Going Around In Circles

Let's not start that again...

Lately there has been a heated debate in the community over whether the various forms of standards and compliance are effective at actually securing systems and networks. Just a quick note:

The first post I read today is from Ascension Risk Management. It laid out a point/counterpoint that, suffice to say, leaned towards the conclusion that standards and compliance are not effective: for anything resembling a standard to be enforceable, it must be made either too narrow or not actionable. This is a good argument, but it doesn't tell the whole story.

The next blog post I read is from Emergent Chaos. It was about how, after former/embattled/kind-of/not Senator Norm Coleman's campaign infrastructure was broken into and there may possibly have been a breach, donors found out via Wikileaks rather than from the campaign. One quote sticks out:
We need public, documented and debated standards of how such decisions should be made. With such standards, organizations could better make decisions about risk. Additionally, both regulators and the public could be more comfortable that those piping up about risk were not allowing the payers to call the tune.
So within the same day, one school says that standards are ineffective and another says we need more standards to sort through the varied methods people use for security-related tasks. What a vicious circle.

I am on the fence. I think that without standards, a good number of small and medium-sized businesses would have no security or extremely lax security. Standards do help push these organizations into doing more to protect data. On the other hand, in the hands of a competent security practitioner, these standards are simply "fill in the box" exercises: that practitioner is likely already doing more to secure the infrastructure than the standard accounts for.

I think standards are simply not scalable. If there must be policy, it should specify the end result, not the means. It is better to say "you are liable for any breach that occurs" than "you are not allowed to have SSLv2 on your hosts". Outcome-based policy creates an incentive for network owners and operators to actually think about how to go about security; if there's a breach, they are liable, after all.

Thoughts on Conficker

well, if you can call them thoughts

It has been a long time since my last post; there has been a lot going on in my personal life. One thing I am happy about, though, is that Red Sox baseball is now in full swing. Today is the first of the infamous Red Sox/Yankees games.

So, speaking of Conficker...

Today's game is turning out to be as hyped up, with as few results, as Conficker. Even the blogosphere has been less active about Conficker since April 1st. Admittedly, this worm is the first really widely spread worm since my entry into the technology industry. I was expecting to hear of or see infections first- or secondhand, but I have not. While I'm happy that Conficker was contained in my corner of the planet, it was hyped up quite a lot.

Today's game is not going so well for the hype either: Joba Chamberlain's outing was uneventful. This is similar to the April Fools' Day event: lots of hype, but no substance. In fact, Youk was walked twice, not beaned.

All of that being said, today's game will have a winner, and there will be some events worth cheering or booing. Conficker is the same: there is substance, but not in an exciting, ratings-grabbing way. Daily followers of either will find something interesting and something new to learn.

Edit: This game (and the series as a whole) was actually quite exciting. Maybe the best is yet to come from Conficker...

Happy April Fools' Day!

Quick update: Conficker did not display "Happy Birthday Vovo!" as I had hoped (nor did it do much at all, but that doesn't make it any less troublesome).

My favorite April Fools' tradition, the joke RFC, actually makes a little bit of sense this year. Past ones have covered everything from how to carry IP in the most efficient manner to how to monitor your network properly. This year's is a way to teach IPv6 and get more IP addresses out there. It is a joke, because these addresses are not "real", but it's an interesting thought. I think I will use the analogy to explain IPv6 from now on (I'll always give credit to RFC 5514). They actually made a Facebook app :o)

Google introduced an automated you for Gmail, but I liked the printed-and-mailed emails idea better (from a previous year).

And in case you want squeeze bacon, see ThinkGeek.
