Two posts in a day…I’m probably sick or something like that
I was reading an interesting article by Bill Brenner on CSO Online, “Five Security Missteps Made in the Name of Compliance”. Although I don’t disagree with what is listed as missteps (in fact I think they are quite correct), something in the last [...]
Folks, this is serious and important. A lot of us have several complaints about the way that the CISSP certification is modeled, the quality of the questions and how it is interpreted by the industry. Seth Hardy is asking for support to be included in the (ISC)2 Board of Directors election ballot. He needs 633 [...]
I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview:
Payment processing company (Heartland) had a breach, leaking information on thousands of credit cards
Heartland’s CEO complains that they went through the regular PCI-DSS audit and the QSA had not pointed out the issues related to the [...]
There is an ongoing discussion on some forums about the “fallacy” that the damage to the security reputation of an organization due to a security incident is not as bad as security professionals used to say. This is based on this post from Larry Walsh.
I’m sure there is a lot of exaggeration on the effects [...]
There are a lot of interesting discussions about the value of SIEM solutions. There are also some discussions about the possibility of doing that with open source, like OSSIM (I personally think it is possible for some organizations – especially those that already have the open source culture).
I like to say that SIEMs are for security what [...]
The PCI-DSS world has just gone mad this week after Merrick Bank decided to sue Savvis, who gave a clean bill of health to the well known service provider CardSystems, responsible for a huge breach that led to thousands of card numbers being stolen.
It is an interesting outcome and raises a series of questions about whether it’s [...]
Trying to be PCI compliant is a tough task. One of the biggest problems is finding good answers to common questions, as the “PCI specialists” are usually very evasive and will hardly give you a definitive answer. So, it’s extremely valuable when someone posts a set of common Q&A about the subject like this [...]
Sometimes it’s funny to see the faces of people when you ask that. Sometimes it is about an organization, sometimes about a product. Usually, the answer comes in the form of a bunch of acronyms, standards and nice phrases like “risk management process”. The fun starts when there’s also stuff like “100% secure”, “certified against hackers” and [...]
I was glad to be one of the contributors to the “unsecured economies report”, sponsored by McAfee. It’s certainly a very good report and it’s nice to see my name in the same list as Ross Anderson and Gene Spafford.
However, McAfee has been saying since the Economic Forum in Davos that the losses due to loss [...]
Today I went to the CFI-CIRT Professional Development Day, organized by the Canadian Financial Institutions to provide content to their employees. It was awesome as it brought several good speakers to a single day conference, concentrating a lot of good content. I had the opportunity to hear Marcus Ranum, Dan Geer and Stephen Northcutt, something [...]