Anton/Brando Aggregator

May 2013 Roundup

Mon, 03 Jun 2013 22:34:24 +0000

Stay Classy, San Diego!

What was popular in May? It’s almost summer time! And of course, we have all kinds of horrific weather impacting parts of the country that many of us call home. I played an extra in a show about hackers (does this mean I need to join SAG?), and have been speaking to all kinds of companies about their products and services. I even spoke at a few shows and did a webcast!

Here are the five most popular posts from the last month:

How Starbucks is Revolutionizing Mobile (Micro) Payments. This post just won’t quit! It switched places with the next post from last month, but it’s still a big deal. You know how you see those crazy fools that pass their phone in front of some magical sensor at Starbucks and never seem to pull out their wallet, yet walk away with coffee? That is really part of a huge master plan to reduce the impact that payments has on the organization. Check out the scenarios discussed!
The Only Customer Service Script You Will Ever Need. Is it a sign that the economy is turning around? Is customer service is less important now that customers are easiser to come by? Check out this diversion from security that will make you think about how you interact with your customers.
The Definition of Cardholder Data. Yet another powerhouse that is keeping on top of the links. It’s still on people’s minds, probably because they are looking for ways to drop systems out of scope of PCI DSS, or because they are looking at the new eCommerce guidance from the Council. Hopefully this is a good benchmark for you.
PCI Requirements Review. Here’s a quick review on Patching and IDS. Back in the top five again, so I wonder if this post with the previous has signaled assessment season is well underway for 2013.
A Few Tips for Getting Ahead of PCI Compliance. The great folks over at Tripwire caught me in the hallway right before my book signing with Anton. Check out this quick video for some timely tips on getting ahead of PCI Compliance!

Thanks for stopping by!

Possibly Related Posts:

Monthly Blog Round-Up – May 2013

anton@chuvakin.org (Anton Chuvakin) — Mon, 03 Jun 2013 10:13:00 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“Why No Open Source SIEM, EVER?” contains some of my thinking from 2009. Is it relevant now? Well, you be the judge.
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research:

My Next Research Area: Incident Response

Past network forensics research:

Past security data sharing research:

Miscellaneous fun posts:

(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monthly Blog Round-Up – April 2013
All posts tagged monthly

No such file or directory, RVM and Rubies!

Sun, 02 Jun 2013 14:09:17 +0000

This is quite a diversion, but it’s something that I want documented and indexed by the G00gles of the world in case someone else has a problem like me. If you are not interested in Ruby, or Rails, or RVM, skip this and will see you later on in the week!

Ruby!

I recently had an issue that stumped me (as well as the great folks in the #rvm channel on Freenode). In the process of setting up RVM, I initially made the mistake of doing it as root on a Debian (Squeeze) machine. Cautionary word, you are good playing with the system rubies provided by APT, but if you want to get to the bleeding edge, do all of your RVM installation and dev work as a user, not root. It caused some interesting conflicts. But no worries, this simple command completely reset my RVM setup (as in, I completely removed everything and started over):

# rvm implode

Fun name for a command, and boy does it work. Next, I went here and ran through their process of re-setting up RVM. Everything completed, and after a quick “rvm reload” I was able to see my RVM infrastructure fine. But trying to validate the ruby installed didn’t work. Doing a ruby -v gave me:

bash: /path/to/my/home/.rvm/rubies/ruby-2.0.0-p195/bin/ruby: No such file or directory

Yet, the file was there, permissions were correct, and by all accounts there should not be any errors. But as you can imagine, when you can’t run the ruby interpreter, nothing is going to work. Like NADA. After some tinkering with the guys on #rvm, they figured out that the binaries they assembled were at fault. So if you are ever in this situation, the command you want to run to avoid binaries and build from source is:

$ rvm reinstall 2.0.0-p195 --disable-binary

Provided you have all the tools needed to build a binary on your machine, this will grab the correct source and build it from scratch. Everything is beautiful now! Working like a champ:

$ ruby -v
ruby 2.0.0p195 (2013-05-14 revision 40734) [x86_64-linux]

So there ya go. Hopefully you never end up getting this strange “No such file or directory” error, but if you do, try disabling a binary build.

Possibly Related Posts:

Adventures in Rails

Fri, 31 May 2013 14:00:49 +0000

It has been quite a while since I did any hardcore coding. Since that time, I have dabbled in various web projects, but programmers who don’t practice tend to get stuck in ruts. Most of the time, I would use my skills to solve small problems using methods and technologies I knew worked. If you want examples of that, go check out Brando Labs. Why do I continually pull tools like Perl, PHP, sed, Bash, and Python out to solve problems? Because I know how they work, and the learning curve to get back into the swing of things is relatively shallow.

Hands on: “MacBook Air”

Back in the Stone days, I ended up taking a week long Java class that had me coding in JSP and servlets for a time. Object Oriented Programming was a struggle for me. I was taught Top-down procedural programming starting in Pascal & C/C++, but it took this class to get the object thing to click. I am bringing this up because I have decided to re-visit a technology I saw in its 1.0 iteration, Rails. Or more specifically, Ruby on Rails.

WOW it has come a long way since 2005!

