Monthly Archives: July 2008

DNS, Schmee-enn-ess

OK, yeah, that was a reach. As long as it makes me giggle, things will be just fine. I assume most of you are away from your RSS readers this week because you are furiously patching your DNS servers. The attack is actually quite genius, and continues to demonstrate the inordinate amount of trust we place in servers and data that should not be trusted. The details of how the attack works can be read in the above linked article if you are interested. You probably don’t have the time right now because you are rushing to patch though. Bruce Schneier takes this opportunity to lash out at the patching process. While some security pundits don’t take Bruce seriously, he’s ...

Oracle Zero Day

ZDNet is reporting that Oracle has released an emergency patch today, the first out-of-band patch it has released since moving to a quarterly update cycle. I can just hear the Oracle DBAs of the world screaming and bitching about this. I know the Oracle code base is mammoth, but wouldn’t it be nice for them to do a full security code review (which VeriSign’s Enterprise Security Services group offers) to shore up some of these things. I don’t think anyone at Oracle is delusional enough to believe that they are extinction proof, but something like this may go a long way to ensure that the tusky software giant remains in play well into the future.

The Land of Oz

No, Toto is not coming. I’m referring to Australia! I’ll be making a trek down under in August to discuss PCI with banks and merchants alike. If you are in the area and want to meet up, please drop me an email! Hope to see you there!

PCI Council announces DSS Lifecycle

I have to admit, I needed some coffee and cobweb remover to decode this message from the Council this morning. They posted their Lifecycle Statement on the standard yesterday. After reading it a few times (and having a cuppa), I believe what they are trying to say is that there will be a new version of the PCI-DSS every 24 months. If you see a major number incremented (say 2.0 from 1.X), it is considered a new version. If a minor number is incremented (say 1.1 to 1.2) it is a revision. Regardless, you still have to do it and you will have some amount of time to implement. The next revision is due out on October 1, 2008 and ...

Confused about DLP?

Don’t worry, you are not alone. A partnership of several companies released DLP In Depth today, a website set up to unravel the mystery of Data Loss Prevention (DLP). DLP technologies have been around for some time, but last year we saw a flurry of activity in that market as RSA picked up Tablus, and Symantec picked up Vontu. At VeriSign, we regularly recommend using DLP products as part of your security strategy. Knowing where your data lives is the first step to being able to secure it. So if you are looking for more info on DLP, go check out www.dlpindepth.org!

Thanks to the EUCI!

Thanks to everyone at EUCI and their great hospitality in Vail. I’m looking forward to working with some of you soon!

Are you in Vail for the EUCI Conference?

If so, drop me a line! I’m leaving the home base here in a few hours to head there for the conference. I will be discussing personally identifiable information and why it is important to secure. After I speak, I’ll be high-tailing it to Denver International to catch a return flight home. Hope to see you there!

Looking for a career as a QSA?

Well look no further! Come join VeriSign’s Premier Global PCI Consulting practice!! If you are a current QSA in good standing, take a look at the job listings below. If you are a security professional that wants to get into PCI related work, we can train you! Click here and enter keywords “qualified security assessor” to learn more!

Herding Cats, July 2008 is out!

Before you click on the link to read the article, I should warn you. Things got a little silly with this one. I even had to edit a cleverly-placed word as my editor threw up a little when he hit publish on this one. SILLY. Anyway… I hope you enjoy the July edition of Herding Cats entitled, The Forward Looking Future! Oh, and it looks like Twitter lost me. I’m there, but you can’t see my updates. *shrug*

Mind the Storefront!

Dave Taylor has another guest post on StoreFrontBackTalk, this one alluding to a lack of audit resources to mind the storefront (like Minding the Gap!). Storefront security continues to be an issue for retailers even outside of PCI. Take physical security for example. Realize that a major retailer’s data center tends to be a hardened facility that is not easily accessed (with the exception of a few notable ones that are for another post). There are security guards, badged access, and sometimes even man traps. Now visit that same retailer’s storefront. You might find accessible Ethernet jacks, or worse, a system room door that is unlocked or left wide open. Walk in there with an official ID and ...
