Step by step the longest march can be won, can be won
Many stones can form an arch, singly none, singly none
And by union what we will can be accomplished still
Drops of water turn a mill, singly none singly none
From "Step by Step" - John McCutcheon
Since 2002, the US Federal Trade Commission has punished 48 US companies for violating their published privacy policies and exposing consumer personal data. That list includes big names like CVS, Eli Lilly, Microsoft and Twitter, as well as smaller companies such as Dave and Busters, Franklin Budget Car Sales and something called RockYou.
In all that time, I haven't seen a bit of lobbying by the FTC for new laws or regulations - they have been enforcing their existing charter as the consumer world evolved:
FTC Mission
To prevent business practices that are anti-competitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.
Recently, the FTC has received the ultimate compliment: business lobbying groups are trying to attack the FTC's ...
Watching a fire doesn't put it out, or prevent the next conflagration.
The Payment Card Industry Security Standards Council (PCI SSC) recently published a document that previews the changes coming in Version 3.0 of the PCI Data Security Standard (PCI DSS). A short summary of the changes:
- More reporting - PCI DSS 3.0 will require cardholder data flow diagrams, inventory lists of what is in scope, and evaluations of "evolving malware threats for systems not commonly affected by malware". For Critical Security Controls fans, these map to Controls 1, 2, 5 and 19, so they are valid security areas, but they do add more documents that an organization must produce to satisfy QSAs.
- Clarification - it appears there will be additional explanatory guidance around penetration testing, application vulnerabilities, acceptable methods of authentication and details of acceptable key management processes. Those are all areas
...
The Department of Homeland Security recently awarded the first phase of the Continuous Diagnostics and Mitigation (CDM) Blanket Purchase Agreement contract. The award went to 17 system integrators and about 19 product vendors, providing products and services that mostly cover the first four of the Critical Security Controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
The good news for government agencies is that the funding covers procurement and deployment of many of the most popular products across those areas, along with a few related products. This can be a very powerful vehicle for government agencies to upgrade their capabilities in network discovery, vulnerability assessment and patch management - badly needed upgrades.
However, many
...