Monday, March 30, 2009

House of Representatives Homeland Security Committee PCI Hearing TODAY

UPDATE: live twitter from this hearing via tag #pcihearing.


This promises to be huge fun - and starts in about 1 hour...

What: House of Representatives Homeland Security Committee,
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Hearing “Do the Payment Card Industry Data Standards (PCI DSS) Reduce Cybercrime?”

When: Tuesday, March 31, 2009 @ 2PM EST

Witnesses:

  • Rita Glavin, Acting Assistant Attorney General, Criminal Division, Department of Justice
  • Robert Russo, Director, Payment Card Industry Data Security Standards Council
  • Joseph Majka, Head of Fraud Control and Investigations, Global Enterprise Risk, Visa
  • Dave Hogan, Senior Vice President and Chief Information Officer, National Retail Federation
  • Michael Jones, Chief Information Officer, Michaels Stores Inc.
There will be a webcast of this hearing: http://hsc.house.gov/about/schedule.asp

Enjoy!

Network Scan for Conficker/Downadup Malware

Detecting Conficker-infected hosts (good analysis here at the SRI site) via an unauthenticated network scan:
It goes without saying, of course, that Qualys can detect it now too!

BTW, this post also serves as a self-reminder that we here owe a few good people some beer :-)

Thoughts After Chicago “PCI Dinner” Panel

As I mentioned before, I did this other panel aka “PCI dinner” in Chicago with Branden Williams, Davi Ottenheimer and William Cook, a notable IP/security lawyer from Wildman Harrold. Apart from washing down filet mignon with Sterling cabernet, a lot of fun discussion on PCI DSS took place and a few surprising insights were born. Compliance vs/with/in place of/against Security was definitely one of the major themes.

First, here is one of the insights that appeared. The discussion about PCI DSS and breaches led to a question: “Yes, companies suffer when they experience a breach; but do they suffer enough?” What makes one credit card breach almost unnoticeable on the company books (see: TJX), while the other leads to the company’s near-demise (see: CardSystems)? What seemed to emerge was: if the victim company admits failure [or at least admits “a little something” :-)], seems to be trying hard (or, at least, “is seen as trying hard”), goes public with the breach soon enough, etc., the regulators are likely to be more lenient and not penalize it that much (sorry, but a $150k fine is NOT “that much”!). On the other hand, companies who are seen as negligent even after the breach, claim innocence despite the facts, behave arrogantly (“No, it is NOT our fault! Screw you! Sue us!”), are more likely to be penalized severely and maybe driven out of business. What do you think?

Another theme, repeated here as well as during the previous panel, was that a nice fat data breach is still the best motivator for security spending and implementation. Definitely, it is “neat” when the breach happens to a similar company that you know well: you get the motivational power without the disclosure loss and all the post-incident frenzy. But then it “decays”: people start questioning their security spending approximately one or two years after the breach. Organizations end up overspending on security right after the breach instead of spending smaller amounts of money over time. How do you prevent that? I think this shows some uber-desperation for good security metrics!

Next, “outsourcing PCI” via 3rd party credit card processing is seen as a way to replace the security issue with the contractual issue. If you suck at security and you don’t suck at contracts, the whole “PCI in the cloud” thing kinda makes sense. I suspect that, sadly, many companies know how to deal with contractual issues better than they know how to deal with security issues…

A lawyer brought up a good point about “director/officer liability”: compliance does invoke director or officer liability for failure to comply (with, say, PCI), all the way to personal liability. On the other hand, security is rarely seen as something that threatens the CEO directly and personally.

The subject of incompetent, ignorant, negligent QSAs came up in the informal discussion. Oops, sorry, I am not at liberty to say more :-) One thing we discussed was: what is the more common reason for being “maybe compliant but definitely not secure” - a negligent QSA missing stuff OR a negligent organization, which deceives or misleads their QSA? I was surprised to hear that it was the former. For example, a QSA asks a leading question (“You do this, don’t you? You have this handled just fine, riiight?”) and the organization responds “Yes.” with no additional details. No other information is provided and the answer is accepted.

