Tuesday, March 11, 2008

Carnival of the Security Catalysts Community for 03/11/08

Like many others, I have been a member of the Security Catalysts Community for a while. When I first joined, I did not really take advantage of my membership as much as I should have, but I have made up for it in the last few months.

When Micheal Santarcangelo started the weekly Carnivals, I was more than happy to participate. If you are not yet a member of the Security Catalysts Community, or SCC as it is lovingly known, please do pay us a visit.

Some of the topics that caught my attention in the last week were:


  • Credit card testing. Regulatory and contractual compliance score high in corporate board rooms all over the world. Among the well-known ones are HIPAA and Sarbanes-Oxley.
    Another one that impacts just about anyone who accepts, processes, or transmits credit card information is PCI DSS. The payment card industry's data security standard sets a minimal set of requirements that must be met by anyone who is in scope. Not complying with PCI DSS may lead to contractually imposed fines, or at worst, a situation where companies will not be able to process credit cards at all.
    One author posed an interesting question on the forum regarding developing and testing applications that use credit cards. The post lead to some very high-quality responses and pointed out clearly that even test/development environments are subject to PCI DSS requirements, and should minimally be protected at the same level as production environments.
    Anyone who develops or tests software, or who is responsible for compliance and/or information security should read this post!

  • Club Penguin: It's no longer just intellectual. Like many parents out there (myself included), Martin McKeay worries about social networks focusing at young children. Martin kicked off a post on the SCC forums, followed up with a more detailed post at his own blog.
    In the post, Martin introduces a set of rules that he set for his children

    1. Club Penguin is a privilege, not a right
    2. The door to your room has to be open or you have to play Club Penguin on a computer in the common area
    3. Tell Mommy or Daddy immediately if anyone asks you for your real name, address or phone number.
    4. No logging into your brother's account!!

    Very sane advice!
  • Protecting our Families Online. Martin's post prompted another one, which aims to help all parents by providing a list of resources that will help you in the way you protect your family online.

  • What's the difference between a sinkhole and a honeynet? Michael Farnum asked this question on February 24 and the responses are still flowing in. The reason that I included it here is to illustrate that the Security Catalysts Community caters to information security professionals at all different levels. Some of us are highly technical, while others have a more strategic focus. This topic is somewhere in between.
    One answer to the question that I liked a lot was posted by Allen Baranov. Allan runs his own blog too.
    The main reason for having a honey-net is to monitor and see what attacks are being performed on your network. TO use ISC2 terms - it is a detective control. Obviously the attacker is wasting his time and it hopefully prevents him from moving onto your other machines. So a side benefit is that it happens to be a preventative control at the same time.
    A sinkhole is really like a honey-net without the monitoring aspect. It is primarily a preventative control in that it makes scanning and attacking a network take longer. If you hook up some sort of monitoring to the sinkhole then it can also have the benefit of giving information about attacks but this is not its primary function.

  • Digital Forensic Training. Andy Willingham started this post on February 26 to find out which good trainings were available.
    While the post drifted away from the original question that was asked, some very interesting and thoughtful responses were made. Statements like

    I cannot tell you the number of times where I will receive a call and find out during that call that no basic troubleshooting was done and no information was maintained at all. That's extremely frustrating due to the questions that same customer will ask me. I actually get questions like, "we shut the system down immediately, took it off the network and now we want you to tell us what was going on on the system at the time we shut it down."

    must strike a cord with anyone who was ever been in a position where s/he was the first responder to an information security incident and ran into this. Very anecdotal and (unfortunately) very common.

  • It's my computer... I will install any program I want to. One of the more scandalous backdoors that I have seen in a long time. Tim Krabec reminds us in a blog post of two important lessons:
    1. Use a different password on every site you visit, or at the least use a group of passwords 1 or 2 for throw away registrations, ie local newspapers, national papers, other sites that do you would not give person/private information to.
    2. It is important that you know what programs you have on your computer, and that if you have and IT department or a computer guy/gal that they know what programs you have installed on your computer.

    I would like to add to that, that it is important to make sure that you have some form of anti-malware installed and up-to-date. While this attack would not have been prevented, hopefully the anti-x vendors will pick up on it and add signatures for this product to prevent the damage from spreading further.


In addition to the blogs already mentioned above, there are a few more worth mentioning, in no particular order and limited to five.

To get involved with the Security Catalyst Community, please visit the forums and register.
To ensure a high-level of content, there are some rules:

  • You have to sign up with your real name;
  • All membership applications are reviewed manually and approved (or rejected) individually

No comments:

Post a Comment

Please share your view and opinions on what I wrote. In order to maintain quality, all comments will be moderated for merit. Contributions that call me out on statements that appear unfounded, wrong, or simply with which you disagree are highly appreciated and are even encouraged. Spam and 'me too' answers will be ignored.