I don’t think this needs any “smart” commentary. The comments by the minister stand up in their own right! :-)

Computer Mystery at IRD

Posted in: Dumb Security


www.pcianswers.com

They did have a go at my latest PCI blog with What’s the difference between QSAs? But hey, it seems like a good site regardless.

Posted in: PCI


SecurityFocus has one of the better stories on the topic: US Agency Security.

It's always been a source of amazement to me how bad some of these guys can be. It makes you wonder what hope the rest have if agencies with enormous budgets and "world-leading" expertise just can't get the basics right.

Don’t tell me what this guy did was rocket science: Gary McKinnon Story.

Posted in: Dumb Security, UFOs


SearchSecurity reports on Visa’s push for PCI Compliance.

Finally, some figures that look almost realistic. You can take these figures to mean that 60%+ of these businesses do not have good basic security controls in place. Let's be realistic: as much as PCI has copped criticism, it's really doing no more than stating that these are good security practices, nothing overly fancy, and you should be deploying them.

Even companies who don't fall under the PCI program should have a look at the PCI DSS and see how they compare. Is the standard definitive? No, but it's one of the better ones out there in the public arena. Would we base a whole state-of-security review around the PCI DSS checklist? No way, but we'd certainly make sure we'd covered its requirements as a minimum and then added our own checks. But hey, we're like that! :-)

The linked story goes on to state: "For example, a security lapse flagged by one auditor may not be considered an issue by another" ... "Clearly there needs to be more consistency between the way assessors interpret the requirements," Adams said.

COULD NOT AGREE MORE!! But you can't always blame the standard itself. While there are grey areas of interpretation, that does not excuse basic incompetence; QSAs need to accept the blame where it surely rests with them.

We're generally pretty close on time estimates for client jobs. Sour grapes: we've lost two recent bids for Tier 1 onsite audits. I don't stress about it too much, because we can't compete, nor do we want to, in scenarios where we quote 30 days and are beaten by someone quoting 5. Let's be honest, for most companies PCI is a pain: they want the tick in the box and to forget it for another year. It's the classic case of compliance going one way and security the other. Why would you want Security-Assessment.com poking around finding bad stuff for 30 days when you could get a Big guy in for 5 and know you'll probably do quite well?

We had a call from a Tier 1 service provider a couple of months ago. The Big guy who did their onsite audit last year is no longer in the game, so they were looking for a new QSA for this year's audit. Somehow, Big guy pulled that audit off in 4 days last year and passed them! We were told in no uncertain terms that, should we be hired, they would expect the job done in a similar time and they "expected to be passed!" A red rag to a bull... We sized the job, quoted 3-4 weeks and stressed we'd really rip it up, finding EVERYTHING! :-) Needless to say, we never heard from them again. So yeah, quotes like that about QSA inconsistencies are pretty much on the ball.



The guys at Support Intelligence have been gathering some information on botnets on corporate networks. Worth a read at http://blog.support-intelligence.com/.

Without doubt a huge problem, far bigger than most expect. We've covered this before but it's worth repeating: most companies have little idea what some of their perimeter systems are doing. We see it all the time! But hey, a patch will fix that, won't it?! :-) If only spam were the only concern.
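To put some substance on "little idea what their perimeter systems are doing": the script below is an added example, not code from the original post or from Support Intelligence. It runs three cheap checks over a handful of constructed firewall log lines (the hosts, addresses, log format and per-host port policy are all made up for illustration): outbound connections from a perimeter host to ports its role doesn't need, the same destination contacted repeatedly at near-constant intervals (bot command-and-control beaconing), and one host fanning out to many distinct mail servers on port 25 (spam-bot behaviour). The point is that none of this needs a patch to spot; it needs someone to look at the outbound side of the perimeter at all.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (not from any real device or network).
# 203.0.113.10 is a "web server", 203.0.113.11 a "DNS/web host".
SAMPLE_LOG = """\
2007-03-12T10:00:01 src=203.0.113.10 dst=198.51.100.7 dport=6667 proto=tcp dir=out
2007-03-12T10:00:05 src=203.0.113.10 dst=198.51.100.20 dport=53 proto=udp dir=out
2007-03-12T10:05:01 src=203.0.113.10 dst=198.51.100.7 dport=6667 proto=tcp dir=out
2007-03-12T10:10:02 src=203.0.113.10 dst=198.51.100.7 dport=6667 proto=tcp dir=out
2007-03-12T10:15:01 src=203.0.113.10 dst=198.51.100.7 dport=6667 proto=tcp dir=out
2007-03-12T10:16:40 src=203.0.113.11 dst=198.51.100.20 dport=53 proto=udp dir=out
2007-03-12T10:17:00 src=203.0.113.11 dst=192.0.2.55 dport=25 proto=tcp dir=out
2007-03-12T10:18:00 src=203.0.113.11 dst=192.0.2.99 dport=25 proto=tcp dir=out
2007-03-12T10:19:00 src=203.0.113.11 dst=192.0.2.120 dport=25 proto=tcp dir=out
2007-03-12T10:20:00 src=203.0.113.11 dst=192.0.2.130 dport=25 proto=tcp dir=out
2007-03-12T10:21:00 src=198.51.100.77 dst=203.0.113.10 dport=80 proto=tcp dir=in
"""

# Hypothetical perimeter inventory and the outbound ports each host's role needs.
PERIMETER = {"203.0.113.10", "203.0.113.11"}
ALLOWED = {"203.0.113.10": {53}, "203.0.113.11": {53}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) dir=(?P<dir>in|out)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_from_perimeter(records, perimeter):
    """Keep only connections initiated by perimeter hosts towards the outside."""
    return [r for r in records if r["dir"] == "out" and r["src"] in perimeter]


def unexpected_ports(records, allowed):
    """Count outbound connections to ports a host's role has no business using."""
    hits = defaultdict(int)
    for r in records:
        if r["dport"] not in allowed.get(r["src"], set()):
            hits[(r["src"], r["dport"])] += 1
    return dict(hits)


def beacons(records, min_count=4, max_jitter=0.1):
    """Flows (src, dst, dport) seen at least min_count times with near-constant
    spacing: the coefficient of variation of the inter-arrival gaps is at most
    max_jitter. Returns [(flow, mean_interval_seconds), ...]."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append((flow, round(avg)))
    return found


def fan_out(records, dport, min_targets=3):
    """Hosts talking to many distinct destinations on one port (e.g. spam on 25)."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == dport:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def analyse(log_text, perimeter, allowed):
    """Run all three checks over the log and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    out = outbound_from_perimeter(records, perimeter)
    return {
        "unexpected_ports": unexpected_ports(out, allowed),
        "beacons": beacons(out),
        "smtp_fan_out": fan_out(out, 25),
    }


if __name__ == "__main__":
    for check, result in analyse(SAMPLE_LOG, PERIMETER, ALLOWED).items():
        print(f"{check}: {result}")
```

On the constructed log this flags the web server talking to an IRC port (6667) every five minutes with almost no jitter, and the second host opening SMTP sessions to four different mail servers in four minutes, neither of which a web or DNS box has any reason to do. The thresholds are illustrative; on a real network you would tune min_count and max_jitter against a baseline and whitelist legitimate periodic traffic such as NTP.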

As mentioned, we still see figures in the vicinity of 90%+ of businesses who don't want to know what may have been happening on their systems when we detect a compromised or potentially compromised system. Why? Pretty obvious...

It’s a bit like knowing someone has broken into your house and your first reaction is to come home, sit down, watch TV and carry on life as normal. You decide to replace the lock after a few days, and then hope that sometime in the future you don’t stumble upon something broken or missing.

Gees, if I was the CEO or a shareholder, I’d want to know this stuff is happening.

Posted in: cyber crime


Pipes has done a really good job in putting together the dailyinfosec IT Security News site and it’s getting better all the time. Few sites out there are as comprehensive in putting together the best of what’s happening at the coalface. It’s almost the only site you need! Comments, suggestions most welcome.

Posted in: news


We've just gone through another period of "worry" and "gripes" about how long it's taken to patch another "Zero Day". (Aside: gees, it doesn't seem that long ago that some were calling "zero days" myths! Remember that? I could never understand it... but then again, I suppose it depends upon the company you keep.)

It'll be interesting to see how long some of those expressing concern take to actually deploy the patch. You know where I'm coming from...

We've lost track of the number of times we've reported bad things/bad vulnerabilities at a client site, to the extent where we state: this is beyond patching, you're more than likely owned... only for little or nothing to happen! (Even fewer, as I've stated before, are keen to engage us further to actually investigate what may have happened, who may own the systems and what they've been doing!)

So it amuses me at times to see the uproar, knowing that a good percentage of those whinging are probably happy to have something to do (whinge) and someone to point the finger at! (i.e. justifying their existence?)

Scary really... but hey, us security dudes are always exaggerating, as we know... or rather, as we are told. :-)

Posted in: Research