October 2010 Archives

Ok, to be fair, GRC has only been around for about a decade, so it's a bit disingenuous to suggest your mother would know anything about it, but nonetheless, you might have missed the exciting 10/10/10 release of LockPath Keylight. LockPath was founded by two former Archer officers with the sole intention being to reinvent the GRC product space. Thus far, I think they're off to a great start.

To be clear up front, I'm a bit biased in favor of these guys as we've been chatting about their product for the better part of the past 2 years. It's been very interesting getting to watch the product evolve and grow. It incorporates a lot of key characteristics that have been missing from other products, or were simply not done well. What differentiates LockPath Keylight from the competition is that they started fresh with nearly a decade of experience in the product space.

There's a new consumer-oriented report out from NSS Labs today, and it's more of the same-old-same-old. Unsurprising, AV suites are not silver bullets, nor are they perfect. Perhaps a bit disturbing is how poor many are at detecting known malware, but it's also a wee bit disconcerting that many claim to stop known exploits and yet seem to fail miserably. Per the report, the average lame criminal has about a 10% chance of being successful with a web malware exploit, and around a 1 in 4 chance of running an exploit past these security tools.

None of us should find this terribly surprising. AV suites are just one piece out of the overall self-protection puzzle. Other key components include regular OS patching, use of host-based firewalls, and use of additional security tools, such as IE8's SmartScreen filtering technology. For that matter, Google's safe search capability helps supplement your own consumer security.

I was asked to pass this info along... flyer here.

"Career and Academic Night" co-hosted by ISSA NoVA, ISACA (NCAC), and IIA (NoVA).

When: Tuesday, October 19, 2010, from 5:30 p.m. – 8:30 p.m.

What:
An event designed to allow qualified candidates in the technical security and auditing professions to connect with potential employers as well as obtain information regarding academic opportunities. The event is free and open to both experienced professionals and recent graduates. We will have a “match-making session” where attendees who arrive early to sign up may have the opportunity to meet with certain potential employers for a “speed- interview.” Additionally, three speakers will give short, informational presentations.

Who:
Companies, agencies and academic institutions scheduled to attend1: Ryan Sharkey, Freddie Mac, Morgan Franklin, KPMG, PwC, Grant Thornton, CACI, Hirestrategy, Jefferson Wells, SANS, Watkins Meegan, Williams, Adley and Company, Cotton and Company, Clifton Gunderson, CompTia, QSSI, Secure IT, Bowie State, ISC2, Cyber Watch, UMUC, Duval & Associates, Customer Value Partners.

Where: NRECA building, 4301 Wilson Blvd, Arlington, VA 22203 (www.nreca.org) Just two blocks southwest of the Ballston Metro station on the Orange line.

How: Free, but needed, registration at: http://www.isaca-washdc.org/careernight

Proving that writing a book does not make you right... Anton has a new blog post up (cross-posted, in fact) titled "On Scope Shrinkage in PCI DSS" - a sad little piece based on a lot of bad assumptions, and rooted in his blatant fanboyism for the standard that many have come to loath. In my typical fashion, here are some quotes and my thoughts on them...

Traditional rules of engagement suggest a winner and a loser at the end of a conflict. Of course, in the modern era, having seen the stalemate in Korea and Vietnam, we know that sometimes there's a third option that rests between "win" and "lose." Sometimes compromise is the best path forward. In other cases, you simply need to redefine the game to a more favorable outlook that allows you to see things for what they are. As the late, great Grandmaster Helio Gracie once said in his advanced age: he may not beat you, but you'll definitely never beat him. Sometimes surviving attack is a far greater victory than any other option.

In infosec, this is our problem today. Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%). This outdated mindset is also rather naive in that it assumes that your defensive capabilities can outweigh any adversary, as if our IT budgets are bottomless.

It's taken me a couple weeks to get this note out, but better late than never, right? I had the opportunity to attend the 6th EnergySec Summit in Denver, CO, a couple weeks ago. EnergySec was interesting in that it brought together people from all levels of the business, along with vendors, regulators, and consultants. It was great to meet a lot of people, and even better to start gaining a better understanding of the problems facing this industry.

Perhaps the most striking impression I had in walking out of the Summit was just how crushed (and paralyzed) the industry is as a result of well-intentioned, misguided regulations. If you think that PCI is challenging, then multiple it by a million, and be sure to introduce a number of contradictory and incompatible requirements. That seems to be where this sector is today, which is a bit troubling considering just how vital it is to our very existence.