In the last eight years, it seems to have become the standard for rapid web development. After completing the fabulous tutorial by Michael Hartl, I’m recognizing the constructs everywhere (especially with the Twitter Bootstrap paintbrush). But that’s not the point of this post. There were two things very interesting to me that I observed in the Hartl tutorial that I hope will trickle down into other development courses. Maybe I’ve never been exposed to them because I’ve been out of the professional dev world for so long, or maybe it’s just a fluke, but I think both of these will go a long way to improving the quality and security of software for the developers who follow them.

The first observation was the discussion of security in application code. In a number of instances, Michael specifically calls out tweaks to a rails configuration and the specific code to promote a secure application. He even takes it a step further and makes the faithful reader perform several exercises to promote security. I hope this pushes itself down into the colleges and schools that offer courses on development. Thinking about secure development starts from the first printf(“Hello world.”).

The second observation was the notion of Test-Driven Development (TDD). In nearly all of my development experience, we rushed to get functionality out the door and hastily tested it, passing the builds along to another group to test and tell us what we missed. This is a horribly broken way to build software and requires excess manual effort to complete the testing process which gets more complex with every build. Repeatedly testing the same things over and over again gets monotonous and human nature all but guarantees mistakes.

Patched Tube, by Morten Liebach

In TDD, you write the test before you write the code. It sounds strange, and seems counter intuitive to every fiber in our body that says “STAY PRODUCTIVE,” but it’s one of those long term benefits that pays massive dividends as your application gets bigger and crazier. For example, let’s say you have an application that has users, but you want to add blog items (or microposts in Michael’s tutorial), you first write a test to see if the blog table exists with all the properties you would expect it to have. You run your tests, they fail of course, and then you write the code to make the tests pass (thus adding the functionality you are looking for in the first place!). Now, every time you run your larger application tests, this test will run and you will quickly learn if you break something that makes part or all of your functionality disappear. The same thing goes for displaying information. Write a test to see if the information is displayed (it will fail), then add code to make that test pass.

So while this may be old hat to some of you out there, I found it interesting enough to pass it along to the larger audience. There are tremendous implicaitions for PCI DSS related applications in using both of these methods. Building security tests in will ensure that you don’t introduce bugs that disclose payment card data, logins, or introduce SQL injection vulnerabilities. Going back and building these tests can be a pain, but it’s already a big part of the technical debt your application is carrying. Consider this preventative work—or good work to prioritize in the system even if it causes new features to be pushed down the road.

Possibly Related Posts:

In Favor of Scenario Planning

Tue, 21 May 2013 14:50:25 +0000

Harvard Business Review recently published an article by Angela Wilkinson and Roland Kupers called “Living in the Futures.” In it, Wilkinson and Kupers discuss the function of scenario planning at Shell—a practice that has been going on in earnest since the 1960s at the company. There are a number of great nuggets that we can use here in information security to help us plan for inevitable security events. The main goal of scenario planning at Shell is to open up the minds of managers and executives to the possibilities of events in the future. It’s designed to buck the trend of thinking that the future will be much like the present, such that when things happen they are well poised to make adjustments to weather the storm (or capitalize on the opportunity). In fact, a former head of this program is quoted in the article describing this as a technique to “manipulate people into being open-minded.”

Spoon, by felixtsao

Shell’s scenario planning team builds alternate realities for executives to work through to prepare them to sense change and be prepared to address it. Through this, Shell says they have found ways to be more sensitive to weak indicators that change may be coming.

We need to do the same thing in information security. My formula for scenario planning centers on some kind of security incident (duh). It should be run at least quarterly, and the scenarios should vary such that you can rotate executives in and out of the planning (maybe the COO is in two of the four yearly tabletop exercises) and practice dealing with different kinds of problems. Practicing the same problem over and over will make you good at that, but Murphy will make sure that something else happens instead.

Jimmy Davidson, scenario planning lead in the 60s and 70s, says that scenarios should be more plausible than probable. He says, “(…) you can never identify all the forces at play. If you could, and see their interactions, then real prediction of the future would be simple.” For example, when we build our scenarios for information security we might do a scenario where a contractor for our firm goes rogue and steals a laptop containing IP even if we don’t have any contractors today or plan on them in the future. It’s certainly plausible, and will prepare you for dealing with a number of variations of that same scenario.

Scenarios should be updated as needed and follow current market trends. If we were doing this ten years ago we probably wouldn’t practice falling victim to an advanced threat by a nation state; but we should be doing this today. How do you do scenario planning today? Four IT/IS guys and a box of donuts around a conference table without executive presence? Or full fledged mock chaos?

Possibly Related Posts:

Garmin’s Missed Opportunity

Tue, 14 May 2013 14:55:24 +0000

Businesses are moving faster than ever in this digital economy, and entrepreneurs build and showcase new innovative products or business models every day. The term that is thrown around to describe this phenomenon is called ‘disruption’. As an example, the iPod and iTunes Store disrupted the music industry in a way that forced companies to re-invent their businesses. Remember back in the 1990s when you could find an actual record store? Sure, most of us bought CDs, but it was still a store dedicated to the sale of music. I have fond memories of visiting Blockbuster Music and trying out CDs before I bought them.

The Data Center, by Tu Holmes

But Apple changed all of that. They disrupted an established market where prices were fairly constant and controlled and turned it on its head with both an innovative product (iPod), and an innovative business model (iTunes Store). They forced businesses who didn’t keep up to close. They forced producers to put a more solid set of 10-12 songs on an album since consumers could now just buy the one or two they wanted for a fraction of the cost of the album. This is disruptive innovation, a collection of ideas that largely makes up the work of Clayton M. Christensen’s Disruption Theory¹.

