[SecurityRatty] tag: companies

Monthly Blog Round-Up November 2008

Tue, 02 Dec 2008 13:24:00 +0000

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (!), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

Amazingly, this month by far the #1 post is my “'Blogging from DeepSec 2008 in Vienna.” DeepSec was indeed an awesome conference.
Last month, I said that “SIEM bashing reached a new high.” OMFG. What should I say now? I dunno. In any case, “11 Signs That Your SIEM Is A Dog or "Raffy, You Killed SIM!" is on the top list. BTW, “On Open Source in SIEM and Log Management” is also again on the top list, to much of my amazement.
Again and again, PCI compliance is obviously still all the rage: MUST-DO Logging for PCI? post was again propelled to a place in my monthly Top5 list.
Get a firewall AND a fire extinguisher, now, will ya? Is it too much to ask? :-) The post “On Small Companies and PCI Compliance” is on the Top list.
Shockingly, AGAINx2 :-) this month, the "Top 11 Reasons to Secure and Protect Your Logs" came up as on the Top list. BTW, see my other logging polls and my other “top 11” lists.

See you in December. Also see my annual “Top Posts” (2007)

Possibly related posts / past monthly popular blog round-ups:

Technorati Tags: blog,security,loggings,monthly

Opinion: Is there a hidden cost to data protection?

Tue, 02 Dec 2008 02:00:00 +0000

Companies rushed into data protection by the fear of losing precious information may have been too quick to throw together a patchwork quilt of security software, which is now proving costly.

Antivirus programs unreliable during critical coverage gap

Mon, 01 Dec 2008 22:00:02 +0000

Antivirus companies typically bill themselves as offering critical protection when you need it most, but the timeliness of the protection is a matter of concern. There's some reason to suspect AV companies may be moving too slowly on this one, with a majority of scanners failing to detect malware up to three days after it's seen on the web.

The myth of cloud computing

Mon, 01 Dec 2008 02:00:00 +0000

Companies hungry for IT efficiency and cost savings absolutely love virtualization. The idea of reducing racks of servers into smaller and cheaper machine farms is simply irresistible in just about every enterprise.

SOA Security in Real Life

Sun, 30 Nov 2008 14:29:17 +0000

I started off my last article on SOA Security this way:

When I park my car in the garage, I lock it. Why? Well, although I would hate for someone to steal my snow shovel and hockey sticks, my car is much more valuable to me. Security is about managing risk, specifically protecting valuable assets like my car. I have a higher level of protection on my car than on my garage. In dollar terms, the contents of my garage are orders of magnitude less valuable than my car. I could spend a lot of money fortifying my garage, and that would add some security to my car while it is parked there, but it is not a cost-effective investment. First, my car is the asset of value, and second the garage - no matter how well protected it is - doesn't move.
Car manufacturers know this, insurance companies know this, consumers know this. Even media publishers know, yet in the common enterprise, programmers and architects seem to roam in ignorance. Your average download of a Michael Bolton song carries a far higher level of security than valuable user data, like passwords, social security numbers, and credit card details. Why do we keep protecting critical data with point-to-point security solutions (like SSL) that protect the transmission channel, but leave the valuable assets being transported wide open everywhere else? This is a critical question that needs to be answered in order to successfully add an effective layer of security to an SOA.

Well guess what happened last weekend? I always do lock my car in the garage, but last week I came home with an armful of holiday cheer and forgot. I went out to the garage over the weekend and noticed that a local knucklehead who could see that the car was unlocked tried to jimmy the lock on my garage door, and busted off a piece of wood before giving up (probably when they saw the sign that said the garage was monitored).

The response of the police actually further supports my assertion that security is about assets not threats. I called the police and said someone tried to jimmy my garage door. They said its a holiday weekend, call back on Monday and get a case number. This disturbed me not at all. All they are going to do is record a threat (or security event) metric anyway.

Now in a hypothetical scenario if my car was compromised it would have been a completely different response from both me and the police; why is it different urgency? Not because of the threat and intent which were similar in both scenarios, but its the fact that the asset was put into motion that's what makes it important.

