Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - October 25, 2007

By Mike Rothman
Created 2007-10-24 21:46
Today's Daily Incite

October 25, 2007 - Volume 2, #147

Good Morning:
No long rants today. Too much Daddy stuff to do. One of the advantages to working for yourself is that you can peel off and basically decide to spend the day with your family. Which is exactly what I'm going to do. There is no CEO to make you feel bad. No VP Sales to poke you in the eye about a competitive bake-off. A couple of clients that I need to keep reasonably happy, but I don't talk to them every day anyway - so they'll hardly miss me.

And with my trusty Crackberry close at hand, I'm never too far away.

Have a great weekend, mine is starting right now.

Technorati: Information Security [1], CSO [2], Security Mike [3], Internet Security [4]

The Pragmatic CSO [5]
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com [6]
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
pre-order your copy today

www.securitymike.com [7]
Security Mike's Guide to Internet Security [8]

Top Security News

eWeek writes about how Denver International Airport dealt with PCI [9], and it doesn't seem that bad. They already had a lot of the controls in place and needed to work to update the policies and keep them current. And there is the expense of having the auditor come back a couple of times to confirm the changes have been made. But I am willing to go out on a limb and say DIA was probably in pretty good shape before the PCI train started running. See, I needed to work a choo-choo analogy into a story about an airport. Pretty slick, eh? I'm afraid that not all folks are having a similar experience with PCI, because many have been ignoring security for a while. Sure, they buy products, but they don't have a PROGRAM, which is what PCI requires.
Link to this [9]

A NetworkWorld article highlights a new white paper written by the ABA (American Bar Association) evaluating Jericho's positions and proposing a legal framework built around the idea of protecting data [9] - as opposed to just networks. The thing that scares the bejeezus out of me is the idea of "a legal framework that calls for 'legal agreements between information-sharing parties,' 'verifiable administrative, technical and physical-control practices,' and 'standards that set expectations for control.'" Holy crap, that means they want a legal agreement every time two organizations decide to share data. Now I'm no lawyer (and I don't even play one on TV), and I didn't read the white paper because anything written by a lawyer makes my eyes bleed (Shimel included). This hits a little too close to EDI, which was a huge pain in the ass because every trading partnership needed a separate and usually distinct legal agreement. One of the advantages of web services and SOA architecture is that it allows ad hoc services to be used and shared, increasing business flexibility and velocity. But that means potentially fewer billable hours for our legal brethren, and that's no good. Not if you bill by the hour to scrutinize words, anyway.
Link to this [9]

NWC's rolling reviews have come up here quite a few times, and now it seems that when one actually stops rolling [10], they do a nice little summary. This one covers what they call "extrusion prevention systems," but they really mean database security gateways. So they compare Imperva and Guardium, among others. It seems that 4 out of the 5 get named to the short list. That other guy (PynLogic) must really suck, because 80% of the combatants made the short list. Overall it's a pretty valuable review, though the fact that each of these products comes at the problem in a different way is kind of lost. But check it out, especially if your PCI auditor is telling you that it's important to implement a "compensating control" to get around the fact that you probably can't encrypt your database yet.
Link to this [10]

The Laundry List

  1. Big Yellow's Q2 is OK. 13% top line growth, but that includes Altiris - so it's a mature company in a mature market. But we already knew that. More concerning are some storm clouds regarding future growth, driven by economic concerns. - Symantec release [11]
  2. What's in a product name? Not much, but Webroot is renaming their stuff anyway and adding a firewall. Now they get to chase Big AV like everyone else. Have fun with that. - Webroot release [12]
  3. ID theft costs victims $31K? Huh? I've gotten those letters a bunch of times (and even had some fraudulent charges), and it only cost me a little time to tell Amex to fix it. My time is valuable, but not that valuable. - Rebecca Herold's blog [13]

http://securitymike.blogspot.com [14]

Check out the latest on the Security Incite blog
http://blog.securityincite.com/ [15]

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite [15]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-25-2007