Around the Blogosphere and Back


  • Hey everybody. I’ve got a travel day and indeterminate amounts of access. But I did catch the following:

    Hacks

    Bank hacks don’t scare me. Even the larger ones on record. In reading this, I think it’s cool that Dark Reading points out the ability of MFA to help in this case. It’s also very nice of the bank to refund the money. I was once sitting with some VPs at a really good, large bank, and one said, “You know, sometimes we forget that one of the fundamental purposes of banks has traditionally been to keep people’s money safe.” The fact that this was Swedish makes me wonder . . . how homogenized is the banking industry in Sweden? Are there only a couple of targets? I’ve no clue. Man, I have got to get to Stockholm for vacation some day.

    You know what does scare me? People messing with the water system. That’s just not cool.

    Penetration Testing

    Dave G. over at Matasano cracked me up talking about the Ranum vs. Schneier cage match articles on penetration testing in the recent issue of Information Security Magazine.

    Structurally, here are my issues with this piece:

    1. It’s pretty clear that there was no real point counterpoint. These were two separate articles,
    2. Which makes them boring because they aren’t very far off in opinion,
    3. Which would be fine, but it also sounds like neither of them has been anywhere near a penetration test since 1997

    In response to Dave, Michael over at MCWresearch adds his $.02 in a very good defense of the traditional reasons for penetration testing.

    And of course, if there’s someone who will capture my thoughts on the subject exactly, it’s going to be Layer8. They’re just the best.

    Spotlight on Compliance, Holes in Your SOX? Go Barefoot!

    Luther Martin (what a great name) wants SOX repealed. Good enough reason to write an article. But check this out:

    …security industry analysts estimate that there is roughly a 10 percent chance of a laptop being lost or stolen in a given year. … One recent poll of laptop users suggested that the data on their laptops was worth an average of roughly $1 million.

    WARNING, REALLY BAD RISK EQUATION AHEAD - HIDE THE CHILDREN

    Using this $1 million estimate for the value of the data on laptops, we see that using a laptop causes roughly $100,000 in risk (the 10 percent chance of loss multiplied by the $1 million value of the loss).

    The TCO of laptop encryption is roughly $150 per user per year, and is an extremely cost-effective way of mitigating the risk of data loss caused by using laptops.

    It’s even cheaper if you’re using OS X (Sorry for the Apple snarkiness).

    On the other hand, because information security projects are now often unfunded in favor of SOX compliance projects, many laptops that could otherwise be protected with encryption remain unprotected. Thus many firms find themselves in the position of accepting risks that would otherwise be mitigated due to the lack of funding for risk-mitigating technology. So one side-effect of SOX is that the government has effectively restricted the ability of businesses to manage risk in other areas than those covered by SOX itself.

    Horrible risk equation, but great point. Too many times, dumb compliance efforts mean real risk is left unmitigated. There’s got to be a better way, and maybe there is.
