From the online mailbag

The November SC Magazine had some of my heroes, like Whitfield Diffie and Martin Hellman, but also missed one I'd like to have acknowledged, namely Shon Harris.

I'm studying for my CISSP right now. I've got two books on my desk, the Official ISC2 Guide by Susan Hansche, John Berti and Chris Hare, and CISSP All-in-One Exam Guide by Shon Harris. The first I use for structure, and the other for content. I can't imagine anyone that has done more for IT security than Shon. Her opinions about the CISSP exam and the CBK are on the mark. Her relentless advocacy of really knowing security and not just the tools has resulted in fostering well-rounded security professionals for decades. Her work and her attitudes toward being grounded in real knowledge (rather than memorizing questions and answers) make her a world-class leader in IT security.

I'm disappointed that your fine publication didn't mention Shon Harris. Perhaps it was an oversight. How many of us (Bank of America, RSA, Defense Information Systems Agency, Department of Defense, West Point, and National Security Agency) owe our careers to Shon's foundational teachings?

Victor Wunschel, Affiliated Computer Services (ACS)

In response to a November 17 news story, Survey finds Mac, PC users are equal cybercrime victims:

One of Apple's marketing lines for Macs has been that they do not suffer from the same virus infections that PCs have. This clearly has nothing to do with Macs being more stable than PCs, it is because fewer people own Macs than own PCs. Cybercriminals are looking to infect as many machines as possible because this is how they create profit. It only makes sense that they would create viruses and other malware specifically designed for the Windows operating system. There are more Windows users, so there are more potential cybervictims and more profit to be made out of attacking Windows users. But that tide seems to be shifting.
Tim Cronin

Maybe criminals will target Mac users next when they realize Mac users are normally loaded with cash, and more artsy than techie.

In response to Tim Cronin: while it is true that fewer people use Macs (roughly eight to 10 times fewer Macs than PCs), the ratio of PC viruses to Mac viruses is far greater (thousands to one). Macs have fewer viruses than other Linux- and Unix-based platforms with far smaller user bases than the Mac has, so it's not just number of users either.

In response to an Opinion, The data discovery challenge, by Prat Moghe, CEO, Tizor:

Pretty cool stuff. Hey, do you know any data discovery tools available in the market?

Yes, Imperva offers a solution for data discovery and assessment. The solution will discover databases on your network, classify the data they hold and assess their vulnerabilities. This allows you to manage different data classes by the type of risk they are exposed to.

You can also include DAM (database activity monitoring) and DBF (database firewall) to protect that data. Through the integrated SecureSphere Data Security Suite, you can implement a complete data security and compliance lifecycle.

Application Security has an awesome product called Appdetective Pro. We use it extensively in our audit process.

Schema Detective from Orbium Software lets you find your sensitive data, as well as its application relations (i.e., applicative foreign keys).
Mike Oren

Check out Identity Finder. It's a very, very effective solution for finding all types of sensitive data and even provides tools to help secure the data. It also searches remote machines without an agent, so is ideally suited for large organizations.
Michael Doherty

In response to a November 19 news story, Health insurer Health Net loses 1.5 million medical records:

Health Net is not telling the truth. This data can easily be viewed in any TIFF viewer.

Unfortunately, breaches like this will happen. Hard drives are lost or stolen and information is lost. This is why it is important to encrypt stored data whether it is stored offsite or onsite.
Tim Cronin

In response to Dan Kaplan's feature story, Seizing management power, in November:

Dan, good article. Seizing power is not the same as keeping it though. The funny thing about the CISO position is that unless mandated to have one by statute (feds), they come in, they put a program in place and they move on. How many stay beyond a year or two at most? This is why I think the CISO role is best filled by a consultant who comes in with a pre-defined and approved blueprint and methodology and fixed price. I have written more on my blog at www.ashimmy.com/2009/11/seizing-management-power-is-not-keeping-it.html.

Alan Shimel

The opinions expressed in these letters are not necessarily those of SC Magazine.