What deeply shocked me was that somebody reported that a well-known QSA firm was supposedly seen using THE SAME “PASSING” RoC as a template; they just change the assessed company name (!!!) When asked why their …. victims… eh… clients don’t “rat” them out to the council’s QA program, they, reportedly, responded: what if we will be seen as liable? What if a new QSA will “make us do more”? I also learned how to “opinion-shop” for QSAs: ask a bunch of questions to a bunch of QSAs and pick the one whose answer presents the smallest gap between your environment and a compliant state (yes, really!)

Here is a fun one too: the audience also called for the card brands to solve the problem by creating a more secure payment system. Some suggested that PCI is the card brands’ way of “clearing risk from their books.” I too would like to see us adopt a more secure electronic payment system …. in my lifetime. Also mentioned was how “chip-and-pin” moved fraud from Europe to the US, rather than eliminated it.

Also, a lawyer suggested that organizations must not change anything after the breach so that good evidence can be collected. He said that it is even important to indemnify the employees from past security mistakes at the moment of the breach. If you do not do this, a lot of things will be changed by the employees, who are afraid of being blamed for the breach. Good advice – but hard to follow – here!

Finally, we also did a quick unscientific poll: who do you fear more – a hacker or an auditor? It goes without saying that auditors won this round as well, just as the last round. It’s OK, folks, just stay 0wned, it’s all good. Just don’t fail the audit :-)


Friday, March 27, 2009

Book Review: "Googling Security: How Much Does Google Know About You?" by Greg Conti

I just reviewed "Googling Security: How Much Does Google Know About You?" by Greg Conti and gave it 3 out of 5 Amazon stars. Here is the review, also posted here:

Fails to Scare A Paranoid

I think the book has good information and I enjoyed reading it. However, as I was reading the book, I developed an impression that this was a book meant to scare the reader into some kinda behavior change. In other words, I felt that the book was written to highlight the risks, to explain why giving somebody so much information about your online activities is a risky, bad thing and that you should do something differently.

Despite the fact that I enjoyed the book, I think this is where it fails. As somebody who works in security, I consider myself to be pretty paranoid, but the book failed even to scare me! After reading it, I did not become afraid of Google at all. The author highlights some of the presumed risks, but he fails to present scenarios that make the dangers come alive; instead, he makes vague statements ("you know, it can be pretty bad"). So he ends up with a “non-scary Scary Tale.”

For example, when talking about ads, and especially targeted ads, the book suggests that such consumer profiling is scary, but doesn't explain how and why.

To conclude: the book presents a good story of how much Google knows about you, but my impression was that the risks are not made to be scary enough and few resulting behavior changes are suggested. It goes a little like this at times: “OMG, you CAN be hit by the car if you cross the street!” A couple of times while reading it I thought that “you have no privacy, get over it” trumps what's written in the book...

Thursday, March 26, 2009

Thoughts After RMISC 2009 PCI Panel

Today I participated in a very interesting PCI panel at the ISSA Denver RMISC 2009 conference in Denver. In fact, even our pre-panel discussion was quite fun: we planned to hit such subjects as checklist mentality vs risk mentality, prescriptive compliance versus outcome-based compliance, PCI for various sizes of organizations and even PCI compliance in virtualized environments.

To start off, it was calming to note that most of the audience agreed that PCI was helpful for their organizations in cases where they wanted to jumpstart their security program, but were not sure how. Most people also agreed that PCI helped them get executive attention and much-needed budget to implement the security controls they knew they needed to have. No surprises here.

However, at some point in the discussion I started to realize that the desire of some organizations to do “compliance first” and to treat PCI as a “blind” checklist, as well as their desire to just focus on achieving compliance and not at all on security, was due to the fact that the pressure on them “to be secure” was much weaker compared to the pressure “to be PCI compliant.”
In other words, those organizations who embark on a journey to “we just need to get the auditor/assessor off our backs” fear their auditors more than they fear the hackers (uhu, Russian, Chinese and Romanian combined :-)); at least, their decision-makers seem to. Those same decision makers also likely think that it is much simpler to measure when they are PCI compliant (=when the QSA leaves with a ‘PCI OK’ report) compared to when they are “secure enough” (=when nothing bad happens for a long time DURING WHICH they are not asleep at the wheel…); thus, in their minds, compliance seems like a “cheap substitute” for security.

