Politically Correct Way to Say Merry Christmas

Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2011, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.


Nevada SB227 Mandates Personal Information encryption

I’m not sure how many of you have heard, but Nevada’s SB227 mandates that all “personal information” be encrypted. When this bill was introduced it contained a clear definition of “personal information”; that definition was later removed by Amendment 716, which stated that the bill would instead rely on the definition in NRS 603A.040. That section defines personal information as the following:

1. Social security number.

2. Driver’s license number or identification card number.

3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.


The passed SB227 itself does not define what is meant by “personal information”, which suggests the legislature is content to let lawyers define it through case law. Who knows where this will go.



Is compliance making security more difficult?

I’ve not blogged in quite some time, mostly because I have been very busy these days. However, I felt I should talk a bit about compliance and how it seems to have shifted security from eliminating threats to eliminating compliance gaps.

In the last few years, many regulations and standards have emerged that now control our security initiatives and goals: PCI, SOX, HIPAA, SB1386, the Massachusetts privacy law, and more on the way. I’m not one to say that regulation does not help in some respects, but it often has undesirable side effects that cause many security professionals a great deal of discomfort.

What I feel has changed in the security landscape is that rather than targeting the latest “threats”, we find ourselves performing burdensome business processes that do little or nothing to improve the overall security of our companies. One notable pain point is an area of PCI that I think drives many of us nuts: the “log review” provision.

In PCI 1.2, the requirement for daily log review is, in and of itself, well intentioned, and something I cannot argue with, because most of us don’t do enough of it. What I find difficult is that we end up reviewing things such as “successful logins” or “failed logins” to comply with these stated controls, and I feel there is very little value in doing so. Many companies mandate that system owners review these logs on a daily basis; is that investment really giving us a return? For instance, most companies use domain policies that lock an account after 5 failed attempts and require complex passwords. This represents a compensating control, and therefore monitoring and reviewing failed logins is burdensome and unnecessary. That being said, there is still residual value in receiving alerts or reports of extremely high numbers of login failures, so it does make sense to monitor for those.
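As an added example (not code from the original post), here is what "monitor for extremely high numbers of login failures" can look like when the account-lockout policy is taken into account, so the daily review is reduced to the few events a human should actually see. It goes one step beyond the post: besides the high-count burst alert, it flags a single source that fails against many different accounts while staying under the lockout threshold on each, the one failed-login pattern that a lockout policy does not compensate for. The one-line-per-event log format, the host and account names, and the IP addresses are all assumptions constructed for this example; with a real Windows Security log or sshd log only the parser would change.

```python
"""Failed-login alerting that respects an existing account-lockout policy.

Added example, not code from the original post. The log format is an
assumption made for this example; real sources (Windows Security log, sshd,
RADIUS) each have their own, and only LINE_RE / parse_events would change.
"""
import re
from collections import Counter, defaultdict

# Assumed event format: "<timestamp> <host> auth <SUCCESS|FAILED> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth\s+(?P<result>SUCCESS|FAILED)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield a dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failed_login_alerts(lines, lockout_threshold=5, burst_threshold=50,
                        spray_min_accounts=10):
    """Return a list of (kind, subject, detail) alerts worth a human's time.

    lockout_threshold   failures at which the domain policy locks the account;
                        a lone account under this number is noise the lockout
                        control already bounds and is never reported.
    burst_threshold     failures from one source, or against one account, high
                        enough to report (the post's "extremely high" case).
    spray_min_accounts  one source failing against this many distinct accounts
                        is a password spray; if each account stays under the
                        lockout threshold, lockout never fires, so a per-account
                        count review would miss it.
    """
    burst_threshold = max(burst_threshold, lockout_threshold)
    per_src, per_user = Counter(), Counter()
    src_users = defaultdict(Counter)
    for ev in parse_events(lines):
        if ev["result"] != "FAILED":
            continue
        per_src[ev["src"]] += 1
        per_user[ev["user"]] += 1
        src_users[ev["src"]][ev["user"]] += 1

    alerts = []
    for src, n in per_src.items():
        if n >= burst_threshold:
            alerts.append(("burst", src, f"{n} failed logins from one source"))
    for user, n in per_user.items():
        if n >= burst_threshold:
            alerts.append(("burst", user, f"{n} failed logins against one account"))
    for src, users in src_users.items():
        if len(users) >= spray_min_accounts:
            worst = max(users.values())
            alerts.append(("spray", src,
                           f"{len(users)} distinct accounts, at most {worst} "
                           f"failures each (lockout at {lockout_threshold})"))
    return alerts


def build_sample_log():
    """Constructed sample data for this example; not real logs."""
    lines = [
        "2011-01-03T08:00:01 dc01 auth FAILED user=jsmith src=10.1.1.7",
        "2011-01-03T08:00:04 dc01 auth FAILED user=jsmith src=10.1.1.7",
        "2011-01-03T08:00:09 dc01 auth SUCCESS user=jsmith src=10.1.1.7",
        "malformed line that the parser must ignore",
    ]
    # One source hammering the admin account: crosses burst_threshold.
    lines += [f"2011-01-03T08:01:{i % 60:02d} dc01 auth FAILED user=admin src=203.0.113.9"
              for i in range(60)]
    # One source trying 12 accounts 3 times each: 36 failures in total, so it
    # never locks an account and never crosses burst_threshold on its own.
    lines += [f"2011-01-03T08:02:{(3 * i + j) % 60:02d} dc01 auth FAILED "
              f"user=user{i:02d} src=198.51.100.23"
              for i in range(12) for j in range(3)]
    return lines


if __name__ == "__main__":
    for kind, subject, detail in failed_login_alerts(build_sample_log()):
        print(f"{kind:5s} {subject:15s} {detail}")
```

Run as-is, the two ordinary failures by jsmith produce nothing, the 60 attempts against admin produce burst alerts for both the source and the account, and the 36 low-and-slow failures from 198.51.100.23 produce only the spray alert. The thresholds are the policy knobs: set `lockout_threshold` to whatever the domain policy actually enforces and `burst_threshold` to the level at which someone will genuinely pick up the phone.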

Another issue I see happening across the industry is executives making financial decisions based on whether or not they meet these minimum regulations. Friends have often told me that their companies cut back their security budgets once they receive their PCI ROC, their HIPAA compliance report, etc. This leaves security professionals with the daunting task of justifying budgets to mitigate threats to a management that has already met the minimum bar. Quite a quandary for many of us. I am very hopeful that PCI will continue to evolve so that it addresses threats more directly by requiring harder-line approaches, such as making inline IPSs mandatory and in a blocking state, or making application firewalls mandatory. Gone are the days when you could expose an application to the dirty internet without all your defenses in an active state.