcin Wielgoszewski / Dre.
URL: http://www.tssci-security.com/archives/2008/04/03/privacy-google-scroogle-and-you/
Marcin / Dre (not sure if it’s one and the same person, based on the blog credits) talk about how search queries can be sensitive (e.g. SSNs, credit card numbers), and can be harvested. It seems that people tend to search on their own credit card numbers, for example, to see if they are posted anywhere on the web for others to steal and use. But the act of entering this information in a query can, in itself, trigger a sequence of events that may ultimately lead to the information being compromised.
4) Realtime-ITcompliance.com – Author: Rebecca Herold.
URL: http://www.realtime-itcompliance.com/information_security/2008/04/improve_program_change_control.htm
Rebecca is one of the hardest working privacy, compliance and awareness advocates I have come across. She relays real-life experiences about how organizations are handling security and privacy. In this post, she explains the need for program change controls to reduce incidents. I see this as a common problem in many organizations. Because a program change may be a “one-time thing”, people either forget, or downplay, the risks of not ensuring a secure process is followed. It makes a lot of sense, for several reasons, to plan and document a secure sequence of events when making program changes. Rebecca packs a lot of information into this article.
5) The Security Warrior – Author: Anton Chuvakin.
URL: http://chuvakin.blogspot.com/
Anton always manages to find good, digestible stories on logging and compliance. Many of his posts and links are entertaining. In his latest post as of today, he highlights how Hannaford compares with TJX (both were involved in highly visible breaches) in terms of “actual” compliance efforts. It makes a lot of sense, and doesn’t seem particularly onerous, to “do the right thing.”
Thanks to Michael Santarcangelo for being such an energetic advocate for information protection. He is a well-rounded consultant, speaker and author from whom I’ve learned a great deal over the past year. Michael’s blog is located at http://www.securitycatalyst.com/blog. I thank him for giving me the chair in the Carnival of the SCC this week.