central iowa security geeking out rundown

You’re moving to Iowa and you’re a security geek. Or you’re new to the profession and looking to get on with your career. Where do you go to hobnob with your people? Here’s a quick 2017 rundown of what I know about the central Iowa/Des Moines security scene.

SecDSM – Probably the most informal of the groups here and stays vendor-neutral. Has a Slack that I’ve not visited. No registration, so just show up! Meetings are after working hours.
ISSA – 4th Monday of every month, meetings should usually be open to the public.
ISACA – third Tuesday of every month, meetings do often have a door fee attached, with discount for ISACA members.
Infragard – most meetings require pre-vetted membership, so inquire before attending. Background check is part of the vetting process.
ISEAGE Red Team events – get yourself on the mailing list for invites to join the red or blue (green?) teams at the regular events hosted every year in Ames (usually) for high school and college-level competitions.

BSidesIowa conference – April 22, 2017 (Saturday)
SecureIowa conference – October 3, 2017 (Tuesday)
DataConnectors – traveling tour of security presentations and marketers, which just visited Des Moines earlier this month.

And here are some local-ish businesses and friends that make for great places to check into for upcoming events beyond those listed above. I know I particularly love seeing a major geeky movie at Flix Brewhouse for free with my friends and co-workers!
AOS
Integrity
IPPathways
OneNeck
Cisco West Des Moines Office (I don’t actually know how to track this one. I usually hear about it through the grapevine…) If you’re a purchaser of Cisco products, check with your local rep/seller to get on this mailing list!

What else is sort of nearby? Typically, events in Cedar Rapids, Iowa City, Ames, Omaha (NE), and Kansas City (MO) are attendable if you don’t mind the various drive distances. Chicago (IL) and Minneapolis/St. Paul (MN) regions are also doable.

And, if nothing else, there are tons of places to hang out, have fun, or eat sushi (or anything else) and drink away some security frustrations with small groups and friends.

it is still not time for pci dss to die

Saw an article saying that Arby’s has reports of a mid-January data breach of more than 350,000 credit and debit cards. This echoes a breach from 2016 by Wendy’s. I would link to this article, but it’s not necessarily a source I usually look at. If I find this mentioned elsewhere, I’ll add the link. If true, I’m at least interested in the short gestation time for that malware being present and someone noticing it! (Just like every breach, I’d love the full, un-redacted story from infection to discovery so I can gauge how truly impressed I may or may not be.)

One comment I noticed asked whether it’s time to ditch the useless PCI framework and get back to real security.

That’s a good question, and an easy answer for any company that is already enlightened about digital security.

But many are not, and PCI has been the only driver for any type of interest in security. Granted, those companies may still just be filling the checkboxes of the PCI requirements and not really doing much of anything of real ongoing value, but it does do a few things.

First, it mandates pen tests and third-party examinations of an environment. You’re still only getting what you pay for, but this could at least expose some low-hanging fruit.

Second, it gets a few extra tools in place that a company may normally not even bother with, such as IDS/IPS and code reviews or a WAF or firewall rule reviews. How many SMB environments run any sort of vulnerability assessment internally if they’re not asked to by a regulation? Very few. And those reports expose many small and large issues that can be fixed for little effort and high value.

Third, some of these checkboxes are in part driving the UTM market and other conglomerated boxes that combine many tools into one pane of glass and management umbrella. This is (arguably) good for everyone, and especially so as prices go down (a little) and quality goes up (a little), particularly in comparison to an environment that just has outdated antivirus, an old firewall, and nothing else.

Security efforts (and even things like making sure backups are successfully created) are things that almost always fall into second place behind revenue-generating events or tasks that support revenue generation. They just get done “tomorrow.”

We also need to remember that PCI DSS was created more to cover the butts of the card processors than it was to protect merchants and end-users. It’s also not the ultimate answer to security; it’s a framework that needs to be implemented properly for an environment and continuously effective. So maybe crying about the state of PCI isn’t even the correct place to be looking.

And no discussion of this topic would be complete without diving into the world of cyber/data breach insurance. If we don’t want to abide by rules, maybe we’ll just start eating the costs and call it part of business lumped into the insurance payments.

And lastly, it’s our duty in security to accept the axiom that breaches are inevitable. Even if you have a great security team or follow PCI DSS to the letter, you still have to assume a breach will occur. Hopefully many are prevented and the successful ones are detected and mitigated quickly.

If someone wants to say PCI DSS is useless, I’d really want them to offer up alternative solutions that can be applied to enterprises in many industries and of many sizes. Don’t just say, “Do *real* security now.”