In Brief: InfoSec Island may not post what you submit, but instead grab text from your blog (whether authorized or not). When I filed a complaint, their first response was to threaten to delete the post, and they ultimately deleted my account (and then posted the entire email exchange to pastebin). If you post to their site, then don't be surprised if you and your post are abused. If you complain, expect to be told that you don't matter. In the end, despite being urged to reach out to me, they have not taken steps to resolve the matter.

Strong Recommendation: If you're a writer, I cannot urge you strongly enough to avoid or flee InfoSec Island. If you're a reader, then I strongly recommend that you not use their site any further. A business that profits from and exists because of the free contributions of people like me does not deserve continued patronage when it clearly disrespects the people who provide the content upon which it bases its business.

This post is derived from an interesting Twitter exchange that I had with Branden Williams last week, which resulted in his writing up a couple of related blog posts. You can read those posts here:
* "Myth Busting With Ben Tomhave"
* "Corporate Responsibility with Ben Tomhave"

The first issue was a simple question I asked about whether or not a QSA was still required if a business had an ISA. To my great surprise, Branden responded that not only was a QSA not required, but it never had been! His response even surprised a couple of other QSAs. I'll go into this more below, but suffice it to say that when you dig into each card brand's requirements, it turns out that self-certification is allowed with the signature of a company officer.

The second thread that came out of the original discussion revolved around the topics of businesses needing to become competent on PCI requirements (or, what's reasonable to expect), as well as a side-bar about whose risk is actually being managed. We'll discuss these topics as well.

Unless you've been living under a rock for the past month, you've undoubtedly heard about the STRATFOR hack by some anonymous or another. Who did it really isn't all that important to me, nor do I even care all that much about the purported, assumed, inferred, or otherwise construed ideology behind it. The important thing is to hold this up as a squalid, revolting example of IT mismanagement and outright legally indefensible negligence.

Well, it's that time of year again... time for a look back at 2011 and a look forward at the year to come. Of course, the first thing that comes to mind (to me, at least) for 2012 is the pending Mayan calendar transition. It makes me wonder what sort of crazies we'll be seeing as the year progresses. I'm guessing right now that there will be at least one suicide cult identified before things have come and gone. So, pardon me while I ramble a bit in reflection on the past and coming years...

You Gotta See These :)


Since I've again been remiss in my own writing this week (hey, there's always tomorrow!;), I thought I'd highlight what I think are the best pieces of the week, if not of the year! :)

First up, you have to read Jack Daniel's "The Pandering Pentagram of Prognostication" as he absolutely hits the nail on the head as concerns the annual prognostications we see.

Next up, you have to watch Chris Eng's sequel on "infosec thought leadership," titled "The Thought Leader... One Year Later" - it's so spot-on, it's almost eerie to watch. ;)

Happy Holidays! :)

I was first introduced to the concept of the "risk equation" back in 1999 while working for one of the Big N audit firms. It was expressed to me in quite simple terms:

Risk = Threat x Vulnerability x Impact

As part of the discussion around "risk" back in those days, we also had to talk about what those terms really meant. Broken down, "threat" was really more a matter of "threat frequency" - as in, how likely an attacker was to hit your environment. Similarly, "vulnerability" was really more about "probability of compromise" - how likely it was that an attacker would be successful. If you're thinking that this sounds an awful lot like FAIR, then you're right. In retrospect, it's definitely very much in line with that thinking.

This is a follow-up to my last post ("3 Common Ways Security Fails People"). After posting it, someone on Twitter quickly asked if I had any ideas for fixing these common problems. Well, of course I have ideas! :)

Soooo... rather than be one of those non-constructive criticizers of all things infosec, here are three solutions to the three problems:

Nothing gets me going in the morning like a good ol' fashioned dust-up over "security" measures interfering with my ability to get stuff done. It just reminds me of how far we still have to go in order to fix all the wrongs of our past lives. Here are three (3) areas in which I think infosec fails people and shoots itself in the foot, undermining credibility for the future.

Various Updates


I've felt recently like I haven't had the chance to blog for a while, but it wasn't until I went and looked that I realized it's been over a month already. Yikes! Sadly, it's not for a lack of blogging topic ideas, but because I've been pouring my energy into other, more work-related projects.

Here's a wrap-up of some recent news, along with a promise to get back on the blogging beat very soon!

Toss in a bit of travel, a holiday, and a heap of sickness and that pretty much rounds out the last month for me. More writing to come soon!

RSA US 2012


I will be returning to RSA US as a speaker again in 2012. If you're interested in attending and don't have a discount code from anywhere else, then please feel free to use this one for $200 by Jan. 27th: ZSPsyjAphIF

I'm booked into two slots:

LAW-301 - "Hot Topics in Information Security Law 2012" (Panel) - Thursday, Mar 01, 8:00 AM
Abstract:
The legal risk and regulatory environment for information security is in a state of constant flux. New regulations, lawsuits and compliance obligations arise on a regular basis. This panel, put on by the American Bar Association's Information Security Committee, provides up-to-the-minute reporting on key infosec legal developments and insight into where the law is going in the future.

STAR-304 - "Legal & Ethical Considerations of Offensive Cyber-Operations?" - Thursday, Mar 01, 1:00 PM
Abstract:
Certainly nations have the right, and in some cases the obligation, to use cyberspace tools in an offensive manner to defend themselves. What about businesses: do they also have this right? This session will explore the legal and ethical issues surrounding the use of offensive cyberspace by both nations and corporations.

Register here: http://www.rsaconference.com/events/2012/usa/registration.htm

Creative Commons License
This blog is licensed under a Creative Commons License.