36 posts categorized "compliance"

November 17, 2009

The return of the Captain Renault award

It has been sometime since I have handed out a Captain Renault award. I thought they were going to be retired. For those who don’t remember the immortal Captain from the film Casablanca:

casablanca Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

So who is so deserving to pull this award out of its retirement? None other then the Ponemon Institute (I am sorry I just think of Pokemon whenever I hear that name, but it may have to do with me having young sons).  They were recently commissioned by Lumension Security to conduct a survey on the global state of endpoint security.  Some of the results they came up with were not surprising to say the least:

In the US, for both IT Security and IT Operations personnel only about 40% of the respondents felt that their organizations CEO was a big supporter of security and data protection. 

No kidding Sherlock, welcome to the world of the security pro. Isn’t that the biggest problem in security, getting executive buy-in to do what has to be done?  But here is the real irony and problem in security, go ask those CEO’s from the 60% of organizations where the IT staff does not think the CEO is a big supporter - and they will tell you with a straight face, that they absolutely are big fans of security. In fact it is one of our top three priorities!  How long have we all heard that fairytale?  How many times are analysts and institutes and others who sit and talk to these people going to swallow and regurgitate to us that our CEOs think security is a top priority? There is an old saying where I come from.- actions speak louder than words! Until we see more action and less talk around supporting security, things are not going to change.

There were equally dismal responses around whether an organization was putting enough resources in place for security and data protection and whether security was strategic across the organization.  Again obvious to those of us doing this everyday, but shocking to the crowd who keep telling us security is a top priority all the time. One thing interesting is that across the board, international responders were more optimistic then their US counterparts. That is encouraging.  In fact consistently the responders in Germany had the most encouraging responses about security and data protection. Not sure what they are doing right over there, but good for them.

There is actually a ton of other good data that the Lumension folks have made available in both a pdf of the report and a ppt file. If you get a chance, you should really download and have a look.

Posted at 10:30 PM in compliance, General Security, other security companies, the security industry | | TrackBack (0)

August 21, 2009

SAS 70 Type II – Should you care?

SAS70Logo In technology and certainly in government we seem to live by an alphabet soup of acronyms. Often times these names take on a life of their own and people don’t even remember what they stand for and why they are important. A great example is HIPAA (or as some people refer to it, HIPPA).  People will tell you vaguely it is regarding health care information and that is very often good enough.  So what does complying with HIPAA mean?  Well that is for another article, but another example is the SAS 70, Type II.  We see this one all the time.  Is a type 70 better than a type 69? Would a SAS type 71 better than a 70? Is there a type 69 or 70?  Do you even care? What about Type II versus Type I? What is the difference?

Lets start with some basics for those of you reading this and too ashamed to admit that you have no idea about the answers to these questions. I found an excellent site called SAS70.com (surprise). Here are some definitions:

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).  A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.  In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.  In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.  The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.  The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

Service Auditor's Reports
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report.  There are two types of Service Auditor's Reports:  Type I and Type II.

A Type I report describes the service organization's description of controls at a specific point in time (e.g. June 30, 2003).  A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period (e.g. January 1, 2003 to June 30, 2003).  In a Type I report, the service auditor will express an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

That is a great start. In the next article in this series we will examine why its important to you.

Reblog this post [with Zemanta]

Posted at 08:04 AM in compliance, General Background | | TrackBack (0)

August 12, 2009

Heartland CEO thought QSA’s would make him compliant and secure

Bill Brenner (one of my favorite real media types) has a great interview up on CSO online with the CEO of Heartland. Robert Carr, Heartland Payment Systems CEO blames his QSA’s for not investigating the already known “common attack vector” that allowed the malware to be planted on his systems. In reading the article it was pretty apparent to me that he made a common mistake. He thought the QSA’s where there to make him both secure and compliant.  They are not the same and the QSA job is tomake him compliant. I guess they did, but that didn’t help him be secure.