Many established businesses came to be from big innovations that made them the standard in an industry. Garmin is one of those companies—largely known for consumerizing GPS technology. Through the 1990s and 2000s, they continually innovated on their consumer GPS technology² to go from just your lat/long coordinates to breadcrumbs to moving maps for roads, oceans, and airways. They found ways to embed their technology into cars with turn by turn direction. Some of us have the external units that suction cup to the window, and others have it built in.

This market is currently being disrupted something fierce by smartphones and turn-by-turn directions. With few exceptions, I can’t imagine someone with this capability on their smartphone shelling out hundreds of dollars on another device with another cable and another subscription.

/lalala, by striatic

I recently went to investigate updating the maps on my in-vehicle GPS and was shocked to learn that Garmin wanted $250 for the new map package. $250! That’s more than the price of a new external GPS, and don’t forget the package is updated every year.

Garmin is missing a massive opportunity to control in-vehicle navigation in the mobile market. I can assure you, I would rather have a touch screen with all kinds of vehicular automation without a GPS feature than be forced to pay each year to update the map. I’m not saying that Garmin needs to give it out for free, but if they do choose to charge for it they should pick a small price to create subscription revenue. Something like $20/year for the new maps would be acceptable.

Some investors in major funds have taken a bearish attitude toward Garmin, so maybe this may help adjust expectations. Even though Apple has shown us that turn-by-turn navigation in a smart phone isn’t perfect, for the most part it is an acceptable analog—especially when you need an address on a street that didn’t exist a few years ago.

Possibly Related Posts:

Google this for tons and tons of stuff.
Including that failed call phone product, remember that?

April 2013 Roundup

Mon, 06 May 2013 22:53:30 +0000

Stay Classy, San Diego!

What was popular in April? April was a rough month for many folks (as it historically has been). We have had crazy weather all over the US, and I was able to experience a few new cities with El Wiforino. Thank goodness for the great food choices in London! I’m so glad that was our last stop.

Here are the five most popular posts from the last month:

The Only Customer Service Script You Will Ever Need. This is the post that keeps on bringing people back! Maybe spring break travel issues? Check out this diversion from security that will make you think about how you interact with your customers.
How Starbucks is Revolutionizing Mobile (Micro) Payments. For the fourth month in a row, this post is really keeping people moving. I even had an industry colleague talk to me about it as we were buying coffee at said coffee chain. You know how you see those crazy fools that pass their phone in front of some magical sensor at Starbucks and never seem to pull out their wallet, yet walk away with coffee? That is really part of a huge master plan to reduce the impact that payments has on the organization. Check out the scenarios discussed!
The Definition of Cardholder Data. Another oldie but goodie for the seventh month in a row. It’s still on people’s minds, probably because they are looking for ways to drop systems out of scope of PCI DSS, or because they are looking at the new eCommerce guidance from the Council. Hopefully this is a good benchmark for you.
PCI Requirements Review. Here’s a quick review on Patching and IDS. Back in the top five again, so I wonder if this post with the previous has signaled assessment season may have kicked off early this year.
A Few Tips for Getting Ahead of PCI Compliance. The great folks over at Tripwire caught me in the hallway right before my book signing with Anton. Check out this quick video for some timely tips on getting ahead of PCI Compliance!

Thanks for stopping by!

Possibly Related Posts:

Monthly Blog Round-Up – April 2013

anton@chuvakin.org (Anton Chuvakin) — Wed, 01 May 2013 14:07:00 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

Miscellaneous fun posts:

(see my published Gartner research here)
Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Monthly Blog Round-Up – March 2013
All posts tagged monthly

The Gotchas of EMV for the US Consumer

Thu, 25 Apr 2013 13:46:16 +0000

Some of you may know that I spent a little over a week on vacation with my wife traipsing through Europe this month. And even though I was constantly yelled at for walking too fast or running to check out some grey squirrel (they are tan here in the US), we had a fabulous time. We had a few hitches in our travels as any trip will, but one in particular caught us very much by surprise.

Chip, by Declan Jewell

I made it a point to get my most commonly used credit cards (unfortunately, the one tied to my checking account is WAY behind the times here) re-issued with a chip in them so I would have plenty of fun over in Europe looking like a local and entering my PIN into all of these mobile readers. But something peculiar was happening that didn’t make sense to me until I had a few transactions rejected.

If you recall, the implementation of EMV here in the states is going to be Chip and SIGN, not Chip and PIN. So instead of inserting your card in the slot and punching in a PIN, it reads the chip, sends off the authentication info, and then you sign the slip just like you would here in the US for a normal swipe transaction. 95% of the time this worked just fine. I had one instance in a pub in Florence (yes, I found an Irish pub and had to sample some of their delicious beers because let’s face it, Peroni and Moretti are meh) where I watched the bartender SWIPE my card for it to be quickly denied. Lesson 1, if there is a chip reader available, there may be a security feature in the card that requires you to use the chip slot and not the swipe. Once he used the chip slot, things went through as normal.

Now, flash forward a few days to Barcelona. I’m particularly excited because the weather was very nice, the sun was shining, and we were a bit northeast of Barceloneta, so we needed to take the Metro. I thought, sweet. No problem! This would be a chance for me to use the PIN I assigned to both of the cards because there is no way that there will be a person down there to accept the card for signature. I was right about the lack of personnel support, but boy was I wrong about the PIN thing.

