RiskBloggers.com

June 2007

Federal IT Security: The Future of FISMA

By Paul Kurtz

(Editor’s note: Paul Kurtz, COO of Good Harbor Consulting, LLC, recently testified before multiple House Subcommittees regarding the future of FISMA, the Federal Information Security Management Act. We have published an edited version below; you can also download the full testimony in PDF format.)


I am here today to talk about how certain information security developments in the private sector may have an impact on the future of the Federal Information Security Management Act (FISMA) and follow-on information security regulations and controls. FISMA is a good first step in what will surely be a long – and increasingly collaborative – process between the public and private sectors in safeguarding the integrity of the Federal IT infrastructure. However, as timely and well intentioned as FISMA was in 2002, the current law must evolve if it is to be effective in light of new technology and continually emerging threats.

First, I will address the strengths and weaknesses of FISMA as it is currently implemented. Second, I will discuss how changes in the private sector will be a strong factor in how FISMA and general IT security measures within the public sector evolve in coming years. Three specific trends are:

  • The need for greater empowerment of federal Chief Information (Security) Officers
  • The changing nature of IT and information security
  • The global drive towards common security standards



Security@Nick@Nite

Looks like The Munsters are still in the business of scaring people. Black marketeers of credit card numbers, anyway. Data chaffing remains a worthwhile effort. As does watching reruns from the ’60s.


HP acquires SPI Dynamics and a bunch of old jokes

By Jim Reavis

How do we know the toothbrush was invented in Alabama? The answer to that and other of life’s important questions are contained within.

Today’s information security headlines brought the news that HP has signed a definitive letter to acquire SPI Dynamics, a web application security company based in Atlanta. I have to admit that it wasn’t shocking news, as I have been an advisor to SPI since 2003, or about a generation ago in infosec time. The news is somewhat bittersweet: my daughter graduated from high school last week, and now SPI has graduated from the security venture community to become a part of the Fortune 500. But graduations are mostly happy times; the part of you that doesn’t want to let go of the past is outweighed by the excitement at seeing what the future will bring. The excitement I hold here is to think about how much better off we will all be in surfing an Internet in which SPI has a greater influence. As successful as SPI has been as an independent company, its solutions have truthfully only been used to secure a small fraction of the web applications that are out there, and I expect that HP’s market-leading position with its Quality Center software will change that equation dramatically. But I want to reminisce just a bit; I think SPI’s story has some good lessons, whether you want to be an entrepreneur or you are a security architect developing a strategy.


Stop Complaining and Adhere to PCI

By Ira Winkler

I was struck by the cluelessness expressed by “vendors” with regard to their attitudes about adhering to the PCI standards. The specific article is from ComputerWorld.com

Basically, the vendor statements say that adhering to PCI requirements does not help them serve their customers. This is insulting to people’s intelligence. They also claim that it doesn’t help their bottom line. The PCI group is protecting its own bottom line, not the vendors’, because clearly the vendors have caused billions of dollars of problems for their customers, banks, and credit card processors.

Given the hundreds of millions of credit cards that have been compromised due to vendor negligence, it is about time that action was taken. The opportunity for self-regulation has long passed, with consumers eventually footing the bill. Fundamentally, vendors have reaped enormous benefits from taking credit cards. It is now time to accept the fact that there are costs associated with all benefits.


Neupart expands in North America

Industry leaders join Neupart’s management team, advisory board and launch educational series

By Jim Reavis (Shameless plug, but hey, it’s MY site - let me know if you want to get involved)

Seattle, WA and Copenhagen, Denmark – June 12, 2007 – Neupart A/S, an industry-leading information security risk management and awareness company, today announced the expansion of North American operations and the formation of Neupart Inc, based in the Seattle, Washington metropolitan area. The business expansion is being fueled by a growing market for security policy automation, standardization and compliance management tools, as well as by an increasing customer demand for security awareness, notification and education solutions that can be customized to meet client requirements. Neupart’s expansion coincides with the recruitment of several industry experts and leaders to the Neupart team in the U.S.


Canada Revenue Agency Training Identity Theft Victims

By Kurt Seifried (kurt@seifried.org)

So first a little background: I got married about 6 months ago.

So my wife gets a phone call on her cell phone from someone at the Canada Revenue Agency (“CRA,” the Canadian version of the IRS) looking for “Mr. Kurt Smith” (Smith being her maiden name for the purposes of this story). The caller wants to confirm my mailing address and some other details. Now this doesn’t make a whole lot of sense, since my name is normally “Kurt Seifried” (it’s what all my underwear says) and my accountant usually acts as my interface to the CRA.

Sound familiar? Sort of like... you know, a phishing email?



Insider Threats Podcast

I enjoyed sharing war stories on this podcast for PGP; names were changed to protect the innocent (and sometimes ignorant). Listen to it here.