Of course after the fact everyone gets religion.  Carr says that PCI is just a minimum set of standards and does not make you secure.  Mr Carr that does not make your QSA audits fraudulent as you call them though. It just means you were only compliant. But PCI was not the only thing Carr was compliant about. He was compliant with not taking security seriously.  Doing the minimum and spending the minimum to do what he had to. Now of course he is creating industry groups to share security info. He is spending millions on security products to protect and encrypt.

Isn’t that the real travesty of our industry though?  Only after the cows have run out and the barn has burned down does anyone really give a crap.  Even by his own admission with what happened to him and his company, when he goes to talk to others in his industry the feeling is still it can’t happen to them. What will it take? Does every single one need to to have a security incident?

I am sorry to say that this just proves what many of us already knew. People don’t take security seriously until it is too late!

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:17 PM in compliance, Current Affairs, General Security, identity theft | | TrackBack (2)

August 06, 2009

Do SMB’s (or others even) want to move beyond the checkbox?

There has been much discussion lately about the fact that being PCI compliant does not necessarily make you secure.  The simple answer is of course it doesn't. It does make you compliant perhaps, but not truly secure. The regulations were meant as a minimum, not as the be all, end all.  But with that being the case, what makes you think that most businesses, especially SMB’s give a hoot.  For most of these people being compliant is where its at.  They have not budget or will to move beyond that whether it be SaaS, MSSP or anything else.

So it was with a chuckle I read Steve Smith’s Alert Logic blog post on how and why SMB’s should be moving beyond checkbox compliance. Steve what makes you think they want to? In fact the evidence is overwhelmingly that they don’t.  Once you get past Steve’s somewhat annoying incessant Alert Logic selling (hint: Steve be a little less “sales-y” in your blog posts), Steve reverts to a FUD argument.  Citing the Pokemon (spelling mistake intentional on my part) Institute, Steve talks about how expensive a data breach can be.  But my experience is that most SMBs and even larger companies don’t believe it will happen to them. Getting them to spend money based upon the fact they could suffer an incident is a tough sell in the current economic environment. It is the herd mentality. They know someone is going to get burned, but there are so many, what are the odds of it happening to them.  It is only after the fact that they believe it can happen to them.

Here is the bottom line: The best customer for a security vendor – product, SaaS or MSSP (and Steve MSSPs give customers control over their security too, if they want it, which is a whole other story) is one who has already had a security breach.  They get religion real quick after an incident.  But trying to convert one who has not had an incident is better left to missionaries.  In other words, companies are told they have to meet PCI guidelines to do business. That is the bar they are going to aim for.  Asking to them go beyond that is pushing rope up the hill I am afraid.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 10:48 AM in compliance | | TrackBack (1)

July 30, 2009

SSAATY Podcast: PCI Wireless with an all star cast

new podcast Please join me in this new series of podcasts in the StillSecure, After all these years series. I am hosting these myself and inviting some of my friends in the industry.  In today’s episode I am joined by my friends JJ (Jennifer Jabbusch) of securityuncorked blog and CAD, Inc., Mike Rothman (not grumpy no more) of security incite and eIQ Networks and Dominick Genzano of STI Group. We talk about the recent guidelines issued on wireless networks and PCI compliance.  It is a good discussion that strikes a decent balance between technical aspects of compliance and business drivers. I hope you will find it interesting and helpful!

If you have any questions or suggestions for the podcast you can write me at podcast@stillsecure.com

Enjoy!


Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:36 AM in compliance, podcasting, Security Incite | | TrackBack (0)

May 04, 2009

Lexis Nexis allowed cybercriminals to use its information for 3 years. I am shocked!

casablanca From the classic movie Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

The latest winner of the Captain Renault award is Lexis Nexis and its corporate sister, Choicepoint. It seems that cybercriminals were using their service for 3 years to obtain information that was used to obtain fraudulent credit cards. Then to make matters worse Lexis Nexis apparently asked for and received permission to wait for 18 months to notify people whose information may have been compromised.  This is of course not the first time that Choicepoint has been duped into giving out confidential data.

When are we going to put enough bite into the penalties so that these companies will take protecting this data seriously. How do they dare sit on this for 18 months to two years before notifying victims?  This is the kind of stuff that makes politicians want to do something, its about time they did!

