The Daily Incite - October 25, 2007
October 25, 2007 - Volume 2, #147
Good Morning:
No long rants today. Too much Daddy stuff to do. One of the advantages to working for yourself is that you can peel off and basically decide to spend the day with your family. Which is exactly what I'm going to do. There is no CEO to make you feel bad. No VP Sales to poke you in the eye about a competitive bake-off. A couple of clients that I need to keep reasonably happy, but I don't talk to them every day anyway - so they'll hardly miss me.
And with my trusty Crackberry close at hand, I'm never too far away.
Have a great weekend, mine is starting right now.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today www.securitymike.com
Top Security News
PCI isn't that bad
So what? -
Or is it? If you look at this profile in eWeek about how Denver International Airport dealt with PCI, it doesn't seem that bad. They already had a lot of the controls in place and needed to work to update and keep the policies current. And there is the expense of having the auditor come back a couple of times to confirm the changes have been made. But I am willing to go out on a limb and say DIA was probably in pretty good shape before the PCI train started running. See, I needed to work a choo-choo analogy into a story about an airport. Pretty slick, eh? I'm afraid that not all folks are having a similar experience with PCI because many have been ignoring security for a while. Sure they buy products, but they don't have a PROGRAM, which is what PCI requires.
Oh crap, now the lawyers are involved
So what? -
If you needed another reason to dislike the Jericho Forum, now they've gotten the lawyers involved. This NetworkWorld article highlights a new white paper written by the ABA (American Bar Association) evaluating Jericho's positions and proposing a legal framework given the idea of protecting data - as opposed to just networks. The thing that scares the bejeezus out of me is the idea of "a legal framework that calls for 'legal agreements between information-sharing parties,' 'verifiable administrative, technical and physical-control practices,' and 'standards that set expectations for control.'" Holy crap, that means they want a legal agreement every time two organizations decide to share data. Now I'm no lawyer (and I don't even play one on TV) and I didn't read the white paper because anything written by a lawyer makes my eyes bleed (Shimel included). This hits a little too close to EDI, which was a huge pain in the ass because every trading partnership needed a separate and usually distinct legal agreement. One of the advantages of web services and SOA architecture is that it allows ad hoc services to be used and shared, increasing business flexibility and velocity. But that means potentially fewer billable hours for our legal brethren, and that's no good. Not if you bill by the hour to scrutinize words anyway.
Finally, the database security gateway rolling review stops rolling
So what? -
I've mentioned NWC's rolling reviews quite a few times, and now it seems that when one actually stops rolling, they do a nice little summary. This covers what they call "extrusion prevention systems," but they really mean database security gateways. So they compare Imperva and Guardium among others. It seems that 4 out of the 5 get named to the short list. That other guy (PynLogic) must really suck because 80% of the combatants made the short list. Overall it's a pretty valuable review, though the idea that each of these products comes at the problem in a different way is kind of lost. But check it out, especially if your PCI auditor is telling you that it's important to implement a "compensating control" to get around the fact that you probably can't encrypt your database yet.
The Laundry List
- The Big Yellow Q2 is OK. 13% top line growth, but that includes Altiris - so it's a mature company in a mature market. But we already knew that. More concerning is some storm clouds regarding future growth, driven by economic concerns. - Symantec release
- What's in a product name? Not much, but Webroot is renaming their stuff anyway and adding a firewall. Now they get to chase Big AV like everyone else. Have fun with that. - Webroot release
- ID theft costs victims $31K? Huh? I've gotten those letters a bunch of times (and even had some fraudulent charges) and it only cost me a little time to tell Amex to fix it. My time is valuable, but not that valuable. - Rebecca Herold's blog
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about: http://securitymike.blogspot.com
Check out the latest on the Security Incite blog: http://blog.securityincite.com/
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite
Actually, that's both reasonable and already in place in a lot of cases where data has to be shared that is protected by legislation (HIPAA, FERPA, etc.). Under FERPA, for example, the DoE has stated that you can't give student-level data to anyone who is not a legal agent (either of yours or the relevant educational institution). A legal agreement needs to be in place so that you have some measure of control over how they use, protect and destroy your data.
I wouldn't want it to get out of hand with non-confidential information, but it's a good idea for confidential stuff.