OMG! This hits the nail on the head!
- Details
- Category: Information Security
OMG! Dark Reading does it again. They released an article labeled "10 Symptoms of Check-Box Compliance".
Do you realize how much time, effort and money is wasted on "compliance check boxing" rather than actually getting in and fixing the problems?
There is not one document or standard ever written that "fixes" the problems. They are meant as guidelines, not a fix-all!! You have to be able to think and look outside the guidelines (aka the "standard") to see what else works!
No two problems are ever the same, just like snowflakes. Ever actually see two exact duplicates? Never happens.
There are thousands of compliance requirements that many in the security industry are labeling a waste of time. These standards are meant as guidelines, NOT step-by-step instructions on how to do things! That is all that standards are meant for.
Case in point: look at the standards for DNS and then compare them to someone like Microsoft. MS created their own standards for their own needs! This is the same for every single email server application in existence! No two email servers speak the same standards! Why? Because the "standards" are meant as a guideline, not a de facto, written-in-stone way of doing something. If company "X" doesn't like the standard, they rewrite it to suit THEIR needs! This is why we sometimes have problems with email servers talking "the same language". The developers follow the standards in a loose form, then add in what they like that may be outside of the "standards". Lotus Notes and Exchange are two such servers; Sendmail and QMail do things a little differently.
Think about it: if you had two identical working software packages, why would you need two? If you had one manufacturer for a car and only one color, why would you need 20 other car manufacturers and bazillions of colors?
Way too much time and effort is spent thinking that these standards are "it". They are not.
This is also a large part of "thinking outside the box", which I am notorious for. The box is just a container, a standard to go by. Stepping outside the box into the real world..... there are no standards for that!
Compliance check boxing never solves or fixes a problem. It creates more headaches and problems while you wait for the "next standards release" and hope it addresses a real IT problem. Never happens. You have to interpret the standards to meet your own goals, create your own standards and constantly check to see if they need updating. It is a vicious cycle that is NOT the "end all and be all".
How many compliance checklists are out of date? Does anyone really read these or live 110% by them?
Think about it the next time you are stepping into your car from the only manufacturer in the world, painted the only acceptable color allowed.
Think outside the box, people. It's not that difficult!
Twitter DOWN !
- Details
- Category: Personal Cyber Security
Well, according to status.twitter.com, Twitter is officially down and "experiencing problems".
<stands on milk crate>
Computer, network and cyber security is not a fix-and-forget problem. It is an ever-evolving issue where things can change, evolve or mutate at a rapid pace. Thinking that you can fix the problem once and walk away is another disaster waiting to happen. Hackers, whether state or group funded, or even individuals who "can" find these holes, are at it every single hour of every single day. You can never let your guard down. Never.
Vigilance knows no boundaries nor limits of time, space or resources. Reducing or implementing boundaries in any shape, mode or form is another disaster waiting to strike. Security is not a political football, but a hard necessity in today's ever-changing environment.
</stands on milk crate>
All in all, I expect a lot more than just Twitter to be down. There were hints that the Home Depot site was down hard this morning and reporting a "404" error.
The old Chinese wish of "may you live in interesting times" is upon us. We do; face it or suffer the consequences.
Stay Vigilant!
6 Data breaches of 2012 or Can we come out of Panic Mode yet?
- Details
- Category: Breach and Disclosure
Dark Reading has just posted an interesting article about the "6 Biggest Breaches of 2012, so far". First off, before you continue to read what I have to say, I suggest reading the article.
Ok, so you are back from reading the article, great!
What is the trend you are starting to see here? Is there a trend? What can YOU deduce from the following:
I'll get to my point on the trend in a second. However, I want to talk about something that is a fact no matter how you look at it. Anyone that knows me knows the philosophy I push: "Security is an Intangible." You can spend money on tangible items such as:
- Employees
- HealthCare
- Computer & Networking Equipment
- Office supplies
- Cell Phone and plans
- the list goes on and on and on.... ad nauseam.
You can touch or see the benefits of these items, aka tangible items. However, you cannot see or touch the benefits of data, infrastructure, or, lumping everything together, "cyber security". You can't realize how important it is until a catastrophic event occurs.
You've heard the higher-ups say "we are spending too much, we need to cut back" or even "we can't keep up with it, outsource it". This all works well if the vendor you selected is above board on everything. But none really are. They all hide certain facts, especially when they can't handle something themselves.
When and if there is a breach, then it's full-blown Panic Mode to patch and get the right things in place. Remember this one important fact: no one will stand behind the budget cuts they imposed when a breach does occur.
Hmm, doesn't this resemble a "head in the sand" Management philosophy?
Side note: a vendor at the 2010 Black Hat event in Las Vegas provided a perfect example of this. I wrote a small article on this here.
What are the right things when each vendor screams that their product is better? Do you also realize that many "solutions" cause their own idiosyncratic problems? "But we need something in place NOW!" Blank checks are written to plug the hole in the dike with Silly Putty. There are no other words for it. Silly Putty.
Panic Mode is a killer and makes organizations do extremely rash and foolish things. See the article here on Zappos' response last year. Besides, it makes "experts" cringe.
Panic Mode can be described as:
The lack of ability to function in a normal capacity due to an event that triggers panic attacks.
Dictionary Dot Com labels Panic as: