http://daveshackleford.com Musings on Security & Other Stuff Wed, 08 Sep 2010 10:33:27 -0700 http://wordpress.org/?v=2.9.2 hourly 1 http://daveshackleford.com/?p=389&cpage=1#comment-1061 Incite 9/7/2010: Iconoclastic Idealism | Portable Digital Video Recorder Wed, 08 Sep 2010 10:33:27 +0000 http://daveshackleford.com/?p=389#comment-1061 [...] it’s not… – Funny, in last week’s Friday Summary both Adrian and I flagged Dave Shackleford’s hilarious 13th Requirement post as our favorite of the week. If you can get past the humor, there is a lot of truth to what Shack [...] [...] it’s not… – Funny, in last week’s Friday Summary both Adrian and I flagged Dave Shackleford’s hilarious 13th Requirement post as our favorite of the week. If you can get past the humor, there is a lot of truth to what Shack [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1056 Network Security Podcast, Episode 211 — National Cyber Security National Cyber Security Wed, 08 Sep 2010 02:26:54 +0000 http://daveshackleford.com/?p=389#comment-1056 [...] The 13th Requirement [...] [...] The 13th Requirement [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1055 Network Security Blog » Network Security Podcast, Episode 211 Wed, 08 Sep 2010 02:14:31 +0000 http://daveshackleford.com/?p=389#comment-1055 [...] The 13th Requirement [...] [...] The 13th Requirement [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1054 Network Security Podcast » Blog Archive » Network Security Podcast, Episode 211 Wed, 08 Sep 2010 02:13:51 +0000 http://daveshackleford.com/?p=389#comment-1054 [...] The 13th Requirement [...] [...] The 13th Requirement [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1030 Friday Summary: September 3, 2010 | Portable Digital Video Recorder Fri, 03 Sep 2010 12:28:41 +0000 http://daveshackleford.com/?p=389#comment-1030 [...] Rothman: The 13th Requirement. Requirement 13: It’s somebody else’s problem. [...] [...] Rothman: The 13th Requirement. Requirement 13: It’s somebody else’s problem. [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1016 Computer Security: Protecting Your Data « Octavecomm | Network Security Thu, 02 Sep 2010 08:27:11 +0000 http://daveshackleford.com/?p=389#comment-1016 [...] ShackF00 » The 13th Requirement [...] [...] ShackF00 » The 13th Requirement [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1012 Branden R. Williams, Business Security Specialist » links for 2010-09-01 Wed, 01 Sep 2010 22:01:41 +0000 http://daveshackleford.com/?p=389#comment-1012 [...] ShackF00 » The 13th Requirement LOVE this. (tags: PCIDSS FAIL) [...] [...] ShackF00 » The 13th Requirement LOVE this. (tags: PCIDSS FAIL) [...]

]]> http://daveshackleford.com/?p=389&cpage=1#comment-1011 Tweets that mention ShackF00 » The 13th Requirement -- Topsy.com Wed, 01 Sep 2010 16:06:19 +0000 http://daveshackleford.com/?p=389#comment-1011 [...] This post was mentioned on Twitter by The PCI Maven, The PCI Maven. The PCI Maven said: @pcimaven ShackF00 » The 13th Requirement http://bit.ly/9gJUgj http://bit.ly/5ok4B3 [...] [...] This post was mentioned on Twitter by The PCI Maven, The PCI Maven. The PCI Maven said: @pcimaven ShackF00 » The 13th Requirement http://bit.ly/9gJUgj http://bit.ly/5ok4B3 [...]

]]> http://daveshackleford.com/?p=384&cpage=1#comment-978 S Wed, 11 Aug 2010 15:53:43 +0000 http://daveshackleford.com/?p=384#comment-978 Excellent "rant." Some funny, or sad, historical observations I have witnessed in order of your questions: 1. People click because it's there. We are trying to ascribe rational thought to an irrational action, it can't be done. The other answer is because nothing impacts the person that clicked, only the IT people feel the pain in most places. I once heard of an organization that used a trouble ticketing system that automatically scheduled you for remedial training based on the type of tickets you created in the system. This is a great way to stop the "clickers." 2. IDS is purchased without a SIEM implementation so people just give up trying to read the alerts and hand pick one or two to respond to if they happen. They purchase the thing for the illusion of security and so the CIO can say it's there. Unfortunately that's enough to satisfy any current audit or certification procedure because no one audits effectiveness of an implementation only its existence. 3. Whitelisting should be used in so many areas. I think people are just afraid to tell their employees no for email, web surfing, etc.. Yay for antivirus though. 4. What I have heard people start saying when they see these public data breaches is as follows:" Well, there are so many people out there maybe they won't get my data." I have also heard companies taking this same approach which I have dubbed the "anchovy" response. When anchovies are attacked they swarm into a ball and just hope they aren't the ones that get picked off, awesome tactic for InfoSec right? Excellent “rant.” Some funny, or sad, historical observations I have witnessed in order of your questions:
1. People click because it’s there. We are trying to ascribe rational thought to an irrational action, it can’t be done. The other answer is because nothing impacts the person that clicked, only the IT people feel the pain in most places. I once heard of an organization that used a trouble ticketing system that automatically scheduled you for remedial training based on the type of tickets you created in the system. This is a great way to stop the “clickers.”
2. IDS is purchased without a SIEM implementation so people just give up trying to read the alerts and hand pick one or two to respond to if they happen. They purchase the thing for the illusion of security and so the CIO can say it’s there. Unfortunately that’s enough to satisfy any current audit or certification procedure because no one audits effectiveness of an implementation only its existence.
3. Whitelisting should be used in so many areas. I think people are just afraid to tell their employees no for email, web surfing, etc.. Yay for antivirus though.
4. What I have heard people start saying when they see these public data breaches is as follows:” Well, there are so many people out there maybe they won’t get my data.” I have also heard companies taking this same approach which I have dubbed the “anchovy” response. When anchovies are attacked they swarm into a ball and just hope they aren’t the ones that get picked off, awesome tactic for InfoSec right?

]]> http://daveshackleford.com/?p=384&cpage=1#comment-977 InfoSec Africa Wed, 11 Aug 2010 05:50:28 +0000 http://daveshackleford.com/?p=384#comment-977 I couldn't agree with your list more, but you might also want to add that until we as information security practitioners come up with a security stack to replace the OSI & TCP/IP stack we're supposed to be securing, we are selling our customers a false promise of security. Right now all we are doing is triple locking the front door ,which may or may not have the kind of door you would find at the entrance to a bank vault, while the slat at the back of the attic can easily be breached. We are paying lip service to the concept of defence-in-depth and yet the answers to our security problems can be found by doing some research on medieval history. I couldn’t agree with your list more, but you might also want to add that until we as information security practitioners come up with a security stack to replace the OSI & TCP/IP stack we’re supposed to be securing, we are selling our customers a false promise of security. Right now all we are doing is triple locking the front door ,which may or may not have the kind of door you would find at the entrance to a bank vault, while the slat at the back of the attic can easily be breached. We are paying lip service to the concept of defence-in-depth and yet the answers to our security problems can be found by doing some research on medieval history.

]]>