DENIED!

I felt like that one day in college where I thought I was going to be a big shot and buy a round for the bar. “Don’t worry, guys! I’ve got a MASTERCARD!” Aaaaand, over its limit.

So I found some cash, fed the hungry ticket machine, and got us fare for two days on the metro. But I was confused! Wasn’t this whole chip thing supposed to solve my problems with paying in Europe?

my bank sucks, by B Rosen

I spent a few minutes on the phone with my bank when I got back and figured something out. My card that is issued in the US and made to work with US systems ONLY works the US way. Meaning, as it stands today, my card CANNOT be used in a Chip & PIN scenario, and ONLY can be used with Chip & SIGN. This means that any automated machine will not be able to accept my cards because they all require the Chip over the swipe if present and the only way they can accept my Chip card is with a signature.

That, my friends, is EMV’s manifestation of the Catch-22.

So as you are issued your new EMV card here in the US, be aware of the limitations (including your ATM cash retrieval limits if you get in a bind!) of the implementation before you stand for ten minutes in a line that will just get stuck with you fumbling around with your non-standard card.

Possibly Related Posts:

A Funny Thing Happened On The Way To The Vatican

Tue, 16 Apr 2013 14:30:33 +0000

As a global traveler, I tend to be subject to more than anyone’s fair share of security checks. This means that I am ready for them, and also tend to find patterns in things. For example, if you are in a domestic US airport (where security is TSA, not private), you don’t have to take your liquids out. I have been putting them in the top pocket of my roll aboard for years now and have only been stopped in Bozeman, MT (private security), where all the bad guys go. But try that same trick through London Heathrow, and you are guaranteed a 15-45 minute delay.

Chris & I at Trevi Fountain.

I visited the Vatican on Saturday, and thought the security was peculiar. For example, getting through the Vatican Museum (the only way commoners can go to see the Sistene Chapel) requires a basic security check, but I only had to put my camera down on the belt and the metal detector didn’t go off with my phone in my pocket. After going through there, we went to see St Peter’s Basilica and were forced to wait in yet another security line. This one was pretty amusing as EVERY third person or so set off the metal detector, but the guard just waved everyone through without even looking at why we set off the alarm. I guess it pays to tour when there are crowds.

Security controls really have two major characteristics that make them enforceable and respected. The must be relevant to the user (I would expect to have a complex password or be checked for guns when entering St Peter’s), and consistently enforced (if there is a complexity requirement in policy, machines better enforce it when I test it). The human element may bring some challenges here where people try to test parts of the control (if I think passwords are stupid, I just write them down somewhere), or find creative ways to subvert it. Compliance initiatives sometimes hurt us here because users don’t see the relevance, and systems don’t properly enforce the controls… just like what I saw at St. Peter’s.

The most accurate representation I have seen thus far was in Florence at one of the MANY museums. My phone set off the metal detector and the guard asked to see what was in my pockets. I showed him, and he let me through. That seemed to be a much more appropriate use and enforcement of controls. So as you design your controls, think about the user experience (and be sure you are subject to the same control!).

Possibly Related Posts:

Monthly Blog Round-Up – March 2013

anton@chuvakin.org (Anton Chuvakin) — Mon, 01 Apr 2013 16:35:45 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that often shows up on my top list; it covers some tips on choosing SIEM tools.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

Consumption of Shared Security Data
On Trust in Security Data Sharing
On Security Data Sharing Research
On Security Data Sharing
Our Log Standards Paper Publishes (mentions select data sharing standards)
More on DoS and Shared Security

Miscellaneous fun posts:

Previous post in this endless series:

Monthly Blog Round-Up – February 2013
All posts tagged monthly

A few tips for getting ahead of PCI Compliance

Tue, 26 Mar 2013 13:22:23 +0000

The great guys at Tripwire found me outside of the bookstore at RSA Conference this year and wanted to have a quick chat about PCI Compliance! Check out the video below for a few tips that might be helpful for you as you continue your way down this journey.

Possibly Related Posts:

To Catch a Plagiarizer

Tue, 19 Mar 2013 17:54:20 +0000

I’m not a young pup anymore. Not that I’m nearing retirement anytime soon, but I find it amazing how much things have changed in the academic world since I first started my bachelors degree in 1996. I can’t prove it (yet), but I can almost guarantee that students in grades six through twelve have no real experience or knowledge of encyclopedias. I remember being envious of friends of mine who had those books in their houses. All that knowledge right at their fingertips, and here I was going to the library, LIKE A SUCKER!

Streeter Seidell, Comedian, by Zach Klein

Now that I am working on my third spin as a student through the academic world (just under eight years from my last exit as a student and about five years from my exit as a professor), I see escalations on both sides of the plagiarism problem—the students (and professionals) abusing the system and organizations trying to stop it. When I was a professor, plagiarism was relatively easy to spot. A good number of my students were not native English speakers, and the ones that were had escaped their bachelors degree without a refined ability to express themselves through written prose. So you can imagine that when I would receive a paper with some awkwardly worded paragraphs and see a beautifully formatted and written grouping of sentences right in the middle, I started asking questions about where this text was lifted from. And thanks to the expansiveness of Google, it’s pretty easy to find plagiarism.