 

 

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:56 AM in compliance, General Security, identity theft | | TrackBack (0)

March 18, 2009

RSA is on the way! March 18, 2009

rsa OK I got back early from California (because someone I was meeting had to be hospitalized I am afraid) so have some time to blog.  It has been tough lately, but there are lots of stories to touch on.  First of all we are in full swing for the pre-RSA season.  My calendar is already filling up with appointments while I am out in San Fran.  I will be presenting at the Americas Growth Conference again this year on the Monday before RSA.  The AGC event has become a staple over the years and in these challenging times should be even more interesting this year.  Of course there is the security bloggers meet up with planning in full swing ready to rock (SBN members get an invite). Also the SC Magazine awards dinner and event which I was invited to and will be attending.  Thursday morning I moderate an all star panel on what to do about security in this economy.   All in all, RSA is shaping up as a great time! 

While I am registered as a speaker, an exhibitor and 5 year member, I was surprised that this year to attend just the expo and keynotes, there were no free passes.  In some ways it is good, it may keep some people out who are adult trick-or-treaters or resume pushers.  In other ways if you are in the local area the 75 dollars for an expo pass may stop you from attending.  Well here is where I can help. I have 4 expo passes to RSA to give away.  Leave a comment with why you deserve one and if you can convince me you win one. I wish I had full passes to give out to all of the tracks and all, but those are hard to come by. Hope to see you at the conference.

Couple of other stories:

1. Vyatta adds security to the router. I don’t know about you but this is so Cobia 2007!  Come on guys we did this at StillSecure with Cobia 2 years ago.  Plus reading the press on it, it is hard to see what special sauce if any Vyatta adds over the plain vanilla open source offerings that it is based on.  I guess it was to be expected, but I think they are going to have to do better then this to be successful.

2. Is Sun going to rise at IBM? – Looks like Big Blue might be picking up what is left of Sun.  Great, that gives IBM another database to work with (they already have DB2 and Informix), some open source stuff and another silicon design.  On the other hand, Sun has to do something as I am not sure what the future holds for them as a stand alone.

3. How to evaluate if MSSP is right for you- article in searchsecurity about how to properly evaluate whether MSSP is the right for you.  Pretty elementary stuff, but a start to making the decision.

4. NAC, its not just for compliance anymore. – Tim Greene’s article this week calls out how NAC for compliance is yet another great use of NAC.  Yes NAC can be quite the Swiss army knife of security, but is NAC as a compliance tool enough to drive a new NAC sale or just another use for a tool you already bought?  That is the big question about the NAC market.

Posted at 04:31 PM in awards and PR, Cobia, compliance, MandA, NAC, SC Magazine, Tim Greene | | TrackBack (0)

March 10, 2009

Spring Ahead - March 10 2009

spring_ahead Well this weekend was the start of daylight savings time. I always think of it as spring ahead, as opposed to fall back. It usually takes me a good week to get used to being an hour ahead.  But are you really an hour ahead. Yes it is still dark when many of us get up and it stays light longer in the evening, but do you think of it as being an hour ahead?  Maybe you should.  What is so bad about thinking of getting out ahead of things?  Nothing at all.  Especially in security, so much of what we do is reactive, after the fact.  Maybe a good security strategy would be to spring ahead.  Get out ahead of the security issues before they become incidents or big problems.  Why not make that a mantra.  The clocks have been set ahead, try to stay ahead of bad guys yourself and enjoy the extra daylight at the end of the day!

Have a great day.

An IF-MAP in Juniper’s future? – Juniper updated their NAC solution yesterday for the first time in 2 years.  It seems like the big news is that NAC is now part of the fabric because it can interact with other security technologies using IF-MAP the the Trusted Juniper Computing Group’s standard for data sharing. Of course the problem is that it takes two to MAP.  If other products don’t support it and use it, Juniper by themselves is not going to do it.  What does it give you, you ask?  Well Juniper says according to this article by Sean Michael Kerner that now you can enforce quarantine and NAC after a device has been on the network. I say BFD to that, most NAC solutions have some sort of post-connect capability already (except Cisco of course), Juniper is just playing a bit of catch up there. But at the end of the day Juniper is all about beating Cisco so I guess that is what counts!

