Another few weeks have passed and it’s time for another post. It’s difficult keeping up around here – there’s always so much going on. What’s hit the news wires over the past few weeks? Anything truly interesting? Always.
A breach of Yahoo! Voices reportedly leaked more than 450,000 passwords. The EU has told its banks to assume that all PCs are infected. At least one Information Security and Compliance trend study was released. More Android malware was pulled from Google Play. DarkComet was retired. The FBI turned off the DNSChanger mitigation servers, causing a potential “Internet outage” for 250,000 users. ISACA issued COBIT 5 for Information Security. The European Network and Information Security Agency (ENISA) has come out as an advocate of mandatory cyber insurance. And another Security Automation Developer Days (PDF Agenda) is underway.
I’m sure there are myriad other examples, but the truth is that not much has changed – probably over the past year or two (or five?). We still have password problems, we still have malware and botnet issues, law enforcement makes relatively small gains, vendors are pushing out more of the same data, and we are slowly moving toward a true risk-based approach to security and compliance. Our situation continues to be one in which we are defending increasingly complex systems against well-motivated threat agents under rapidly changing circumstances with scarce resources.
What can you do to help? Participate.
Do you have ideas about how we can replace or mitigate our present over-reliance on username/password credentials? If so, I would encourage you to engage in the discussion happening now in the Internet Engineering Task Force’s Security Area Advisory Group (subscribe to the saag mailing list to see what they are discussing – it’s free).
Do you have ideas that would potentially contribute to Security Automation? Get on some of the mailing lists – in particular the Security Automation and Continuous Monitoring (SACM) mailing list at the IETF – and participate.
Don’t care for standards like those being created in the Security Automation community and the IETF? Care more for pragmatic hardening guidance? Then you should consider contributing to one or more Center for Internet Security benchmarks – these are completely volunteer-built and consensus-driven.
I don’t care if you’re a security professional, IT manager, policy wonk, or end user. We need all perspectives in these efforts to make things work well. Perspectives from theoretical security through to on-the-ground IT operations matter equally.
My challenge to you is to take time to opine. Take one hour out of your week to look around the standards efforts and see what excites you. When you find something, read about it. If you have an opinion – even if you agree with every perspective in what you’ve read – let that opinion be known. Encourage your employer to support this – they, after all, stand to benefit from the end result.
By the way, if you’re in the Vancouver, BC area between July 29 and August 3, you can take the opportunity to attend IETF 84 being hosted by Google. I’ll be there. If you would like to meet up and talk shop, feel free to reach out.