Blog of Blogs

Cyber Security and Public Utility Infrastructure

January 23rd, 2008

Bruce Schneier offers thorough coverage of the CIA’s reports of cyber security threats to public utility systems. Schneier suspects the threat may be overblown, but we laud him for laying out the information for reader evaluation before offering his opinion. This definitely raises his credibility. In a related note, BigFix is on the record with solutions for implementing National Energy Reliability Corporation (NERC) best practices.

NAC Meets Virtualization

January 23rd, 2008

Christopher Hoff grabs his gladius and steps into the arena to thrust and parry against armored NACs and ghostly virtualized desktops.

Scott Berinato’s Top 10 2007 Security Breaches

December 19th, 2007

CSO Magazine’s Scott Berinato is not writing as a blogger, but as a card-carrying member of the mainstream media. No matter—it’s a nicely done piece.

Christopher Hoff Ponders Consolidation vs. Piling it On

December 11th, 2007

Consolidating Controls Causes Chaos and Certain Complexity?

Don Weber wrote a post last week describing his thoughts on the consolidation of [security] controls and followed it up with another today titled “Quit Complicating our Controls - UTM Remix,” in which he suggests that the consolidation of controls delivers an end-state of additional “complexity” and “higher risk.”

Read the full post here.

Brian Krebs Reports a New E-Banking Vulnerability

December 5th, 2007

“A new class of malicious software contains a feature specifically designed to thwart online security technology implemented by Bank of America and many other financial institutions that allow their customers to monitor and make changes to their accounts via the Internet.”

Read the full post here.

Richard Bejtlich Questions Compliance for Compliance’s Sake

December 4th, 2007

From Tao Security, November 26, 2007

“In brief, too many organizations, regulators, and government agencies waste precious time and resources devising and auditing “controls,” regardless of the effect these controls have or do not have on security. They are far too input-centric; they should become more output-aware. They obsess over recording conditions they believe may be helpful while remaining ignorant of the ’score of the game.’ They practice management by belief and disregard management by fact.”

Read the full post here.

Amrit Gets Around

November 29th, 2007

Our own Amrit Williams has been out at night podcasting on other sites, in this case Martin McKeay’s Network Security Blog. We don’t mind a bit.

Network Security Podcast, Episode 85

Rich and I were joined tonight by a former co-worker and friend of Rich’s, Amrit Williams. Amrit is the CTO of BigFix and blogs over at the Observations of a digitally enlightened mind blog. This was less of an interview and more of three security professionals getting together on a Saturday morning to talk about the events going on in our sphere of influence. And as you might expect from us, the podcast went longer than we aim for, but only a little. But most importantly, we had good audio quality for the entire podcast. Or at least Rich wasn’t fading in and out. The bad part is we don’t think we changed anything, which means we’ve just been operating at the whims of Skype and the Internet, but we’ll be keeping an ear out for problems in the future.

Read the full post here.

Richi Jennings Hears From Nigeria

November 15th, 2007

Richi Jennings shares a particularly amusing variant of the venerable Pennies From Heaven scam.

Minneapolis Telephone Network (MTN)
Foundation’s Officer
125 Allen Avenue,
Lagos-Island
Nigeria.

Concern: Winner,

The Minneapolis Telephone Network (MTN), would like to notify you that you have been chosen by the board of trustees as one of the final of a cash Grant/Donation for your own personal, educational, and business development. The Minneapolis Telephone Network (MTN) was established by the Multi-Million groups in 1993

Read the full post.

Mike Rothman on Security Inertia

November 12th, 2007

Excerpt:

“That’s right, INERTIA. We in the technology space, and specifically the security space act more out of inertia than anything else. We can laugh about seeing Macbook Pros everywhere, but in reality Apple still only has a fraction of the market. Why? Inertia. Everyone just buys the PC because they’ve got installed base and existing business processes and lots of other reasons why it’s just easier to keep doing what they are doing.”

Read the complete post.

Christopher Hoff Presents His World View

November 8th, 2007

Security and Disruptive Innovation Part I: The Setup

As a follow-on to my post on security and innovation here, I’m going to do a series based upon my keynote from ISD titled “Why Security Should Embrace Disruptive Technology” with a brief narrative of each slide’s talking points.

Read the complete post.