September 8, 2006 - #112
Good Morning:
This morning I'm feeling old. I know I'm not, but I just don't recover like I used to. In the days of yore, I could get by for days on 4 hours of sleep, including lots of partying and other mischief. Not anymore. I'm also looking back and appreciating how simple life was years ago, before the kids and other responsibilities that get piled on. My biggest issue was having enough Advil and Gatorade in the house to ensure I could function when the alarm went off the next morning.
A couple of things I found this AM got me thinking about how security has really evolved and become a business. And it makes me feel old because I've been in this space since pretty much the beginning. Besides Chris Klaus of ISS riding off into the sunset (here [0]), we've got constant fraud on Google (here [0]) and the bad guys are more in your face now. I was talking to someone yesterday and he mentioned how the trust factor is gone. He's right. If you get an email from your bank, you immediately think it's bogus. Guilty until proven innocent is the prevailing wisdom.
On the news front, the updated PCI standards have hit to very little fanfare (here [0]), which is pretty surprising. There aren't really substantial changes, and I'm still thinking that until Visa and/or MasterCard execute someone in the public square for not playing ball, PCI's impact will be minimal. It's just another way to justify stuff you already want to buy, as opposed to changing behavior. I'll also point to a new log management service introduced by VeriSign and LogLogic (here [0]). The managed security train has left the station, folks, and one of the key questions you should be asking yourself is whether you can get someone else to do those rote functions better, faster, cheaper.
Have a great weekend.
Technorati: Information Security [1]
Top Security News
http://www.marketwire.com/mw/release_html_b1?release_id=0159874 [2]
Link to this [2]
http://biz.yahoo.com/ap/060907/spyware_settlement.html?.v=2 [3]
Link to this [3]
http://www.networkworld.com/news/2006/090106-iss-ibm.html [4]
Link to this [4]
http://searchwindowssecurity.techtarget.com/general/0,295582,sid45_gci1213806,00.html [5]
Link to this [5]
http://www.infoworld.com/article/06/09/08/37OPsecadvise_1.html [6]
Link to this [6]
Top Blog Postings
here [7]) have already been discussed by MasterCard and Visa, but still. PCI is one of those things that could either be very significant and change the way anyone who sells anything manages data security, or it could be an empty suit like HIPAA. It all gets back to enforcement. I know I've made these points before, but nothing has changed. It's still not clear what the ramifications of non-compliance are, which in my opinion is a problem.
http://www.mckeay.net/secure/2006/09/pci_11_is_out_heres_the_change.html [8]
Link to this [8]
http://securosis.com/2006/09/07/its-all-about-the-users-interface/ [9]
Link to this [9]
here [9]) and that works for me. I also want to expand the discussion a bit to encompass data protection, not just recovery. Remember, it's not sufficient to only back up. If there is any private information on the device, you also need to protect it.
http://blog.guykawasaki.com/2006/09/why_smart_peopl.html [10]
Link to this [10]
http://securityblog.itproportal.com/?p=468 [11]
Link to this [11]