September 9, 2009

Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference? According to Oracle, they didn't want administrators to have to choose between installing updates in a timely manner and attending the conference.

That's funny for me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers in a couple of days (the original release was slated for October 13, and the conference ends on the 15th). In fact, between Oracle DBAs and z/OS Administrators, I don't know who wins the prize for yelling the loudest about patching within thirty days.

THIRTY days.

Not two days. THIRTY days. OH the screaming that would ensue. "HOW DARE YOU TELL ME HOW TO PATCH MY SERVERS!! There is NO way I can do it in thirty days! I'M SUING EVERYONE!" *stomp* *stomp* *stomp* *stomp* *stomp* *stomp* *SLAM*.

That was a fun day, and I think that gentleman was reassigned shortly after that outburst.

One of my favorite Oracle installs was a database I was assessing a couple of years ago that had never been patched since its original installation sometime in 2005. In fact, October 2005 was the first quarterly rollup that this particular version would have received, but of course, it was not present on the server.

So while I do applaud Oracle's decision not to make the two events coincide, I think everyone is giggling a little bit in the background because we all know that nobody (ok maybe 1%) patches their production databases within two days of their release. Sure, starting the process, but not production.

May 28, 2009

Chuck Lorre is a GENIUS!

But we already knew that. I mean, with shows like the Big Bang Theory and Two & A Half Men, who can deny his genius?

Anyway...

For those of you that own televisions and have already realized his genius, you probably know that at the end of his shows there is a 2-4 second blip where he displays his vanity card. Every episode has a unique one, and as with most things, the first ones were pretty tame, and they get more and more out there with each passing week (see this blog and Herding Cats in the ISSA Journal for additional examples).

Vanity card #221 struck me as something we see in the compliance and security industries. The first part, anyway; the rest goes off on an unrelated tangent.

We have once again arrived at a moment in history where the truth can be defined as "that which you can make other people believe." The methodology for creating that belief is repetition. Say something enough times and it becomes, for millions of people, the truth.

Think about your last compliance or security assessment. Two plus two equals three. Did you expect to find everything totally peachy, but in reality found some nasty holes that nobody really knew about? Two plus two equals three. Did Joe the firewall engineer go on vacation and while he was out, an auditor happened by to review some active firewall configurations? Two plus two equals three. No problem, right? Two plus two equals three. We've passed these types of reviews before without an issue. Two plus two equals three. But after further review, you find several suspicious firewall rules that open up certain ports for certain individuals in certain sensitive areas.

Or how about this? Two plus two equals three. You walk into an assessment meeting with an assumption about a process because you have been told by multiple people that X process works Y way. Two plus two equals three. But then a savvy assessor (or maybe just a bored one) starts asking questions in a certain way that ends up revealing a major gap that went undetected for months, or years. Two plus two equals three. How did this happen? Two plus two equals three. Exactly like Chuck Lorre said it would. Two plus two equals three. Truth became what one person could get another to believe. Two plus two equals three. Why? Two plus two equals three. Maybe it's apathy? Two plus two equals three. Maybe it's a lack of understanding? Two plus two equals three. Every situation is different.

While Chuck refers to things that are not related to information security, the basic principle of his post rings true. Trust, but verify. The phrase, "But, I didn't know!" only goes so far, and won't help you after a breach.

By the way, how much is two plus two?

April 2, 2009

The Art of the Compensating Control

It's April, and what does that mean? It's time for ISSA's 2009 PCI issue! The feature article for that issue is The Art of the Compensating Control. You can download this version from the website, even if you are not a member, at http://www.issa.org/Members/Journal.html for the rest of the month. If you are reading this after April 2009 and want a copy, let me know.

You readers of the blog are going to get a special treat! The original article was much more casual and entertaining than what we ended up publishing in the Journal. Thom reviewed the first final draft of the article and said that it was much too casual. He was absolutely right. I can't tell you what a joy it is to have a fantastic editor working on your behalf to make sure the best possible quality product is published.

Wait, something's missing. I said you are in for a special treat and all I did was gush over my editor... hrm... what was that treat....

OH YES! I will be posting the original, un-cut, un-censored article RIGHT HERE on the blog over the next few weeks! The original article will be broken into six individual posts that will be put on this blog every Monday and Wednesday for the next three weeks starting on April 6. By the end, I'll have a link to both versions of the article for your downloading pleasure!

I hope you enjoy reading it as much as I enjoyed writing it!

March 23, 2009

May have to pick up a new hobby...

From the greatness of xkcd.com.