So we asked the audience: “Why do you think some people fear an auditor more than a hacker?”

Results were interesting and somewhat surprising. Some people suggested that their bosses still (despite all the evidence to the contrary!) share the “it won’t happen to us” mentality. At this point, I asked “But what about all those scary media stories?” The audience response was “Well, maybe they don't follow such media…”

When this discussion started, many of the audience members pointed out that PCI compliance projects were initiated by the finance departments or even directly by the CFO. At the same time, most of the security projects at their organizations were initiated by the IT departments (or their IT security sub-departments). It goes without saying that the CFO has much more of a CEO’s ear, compared to some unnamed security manager down in the trenches.

It was also added that senior management and decision makers do not perceive information security personally: no fines on them, no jail time, no clear (to them) chance of losing money or even their whole business. However, they do perceive various compliance issues as affecting them directly and personally (especially with CFOs reminding them about it).

In light of this, it turns out that the biggest, best driver for implementing security measures and reducing risk to information was still a good old data breach or successful compromise! (BTW, read Rich’s paper on that [PDF]) Sometimes, as one audience member noted, a competitor suffering from such an intrusion “helped” as well. In other words, intrusions, compromises and other “0wnage” drive security, while regulatory mandates sometimes drive only “empty” compliance and none of the security (especially when a security department is either missing or inept at harnessing the “compliance power surge” to further the actual risk reduction agenda).

While I was listening to the discussion, I realized that PCI has no “superpowers” to magically make a “security-ignorant” organization secure despite itself: if you are hellbent on ignoring security, PCI will not make you security conscious. If you want to help yourself and your organization to become more secure, PCI DSS guidance is of service. Herein lies one of the more interesting “limitations” (better called “perceived limitations”) of PCI and, in fact, of any detailed, prescriptive security guidance: one can choose to use the “checklist” to be followed blindly with no real advancement of security…

To conclude, it goes without saying that PCI is a very helpful start for security for those who want to start; the rest can still choose to screw it up, no matter what level of detail is given in the prescriptive compliance mandate. PCI won’t stop you if you insist on ignoring security; it can only make it a bit harder.


Monday, March 23, 2009

Fun Views on DLP

For quite some time, I was meaning to write another post about “data leakage/loss prevention/protection” (DLP) – and this weekend presented a perfect opportunity. This post is also mildly inspired by Richard’s Data Leakage Protection Thoughts from February 2009 as well as the “lively” discussion that ensued. Also, I would like to bring in the method I used in PCI DSS and Data Breaches: Perception and Reality, namely, contrast perceptions and reality of what is considered to be “DLP” today.

So, personally, I have seen/heard the following views on DLP:

  1. DLP is worse than useless; it is actually harmful due to the false sense of security it provides [e.g. in comments here it is called “an expensive, distracting failure”]
  2. DLP is completely, 100% useless.
  3. DLP is useless against anybody but a certifiable, clinical idiot [BTW, this says nothing about its overall usefulness – there are plenty of idiots who are after your organization…]
  4. DLP is great, as long as you monitor and not block.
  5. DLP is great, as long as you block and not monitor.
  6. DLP is not perfect! [some then quickly jump to “…and thus useless”]
  7. DLP is perfectly workable as long as a) you know what you want, b) the task is actually technically feasible and c) DLP is capable of doing that task.
  8. DLP IS “That Silver Bullet” (tm).
  9. DLP is everything: backup, encryption, access control – it cannot be good or bad, since it is EVERYTHING.

I wouldn’t spend much time talking about extreme views such as #1, #2 as well as #8, #9; as usual, there is usually little truth in extreme views. Additionally, a piece of technology seen as “truly useless” by some can be a “God-send” for others, depending upon what’s on their network and what’s on their minds. I will also not touch #6 as self-evident. Richard does a good job explaining #4 and #5 in his post, specifically leaning towards #5 (even though I suspect he underestimates the data discovery and classification angle of DLP a bit…). To top it off, it is also quite hard to perform such a level of analysis while talking about technology “in general,” not any particular box.

