Monthly Archives: September 2008

PCI-SSC, you are such a tease.

I wandered over to the PCI-SSC site today and noticed that they have reposted the press release from August 18 reminding everyone that the new version of the standard will be announced TOMORROW. Thanks for the reminder; I’m pretty sure we all have that date etched into our brains via green laser. Tease….

Thank you PCI-SSC and Orlando!

The US PCI Conference is now over, and what a quick two days. There are many changes coming for the new standard, and I’m very excited about talking to you all. We are putting together a webinar to discuss, in detail, the changes that you will be facing. Look for an announcement on that soon. It was great talking with many of you about the issues that we all face every day. I look forward to talking again soon and helping you build creative solutions to these challenges. Oh, and a quick tidbit for you all. If you get a business card from a processor, sometimes even when you put it in a blazing fire pit, it will not burn! ...

LiveBlog: PCI 1.2 Review, On to the break!

OK, the questions have not been really earth shattering. I’m heading to a customer call in a few, so will not be live blogging the latter half. We do have coverage and I will post anything crazy here shortly.

LiveBlog: PCI 1.2 Review, Anti-Virus

We’re just reviewing these changes and before hundreds of people queued up at the microphone, the intent of the change is to prevent an “automatic exclusion” of Unix or Mainframe technologies. Looks like Anti-Virus is now a case-by-case basis for review. My opinion is that ANY desktop computer with access to the internet should have A/V on it as it is at a higher risk for compromise. In some cases there can be exceptions, and technologies like Solidcore and/or Bit9 can be excellent compensating controls.

LiveBlog: PCI 1.2 Review, Wireless Technologies

Clarification that wireless technologies are defined as any point where you make a jump over air. That could include things like Satellite, Microwave, RFID, WiFi, GSM/GPRS, etc. This may become problematic for some users as I believe some QSAs have only been focusing on WiFi and Cellular technologies. The only piece that is somewhat left open here is “carrier-based” technologies. Some network links provided by the Telco include jumps across microwave.

LiveBlog: PCI 1.2 Review… Network Segmentation

I’m sitting here in the back of the session where the 1.2 version of the standard is reviewed, and it looks like Network Segmentation is the stop down. After hearing many people state their case on segmentation, I really have to stand behind the Technical Working Group here. I’m not sure how much clearer it could be made. The standard states that: Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network. The TWG was asked to clarify further and the only ...

PCI-SSC Annual Conference in Orlando!

Are you here? If so, drop me a line! I am here with our PCI Assessment & Remediation Practice Lead, Steve Levinson, and one of our PCI Consulting Managers, Rob Harvey. We’ll be manning the VeriSign booth during the networking hours, so please stop by!

65% of Oracle DBAs’ Pants Are Down

According to this article from Information Week, “only 35% of Oracle users continuously monitor for suspicious activity.” Ouchtown, population YOU, bro. Well 65% of you. Let’s assume that this study is accurate (based on the installations of Oracle that I have seen, I would guess it is pretty close if not optimistic). This means that there are databases out there, probably with sensitive data in them, that are compromised and the DBAs or security teams don’t even know it. Many DBAs simply give up on patching these installations thanks to a rather messy process, so the problem could even be worse. The study specifically states that continuous monitoring (minus a definition on what that means) is performed by 35% of ...

Two weeks until PCI 1.2!

While the official release does not happen until two weeks from today, many key stakeholders now have a copy of the pre-release version. What can you expect? You can expect THIS blogger to honor his NDA! Seriously though, are you ready? Version 1.1 has been around for over two years now (birthday was September 7, 2006), and by now you should have been able to validate as compliant to that version of the standard. If you are still struggling with 1.1, there is good news along with the bad. The bad news is that in some cases your remediation targets may have shifted slightly in one direction. This will apply to you if you have been doing the absolute bare ...

September Herding Cats is available!

Another month, and another dose of brain vomit by me! September’s edition of Herding Cats is entitled, The Softer Side of Security. In here I give you four tips on how to be more effective as a security professional. Yes, the touchy-feely crap has entered our model for success. As a side note, I’ll be writing closer to 750 words of content excluding the bio now. Hopefully that will let me fill all three columns. While you are looking at this month’s ISSA Journal, please also take a look at Bindu Sundaresan & Jennia Hizver’s (two brilliant consultants in our Global Security Consulting practice) new article entitled, 10 Tips on How to HACK the PA-DSS!
