*sigh* Unhelpful PCI Advice

In scanning through my morning reading, I ran across this gem of a piece from Help Net Security. I'm really starting to wonder what is going on in the industry. This is seriously some of the worst advice I've seen regarding PCI DSS compliance in recent months.

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." -Albert Einstein

The subtitle for this piece could easily be "a whole lotta stupid goin' on." Is it something about summertime, or have we really gotten to a place in our civilization where we just can't progress any farther? It really seems like regression is the only option to which most people will avail themselves today. Attack the science, attack that which isn't understood, and let's just rely on supposition (or, so it seems).

I've been mulling this piece over for more than a week now as all the drama has played out in Congress around building up a better "cyberwar" capability (as if that's something well-defined and understood). At the same time there has been an uptick in mindless rhetoric railing against risk assessment, analysis, and management. Quite frankly, it all betrays woeful ignorance and a wanton disregard for the sane. In both cases we see people making wild claims about things they clearly do not understand. Risk management is more than qualitative risk assessment, and "cyberwar" is a delusion perpetrated by those who desire to FUD us into ceding yet more power to the Executive Branch.

Researching DLP Solutions

I recently had a project to help spec out a DLP project for a customer from a high-level perspective. Having never done anything with DLP previously, I embarked on a research mission. What I found was interesting: there's not much out there on the intarwebs. As such, I thought I'd offer a few quick suggestions, just in case you want to go research solutions, too.

1) Start with Securosis! Their reports are freely available, comprehensive, and more informative than anything else I found.
2) Search for Gartner and Forrester reports. While these analyst firms charge for their reports, vendors will often post them for free. Specifically, try these search strings:
---> forrester wave content security suites
---> gartner magic quadrant data loss prevention
3) Beware DLP (as in Digital Light Processing) from Texas Instruments. You might need to use search operators such as -television -TI to exclude those results.

Happy hunting!

Free Advice for Adobe

"The thing about free advice is that you often get what you pay for." -Unknown

I've been mulling over Adobe for the last couple days, and intermittently for the last few years. Here we have a company that has, by all accounts, been highly successful, and yet seemingly has an absolutely terrible reputation in the security community (and now in the tech community with the Apple dispute over Flash). It makes me wonder "what are these leaders thinking?" each time I hear reports about another issue, and see very little in the way of satisfactory responses from the company.

From this perspective of outside-looking-in pondering, I thought I'd (perhaps arrogantly) postulate 5 steps that I think Adobe could take to help right the ship a bit, and maybe, just maybe, improve their perception in the industry. Can the phoenix rise from the ashes? Sure... but only with some major cultural changes...

There has been a lot of negative, cynical chatter lately about risk assessment and risk management. The average person doesn't understand it, and people who should understand it oftentimes throw up their hands in despair when citing examples such as the failures of Wall Street that led to the current economic mess. Unfortunately, all of this despair and cynicism seeks to throw out the baby with the bathwater, as if to say that one bad apple spoils an entire orchard.

I think the biggest challenges to risk management today lie in a few key areas: accountability, consequences, and formalized assessment methods. The first two are easy to explain. If you're doing a good job assessing and managing risk, then you can start holding people accountable for their decisions and actions. That accountability should then lead to consequences (positive or negative). Unfortunately, we live in an era where we fear failure, and thus pad ourselves, our families, our investments, and our country against suffering negative consequences. Without negative consequences, what is the point of managing risk?

Since this has come up a couple times in the past week, I thought that I'd take a moment to elaborate on why I bristle at the phrase "best practice." It's quite simple, really, and often comes down to semantics (which, despite the frequent dismissal, can be quite important). To this end, I think there are a couple key points we should all keep in mind when we encounter the phrase.