So, what do we have left? These two:

  • DLP is useless against anybody but a certifiable, clinical idiot
  • DLP is perfectly workable as long as a) you know what you want, b) the task is actually technically feasible and c) DLP is capable of doing that task.

The first one is an interesting one; it is typically tossed out by people who are technically advanced and who know that THEY will never be blocked by an early 21st century DLP system. However, the jury is still out on the overall harm brought by so-called “IT idiots.” I think if some DLP vendor will market a near-100% effective (eh… effective vs subjects highlighted in the solution name, that is) “IdiotDefense DLP 2.0,” it will sell pretty darn well as a lot of real, hard $$ are burned due to stupid behavior. Also, Kevin’s comment (here) rings very true: "The threat surface is actually quite complex and not so simple as "stupid-employee" vs. "evil genius hacker"." So, “Idiot+ Defense DLP” has a pretty real use case.

The second point is my favorite and I covered it in my previous posts on the subject, specifically in the “So, CAN We Have DLP?” That point was trivial and deep at the same time: it – hopefully correctly! – states that there are enough people who need what DLP offers; thus it is clearly useful for them. And just as I was typing this, I saw this Forrester report with this amazing statistic: “About 38% of enterprise customers have DLP implemented already. Another 21% are planning to implement it this year.” I am sure this is biased towards the higher side, but still.

The report further goes on and says “These two issues -- increased toxicity of customer data, and mandates designed to protect that toxic data -- are the primary reason DLP is taking off. About 80% of the time, enterprises evaluating DLP are doing it because of toxic data problem [A.C. – and NOT due to intellectual property protection yet - “toxic data” use case seems to be easier to grasp and to start off with compared to IP protection].”

Another worthwhile read related to this is A Response to Bejtlich on DLP which highlights another – sadly common! – case where DLP will be useful: “… DLP has potential to allow an organisation with an immature security posture, to fairly quickly put controls around high risk data, start working out where their high risk data is stored and where their biggest leaks are.” Finally, here is also a fun report about nexTier, a DLP vendor that lists me on the Advisory Board.


    Thursday, March 19, 2009

    OMFG - Mutiny on Board

    Cory Doctorow starts (! - that is how he starts) in his "The High Priests of IT — And cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Heretics": "Though I've done time in corporate IT — and have even born cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 CIO title more than once — I've always had more sympathy for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 firewall-breaking, virus-toting, data-leaking users than I have for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 responsible and sober IT departments that struggle every day to keep cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 systems running while cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 users set out to dismantle it."

    One comment: OMFG.

    More SHOCKING quotes: "Contemporary corporate IT's top job is locking down cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 PC and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network, blocking users from installing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir own apps, blocking cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m from accessing forbidden websites (nominally this is about blocking porn, but a dismaying number of workplaces also block IM, webmail, blogs, message-boards, and social networking services where employees might ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise find useful, low-cost coordination with ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r employees, suppliers and customers), and spying on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir every click and keystroke to capture cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 occasional bad egg who's saying or doing something that could put cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 whole firm at risk."

    "The fact is that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most dreadful violators of corporate policy — cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ones getting that critical file to a supplier using Gmail because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 corporate mail won't allow cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 attachment, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ones using IM to contact a vacationing colleague to find out how to handle a sticky situation, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 incorrigible Twitterer who wants to sign up all his colleagues as followers through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 work day — are also cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most enthusiastic users of technology, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ones most apt to come up with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next out-of-left-field efficiency for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 firm."

    More comments - I will add more as people post cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m:
    This deserves to be discussed widely in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security community...

    Wednesday, March 18, 2009

    Nobody Is That Dumb ... Oh, Wait XI

    Many, many moons ago I had this brilliant :-) series "Nobody Is That Dumb ... Oh, Wait" (cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last one was back in May 2008) where I made fun of people making dumb claims with apparent - and often scary! - seriousness. Somehow I neglected this series, but today I just happened upon a perfect piece to restart it.

    So, when was cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 last time somebody who appears to be in a security business proclaimed:

    "Is complying to PCI not enough anymore?"

    Yes, really! NEWSFLASH!!!!!!!!! PCI compliance is not enough. Wow, really? Why would you say that?

