Nice piece in Network World on how DISA uses software vulnerability testing, penetration testing, red teams, etc. early and often… Of course, you may say “they also can afford to buy $5,000 coffee pots” but the reality is that approach saves them money overall… Imagine if they used their purchasing power to push those requirements up into all of their spending on software… Speaking of that, where is the “security Tang” out of all the NASA space exploration spending?
In the search engine wars, Microsoft Bing came out with default settings of Safe Search on, as does Google – a good thing… Of course, it is very easy to turn off, this is all consumer-grade technology after all… But increasingly, proxies and gateways let you turn Safe Search back on by inserting the right tags into the query string… Looking for a cheap/free way to get some web filtering done? If you don’t mind seeing advertising when someone enters a broken URL, take a look at OpenDNS – I’ve started to see it in action at a number of WiFi hotspots, another good thing…
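The query-string approach mentioned above, as an added example that is not from the original post: a rewrite a proxy or gateway could apply to outbound search URLs to force the strict filter back on. The `safe=active` and `adlt=strict` parameters are Google's and Bing's own public Safe Search switches; the function names and the sample URLs are constructed for this illustration.

```python
"""Force Safe Search on outbound search-engine URLs, the way a filtering
proxy or gateway rewrites requests. Illustrative code, not from the post.
Parameter names are the engines' own; everything else is this example's."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def search_engine_rule(host: str):
    """Return (param, value) that enables strict filtering for this host,
    or None if the host is not a search engine we rewrite."""
    labels = host.lower().rstrip(".").split(".")
    if "google" in labels:            # google.com, google.co.uk, www.google.de, ...
        return ("safe", "active")
    if labels[-2:] == ["bing", "com"]:
        return ("adlt", "strict")
    return None


def enforce_safe_search(url: str) -> str:
    """Rewrite a request URL so the engine's Safe Search parameter is set to
    its strictest value; any client-supplied value for that parameter is
    discarded so a weaker setting cannot be smuggled through. Non-search
    URLs pass through unchanged."""
    parts = urlsplit(url)
    rule = search_engine_rule(parts.hostname or "")
    if rule is None:
        return url
    key, value = rule
    # keep_blank_values keeps an empty "q=" intact; drop the filter key itself.
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != key]
    params.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    # Constructed sample requests as a gateway might see them.
    for sample in (
        "http://www.google.com/search?q=cats&safe=off",
        "http://www.bing.com/search?q=cats",
        "http://example.com/search?q=cats",
    ):
        print(sample, "->", enforce_safe_search(sample))
```

The rewrite only reaches traffic the gateway actually terminates and can modify, which is why the post calls the setting easy to turn off on the client side.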
The uncertain economic climate seems to be forcing a lot of questionable mergers and acquisitions in the security space, but has also definitely given a nudge to some good ones that make a lot of sense… Two sinking ships that tie themselves together rarely float better…
Old fart comment: lots of the new stealth security startups are from people with scads of experience from companies like Google, MySpace, etc. vs. the traditional IT or networking companies… That is actually a really, really, really good thing – they are really the first generation of decision makers who grew up in an era where all software was just assumed naturally to be exposed to the Internet or deployed as an Internet service from the get-go… Those “kids” also grew up having to wear helmets when bicycling, never rode in a car without buckling their seatbelts, and never saw an email prior to the era of every business saying “we would never ask for sensitive information over email”… Of course, that same generation falls for the old style scams when they come via Facebook or Twitter…
Another wave of PR hype around recent lawsuits about lack of security due diligence… Has any board of directors ever looked at a class action lawsuit, had a light bulb go off, and said “Aha – information security is important, increase the budget, promote the CISO!!”… More likely, when boards hear “liability” they tend to make sure that the corporate Directors and Officers Liability insurance coverage is sufficient… The actual business damage of incidents is usually the bigger driver for board-level pressure that ends up making the IT security job easier rather than harder.
T-Mobile v1: “We’ve identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers.”… T-Mobile v2: “the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised.”… T-Mobile v3: “We haven’t confirmed how the information was obtained… T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers’ information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible.”… I wonder if any termite inspector has ever found one termite, looked deeper and not found many others?
The most valuable college course I ever took was an MBA course on marketing and advertising… You begin to realize why human behavior doesn’t change, and you start to understand why firewall advertising posters in airport gates and shuttles can actually influence a class of firewall purchase decisions… It also helps you realize that the same approach, but with security posters in lunchrooms, does not influence a very different class of decisions… This is why automatic ticket-issuing speed cameras result in lower speeds and public safety announcements do not…
John Pescatore