You can't secure what you don't acknowledge.SM

Tuesday, April 21, 2009

Funny post about today's RSA keynotes

Here's some funny insight from my colleague Mike Rothman into the caliber of speakers that RSA pulls in for their keynotes. Funny, amazing, sad.

I'm becoming more and more glad that I didn't go out there!

RSA news: virtual machine security, finally!?

Now vendors and developers have a way to ward off those dreaded virtual machine vulnerabilities plaguing every network. It's VMware's VMsafe API to the rescue. Finally, a virtual machine security solution!

Now if we can just find a way to get people to:
  1. Require strong passwords on their virtual machines
  2. Patch their virtual machines
  3. Disable unnecessary and unsecured network shares on their virtual machines
  4. Turn off unneeded services on their virtual machines
  5. Encrypt the drives on their virtual machines
  6. Backup their virtual machines
  7. Test for security vulnerabilities on their virtual machines
To me - and this is just my humble opinion - unless and until network admins and security managers put these most basic security controls in place on their guests, why even bother with all this fancy hypervisor API stuff? A VM with a blank root password and an open, writable share isn't going to be saved by an introspection API.

'nuff said.
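As an added example (not part of the original post, and not VMware's or anyone else's code), here is a small Python baseline checker that audits a Linux guest against items 1, 3, 4 and 5 of the list above, working from sshd_config, smb.conf, fstab and crypttab contents plus a list of enabled service units. Items 2, 6 and 7 (patching, backups, vulnerability testing) need live data from a package manager, a backup job history and a scanner, so they are not covered. Every config snippet, service name, mount point and the service allowlist below is constructed for illustration; the checker treats a missing sshd setting as the weak default, and the encryption check assumes LUKS sits directly under the filesystem (LVM-on-LUKS would be flagged as a false positive).

```python
"""Baseline check of a Linux VM guest against the basic-controls checklist.

Added example, not from the original post. All inputs below are constructed
config snippets; nothing is read from a live system.
"""

# --- Constructed sample inputs (hypothetical; not from any real VM) ----------
SSHD_CONFIG_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes   # accounts with no password can log in
"""
SSHD_CONFIG_HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
"""
SMB_CONF = """
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/public
   guest ok = yes
   writable = yes
[finance]
   path = /srv/finance
   valid users = @finance
   guest ok = no
"""
ENABLED_UNITS = ["sshd", "cron", "telnet.socket", "rsh.socket", "vsftpd", "smbd"]
FSTAB_PLAIN = "/dev/sda1 / ext4 defaults 0 1\n/dev/sda2 /data ext4 defaults 0 2\n"
CRYPTTAB_NONE = ""
FSTAB_LUKS = ("/dev/mapper/cryptroot / ext4 defaults 0 1\n"
              "/dev/mapper/cryptdata /data ext4 defaults 0 2\n")
CRYPTTAB_LUKS = "cryptroot /dev/sda1 none luks\ncryptdata /dev/sda2 none luks\n"

# Hypothetical allowlist of units this VM is supposed to run.
DEFAULT_ALLOWLIST = {"sshd", "cron", "rsyslog", "systemd-journald"}
CLEARTEXT_LEGACY = {"telnet", "rsh", "rlogin", "rexec", "vsftpd", "tftp", "finger"}


def parse_kv(text):
    """sshd_config style 'Key value' lines; comments stripped, last occurrence wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings


def check_ssh(sshd_config):
    """Control 1: password hygiene at the SSH front door. Missing keys count as weak."""
    s, findings = parse_kv(sshd_config), []
    if s.get("permitemptypasswords", "no") == "yes":
        findings.append("sshd allows empty passwords (PermitEmptyPasswords yes)")
    if s.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("sshd allows root password login (PermitRootLogin %s)" % s.get("permitrootlogin", "yes"))
    if s.get("passwordauthentication", "yes") == "yes":
        findings.append("sshd accepts passwords; use keys or enforce a strong password policy")
    return findings


def parse_ini(text):
    """Minimal smb.conf parser: {section: {key: value}}, all lowercased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip().lower()
    return sections


def check_shares(smb_conf):
    """Control 3: shares reachable without credentials (guest ok / public)."""
    findings = []
    for name, opts in parse_ini(smb_conf).items():
        if name in ("global", "printers", "print$"):
            continue
        guest = opts.get("guest ok", opts.get("public", "no")) == "yes"
        writable = opts.get("writable", "no") == "yes" or opts.get("read only", "yes") == "no"
        if guest:
            findings.append("share [%s] allows guest access%s" % (name, " and is writable" if writable else ""))
    return findings


def check_services(enabled_units, allowlist=DEFAULT_ALLOWLIST):
    """Control 4: anything enabled that is not on the allowlist, cleartext legacy daemons called out."""
    findings = []
    for unit in enabled_units:
        name = unit.split(".", 1)[0]
        if name in allowlist:
            continue
        tag = "legacy cleartext service" if name in CLEARTEXT_LEGACY else "service not on allowlist"
        findings.append("%s: %s" % (tag, unit))
    return findings


def check_encryption(fstab, crypttab):
    """Control 5: filesystems mounted from a raw device rather than a crypttab-declared dm-crypt mapping."""
    mapped = {l.split()[0] for l in crypttab.splitlines() if l.strip() and not l.startswith("#")}
    findings = []
    for line in fstab.splitlines():
        fields = line.split()
        if len(fields) < 2 or line.startswith("#"):
            continue
        device, mountpoint = fields[0], fields[1]
        if mountpoint in ("none", "swap", "/boot", "/boot/efi"):
            continue
        if device.startswith("/dev/mapper/") and device.rsplit("/", 1)[-1] in mapped:
            continue
        findings.append("%s mounted from %s without dm-crypt" % (mountpoint, device))
    return findings


def audit(sshd_config, smb_conf, enabled_units, fstab, crypttab):
    """Run the four config-based checks; empty list means the control passed."""
    return {
        "1 strong passwords": check_ssh(sshd_config),
        "3 network shares": check_shares(smb_conf),
        "4 unneeded services": check_services(enabled_units),
        "5 drive encryption": check_encryption(fstab, crypttab),
    }


if __name__ == "__main__":
    results = audit(SSHD_CONFIG_WEAK, SMB_CONF, ENABLED_UNITS, FSTAB_PLAIN, CRYPTTAB_NONE)
    for control, findings in results.items():
        print(control, "FAIL" if findings else "PASS")
        for f in findings:
            print("   -", f)
```

Run against the weak snippets every one of the four controls fails; swap in SSHD_CONFIG_HARDENED and the FSTAB_LUKS/CRYPTTAB_LUKS pair and controls 1 and 5 pass. On a real guest you would feed it the contents of /etc/ssh/sshd_config, /etc/samba/smb.conf, /etc/fstab, /etc/crypttab and the output of `systemctl list-unit-files --state=enabled`, and tune the allowlist per role.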

I'm on Twitter

Not sure why yet but figured I'd check it out and hopefully provide some value while gaining some exposure.

Isn't this what HIPAA was for?

I read the first paragraph in this piece regarding Obama's mandate that we move to electronic medical records (a big step in nationalizing healthcare in this country). It says "The aim is to improve medical care, increase the efficiency of health care delivery and ultimately cut health care costs." When I co-wrote our book on HIPAA compliance back in 2003, improving medical care, increasing the efficiency of health care delivery and ultimately cutting health care costs was a big part of why HIPAA came about in the first place.

What am I missing here? This is a prime example of our own government not enforcing the laws already on the books. Read what I said about this very thing last August. Simply amazing. A case of politicians trying to be busybodies to justify their jobs...and their existence.

Monday, April 20, 2009

Neat open source SIM tool

I attended a local networking event here in town last week where a representative from AlienVault presented their open source security information and event management (SIEM) tool, OSSIM. I had to endure a painful sales pitch (that wasn't supposed to be a sales pitch, mind you) and a simple-minded "use this product for all your needs" approach to information security...but the tool actually looks promising. It's a "free" way to pull together all of your event logs, alerts, etc. across multiple platforms into one central location. Centralized event collection is definitely a legitimate part of managing information security, and one that most organizations have zero control over today.

There are tons of (expensive) commercial tools out there that have been around for years. But if you're having trouble getting your arms around everything your systems are spitting out - especially in the name of compliance - OSSIM is certainly worth taking a look at.

America's next step?

Is this some insight into where the world is headed with regards to information privacy and security?
UK launches massive, one-year program to archive every email

I'll be curious to see how such control and monitoring affects international business long term in the U.K. and across Europe. Some organizations outside Big Brother-ville may not want to take this on. But then again, many in management have their heads buried, thinking only short-term about privacy and security. Maybe this is just a passing headline, or maybe it's soon to be a way of life for us all...?

Don't get me wrong - I'm not being a doom-and-gloom cynic. I'm just calling it like I see it.

RSA this week

Since our Imperial Federal Government wants more of its "fair share" of taxes from me for 2008, I'm focusing on minimizing my overhead this year. This means no traveling out to RSA for this week's show.

I was originally going to go - especially since I can get in for free on a press/blogger pass. But once I started adding up the other costs (plane, hotel, transportation, meals, and other fees/taxes/etc. in the big government town of SFO) I just couldn't justify it. It came down to spending that $1,500-$2,000 on networking and furthering my career and the field we work in OR me contributing that money to Obama so he can, in turn, spend it on one of his (and Bush's) ridiculous government programs we don't need. They have the guns, and thus, they win this battle...But not the war.

Pardon, I just had to get that off my chest.

Anyway, I'll be tracking the goings on in SFO this week and if I see anything worth mentioning I'll be sure to put in my two - I mean one - cent worth.

Have a great week!