What We're Reading, Week of 3/14

Government Computing News, Telework on the sly: How many feds really work outside the office?
Information Week, Amazon Extends Private Cloud Capabilities
New York Times, Threats to Traveling Data
PC World, Security on a Shoestring...

Forward Thinking: Network Security Trends for 2011 Wrap-up

As we gear up to dive into the second quarter of 2011, we’ll wrap up the Forward Thinking series. We’ve had some insightful predictions on network security trends for 2011, so we’ll close this series with thoughts from two more seasoned IT professionals. And now that we’ve completed the series, whose predictions for 2011 did you most agree or disagree with?

Latest analysis shows that social networking sites are the new playground for cyber criminals. Other possible attack vectors on the rise are mobile devices and applications, VoIP abuse, and client-side web attacks. – Vladimir Blaskov, System Administrator at Good Karma, Inc.

In 2009 it was the type of vulnerabilities – ‘vulnerabilities in protocols and standards’. In 2010 it was the response to vulnerabilities – ‘vulnerabilities in detection and prevention’. In 2011 it’s going to be the overwhelming rate of vulnerabilities – ‘vulnerabilities coming so fast and furious that it becomes difficult if not impossible to keep up’. Basically it’s all the same story. People focus on ‘time to market’ and ‘ship it’ instead of ‘testing’ and ‘security’. Those are ‘revenue drains’ and the former are ‘revenue generators,’ so as long as business runs on profit there will continue to be focus on making money and less focus on the requirements of security that are perceived as costs. – Gregory W. MacPherson, Professional computer security...

Conversation with Branden Williams on PCI and the Cloud, Part 3

VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist. Today we go beyond the cloud and get Branden’s thoughts on other gaps in PCI 2.0, as well as other network security trends.

VPN Haus: Other than cloud, what do you think was missing from PCI DSS 2.0? What are the most/least useful updates?

Branden Williams: I believe there are still a few things that need to be addressed in PCI DSS. This version introduced language around Virtualization, but completely missed the cloud discussion which as you noted above is more important to fix right now. The Council may get left behind without either appropriate training for QSAs, better Q/A around the process of an assessment with respect to cloud services, or guidance specific to what QSAs should look for in a compliant cloud solution.

Sampling is also still a big issue. I believe one of the issues around variance is the fact that there is no standard sampling methodology—it’s up to the QSA to describe their methods and come to some sense of feel-goodery around the population of systems they must assess. A statistically valid sampling methodology would produce more consistent results.

Wireless (specifically Wi-Fi) security still falls abysmally short on the detection and protection side. The encryption is where it should be as a baseline, however, companies can easily add additional layers of encryption stronger than the implementations of WPA or 802.11i.

VPN Haus: Is there anything else related to network security that you’d like to mention?

Williams: Big trends for the next few years until the next revision of PCI DSS include things...

What We're Reading, Week of 3/7

ComputerWorld, Security Manager’s Journal: New Firewalls Should Increase Protection
CSO, 9 Security Tips for Protecting Mobile Workers
InformationWeek, Electronic Health Records Raise Security Risks
The Economist, A Sense of False...