In the worst case, I had a student that plagiarized nearly half of his paper from another source without any references. We always tried to give the student the benefit of the doubt, but could not accept the work as-is (immediate zero plus a potential to turn it back to the university for disciplinary action). As someone who had taught higher-education, I felt very prepared for the lectures we would get on plagiarism in my doctoral program. For the most part, nothing was too surprising. It’s a serious offense to publish something as your own when it is not. The biggest trick to avoiding plagiarism is to only write in your own words but reference the sources you use to build those words. That is, avoid direct quotes and never use the copy and paste functions prevalent in every word processor.

My first couple of quarters were absolute killers on writing for me. I had to develop my academic voice and get used to standing on the backs of other scholars. Imagine my surprise when I used the same techniques in the past on a total whim to discover another student plagiarizing. Accidental or not, it’s still a serious issue that is unpleasant for everyone to deal with.

To close out this post, I wanted to offer some tips to avoid plagiarism so you don’t end up in a bad situation as you move through your academic and professional career. Everyone makes mistakes, but this short guideline should help ensure you don’t end up plagiarizing:

Realize that your papers (and students before you) are probably added to one of a few databases to check for plagiarism, so don’t give away your past work and don’t copy another learner’s work.
When in doubt, cite. Go find a solid reference if you need to back a claim up.
NEVER USE COPY/PASTE!
Don’t try to play the “All I need to do is change a few words and it’s not plagiarism” game after violating the above rule. Just write it in your own words.
Do not turn in one of your old papers as new/current work.
Google can be a great research tool, but it can also be a great whistle blower. If you can access something through it, so can your professor.
It’s better to confront problems in the learning process with a professor before risking plagiarizing to meet some deliverable date.

Possibly Related Posts:

Monthly Blog Round-Up – February 2013

anton@chuvakin.org (Anton Chuvakin) — Mon, 04 Mar 2013 15:21:50 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current network forensics research:

Current security data sharing research:

On Trust in Security Data Sharing
On Security Data Sharing Research
On Security Data Sharing
Our Log Standards Paper Publishes (mentions select data sharing standards)
More on DoS and Shared Security

Previous DLP research:

Previous post in this endless series:

Monthly Blog Round-Up – January 2013
All posts tagged monthly

Monthly Blog Round-Up – December 2012

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Feb 2013 16:47:54 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:
Current DLP research:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Previous post in this endless series:

Monthly Blog Round-Up – November 2012
All posts tagged monthly

Annual Blog Round-Up – 2012

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Feb 2013 16:47:31 +0000

Here is my annual "Security Warrior" blog round-up of top 10 popular posts/topics in 2012.

“Simple Log Review Checklist Released!” was again the most popular this year. The checklist, a list of critical things to look for while reviewing system, network and security logs when responding to a security incident
PCI DSS Log Review series of posts take the #2 spot; they are about planning and executing PCI DSS-driven log review at an organization
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
“On Free Log Management Tools” is another perma-popular post, presenting a companion resource to the log checklist above
“Top 10 Criteria for a SIEM?” is an EXAMPLE criteria list for choosing a SIEM.
“Log Management at $0 and 1hr/week?” is pretty much what it is. How to do log management under extreme budget AND time constraints?
“Updated With Community Feedback SANS Top 7 Essential Log Reports” and an older “SANS Top 5 Essential Log Reports Update!”
“SIEM Bloggables” has one possible view on higher-level SIEM use cases and basic functionality, and a quick discussion of SIEM user types.
“How Do I Get The Best SIEM?” is a discussion (circa 2010) about approaches to choosing SIEM tools and matching functionality to requirements.
2009 post called “Log Management + SIEM = ?” gives some quick architecture advice on combining SIEM and log management

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.
Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Monthly Blog Round-Up – January 2013

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Feb 2013 16:47:05 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
My classic PCI DSS Log Review series is popular as well. The outlined log review approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“SIEM Bloggables” covers a few high-level SIEM use cases and my view (at the time) of key SIEM functions.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:
Current network forensics research:

Network Forensics Defined?

Previous SIEM research:

My SIEM Papers Are Out

Previous DLP research:

Monthly Blog Round-Up – December 2012
All posts tagged monthly

Links for 2013-01-10 [del.icio.us]

Fri, 11 Jan 2013 08:00:00 +0000

Links for 2013-01-07 [del.icio.us]

Tue, 08 Jan 2013 08:00:00 +0000

Links for 2013-01-06 [del.icio.us]

Mon, 07 Jan 2013 08:00:00 +0000

2013 Prediction – It’s a Mad, Mad, Mobile World

Links for 2013-01-03 [del.icio.us]

Fri, 04 Jan 2013 08:00:00 +0000

2013 Open Group Predictions, Vol. 1 | The Open Group Blog

Links for 2012-12-27 [del.icio.us]

Fri, 28 Dec 2012 08:00:00 +0000

Browsing Security Predictions for 2013 « Hackmageddon.com

Links for 2012-12-26 [del.icio.us]

Thu, 27 Dec 2012 08:00:00 +0000

Links for 2012-12-22 [del.icio.us]

Sun, 23 Dec 2012 08:00:00 +0000

PCI Compliance Book Giveaway #2

anton@chuvakin.org (Anton Chuvakin) — Fri, 14 Dec 2012 00:09:40 +0000

OK folks, our PCI Compliance book has been out for a few months now, and Branden & I thought it would be fun to give away a copy with another contest! We have assembled a group of three independent judges who will look at the submissions and pick winners for each competition. The winner will receive a free, signed copy of the book! In fact, it would be one of those rare “dual-signed” copies with both of our signatures (and the book will have to travel from TX to CA – or from CA to TX – for this )

So, on to the second contest (first one).

