Friday, November 23, 2007
The election for the ISC² Board of Directors is open through Friday, November 30. Although there are over 48,000 CISSPs globally, it is expected that only about 2500 of us will vote. Given the amount of grumbling heard about ISC², I find that appalling.
So, if you are eligible to vote in the election- please vote.
Information on the candidates and voting procedures is on the ISC² website at http://isc2.org
If you are interested in driving change at ISC², I encourage you to check out the positions of Rolf Moulton and Bill Murray at their website- and then vote for the candidates who best represent your views.
Wednesday, November 21, 2007
One thing that is largely missing from discussions of Data Loss/Leak Prevention is the idea that taking some data offline is a simple and effective means of preventing data loss. Information needs to be accessible in our "Information Age", but how accessible is too accessible?
Let's make this more tangible. Suppose you are headed out for a night in "the Big City": are you going to carry all of your financial records, safe deposit box keys and stock certificates with you as you navigate the subway? Or will you carry just enough cash for the evening, only one or two credit/debit cards (maybe just one "firewall account" card), and tone down the jewelry? Good choice- you NEED to have access to all of those high-value things, but you don't need immediate access at all times. In fact, immediate access at all times is a pretty bad idea- that's why you have stuff locked away in the safe deposit box, right?
Maybe you don't need all of your data immediately available, either. Maybe a virtual file or database server can host some of your data- and only be brought online as needed. I know it isn't always that simple and that individual databases often house both mundane and confidential data, or house both frequently and infrequently accessed data (there's another issue, eh?), but think about taking data offline to protect it instead of just adding more layers of defense and complexity.
If you want a thorough introduction to DLP check out Rich Mogull's DLP primers at Securosis. As Hoff pointed out, though, if it takes seven posts and 10,000 words to provide an introduction to something, it may not be ready for prime-time.
Wednesday, November 14, 2007
I chair the New England Chapter of NAISG and am happy to relay the news of a new chapter:
The National Information Security Group (NAISG) is pleased to announce the opening of the New York City chapter of NAISG. The chapter will be led by Tony Costa, who also frequents the New England chapter meetings.
Meetings will occur monthly in Manhattan. We anticipate a formal kickoff in January, but the membership list is already open. Please feel free to check out the chapter site at http://nyc.naisg.org/. (Some site updates still in the works.)
I find NAISG to be a great resource, and a great group of people. If you are in the NYC area please check out NAISG-NY.
There's a fairly new group in Rhode Island, DC401, the local Defcon group. According to their website, "DC401 is a gathering for folks interested in the alternate applications of modern technology, referred to properly as 'hacking'."
Meetings are held on the second Monday of each month in Providence at AS220. This month's presentation was by legendary security podcaster Paul Asadoorian (pauldotcom), on one of his favorite topics, hacking embedded devices. (Paul and co-host/cohort Larry Pesce co-authored "Linksys WRT54G Ultimate Hacking").
I'll be attending DC401 meetings as my schedule allows; if you are in the RI area, I encourage you to check them out, too.