* Posts by Tim Holman

2 publicly visible posts • joined 15 Apr 2008

MoD: We lost 87 classified USB sticks since 2003

Tim Holman

Over-use of secrecy leads to bullethole in foot?

I disagree. Even if secrecy were not involved and this was all unclassified data, there's still no excuse for losing it. The point is, data (of all types) is continually being lost. Losing Top Secret data is pretty bad, but then so is losing unclassified information. Unclassified information could potentially become Top Secret once it's been classified, but the point is, something in the department is broken and staff are unknowingly putting data at risk. USB sticks and PDAs are in common use in the MoD, namely because the desktop/email systems are too locked down and staff's own home PCs or PDAs get the job done quicker. Staff don't realise they are breaking the law.

The good news (I hope) is that the MoD will be unearthing more of these events as it undertakes its action plan in response to the Burton review of April 2008. The bad news is that the press will now run riot over anything the MoD subsequently releases and forums will go wild...

Burton Review:


MoD's response and action plan here:


Line #15 in the Burton Review says it all:

"15. Outside MOD HQ, with a few notable exceptions, there is very limited understanding of the Department’s obligations under the Data Protection Act."


"31 a. Too large and unwieldy. JSP 440, the Department’s chief document on security, runs to hundreds of pages. System and Security Operating procedures are commonly 90-100 pages. The language used is often specialist and impenetrable to lay readers."

Something VERY definitive and conclusive is being done about data protection issues by the MoD. The MoD now have a Head of Data Protection and Information Assurance (as of January 2008).

I know it's too much, too little and probably too late, but I fully support the actions of the MoD in resolving this problem. Just wish they could do it a little quicker... :)

Regulatory compliance 'irrelevant' to security

Tim Holman

No standard is ever 100% secure, but...

..PCI was never intended to make merchants invincible to attack. It does, however, go a lot further than the likes of ISO 27001 and SOX in prescribing some very effective ways in which a small organisation without the money to invest in a CSO can reduce exposure.

Being prescriptive is a drawback - one size certainly does not fit all and many organizations have fallen victim to interpretation issues around the standard and been led into expensive, vendor-laid traps, sponsored by the QSA who has delivered the gap analysis, solid remediation solutions and completed the final audit. Does something sound fishy here?

If you take PCI at face value, which is a top 12 list of things you should do to improve security posture, at mostly a technical level, then I think it serves its purpose very well. Try throwing ISO 27001 at the millions of merchants that present a security risk to the card schemes. It's not going to work - 99% of these companies are just too small and an ISMS cannot be scaled downward to fit.

Fully agreed there are some unscrupulous companies who allegedly force-feed their customers with over-the-top, expensive products or even managed services, but this isn't a problem with the standard, it's a problem with PCI SSC, an infant organization that is supposedly there to regulate the hundreds of firms and thousands of QSAs and make sure they all behave. Taking some firm steps such as separating companies that offer gap analyses and those that can audit and booting useless QSAs off the programme would go a long way.

It is far too easy for a merchant to gain certification - I'm sure there are many merchants who just tick yes to each of the questions, submit their SAQ and get the certification without giving it a second thought. After all, what's really there to stop them? What are the consequences of lying on a SAQ? Will anyone ever find out, or is one merchant safe amongst millions of others...?

Last, but not least, it's far too easy to become a QSA, and even though the QSA programme says that QSAs should not show bias toward remediation solutions from which they benefit, this practice is VERY commonplace. For example, if you looked at a reputable QSA that rhymes with Dave, their salesmen are ONLY incentivised to sell their own remediation solutions and managed services (and heavily, at that). So which side of the fence do you think the apple will fall... ? Even Protegrity could become a QSA (or any other vendor, for that matter). I'm sure they'd make a very good one, too! :)

Come on PCI SSC - pull your finger/s out and start forcing some change before things get out of control.