    Tuesday, March 17, 2009

    On Heartland V

    Sorry, but I cannot resist – here comes “On Heartland V.” Why did I break my promise?

    This is why:

    [Chart: hland_drop]

    Source: DatalossDB

    And this is why: “Class Action Lawsuit on behalf of certain investor in Heartland Payment Systems over alleged violations of Federal Securities Laws” (here)

    And this is why: “Visa withdraws Heartland PCI compliance” (here). And “a little bird” (tm) brought this missing piece of info: their merchants are contractually obligated to do business with a PCI-compliant processor (please confirm or deny this rumor, if you have more info).

    Overall, in light of the above I now think that Heartland might well end up being “CardSystems 2.0” and actually die. That will make the “security doesn’t really matter” crowd … well… not matter :-) At least for a while.

    Case closed? Security breaches actually … gasp! … matter for business.


    Friday, March 13, 2009

    It's Official: Heartland Is NOT PCI Compliant (... Anymore)

    A fun read here: "Visa Puts Heartland on Probation Over Security Breach"

    Key points/questions/quotes:
    • "HPS has advised, however, that it is aggressively working on remediation and re-validation of its systems to comply with PCI DSS standards." - AND then let them lapse into insecurity+non-compliance again? If not, why not? How do they plan to be sure?
    • "The company will be relisted once it revalidates its PCI DSS compliance using a Qualified Security Assessor and meets other related compliance conditions." - OK, SAME QSA or a different one?
    • "So Heartland is off of Visa’s Christmas card list for 2009, but they still get a fruitcake." - OMG, I get it now: Heartland is "TOO BIG TO FAIL" :-)
    • "Fines - In accordance with Visa Operating Regulations, fines will be assessed to Heartland’s sponsoring banks." - Ah, fines finally! BTW, the definition of a "sponsoring bank" is here.
    • "This recent compromise underscores the importance of all parties maintaining ongoing compliance with the Payment Card Industry Data Security Standard." - to me this line is proof that "people in the know" now know that the Heartland case is the case of them being validated PCI-OK (by a QSA of unknown degree of "anality") and then lapsing into insecurity AND non-compliance.

    Thursday, March 12, 2009

    Brian's Interview With Me on PCI, Vulnerability, Application Security, etc

    Brian did this fun interview with me a few days ago. The topics are PCI DSS (of course!), vulnerability management, application security and other fun stuff. The actual interview is here and a direct link to MP3 here.

    How's That For Compliance=Security?

    So I was googling for something and happened upon this hilarious gem of a quote (here): somebody "is calling for a PCI DSS status directory in which compliant merchants and processors are publicly listed. Opponents say such a directory could be used by hackers to find vulnerable companies to attack."

    I know, I know... it is most likely taken out of context and all; but it doesn't stop me from ROFLMAOing here.

    Wednesday, March 11, 2009

    RSA 2009 Panel on Log Standards

    Yes, the words “log” and “standard” in one sentence; alongside each other, in fact :-)


    Session Code: HOST-304

    Session Title: Common Event and Log Standards: Leveling IT's Tower of Babel

    Scheduled Date/Time:  Thursday, April 23 02:10 PM @ Purple 304

    Abstract:  The IT industry suffers from a lack of standards for event, log, and audit information. Regulatory requirements to retain, protect, and destroy log data continue to increase. Organizations also need better situation awareness and cost control across complex IT security event horizons. The good news is that standards efforts are underway, which this session will detail.

    Moderator:

    • Daniel Blum, Senior VP, Principal Analyst, Burton Group

    Panelists:

    • Anton Chuvakin, Director of PCI Compliance Solutions, Qualys
    • David Corlette, GRC Solution Architect
    • Eric Fitzgerald, Senior Program Manager, Microsoft
    • Mary Ann Davidson, Chief Security Officer, Oracle

    Attendance is mandatory :-)

    Tuesday, March 10, 2009

    More on “Compliance First!”

    I was about to post this back in January (!), but then Heartland blew up (coverage of the Heartland processor breach: On Heartland I, II, III and IV) and now it seems like ancient history. Still, I think one can say that the Heartland case shed some new light on the problems I covered in my “Making PCI Easier” and “Compliance First?” posts.

