Security's Everyman

Saturday, October 21, 2006

Week in Review

It's Saturday afternoon and I've got a lot of catching up to do. With vacation and sick servers at work I've had very little time for blogging. I saved my favorite stories from the week and hope to catch up on them now.

PRIVACY CONCERNS (or lack of concern)

I've started reading the series on Privacy on MSNBC that Martin McKeay recommends. I've only read a few paragraphs and it's already making me sick, angry and scared. There are 9 different articles on this and I've only skimmed a few of them. I'm sure once I've digested them I'll have more to say.

Martin also points out a good article on Identity Theft protection here.



It seems that many people couldn't wait for the first security flaw to be found in IE 7. It had only been out 24 hours when the news was full of reports of the first reported flaw. They did sort of get vindicated because the flaw was not in IE 7 but in Outlook Express.

I almost feel bad for MS because the whole world almost expected it. Of course there are going to be flaws found. It happens in ALL software not just MS software. I know that they have had a pretty rough track record but the wolves just couldn't wait to jump on them.

Then when they do finally come out with some serious security practices there are those who complain about that. I wrote about not liking the idea of having MS being in charge of my AV and security as well as the OS. As I've read more about their PatchGuard technology in the 64-bit version of Vista I'm not so sure that I wouldn't like it in all versions. If it really keeps software from hooking into the kernel then that will stop a lot of the malware that we deal with today. Symantec, McAfee and others who want access to it don't seem to realize (actually they do, they just know that the end of malware puts a big hit on their bottom line) that if they get to hook then so will the bad guys. I'm sure that before this all gets ironed out security will be reduced and/or the bad guys will find a way around this and we will still have more to do than we can handle. Job security at its finest.

It's also good to see that I'm not the only one who is confused on this subject. Pete Lindstrom of the Spire Security blog has a good post that links to other writeups on this.



I've written before about how I feel strongly that our job as Security Professionals is to know more than the technology behind what we do. We need to know the reasons why a technology will or will not help our company meet its business objectives. We need to understand business process as well as technology. We also need to understand the regulations that affect our industry so we can best meet the audit and regulatory requirements that they bring with them. Michael Santarcangelo of the Security Catalyst website is also supporting this mindset. He is developing what he calls Security 2.0 to help those of us in security to better understand this and learn how to implement it in our daily practices. I encourage everyone to check out what he has to say.


FINAL THOUGHTS (for today)

Diebold has once again let source code "slip through" the cracks. I'm in talks with Diebold to provide some equipment for my company but their total lack of professionalism in how they have handled this whole voting issue is giving me severe second thoughts. They have demonstrated complete incompetence in all of this. If they can't seem to get anything right on the e-voting side of the business how am I supposed to trust them with the financial side of things?

has an article that, when I first saw it, made me think "good grief, why do they keep writing about the obvious", but then I remembered that even in IT and Security we have more than our fair share of slackers who need to be reminded about such basic things. Unfortunately my company does not currently have a policy in place that prevents iPods and other such devices from being connected to machines, but I do hope that it happens in the near future.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.