Last year the country of Japan suffered a devastating disaster of unspeakable proportions. A massive earthquake on the eastern coast of the country triggered a deadly tsunami that caused the flooding of the Fukushima nuclear power plant. Three dominos fell at once, resulting in a significant and tragic loss of life and property. I visited Japan earlier this year. As I traveled throughout the Tokyo area, I couldn’t see any evidence of these disasters. I asked several residents of the city and all told me that the earthquake did not affect the rest of Japan very much. They all discussed how ready Japan was for earthquakes, having suffered many over the centuries. It was in Tokyo that I learned that not many people actually died as the result of the earthquake. Most of the deaths were the result of drowning in the flood waters created by the tsunami. Over and over again, the people I met wanted to talk about how well their buildings were designed to resist the destructive force of earthquakes.
In 2003 a much smaller earthquake struck Iran. Measuring 6.6 on the Richter scale, the Bam earthquake had much less energy but was more destructive than the 2011 Japanese earthquake, which had a magnitude of 9.0. (Data provided by United States Geological Survey.)
Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve lived in Dallas, TX for 30 years so I consider myself an adopted native-Texan. I’ll be at South-by-Southwest Interactive this weekend, so I thought I’d share some tips for all my current and future friends. For those of you from out-of-state – known as furriners – I hope you’ll find this advice helpful.
The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon turned Vietnam-era Secretary of Defense — this famous idea failed miserably as a strategy. While it sounds good to the CEO’s ears, there is a corollary bubbling up below him that implicitly states that “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”
Yesterday, WikiLeaksreleased emails taken in the highly-publicized Stratfordata breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely is illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.
At Forrester's Security Forum 2011 in Miami, November 9-10, we will be reprising the wildly successful "Hackers Vs. Executives" track session. There will be two leading security professionals sitting on the panel representing the executive viewpoint, and they will be joined on stage by two noted researchers who will provide a hacker's-eye for this session. Rodney Joffe of Neustar will give us a live guided tour of the “Invisible Internet” – the IRC chat rooms and carder forums where the underground cybercrime economy lives. Michael Hamelin of Tufin Technologies – a noted white hat hacker and multiple winner of the DefCon “Capture the Flag” competition – will do another demo to help us understand how attacks work. We will then turn to our panelist representing the executive viewpoint to start an interactive discussion about current and future threats and how best to understand them and protect against them.
Last year this session was packed. It was highly interactive with lots of provocative questions coming from the audience. I encourage you to join us in Miami, November 10th from 11:35 a.m. to 12:20 p.m. for this unique and informative presentation.
Go to the security forum website for more information. Hope to see you there!
Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance — what defines you is your data and how you handle it.
When advising Forrester clients on InfoSec, the first question I ask is, “what compliance mandates are you under?” Like it or not, compliance determines how data is handled and that defines your vertical in our data-driven society. For example, I often say that, “PCI is the world’s largest vertical market.” It is a single global standard that affects more companies than not. You may think you are a hotel and your vertical is hospitality, but if you handle credit cards your real vertical — from a data perspective — is PCI.
Data defines markets. Look at your data, your transactions, and your process, and map them to your compliance initiatives. That will determine your digital — not analog — vertical. Using this measure, you can determine your security baseline and compare yourself to companies who must handle data in the same manner as you to help guide your security decisions.
Today EMC’s security division RSA announced the acquisition of NAV (Network Analysis and Visibility) vendor NetWitness. Some pundits have suggested that this is a direct result of the recent breach of RSA, but Forrester has been aware that this acquisition was in the works long before the breach was known. In fact, the public announcement of the acquisition was delayed by the breach notification. It is fortuitous timing, however, as the RSA attack shows the need for improved situational awareness.
The Washington Post is reporting a new wrinkle in cyberwarfare. In the article Defense official discloses cyberattack, the Post reports that “malicious code placed on the [flash] drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.” Perhaps SkyNet has become self-aware, as this malware appears to be able to “upload” itself onto a military network. We ARE nearing August 29th…
According to Deputy Defense Secretary William J. Lynn III, "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary." This must be one awesome piece of code – sentient, silent, and “poised.”
The PCI Security Standards Council released the summary of changes for the new version of PCI — 2.0. Merchants, you can quit holding your breath as this document is a yawner — as we’ve long suspected it would be. In fact, to call it 2.0 is a real stretch as it seems to be filled — as promised by earlier briefings with the PCI SSC — merely with additional guidance and clarifications. Jeff, over at the PCI Guru, has a great review of the summary doc so I won’t try to duplicate his detailed analysis. The most helpful part of the doc is an acknowledgement that more guidance on virtualization — the one function per server stuff — will finally be addressed.
Suffice it to say, it doesn’t look good for all those DLP vendors looking for Santa Compliance to leave them a little gift under the tree this year. I’ve been hearing hopeful rumors (that I assume start within the bowels of DLP vendor marketing departments) that PCI would require DLP in the next version. Looks like it’s going to be a three year wait to see if Santa will finally stop by their house.
Remember that this is a summary of changes so there’s not that much meat yet. The actual standard will be pre-released early next month with the final standard coming out after the European Community Meeting in October.
Last week I published two research reports on the hottest topic in PCI: Tokenization and Transaction Encryption. Part 1 was an introduction into the topic and Part 2 provided some action items for companies to consider during their evolution of these technologies. Respected security blogger, Martin McKeay, commented on Part 1. Serendipitously, Martin was also in Dallas (where I live) last week and we got an opportunity to chat in person about the report and other security topics.
Martin’s post highlighted several issues that deserve some response. He felt that I, “glossed over several important points people who are considering either technology need to be aware of.” Let me review those items:
Comment: “This is one form of tokenization, but it completely ignores another form of tokenization that’s been on the rise for several years; internal tokenization by the merchant with a (hopefully) highly secure database that acts as a central repository for the merchant’s cardholder data, while the remainder of the card flow stays the same as it is now.”