For infosec what do we learn? Infosec is spending waaayyyy too much time and money protecting garages and not enough protecting assets.

Online Finance Flaws: An Awareness Campaign

Sat, 29 Nov 2008 19:08:00 +0000

Here begins a series regarding web application security inadequacies in online financial service offerings. The services to be discussed will include banks, credit unions, credit card companies, and others. As the economy struggles profoundly, and much of the blame points at the financial sector, I believe it important to point out the false sense of security so many brand-name financial services wrongly instill in their customers.
Often this sense of security is coupled with a typical "security badge" provider, helping drive conversions rather than security, as we will also legitimize how often the badge providers miss the mark on their promises.
Accountability in loan making decisions and practices might have prevented the sub-prime market collapse and the subsequent credit crunch that has hogtied our economy.
Accountability with regard to web application security while providing online financial services is now all the more important as cybercrime will continue to increase at a pace proportionate to economic woes.
Each post relevant to this campaign will include Online Finance Flaw in its title for tracking purposes.
Look forward to surprising flaws in financial services brands you'll recognize.
Perhaps, the more attention we draw to services that should place security above all else, the more likely it is they'll commit to improving their security posture.
Feel free to comment or contribute; we'll begin in a day or two.

Mumbai terrorism, worm warning, holiday woe

Thu, 27 Nov 2008 21:00:00 +0000

A wave of coordinated terrorist attacks across Mumbai late Wednesday dominated the news this week, with bloggers and people using Twitter helping to get information to families and friends of those affected. Multinational technology companies are not expected to change their business strategies as a consequence of the stunning attacks, which targeted westerners.

LinkedIn Updates Privacy Policywith Only a Brief Notice to Users

Wed, 26 Nov 2008 09:08:00 +0000

If you haven’t logged in to your linked in account in a while you’ll be greeted with a quick notice next time:

“We’ve updated! On November 14, 2008, LinkedIn published revised versions of our Privacy Policy and our User Agreement. Using LinkedIn means you consent to these policies, so please take a few minutes to read and understand them.”

However, if you log out and back, the notice will be gone– so if you weren’t looking too closely, you might not even realize you’ve just consented.

Rebecca Herold at Realtime IT Compliance looked into this and found that the FTC doesn’t much like this kind of implicit privacy changes. Instead, companies should be getting explicit consent, also called “Affirmative express consent,” says the FTC:

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers.

This would imply that if LinkedIn is updating its privacy policy with such a minimal notice, it may not have changed in any way “materially different” from before. But if it is different, they might face a bit of trouble.

Links for 2008-11-25 [del.icio.us]

Tue, 25 Nov 2008 21:00:00 +0000

The Myth of Software Support « Chris Swan’s Weblog
More On Why I Think Free Microsoft AV Will Be Good For Consumers | securosis.com
My belief is that we essentially have both conditions today (low innovation, easy evasion), and the nature of attacks will continue to change rapidly enough to exceed the current capabilities of AV.
Idiocy | securosis.com
The Impact Of Free Antivirus From Microsoft | securosis.com
This gives them enough time to avoid suddenly losing 40% (don’t quote me on that, I’m on an airplane and just guessing) of profits over 12 months. The real losers will be the consumer-only AV companies without diversified portfolios or a larger enterprise base.
Rich Mogull: 7 Infosec Trends for 2009 - CSO Online - Security and Risk
Safe bets for IT spending in '09 | Business Tech - CNET News
Second, security management will merge with log management. That works for ArcSight, RSA, LogLogic, and LogRhythm.
Dark Matters: Land of Confusion
InternetNews Realtime IT News - Enterprise SaaS Buyers Want More Than Uptime
High Tower Software Shuts Down | socalTECH.com
Aliso Viejo-based High Tower Software, a venture-backed developer of security, compliance, and log management software, has shut down.

Microsoft warns of malware exploiting known vulnerability

Tue, 25 Nov 2008 21:00:00 +0000

Microsoft is warning users of a rise in attacks on a vulnerability in Windows that could trigger a worm infestation on networks, and the company is encouraging companies to apply an emergency patch released in October.