Recent Network Content
Day 3 - PCI DSS & Stockholm Syndrome
We’ve had PCI DSS discussion on our blog for 3 days in a row. That’s one heck of a tail-wind. Computerworld’s Ben Rothke has an interesting opinion piece today, “Battling information-security Stockholm syndrome.” Yesterday I mentioned that in my opinion, organizations fail to adopt or even take PCI DSS seriously because of the lack of incentive (carrot) or penalty (stick). Take it a step further and look at the example in Ben’s article where the CIO of the National Retail Federation says that “PCI DSS… was supposed to prevent [data theft] crimes…” further leading to the perception that PCI is a “failed” standard.
I wouldn’t go as far as Ben and say that organizations sympathize with the hackers, script kiddies, and identity thieves (as he suggests using the Stockholm Syndrome-label). IT shops aren’t sympathizing with the malicious underworld — they’re just looking for guidance with measurable results. It’s not surprising they become overwhelmed, frustrated and disillusioned by the reality of threat management.
The truth is that for most small retailers, PCI is the first time they have been subject to ANY IT regulation or standard. Compliance in IT is a new concept for them, and most have neither the budget nor the process in place to deal with it.
As good security professionals, we know that there is no “Holy Grail” to prevent theft, DoS, etc. But we need to convince organizations that they need to take a more holistic approach to security, and that doing so isn’t “hokey-pokey” or ambiguous. The threats are dynamic, and the mitigation needs to be just as dynamic and multi-layered (defense-in-depth).
The PCI Security Standards Council needs to get out the stick, the carrot and the soap box and get to work before DSS gets a bad rap.
802.1X, so much to learn, so little time
» Network Computing | Network Access Control Immersion Center Blog
802.1X is a relatively simple protocol once you understand how it works. It's all the moving parts like EAP,… Read More »
The Difference Between Knowledge and Wisdom
If you haven't heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem… Read More »
Social Media Release: Crutch for the Weak?
I’ve been speaking up on Twitter about my concerns around Social Media Releases (SMRs). I’ve apparently been flapping my… Read More »
Instant AppSec Alibi?
» Trey Ford - Security Spin Control
On May 1st, WhiteHat Security hosted a luncheon in San Francisco where Jeremiah and I spoke on PCI 6.6 and WhiteHat’s… Read More »
Interesting Information Security Bits for May 14th, 2008
Hi folks. Good afternoon. Here are a few things to look at today. There is a post on the… Read More »
A High-End Sniffer/Analyzer/Recorder: NetWitness
I was introduced to a company a couple weeks ago that I think everyone should learn a little bit… Read More »
Crossdomain.xml Invites Cross-site Mayhem
This week I took a renewed interest in crossdomain.xml. For those unfamiliar this is Flash’s opt-in policy file that extends… Read More »
Third sql injection wave and the impact on Belgian websites [Security4all]
» Belgian Security Blognetwork
Warning: I strongly suggest that readers do NOT visit websites mentioned here. They should be considered dangerous and capable of… Read More »
Warner Brothers Sez: Remove Your Cancer Charity Auction Right Now
» Vitalsecurity.org - A Revolution is the Solution
Unbelievable. Someone gets a bunch of very well known comic artists to produce work for a children's cancer charity, the… Read More »
Nessus "registered" plugin feed to be discontinued
I came across this post by Martin McKeay on the Network Security Blog today talking about changes to the… Read More »
A network of some of the leading IT security blogs on the net. Vendors, analysts, users: anyone blogging on security can be included.