I was reading the post that I just published when I noticed that the post right before it was complaining about attempts to standardize diversity, the curse of the “best practices”. The funny thing is that in the last post I tried to make the case for a big standard that would probably end up [...]
I was happy to find Anton Chuvakin’s post about the issues of doing security based on risk management a few days ago. As I said on my twitter, “discussions about decision making (risk based vs. others) are the only thing interesting for me today in the security field”. Anton made a very good summary about [...]
Probably not enough content for a post, but certainly for a tweet
It’s common to see in security standards, frameworks and best practices a lot of “standard” ways of doing things like access control and patch management. The problem is that organizations are extremely different from each other, not only in technology but [...]
I tried to resist posting about this last discussion. For those who are not aware of it, a very quick overview:
Payment processing company (Heartland) had a breach, leaking thousands of credit card records
Heartland’s CEO complains that they went through the regular PCI-DSS audit and the QSA had not pointed out the issues related to the [...]
The PCI-DSS world has just gone mad this week after Merrick Bank decided to sue Savvis, who gave a clean bill of health to the well-known service provider CardSystems, responsible for a huge breach that led to thousands of card numbers being stolen.
It is an interesting outcome and raises a series of questions about whether it’s [...]
Trying to be PCI compliant is a tough task. One of the biggest problems is finding good answers to common questions, as the “PCI specialists” are usually very evasive and will rarely give you a definitive answer. So, it’s extremely valuable when someone posts a set of common Q&A about the subject like this [...]
One of the best blog posts I read from last week was “Consensus Audit Guidelines are still controls” from Richard Bejtlich. I really like that he is looking at some suggestions (in this case, the CAG) and pointing out that they are just controls; there is nothing about measuring the outputs. That goes directly to the heart [...]
Martin Mckeay, Mike Dahn, Anton Chuvakin and a lot of others are talking about the impact and/or the meaning of the Heartland breach on PCI. It raised the debate about compliance versus security, with valid points on “doing security first” and “security and compliance only have few points in common”. I agree with [...]
John Pescatore is right when he says that talking about less regulation at this time seems not aligned with the current crisis, but the article he is pointing to is very precise in saying that the costs from SOX are pretty high and, as we could see, it wasn’t able to prevent cases [...]
Anton Chuvakin wrote a very good piece about PCI and how regulations like that are usually written and interpreted. He is completely right in defining the problem as:
Mandate the tools (e.g. “must use a firewall”) – and risk “checklist mentality”, resulting in BOTH insecurity and “false sense” of security.
Mandate the results (e.g. “must be [...]