    So, these were the responses:

    • Risktical’s Making PCI Easier – A Reality / Health Check (“This post is more focused on merchants or processors making PCI compliance easier for themselves. My thought process is that if merchants can make some aspects of PCI compliance easier on themselves – then there is a reduced need for relying “so much” on QSAs and less heartache around PCI-DSS in general.” – the post is also full of other comments useful for those dealing with PCI DSS “in the trenches”)
    • RiskAnalysis.is’s Using The Compliance Stick Actually Weakens You (“WHY PRESCRIPTIVE COMPLIANCE WEAKENS OUR INDUSTRY. […] Using prescriptive regulatory compliance to “get your way” removes your ability to be that [A.C. - see full post] consultant. So you don’t help make good decisions and therefore, in the eyes of management, have yet to earn the right to make the decisions you feel you need to make. In the long run, you turn into the “guy who manages our PCI stuff”, and your value is limited to doing just that. And therefore, so is your budget, your ability to execute, and ultimately, your “security”.” – a good argument that debates my points; in fact, I agree with it – BUT only in the context of a mature risk/security management program, not a small ignorant company…)
    • Infosec Ramblings’s Interesting Information Security Bits for 01/15/2009 (“Compliance does not equal security. Never has and never will.” – just a useful reminder!)

    • Martin’s “Security first” please! (“While I’ve only heard of one concrete example of a situation where PCI caused a company to actually become less secure than they were before, I’ve seen multiple examples of companies that were concentrating so hard on meeting compliance deadlines that they ignored any security measures around their network that weren’t directly related to PCI.” - his post expands this discussion, he also picks on my second point [see comments below this post])

    And, finally, some news from the Delusion Dept: some people somehow still think that “compliance=security” (yes, really!)

    There you have it – thanks to all who commented on these posts; hope they were useful to deepen our understanding of this whole conundrum…

    BTW, in my next post, I will address a common misconception that “a PCI scan is a pussy scan.” :-)


    Friday, March 06, 2009

    Fun Reading on Security and Compliance #13

    Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #11, dated Feb 20th, 2009 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is relevant after a few weeks of “cooling down,” it is even more worth reading :-)

    This edition of “Fun Reading on Security and Compliance” is dedicated to all those people in our security community who are “too busy to read blogs.”

    1. OMG, not the disclosure debate again. Yep, it sure seems like it. Starts here and then goes on when Pete “The Disclosure Warrior” Lindstrom picks it up.
    2. Our CTO Wolfgang Kandek discusses IE on our new blog. Specifically, check out this shocking bit: “Internet Explorer 6 continues to be the more prominent browser in the Enterprise.” IE7 came sooooo long ago (I think in 2006) and meanwhile “I use IE” became synonymous with “I am 0wned” – but people still don’t upgrade?!
    3. CAG is out and – as far as I can see – the response is ranging from skeptical to negative. Here are the examples: Richard’s “Consensus Audit Guidelines Are Still Controls” (“CAG is all about inputs.”) and “Inputs vs Outputs, or Why Controls Are Not Sufficient”, (ISC)2’s “Consensus Audit Guidelines - What is the consensus?” (“I do not believe the initial draft of the CAG meets the goals it set out to achieve, and should be adjusted accordingly.”) and even “Clouds of CAG Confusion” (“There is a haze of confusion settling around the Consensus Audit Guidelines origins.”) BTW, here is a good CAG-related preso, direct from its mysterious source.
    4. Next, Gunnar reminds us “to be asset focused, not auditor focused, in infosec” by using “Berkshire 2008 Annual Letter”.
    5. Hoff’s “Offensive Computing - The Empire Strikes Back” reminds us to think again – is security really about “war with hackers?” and do we need offense? What if it is insurance? Or door locks? Or something else?
    6. Something I wanted to highlight for a long time: “How to Suck at Information Security”. A very good thing to read next is “Information Security: How Does Your Organization Fail?”
    7. Another one that spent too much time in my 2blog folder: “Alignment of Interests in Web Security” from Jeremiah.
    8. A Layer8 post reminded me why I swore on an Orange Book [on second thought, I should have used a Tan Book :-)] to never get a CISSP…
    9. Feel like getting de-pe-re-me-trized? :-) Make sure you don’t kill BOTH network security AND system (=endpoint) security at the same time: “Deperimeterization without endpoint control?”
    10. Reminders, reminders… The “you’ve GOT to be realtime” crowd is less noisy now, but here is why before you utter the word “proactive” you should at least learn to be “reactive” well! Richard states it succinctly here: “we should adopt a mindset, toolset, and tactics that enable retrospective security analysis -- the ability to review past evidence for indicators of modern attacks”
    11. Finally, IT in the year 2109? Yes, really. We will be “using technology that is able to transmit data at speeds of 10,000+ times the speed of light”…

