RealSecurity

A Different Perspective of Information Security


The Conspiracy Theorist in me

Facebook wins based on insecurity?

Admittedly, I may not have all the information. Nevertheless, a cursory glance makes me tilt my head in wonder. Last Friday, Facebook was awarded $711M in fines levied against Sanford "Spamford" Wallace, who gained access to numerous accounts on their site to send porn-promoting spam to their unsuspecting friends. This represents the second largest judgment based on the CAN-SPAM Act in history. Interestingly, the largest, $873M, was also awarded to Facebook, against Canadian spammer Adam Guerbuez, in 2008.

Monday - November 02, 2009 at 08:36 am

Posted in rant



Whitehat Gone Too Far

Some say it's ok, not sure I'm one of them

First of all... HEY! I’m back! Well, at least the one or two of you out there may have noticed I wasn’t writing for the last week or so. My previous web host was r-e-a-l-l-y slow, so I decided to switch… and it was actually more economical anyway. This one is a bit better. I think some of my performance issues are actually due to the code I use to generate this site. Anywho… nothing ventured, nothing gained. Through the transition the site was always up, but it was very complicated to keep content flowing, so I just took a break. Nevertheless, what’s up with all those CDs getting shipped out from whitehat MicroSolved out of Ohio?

Friday - September 04, 2009 at 11:06 pm

Posted in rant



Policy Purgatory

What are policies for, really?

I see a lot of questions about security pop up, asking everything from what’s the best way to secure a PDA to how to control the use of USB ports on laptops. In every case, without exception, there is always someone who pontificates on the need for a policy. Ok, granted, a policy can be more than a document stating what is expected and separating good from evil for all to partake. Policies can be technical manifestations, like group policies in Microsoft, Linux, and other systems that set requirements such as minimum password length, but that’s not what I’m talking about. I’m talking about the oldest security-punt of all time, the fall-back point of, “Do you have a policy for that?” Referring to some document that everyone from the CEO down had to approve when all I wanted was to stop the use of USB ports. Policies are important, but they’re only one part of the picture and not the first step.

Wednesday - July 08, 2009 at 5:20 pm

Posted in rant



Security is not an Adjective

Have you tried the Secure BigMac?

I spend a lot of time traveling and always see interesting stuff within the context of security in airports, hotels, and the like. I won't bore you with the standard jokes about the TSA’s security practices - way too easy a target - and I won't go into detail about how hotels are a criminal’s best friend. I’m always astounded by the lack of security, especially when security is implied. I don’t typically bother with it - it’s just how things are in the real world - but it’s still fun to break security controls, even if only in your mind. Nevertheless, it seems the practice of putting the word “security” in front of something - not necessarily a new thing - is on the increase, and it’s rather annoying.

Tuesday - February 17, 2009 at 2:58 pm

Posted in rant



ISO-27000 Series

Rant on Terminology

I read an article recently that finally pushed me over the edge concerning security terminology and how the ISO standards are referred to. The statement that did me in was, “We performed an assessment against the ten tenants of ISO-27001.” The article - interviews with several CSOs - went on and on with quote after quote referring to ISO-27001 incorrectly. Maybe that's a little nit-picky on my part, but the reality is that security is complex enough without people getting it wrong, and it seems everyone is getting it wrong when it comes to the ISO-27000 series.

Monday - May 21, 2007 at 11:04 am

Posted in rant



Infinite Loop

Here we go again

Although information security has gained unparalleled business-level attention in the last few years, people remain enamored of hacker tools and the technical tricks of the past. Promoting security based on fear, uncertainty and doubt (FUD) unfortunately remains the proverbial black hole of the security universe, potentially stifling the expansion of security in the business.

Saturday - May 28, 2005 at 08:32 am

Posted in rant