I was thinking about writing something about the problems with the PCI standard. I didn’t find the time to do it, but Mark Curphey did it, and very well. I really agree with almost everything he pointed out in his article. I’m also seeing a huge distance between measured risk and security controls when companies try [...]
Again on Security Incite, Mike says that there is no need for personal firewalls anymore, as the one provided by the OS seems to be enough for most cases. I agree with him when he says that where it is not enough you’ll need it from a bundle of other things, like AV and anti-spyware. [...]
I was reading a comment from Mike Rothman about the need for SSL and then I found this expression, “path of least resistance”. I really liked it in the context of security. There are lots of easy things to do to remove paths of least resistance. Depending on the level of exposure of your organization, [...]
Four years ago I coined the term Honeytoken while discussing with Lance Spitzner how honeypots could be used by companies. Now they have made their way into “professional” publications, like Network World. Good to see that the idea is growing. I believe that honeytokens can be a very good way to implement data monitoring for PCI [...]
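What honeytoken-based data monitoring for card data looks like in practice, as an added example in Go. This is not code from the original post, from Lance Spitzner or from the Network World article: a decoy PAN is built with a valid Luhn check digit so it passes the same format checks a real card would, seeded wherever real card data lives, and any later appearance of it in logs, exports or outbound traffic is an alert, because no legitimate process ever touches it. The BIN prefix, the log lines, the function names and the separator handling are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// luhnSum runs the Luhn algorithm over digits, doubling every second digit
// from the right, starting with the rightmost one when doubleFirst is true.
func luhnSum(digits string, doubleFirst bool) int {
	sum := 0
	double := doubleFirst
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum
}

// LuhnValid reports whether a full PAN carries a correct check digit.
func LuhnValid(pan string) bool {
	return luhnSum(pan, false)%10 == 0
}

// MakeHoneytokenPAN appends the Luhn check digit to a 15-digit prefix so the
// decoy passes the same format checks a real card number would. Pick the
// prefix in a BIN range your business never processes; the prefix used in
// main below is an assumption for this example, not a real issuer range.
func MakeHoneytokenPAN(prefix15 string) string {
	if len(prefix15) != 15 {
		panic("prefix must be exactly 15 digits")
	}
	check := (10 - luhnSum(prefix15, true)%10) % 10
	return prefix15 + strconv.Itoa(check)
}

// HoneytokenMatcher matches the decoy PAN even when it is written with spaces
// or dashes between digit groups, the way it tends to surface in exports,
// e-mails and log lines.
func HoneytokenMatcher(pan string) *regexp.Regexp {
	return regexp.MustCompile(strings.Join(strings.Split(pan, ""), `[ -]?`))
}

// Hit is one line where the honeytoken surfaced; by construction nobody
// should ever legitimately query, export or transmit it.
type Hit struct {
	Line int
	Text string
}

// ScanLines returns every line in which the decoy appears.
func ScanLines(lines []string, re *regexp.Regexp) []Hit {
	var hits []Hit
	for i, l := range lines {
		if re.MatchString(l) {
			hits = append(hits, Hit{Line: i + 1, Text: l})
		}
	}
	return hits
}

// SampleLog is constructed for this example; it is not real traffic. Lines 2
// and 4 carry the decoy, line 3 carries a different, well-known test PAN.
var SampleLog = []string{
	`app=billing msg="charge ok" last4=1111`,
	`app=export user=jdoe row="4999 9900 0000 0007,Decoy Customer"`,
	`app=proxy dst=203.0.113.9 body="pan=4111111111111111"`,
	`app=mail to=ext@example.net attach=cards.csv preview="4999-9900-0000-0007"`,
}

func main() {
	pan := MakeHoneytokenPAN("499999000000000")
	fmt.Println("honeytoken PAN:", pan, "Luhn valid:", LuhnValid(pan))
	for _, h := range ScanLines(SampleLog, HoneytokenMatcher(pan)) {
		fmt.Printf("ALERT line %d: %s\n", h.Line, h.Text)
	}
}
```

The same matcher can run over database query logs, DLP or proxy output and mail gateway logs; because the value is unique to your organization and has no legitimate use, every hit is worth investigating, with none of the false-positive load a generic card-number regex produces.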
Sometimes I see on the discussion lists some posts that I think we should “hang on the wall”. Today Marcus Ranum sent two paragraphs to the log-analysis list that were so great that I’m almost printing them to put on my office wall: “All the current trend toward legislating compliance has accomplished is setting the bar [...]
Mr. Antonopoulos has got a point in this article for Network World. I don’t think security is aligned with the business drivers behind the virtualization fever. He used good examples, such as the security trend towards appliances. Is it aligned with the virtualization model being used today? I don’t think so.
I’ve recently found some time to take a look at Cobit 4.0. I was glad to see that ISACA aligned Cobit with other documents, like ISO17799 and ITIL. It was a very important change, as organizations will usually deploy their processes following best-practice guides like ISO17799 and ITIL and will have their [...]
I was recently reading the excellent documents from Ross Anderson on Information Security Economics. A good reading tip for those interested in the subject is the famous Freakonomics book. After reading Anderson’s texts I realized that the reason for the lower quality of the external audits that I’ve been seeing is strictly economic. There are [...]
Anton Chuvakin liked that I called his article on encryption mistakes a “masterpiece”. But it really is! In fact, encryption mistakes are in focus now that PCI is getting stronger. Everybody is looking for ways to encrypt card data. And it’s exactly at this time that they are more vulnerable to vendor pitches. I’m seeing [...]
Anton Chuvakin wrote a masterpiece about the most common mistakes regarding data encryption. They are: not encrypting when it’s easy and accepted; creating your own encryption; “hard-coding” secrets; storing keys with the encrypted data; and not handling data recovery (or “where are those f* keys????”). I think that every professional responsible for PCI compliance projects [...]
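The mistakes from Chuvakin’s list, shown beside the shape that avoids them, as an added example in Go; this is not code from his article or from the original post. Assumptions made for the example: AES-256-GCM from Go’s standard library stands in for “don’t create your own encryption”, an in-memory KeyStore stands in for a KMS or HSM, and the record types, key IDs and function names are invented. The “bad” record carries a hard-coded key next to the ciphertext; the “good” record carries only a key ID, so the row alone is useless and a missing key is a loud, named failure rather than a surprise at recovery time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmFor builds AES-256-GCM from the standard library, a vetted AEAD rather
// than a home-grown cipher (the "creating your own encryption" mistake).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag with a fresh random nonce per call.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM rejects a blob that was modified in storage.
func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob shorter than the %d-byte nonce", n)
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// hardcodedKey lives in the source tree: the "hard-coding secrets" mistake.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes
// BadRecord keeps the key next to the ciphertext ("storing keys with the
// encrypted data"): unseal(r.Key, r.Blob) works for anyone who can read the row.
type BadRecord struct{ Key, Blob []byte }

func BadEncrypt(pan string) (BadRecord, error) {
	blob, err := seal(hardcodedKey, []byte(pan))
	return BadRecord{Key: hardcodedKey, Blob: blob}, err
}

// KeyStore stands in for a KMS/HSM (an assumption of this example): keys are
// generated and held here, never in the data store and never in source.
type KeyStore map[string][]byte

// NewKey draws a random 256-bit key; a real KMS would do this and keep it.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no entropy: stop rather than encrypt with a weak key
	}
	return k
}

// GoodRecord carries only a key identifier: the row alone is useless.
type GoodRecord struct {
	KeyID string
	Blob  []byte
}

func GoodEncrypt(ks KeyStore, keyID, pan string) (GoodRecord, error) {
	key, ok := ks[keyID]
	if !ok {
		return GoodRecord{}, fmt.Errorf("unknown key id %q", keyID)
	}
	blob, err := seal(key, []byte(pan))
	return GoodRecord{KeyID: keyID, Blob: blob}, err
}

// GoodDecrypt fails loudly, naming the key, when the store cannot produce it.
func GoodDecrypt(ks KeyStore, r GoodRecord) (string, error) {
	key, ok := ks[r.KeyID]
	if !ok {
		return "", fmt.Errorf("key %q not in key store: record not recoverable", r.KeyID)
	}
	pt, err := unseal(key, r.Blob)
	return string(pt), err
}

func main() {
	ks := KeyStore{"pan-key-1": NewKey()}
	rec, _ := GoodEncrypt(ks, "pan-key-1", "4111111111111111") // well-known test PAN
	fmt.Println(GoodDecrypt(ks, rec))
	delete(ks, "pan-key-1") // key lost, or rotated away without re-encrypting
	fmt.Println(GoodDecrypt(ks, rec)) // now an error naming pan-key-1
}
```

The recovery point is the one people skip: because every GoodRecord names its key, a periodic check that walks the records and asks the key store for each KeyID finds the “where are those keys?” problem before an auditor or an incident does, and a key rotation that forgets to re-encrypt shows up as a named failure instead of silent data loss.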