    Enjoy!  This post is certified “Heartland-free” :-)

    All other “security reading” issues.

    On "PCI Myths: Common Mistakes and Misconceptions About PCI"

    We are doing this fun event "PCI Myths: Common Mistakes and Misconceptions About PCI" on 3/19/2009. Here are the details - I promise it will be fun:


    "Date: Thursday, March 19, 2009

    Time: 2pm EST / 11am PST

    Length: 20-30 min plus Q&A

    Synopsis:

    The briefing will cover PCI DSS-related myths and misconceptions that are common among some merchants and other organizations dealing with PCI DSS challenges. Mistakes related to the technical and process side of PCI, self-assessment and audits as well as PCI validation requirements will be discussed. The information will be useful to all merchants dealing with credit card information and thus struggling with PCI DSS mandates."

    Come join it!

    Wednesday, March 04, 2009

    Stratfor on Chinese Bots

    A very fun read from Stratfor, available in open access: "China: Pushing Ahead of the Cyberwarfare Pack."

    I took issue with a few of the bits in the piece and received a nice clarification from them. The bits were:

    "The Chinese government can decipher most types of encrypted e-mails and documents" (I said that it defies the common sense of most every cryptographer, as brute-forcing many of today's algorithms is pretty much impossible - they clarified that they meant to add "... by 0wning the endpoints," which makes their point quite correct.)

    "Details were vague, but the implication was that computer encryption inside China would become essentially useless." (disclosing the algorithms does NOT make encryption useless - they clarified that they meant "... hardware encryption with key embedded in a device and device available to China," which makes it pretty true)

    "The government’s strongest tactic is a vast network of “bots” — parasitic software programs that allow their users to hijack networked computers." (the fact that bots are govt-controlled and not individual hacker group-controlled has NEVER been proven; this is just a rumor - this point is still highly debatable, IMHO)

    "Today, with current technology, the Chinese government can hack into most anything, even without information on specific encryption programs." (my comment was "no comment" on this one :-))

    "Many Chinese Web sites have these embedded bots, and simply logging on to a Web site could trigger the download of a bot onto the host computer." (again, no proof that this is by govt, not hackers)

    In any case, enjoy the piece here.

    Monday, March 02, 2009

    Monthly Blog Round-Up – February 2009

    As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (eh…cause you spent all your time on twitter? :-)), at least read these.

    So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

    1. Just as last month, my coverage of the Heartland data breach saga took the #1 spot, by a long shot. Specifically, “On Heartland”, “Heartland II”, “Heartland III” and the new “On Heartland IV” are the most popular. My first original post is here too (“Compliant + 0wned”) – the second just came up (“PCI DSS and Data Breaches: Perception and Reality”)
    2. Next up, strangely, is my obscurely humorous post on SAQSA (“PCI SAQSA?”) – and to think that many people suggest that ‘humor’ and ‘auditors’ don’t mix …
    3. A post where I link to a rumor of a new processor breach (“New Processor Breach?”) is next. No solid info has since emerged.
    4. Next is my link to the SANS SIEM whitepaper (“SANS on SIEM”); it is good reading on SIEM, even if a bit too “EPS-obsessed” to my taste.
    5. And now something weird: two completely unrelated posts tie for the 5th place: an old “On Doomsaying (Terry Childs case)” and a new “CAG Out!” Please joke about it at your own leisure :-)

    See you in March. Also see my annual “Top Posts” (2007, 2008)


    Dr Anton Chuvakin