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey “anything goes” view. We want to take a compliance-friendly and security-friendly, practitioners line. However, sometimes even a compliance guy has to be CREATIVE!

So our second challenge to you, in the comments below, please tell us about your MOST CREATIVE PCI DSS CONTROL you implemented, assessed or even witnessed.

HOWEVER, it will help your submission if such control was also ACCEPTED by a QSA. We will absolutely reject the creative control submissions that have no chance of making your environment PCI DSS compliant…

You’ve got about a week (until the end of December 21st), and we will announce the winners after the holidays!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Related posts:

PCI Compliance Book Giveaway–Results

anton@chuvakin.org (Anton Chuvakin) — Tue, 04 Dec 2012 22:32:59 +0000

Our PCI Compliance Book Giveaway has ended – with a bang! The winning entry (submitted here) is below:

"Hilarious in a sad way, the worst PCI fail I ever had was getting
solicited by a Wedding / Bridal catalog company to assist them in
improving their online ordering and bridal catalog subscription
service. I had no contract with them, this was just a preliminary
"Let's see what we can do for you." They sent us their website, and
also e-mailed me a copy of their site's source code.
In the source code was an SQL dump of over 7 years of brides personal
information including names, addresses, birthdays, and FULL credit
card numbers, expiration dates, CCVs, card type, phone numbers, email
addresses, and unencrypted passwords.
In shock of seeing this, I called the potential client, said we
couldn't help them and deleted the data as completely as I could.
Eek!"

The winner, “James P”, please mail your address to authors@pcicompliancebook.info and we will mail you your signed copy of The PCI Book, 3rd edition. And, no, we won’t charge your credit card for that

The runner-up entries were:

“A very large retailer decides to reorganize their IT department to be more responsive and reactive. As part of that reorganization, they create a group titled 'Enterprise Monitoring' that is responsible for the care/feeding of the log management and analysis solutions. Centralized personnel that actually do the monitoring are pushed out to the business units where, according to IT management, the actual monitoring belongs. Everyone at the meeting announcing this decision says that the name. Enterprise Monitoring, needs to be changed because it gives the impression that the group does the monitoring, but they are over ruled.
Spin ahead almost a year later to their PCI assessment. The monitoring personnel that were pushed out to the business units were, surprise/surprise, were seen as new bodies that could be used for everything BUT monitoring. So, we have great log management and analysis solutions running, but no one has been monitoring anything for almost a year! When asked, the business units point to the Enterprise Monitoring group and say that it is their responsibility because they are 'Enterprise Monitoring'. DUH!” (source)

and

“I work with a stadium and arena concessions operation that once told me they were compliant because they put their card swipe readers on the counter and turned them around to face the customer. They no longer touched the cards so this made them compliant. True story.” (source)

and

“It’s a not a fail, but I certainly found humor in this. When enrolling in training with the PCI Security Standards Council, if you would like pay by credit card they ask that you write your CC#, CVV, Expiration, etc on the invoice and fax it or mail it to them. They note, it is a secure and password protected fax. I expected something a little more from the people who create the standards, but hey that’s one way to reduce your scope. Upon receiving the invoice, it was an LOL moment. ” (source)

MORE PCI Book CONTESTS ARE COMING!! Stand by….

Monthly Blog Round-Up – November 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 03 Dec 2012 15:43:12 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it really needs another update)
“PCI Compliance Book Giveaway!” announces our new contest and its prize – The PCI Compliance book. We will announce the winner any day now.
My classic PCI DSS Log Review series is popular as well. The approach is useful for building other types of log review processes and procedures, whether regulatory or not.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Previous post in this endless series:

Monthly Blog Round-Up – October 2012
All posts tagged monthly

PCI Compliance Book Giveaway!

anton@chuvakin.org (Anton Chuvakin) — Thu, 15 Nov 2012 23:51:35 +0000

OK folks, our PCI Compliance book has been out for a couple of months now, and Branden & I thought it would be fun to give a way a couple of copies with a contest! We have assembled a group of three independent judges that will take a whittled down list and pick winners for each competition. The winner will receive a free, signed copy of the book!

So, on to the first contest.

Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey anything goes view. We want to take a compliance-friendly, practitioners line. But we’ve all been in those meetings when you look at a particular defense of a control (or lack thereof) and you can’t help but laugh a little bit on the ridiculous nature of what was presented.

So our first challenge to you, in the comments below, please tell us about your MOST HILARIOUS PCI FAIL.

You’ve got a week (until the end of Wednesday, November 21st), and we will announce the winners after the US Thanksgiving holiday!

It doesn’t matter if you comment here or on Branden’s blog, we will capture all of them.

