Tuesday, April 14, 2009

The Anatomy of Security Disasters (By Ranum)

Marcus Ranum posted this on the Tenable blog a couple of weeks ago. As always, great thoughts (though I don't agree with some of his points).

Wednesday, April 08, 2009

Security Risk Metrics: Measuring the Business Value

Krag Brotby initiated an interesting discussion on Security Metrics. His comment about "plug-and-play strategic and management metrics" caught my eye. He made a good point -
Today's security metrics continue to focus mainly on tactical technical measures that won't answer the overarching security questions that information security, business and senior management need to navigate with.
In my opinion, first, there is a need for "Security Risk Metrics" (not just Security Metrics). Second, there is a need for "better Security Risk Metrics" -- not to "quantify" the risk but to "pictorify" the risk. Senior managers don't have time to look at numbers, tables, and charts. Metrics should be like a traffic light, so that anyone can understand them without needing to be told what Red, Yellow, and Green mean. We all produce good metrics, but a good question to ask is -- are they risk-based, and are they easy to understand?
Metrics serve only one purpose, decision support, and it seems greater granularity and more relevant information is likely to be required to support effective risk and security decisions beyond what can be conveyed by a heat chart.
I agree that there must exist underlying data to support each and every heat chart. But the view depends on who the audience is and can be adjusted accordingly. For example, a program sponsor will not be interested in the productivity metrics of each individual resource; what he/she would want to know is whether all projects were completed on time and within budget.

Krag's new books on Security Metrics and Information Security Governance will be released next week.

Monday, April 06, 2009

Do the Payment Card Industry Data Standards Reduce Cybercrime?

Yes, the title of this post was the topic of a hearing of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held last week in Washington, DC. The goal was to examine the effectiveness of PCI DSS (the Payment Card Industry Data Security Standard). Lately, the Heartland Payment Systems breach has brought extra attention to the PCI standards, which are known to provide a good foundation for a governance and risk management strategy.

So the two panels discussed whether the PCI standards are really effective in protecting consumer information and identity. The results were astonishing, ranging from reasonable criticisms to the National Retail Federation taking aim at the PCI Council.

In my opinion, the following key points will be topics of discussion in upcoming PCI panel discussions and conferences -
  • The PCI Council noted that if companies follow all requirements of the PCI standards, end-to-end encryption is not necessary.
  • Visa noted that one possible change is to add a requirement to the PCI standards to monitor outgoing traffic for unusual activity.
  • The NRF discussed end-to-end encryption as a control, but noted that it would be too expensive to implement.

Thursday, April 02, 2009

Data security standards for government and private sector

The Cybersecurity Act of 2009, which would enforce data security standards for the government and the private sector, was introduced yesterday. Here is a quick summary of the act.

The act proposes -

* creation of a national cybersecurity advisory office/panel, a group that will advise the President on all aspects of the federal cybersecurity strategy

* creation of new state and regional cybersecurity centers to assist small and midsize companies on information security matters

* development of a cybersecurity licensing and certification program by the Department of Commerce

* creation of a cybersecurity dashboard that can provide real-time information on security threats and vulnerabilities on all federal systems.

It also empowers -

* the President to act on the international stage to develop norms and so improve cybersecurity.

* NIST to establish security standards for computer information systems run by government agencies, contractors, and businesses that support critical infrastructure services, such as banking and power systems.

Last but not least, it requires federal agencies, contractors, and private-sector operators of critical infrastructure networks to comply with NIST's new security standards.