On Whitelisting ASVs standard

This topic has made the rounds again—both due to the community meetings happening over the last four weeks and with some customer discussions I became involved in. Essentially, the issue is this. ASVs need the ability to scan through perimeter defenses like IPS and companies being scanned want to showcase their defenses such that they activate (like they should) upon a scan. Both groups have valid points. The ASV is following the program guide. In order to provide passing scans they must be able to scan through perimeter defenses to the actual systems to generate an accurate vulnerability report. Having a scan instantly blocked doesn’t necessarily eliminate the possibility that a vulnerability could be exploited, it just stops that scan’s ...

Continue Reading

Slow Down Patching? standard

The whole discussion around patching and vulnerability management is a big problem in general, but typically exacerbated by compliance initiatives like PCI DSS. Companies want to be secure, in general, but they have different risk procedures that can change the manner in which they do things like patching or how they lock down desktop controls. A good friend of mine turned me on to a presentation that happened at the San Diego ToorCon this past weekend that I am curious about. The abstract pushes us into dangerous territory, that of interpretation of QSAs (something we have often chatted about here). In the abstract, the presenter takes the opinion that rushing to patch is undesirable (potentially agree) and that the language ...

Continue Reading

The Power of Inference standard

Last week I spoke at RSA Conference about using social engineering techniques as a form of espionage—a way to “game” big data, as it were. I believe that our current estimation of what can be derived from innocuous appearing data is not only lacking, but it’s nearing the level of irresponsibility. In our talk, we discussed how an attacker might go after a prized piece of information, say the formula for Coca Cola. If an attacker wants to re-assemble such a formula, he could apply techniques often used in social engineering. Social engineers don’t bluntly ask targets for their social security number, they ask them for pieces they can use to reconstruct it. For example, people tend to give out ...

Continue Reading

“Non-Observables” standard

Security professionals are fraught with crazy obstacles unseen in other parts of the technology space. For example, we are often fighting enemies we cannot see. They out-maneuver us by attacking our partners, informational supply-chain, and even the people. But they are not completely invisible if we know what to look for. There was a recent thread on the SIRA mailing list that discussed the concept of “non-observables,” or elements in the security space that cannot be feasibly observed by defenders. These elements, in theory, would be critical in event detection, thus providing defenders with better capabilities to shrink the window of vulnerability. This is a foolish notion that leads security people into an unnecessary state of helplessness. Consider Locard’s Exchange ...

Continue Reading

September 2012 Roundup standard

What was popular in September? Well, we certainly couldn’t get enough of the new iPhone (and by the way, I think Samsung’s commercials are ABSOLUTELY GENIUS!). We enjoyed cooler weather for all, and a fantastic Oktoberfest. We had the PCI North American Community Meeting kick off a whole new round of discussions on everything that is right (and wrong) with PCI DSS. Oh yeah, and good ol’ Brando forgot to renew the domain, so the site was down for a couple of days. It’s back up now, so we can all rejoice and be glad. Here are the five most popular posts from the last month: PCI DSS Feedback 2012. The Council released some highlights from the feedback process including ...

Continue Reading

The Dissolving Perimeter standard

IT and IS professionals have long acknowledged and lamented the dissolution of the network perimeter amid a global economic crisis and shrinking IT budgets. We must do more with less, be more efficient, and create and leverage economies of scale and scope to achieve all of this. But that doesn’t necessarily represent why the perimeter is dissolving, so what is going on? Businesses are exchanging information in real time (both providing and consuming) over public networks as opposed to frame relay or MPLS links behind the scenes. The number of telecommuters ((The State of Telework in the US – Five Year Trend and Forecast.)) in the US grew 61% from 2005-2009. This means more laptops over desktops, and now more ...

Continue Reading

RSA Announces Advanced Cyber Defense Service standard

A very long time ago I worked at a company called Internet America. For those that remember, we were the 1-800-Be-A-Geek company. Back on the early side of the Internet explosion (this is 1996) I remember walking into server rooms in absolute awe of the big machines that powered our customers’ experience and the respect I had for those that ran them. One particular guy I remember is Gordon. Gordon was a typical middle-aged geek (before it was chic) and he had a catch phrase that always made me smile. When you asked Gordon how he was doing, he would say, “The bugs are winning today.” Back then, we had a lot of days like that. Over the last two ...

Continue Reading

The Only Customer Service Script You Will Ever Need standard

I have had a few run-ins with some customer service departments in the last month that drove me a bit crazy (and one that went QUITE well). There are several indicators that the economy is getting better; one of those being as the economy gets better, customer service gets worse. There is apparently less of a need to deliver service because if I defect, there are others waiting in line to take my spot as a “valued customer.” I’ve always scratched my head when people talk about how big-box retailers kill small businesses. I disagree. I think it forces small businesses to both innovate and fill the service gap left by those big-box retailers. Small business owners that cannot retool ...

Continue Reading

PCI DSS Feedback 2012 standard

The PCI Security Standards Council released a statement this morning outlining some of the highlights from the feedback period we just finished this year as part of the PCI DSS lifecycle. If you are going to be at the community meeting next week (or later in October for EU), I strongly suggest you attend the session on the feedback and potential proposed changes to the standard (if they have the ability to turn that around this quickly). Here are a couple of notes from my analysis (note some of the wording is similar to the press release, go read it): Scoping is still an issue. I think we all agree that at some point the framers of PCI DSS will ...

Continue Reading

August 2012 Roundup standard

What was popular in August? We sure had our fair share of speculation on Apple products including a big settlement that could have lasting effects on the mobile device industry. We had a new OS released (with a ton of side effects). RSA China came and went (one of the more challenging speaking gigs I’ve ever had), and RSA 2013’s CFP closed. And while summer is winding down, it’s clear that infosec is not done for 2012! Here are the five most popular posts from the last month: Mountain Lion Troubles and Solutions. In a departure from the norm, the top post this month is all about Mountain Lion. Some folks had no problems, others like me had massive issues. ...

Continue Reading