eEye’s any means possible – Those wild and crazy guys at eEye (they have not been as wild and crazy lately frankly) announced a new service yesterday based on services they have been providing for years (according to them anyway). It is a super-penetration testing service called any means possible.  Based on eEye research and super hacking techniques as well as social engineering., the eEye team seems to be going whole hog into services.  I don’t have a problem with it, but what does that mean about its commitment to Blink endpoint security not to mention the forgotten Retina/REM suite?  Maybe the products are not paying the bill and the any means possible name refers to eEye’s determination to keep the lights on?  In this economy no one is immune!

PCI sends two QSA’s to the principles officeMartin reports on article in tech target about two QSA’s who have been called out by the PCI council about their PCI auditing.  OK, so they are going for a proctology exam.  Are they being made examples as a warning to other QSA’s or is this the start of the PCI council starting to get more serious about enforcing standards around the huge infrastructure they have fostered?  I have a great PCI podcast panel being scheduled now, we will be discussing this very topic, so stay tuned!

Posted at 08:01 AM in compliance, NAC, vulnerability management | | TrackBack (0)

February 27, 2009

Google search for real

millenium_tree We have all heard of the millennium generation. Generally it refers to people born after 1985 through now.  The older millennials are already young adults and their impact is being felt in social networking, politics and many other fields.

But it is the younger millenniums who are going to blow us away.  They are growing up in a world where the internet, ubiquitous connectivity and unfettered access to information is the norm.  They never saw an encyclopedia made out of paper. I was reminded of this tonight while getting Google tips from my 7 year old son Bradley.  Bradley was working on some Pokemon character and was looking for a picture that he needed edited.  He asked me to Google the character’s name and then grab a picture and edit it.  When I Googled the name no pictures came up.  Bradley said, “Dad put “for real” after the characters name.” When I asked why, he said that is what he does when he can’t find something on Google.  Frag (Battlestar Galactica word) if that didn’t work!  How did Bradley come up with this?  Is Google aware of it? It must change the search algorithm or something. Glad I have web filtering on the machine.

What is going to happen when Bradley and his friends grow up? What challenges will this present for the security industry?  Maybe they will help with security. I don’t know, but I do know that they have an instinctual intuitiveness around computers and such that previous generations on the whole don’t have.

Anyway, here is something you very rarely get with Mike Rothman’s Incite – a report on Friday!  Have a good weekend!

  1. When open is open only if  or its about the platform stupid – Hoff has a good point today about VMware’s use of the terms open and interoperable.  These two abused terms get tossed around alot. Open used to really mean open source. You had access to the source. Interoperable in my meant that out of the box it would work with other platforms and products. Then open was not really about source, but at least the openness of the product to use generally accepted means of communication. In my mind SQL and ODBC connectivity in databases is a perfect example of this. But I think what Hoff is getting at but is not saying clearly is that now it is all about the platform.  VMware wants to be the platform here. They want you to use tools and applications, as long as you use their platform. By having to use their APIs to connect, you are locked into their platform. That is the real hook and makes it not very open at all.
  2. Can IT Vendors be Objective? Probably not – Michael Farnum has a guest post up from a vendor friend of his venting about the fact that he has been “discriminated” against because he is a vendor and therefore deemed not objective.  I agree that most people out of hand say you are a vendor and therefore not objective.  Not that you can’t try. I have been accused of the same thing.  But being objective on this question, I have to say vendors can’t be objective. Not to say we would lie, but if we didn’t believe that our products were better, could we sell them? So yes IT vendors are not going to be objective.  But here is the kicker, neither can anyone else.  We all bring our own views and prejudices to the game and that effects our objectivity.  Therefore it is up to the audience to filter what they think is truth from fiction, opinion from fact. I think most people recognize that and perform that task.
  3. Mogul calls BS – Rich Mogull calls out Bob Russo of the PCI council.  Seems Russo says that no business that are PCI compliant have ever been breached.  They may have been compliant once, but when they were breached they were not. Rich rightfully I think calls bull on this. I am not sure if Russo is playing semantics here or what.  Maybe he means that having a breach automatically puts you out of compliance? I don’t know but have invited Rich and a few friends I know on the PCI advisory council to appear on a podcast. Stay tuned!