Monthly Blog Round-Up – October 2012

anton@chuvakin.org (Anton Chuvakin) — Thu, 01 Nov 2012 17:48:20 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update)
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
My PCI DSS Log Review series is popular as well. It actually needs no introduction.
SIEM use cases (however they are defined) seem to be on a lot of minds and so “SIEM Bloggables” post (and this one too) is on my top list.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current DLP research:

Recent SIEM research:

Previous post in this endless series:

Monthly Blog Round-Up – September 2012
All posts tagged monthly

Monthly Blog Round-Up – September 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 01 Oct 2012 16:14:09 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list; it covers some tips on choosing SIEM tools.
My PCI DSS Log Review series is popular as well. It actually needs no introduction
“The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” is about how some organizations want to buy a SIEM and pretend they now have security monitoring

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun Gartner blog posts:

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monthly Blog Round-Up – August 2012
All posts tagged monthly

Monthly Blog Round-Up – August 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 10 Sep 2012 14:46:57 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version, and, yes, I know it needs another update…)
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
My PCI DSS Log Review series is popular as well.
“On Choosing SIEM” is another old classic (from 2010) that shows up on my top list.
Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

Previous post in this endless series:

Monthly Blog Round-Up – July 2012
All posts tagged monthly

One Year at Gartner!

anton@chuvakin.org (Anton Chuvakin) — Thu, 02 Aug 2012 17:28:52 +0000

Believe it or not, but I've been at Gartner for a year. One whole year has passed since that infamous blog post. I don't feel like diving into deep reflections and long contemplations about it, but I wanted to share how it was. During this year, I …

learned a lot, and expanded my security knowledge into new areas such as denial of service defense
found out that being an analyst is a lot of fun
realized that there are many levels of writing excellence beyond the level that I thought I had …
interacted with a lot of smart people both within and outside Gartner
helped dozens of our clients – both security vendors and large enterprises - with their security challenges, some simple and some pretty esoteric
discovered that a lot of companies are not where our industry pundits and "thought leaders" say they are (“what is more common today at large organizations, cloud or Windows 2000?”)

That's about it - I am really looking forward to my second year!

Monthly Blog Round-Up – July 2012

anton@chuvakin.org (Anton Chuvakin) — Wed, 01 Aug 2012 15:05:23 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
Next is “SIEM Resourcing or How Much the Friggin’ Thing Would REALLY Cost Me?” While reading this, also check this presentation.
“On SIEM Services” appearance on this list reminds me that the Internet has a mind of its own as this post is closely related to what I am working on right now
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
Finally, “Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon” made it to the top 5 as well.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Current SIEM research:

Other fun posts:

How Are We Doing Compared To Peers?

Also see my past monthly and annual “Top Posts” – 2007, 2008, 2009, 2010, 2011.

Disclaimer: all this content was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Monthly Blog Round-Up – June 2012
All posts tagged monthly

Metricon 7 Workshop Reminder

anton@chuvakin.org (Anton Chuvakin) — Fri, 20 Jul 2012 00:20:39 +0000

Just a quick reminder about the Metricon 7 workshop on security metrics.

Date: August 7, 2012

Location: Bellevue, WA (co-located with USENIX 12)

Registration:https://www.usenix.org/conference/usenixsecurity12/registration-information (pick just the metrics workshop or the entire event)

Agenda:

1. Introduction to Metricon, security metrics and workshop goals by Anton Chuvakin (9:00-9:30)

2. “Even Giant Metrics Programs Start Small” by David Severski (9:30-10:30)

3. Break (10:30-10:45)

4. PANEL: “Rules of the Road for Useful Security Metrics” (10:45-11:30)

5. Mini-talk 1 and 2 – TBD (11:30-12:00)

6. Lunch break (12:00-1:00)

7. “What We Want to See in Security Metrics” by Christopher Carlson (1:00-2:00)

8. PANEL: “What We Know to Work in Security Metrics” (2:00-2:30)

9. “Application Security Metrics We Use” Steve Mckinney (2:30-3:00)

10. Break (3:00 – 3:15)

11. "Threat Genomics and Threat Modeling” by Jon Espenschied (3:15-4:15)

12. Discussion time, everybody shares lessons, highlights, etc (4:15-5:00)

13. Conclusions, results and action items by Anton Chuvakin (5:00-5:15)

Additional details: here

See you there!

Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon

anton@chuvakin.org (Anton Chuvakin) — Tue, 17 Jul 2012 17:09:01 +0000

This is not a book for everybody (and your grandmother probably does not need to read it; neither does an average IT professional). However, I think that this book is pure gold for those tasked with interacting with analyst firms.

I am an analyst, and I wish every vendor client read this book and followed some of the advice given there. It would reduce pain on both sides of the conversation, as well as make the interactions more valuable for – again! - both sides.

Obviously, this is not a book to guarantee your IT product a favorable placement in analyst research. It is also not a book on how to bamboozle the analysts, despite its focus on analyst influence. However, it is definitely a book to make sure that well deserving products, developed and marketed by good teams of people, don't get sidelined.

Some of the specifics that I liked include the influence pyramid concept, social media techniques, a careful approach to managing corporate Wikipedia entries, specific approaches to various analyst activities (such as calls, reports, advisory days and conferences), etc. My favorite sections (both fun to read as well as insightful!) are the one on “guerrilla tactics” and the obligatory “what not to do” chapter (the latter has a few sad case studies of IT vendors who screwed themselves up). Another great chapter covers the role of a vendor sales team in both helping the interaction with the analyst firm and avoiding some embarrassing mistakes.

In fact, this book makes me proud to be an analyst. Then again, maybe it is my ego talking as the book seems to project an impression that “an analyst is the most important person in the world“, at least as far as IT vendors are concerned.

