Interesting post by Michael Dahn at pcianswers.com discussed (again) the difference between compliance and security. Do you know the joke about the difference between a canary? Apparently, its one leg is the same. Well, according to the post, the difference between compliance and security is... there is no spoon. I'm sounding facetious, but the post is actually not bad. Read more…

But actually, there was another part of the post that caught my eye. Its the comments about 'Attack Vector based Risk Management' or 'AVRM'. Not much is said about this except:

This means simply that you cannot economically defend your home until you better understand the evolving threat landscape. For example, if you know that attackers are breaking into cars in your neighborhood and stealing the 8-track players then putting another lock on your front door will not solve the problem. You need to start parking your car in your garage or putting a better surveillance system outside your house. Sure you could build a fortress to keep all your systems inside but that’s not economically feasible (especially these days.)

And later:

Try to imagine a world where there are not QSAs making point-in-time assessments but an internal and ongoing process of review and maintenance. It is only then that you will realise the truth, which is to say that it’s not compliance you dislike but the attackers, and only by understanding their motivations and patterns can you better protect against them.

There's not much more on the topic (anywhere on the net), but it resonates quite a bit with our own thinking about 'Corporate Threat Modeling' (Slides on CTM from CSi NetSec 07). I'd be interested to see more on how this works...

/charl