So that is it for this week.  Have a great weekend!

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 12:19 AM in Chris Hoff, compliance, Michael Farnum, open source, rich mogull | | TrackBack (0)

February 25, 2009

Spring is in the air

Maui_Whale_Watch I know you may not be feeling this way depending on where you live, but Spring is in the air.  How do I know? Easy, my anniversary has just passed.  For the 19 years I have been married, I know that once my anniversary is over it will soon be Spring.  Sort of my own bird like instinct maybe.  When we were first married we used to go to Maui every year for our anniversary.  It is always Spring in Maui, but by the time we would come home in early March, Spring was certainly on the way. Of course with the kids we don’t get to Maui much, but I watched a pre-season baseball game today, what more proof do you need then that?

So what does Spring have to do with anything?  Spring represents a rebirth. I think we need a rebirth.  We need to stop dwelling on the negative and start making our own luck and our own positives! To quote a greater thinker than I, “we have nothing to fear but fear itself”.  So take my word for it, Spring is on the way.  Start thinking about how you are going to break out of the winter/economy doldrums and attack your job, your life and your problems head on. 

Good luck with that!

  1. Mike Rothman gave me a nice shout out yesterday in his blog about copying his format.  Besides thanking Mike, I want to say that I am thinking of this as just doing a few short blog/comments in one post.  I will of course add my own Shimmy schtick to it, but I like it. I will still do full posts when I see something I want to talk about. I am interested though if you readers like this type of blogging. Let me know.
  2. The law of conservation of energy – Adrian Lane over on Securosis has a nice commentary up on the recent Symantec/Ponemon FUD that employees leaving their employment are taking IP and confidential data with them and that this number has gone up drastically.  As Adrian points out, no crap Sherlock! With all of the people being laid off, there are certainly more people leaving work.  The real issue though is how many of these people actually dong anything with this information. It reminded me studying science with my oldest son Landon.  The law of conservation of energy says that the amount of energy doesn’t change, just the form does. So really this is a potential threat, like potential energy. It remains to be seen if it will translate into anything more than that. Adrian says no, I say it desperate people do desperate things.
  3. Dead men walking – While reading this story about Nortel laying off another 3200 people today I was reminded of a potential customer call I was on a while back for NAC. They were also looking at Nortel’s NAC solution and the CIO was telling me how good he felt dealing with a company Nortel’s size and the stability it offered over StillSecure. My how the mighty have fallen!
  4. Its not a product, its a feature – Hoff loves to spout that one. I was reminded of the same thing today reading the article in Computer World by Mark Everett Hall that SaaS is not a market, just another channel. I actually agree with that statement and is one of the driving forces behind StillSecure’s recent ProtectPoint acquisition.  While many folks including Rothman question an organizations ability to sell service and product, I view the service offering as just another distribution channel.  Customers can buy our products as a hardware appliance, software or as a service. I think long term that view of SaaS is going to proven correct.
  5. Firewall tools – I recorded a great podcast earlier this week with Secure Passage CTO Jody Brazil.  Jody is the former CTO of Fishnet and Secure Passage was originally spun out from Fishnet with the Firemon product. It is totally independent of FishNet now and is coming out of stealth mode.  My recording equipment messed up and am waiting on Mitchell to send me his file to edit. In the meantime Brian Prince of eWeek has a good interview with Jody. My view on this one is that PCI is totally driving this market.  The issue is will it be a victim of its own success. If it becomes big enough the firewall vendors will do a better job of packaging management tools with the firewalls and the 3rd party tools will find it hard to compete.  But who knows, maybe they get bought out by then.
Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:39 PM in compliance, Current Affairs, General Security, identity theft, SaaS | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Lijit Search

MyBlog Log Community

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search

Blog Networks

  • Find the best blogs at Blogs.com.

Categories

Track my blog stats

Blog powered by TypePad
Member since 10/2005

About