Finally, if you are a IT vendor marketer, remember: when you say “holistic," some analysts think “imaginary.” Richard suggests to scrub your presentations of silly meaningless words like “synergy” and “holistic.”

All book reviews.

Monthly Blog Round-Up – June 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 09 Jul 2012 22:10:25 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
My PCI DSS Log Review series is popular as well.
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
“Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Other fun posts:

Monthly Blog Round-Up – May 2012

"PCI Compliance", 3rd edition - Out On August 6, 2012

anton@chuvakin.org (Anton Chuvakin) — Wed, 13 Jun 2012 06:05:07 +0000

A new edition (3rd) of our book "PCI Compliance" is coming out on August 6, 2012.
It covers PCI DSS 2.0, as requested by many of our readers. Other new materials include Emerging Technology and Alternative Payment Schemes, PCI for the Small Business, etc. A full ToC for this new edition is here.

Get the book in print or for Kindle!

Monthly Blog Round-Up – May 2012

anton@chuvakin.org (Anton Chuvakin) — Fri, 01 Jun 2012 15:37:24 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Monthly Blog Round-Up – April 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

anton@chuvakin.org (Anton Chuvakin) — Fri, 18 May 2012 22:44:56 +0000

This book is probably the most thought-provoking book on security I read in the last 5-7 years! While I'm somewhat known from my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconsciousness of security industry.
In fact, the influence this book already had on me is palpable: I found myself using some of the terms (such as author’s favorites, “intellectual capital” and “CASE”) and concepts on the next day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-lead” late 1990s to “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some of the solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in history of security industry - the one that appeared at the best possible time when it’s most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Just as the author, I've been grown frustrated with the ranks of idiots who equate compliance and security. Even author’s rant about ethics is something I've been thinking for years.

The author slaughters a few of the sacred cows of security industry: one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products, which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on the vulnerability assessment technology than the author (I don't think they give you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetitions to my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.
All book reviews.

Monthly Blog Round-Up – April 2012

anton@chuvakin.org (Anton Chuvakin) — Wed, 02 May 2012 03:11:27 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
“Why No Open Source SIEM, EVER?” (and this) is next – for some weird reason. I suspect a lot of people still crave a free open source SIEM tool.
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.
“Log Management at $0 and 1hr/week?” is where a lot of companies still are, thus this post became popular again.
“Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Denial of Service research:

Availability, Security and Why is DoS Fun?

Cloud security monitoring research:

Future SIEM analytics research:

Monthly Blog Round-Up – March 2012

Metricon 7 Call for Papers

anton@chuvakin.org (Anton Chuvakin) — Mon, 30 Apr 2012 16:54:30 +0000

This is a Call for Papers (CFP) for Metricon 7.

Key stats first:

Conference date: August 7, 2012
CFP deadline: May 31, 2012
Conference location: Bellevue, WA
Cost to attend: free (but you’d need to add value to discussions).

CFP follows below and can be found at SecurityMetrics site.

Metricon 7 - Security Metrics: Useful or Bust!!

How to define, generate, and communicate security metrics you can use TODAY!

This year, Metricon 7.0 is excited to issue a call for participation to the information security community. The event will occur August 7th 2012 collocated with USENIX in Bellevue, WA.

Given that this is the 7th event, we think it is time to finally say it: security metrics MUST be useful NOW! Thus, the focus this year is on useful and usable metrics – not conceptual and theoretical stuff that sounds great, but cannot and will not be used in today’s organizations. Also, presentations and panels that talk about “How?” and “What?” will be strongly prioritized over “Why?”(and “whine”). Enterprises and tool vendors are both welcome to present! Academic researchers tacking the real-world problems are welcome as well.

We want to see:
• How you achieved “quick wins” with security metrics?
• How you define useful metrics, whether risk or operational?
• What metrics you track are the most useful?
• How did you solve a particular challenge in security metrics area?
• How your tool helps (not “can help”!) with collecting and analyzing security metric data?
• Who gets the metrics you create? How do they use them?
• What metrics you use to determine that security controls are effective?
• How organization generate actionable advice from security metrics?
• How to track that your security is improving using metrics?

We do not want:
• Uncollectable and unusable metrics
• Metrics philosophy
• Uncooked metrics that sound vaguely “interesting”

Send submissions and your ideas for panels and presentations to metricon7@securitymetrics.org

Deadline for presentation and talk submissions is May 31st, 2012. Submissions should be sent to Metricon7@securitymetrics.org.

Monthly Blog Round-Up – March 2012

anton@chuvakin.org (Anton Chuvakin) — Mon, 02 Apr 2012 17:17:08 +0000

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:

“Simple Log Review Checklist Released!” is often at the top – the checklist is still a very useful tool for many people
“Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” also show up close to the top. IF YOU WANT TO VOLUNTEER TO FINISH THIS DOCUMENT- PLEASE EMAIL ME!
My classic PCI DSS log review series is still on my Top 5: “Complete PCI DSS Log Review Procedures”; they are also useful for other compliance or security log review and log monitoring.
“On Free Log Management Tools” is a companion to the checklist below (updated version)
“On Choosing SIEM” is about the least wrong way of choosing a SIEM tool – as well as why the right way is so unpopular.

In addition, I’d like to draw your attention to a few posts from my Gartner blog:

Monthly Blog Round-Up – February 2012