Monthly Archives: December 2008

When Not to do Forensics

The following is a guest post by Jonathan Care. Jonathan is a Sr. Consulting Manager inside the EMEA practice at VeriSign. Why do we want to do a forensic investigation? The goal of a forensic investigation is to establish certainty of fact in a particular situation, normally as part of an incident response. Therefore one chooses to perform a forensic examination when one needs to establish facts relating to activities performed on a computer. The scenario for forensic computing is usually around a litigation support case, for example, tracing fraud, unauthorised activity, illicit content perpetration, or other computer misuse. Where are forensic investigative results commonly used? Forensic computing reports are normally used as part of a court process, or an ...


Using OpenSource Tools for Compliance & Security

The following is a guest post by JD Smith. JD is a Sr. Consultant inside the PCI practice at VeriSign. PCI DSS 1.2 has several sections that require a security application to be used to satisfy a requirement. Some of these areas are file integrity monitoring, firewalls, encryption, wireless scanners, intrusion detection/intrusion prevention and anti-virus. All of these areas have several tools available to address the specific requirement. However, what if a merchant needs to keep the budget to a bare minimum? What if there is absolutely no way a merchant is able to purchase several of these solutions straight off the shelf and pay the licensing associated with them without severely impacting the business? Open-source solutions exist for practically ...


Deming Points Applied to Security

The following is a guest post by Phil Fuhrer. Phil has many years of experience in the assessment and management of IT systems quality. In addition to his current work at VeriSign his interests include requirements, systems architecture and security technology. Edward Deming is considered the father of statistical quality control. The “Deming Cycle” and his fourteen points for managing quality improvement are the most widely known parts of Deming’s work. The “Deming Cycle” is much like the Systems Development Life Cycle and other methods that ratchet change, allowing continuous improvement. Less well known is Deming’s insistence that effective quality improvement cannot be done without statistically stable quality measurements (Bell Laboratories Deming Quality class about 1996). As a statistician ...


What the new Service Provider levels mean to you!

The following is a guest post by Rob Harvey. Rob is a Consulting Manager inside the PCI practice at VeriSign. ‘Tis the season! Everyone is in the giving mode this time of the year and VISA is no different. VISA announced in the last month a change in the service provider validation levels and reporting. It is also the season for reflecting on the past year and one of the biggest questions we get from our clients is, “Am I a service provider and if so what level do I need to validate against?” Beginning February 2009, VISA will use a modified two level approach for service providers which I hope will add clarity to the question. See the information ...


Happy Holidays to you and yours!

2008 is almost done and the next two weeks hold some of my favorite times of the year. This is my last post for 2008, but don’t stray too far! I have lined up some excellent guest posts for you over the next two weeks. Before I let you go, I wanted to list for you the top X favorite posts from this year. These are posts that I enjoyed writing and in many cases caused some of you to reach out and chat with me! If you are a new reader to this blog, take a tour down memory lane with me! In no particular order, they are: The NRF Goes Past Where The Sidewalk Ends DNS, Schmee-enn-ess The ...


ACK! No browser is safe!!

What a confusing time it is for those of us who just like sitting around all day and poking at the interweb through a browser. We have a rather nasty 0-Day exploit for Internet Explorer roaming around, and Mozilla Firefox makes Bit9’s list as one of the most vulnerable applications in 2008 (surprisingly, IE is not on there). The Internet Explorer 0-Day is so bad that some experts are urging users to switch to another browser. Naturally, the first choice for a number of users would be Firefox. But now Bit9 has released this telling report saying that it was one of the most vulnerable apps in 2008. So where do you turn? Well, the list is not the ...


Something is afoot with Cloud Computing

Something is going on. I don’t know exactly what it is, but all of a sudden I’m hearing more of this buzzword. “Cloud Computing” may be the buzzword for 2008. There are even blogs that dedicate content to it. It sure seems to be thrown around a lot… especially in the economic hiccup we are experiencing right now. Should we blame Gartner for its use? Only for using cloud computing and $3.4 trillion in the same article. I bet that’s the root of the problem. So what is cloud computing? Well, according to IEEE, “Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, tablet ...


Past Issues of Herding Cats now ONLINE!

Herding Cats is the monthly column that I write for the ISSA Journal. If you have read my previous posts on Herding Cats, you probably noticed that the links require membership in the ISSA. If you are a reader of this blog and NOT a member of the ISSA, you should join today. Society membership rant aside, I now have a small page that has all of my past columns and publications for the Journal. Please navigate over to http://www.brandenwilliams.com/brwpubs/ to download those versions! These will be posted one month behind the printed version. Navigate over and enjoy!


PCI 1.2 is taking off!

Less than two months after its release, we’ve seen our first announcement from a company that has become compliant! I think that companies will find 1.2 easier to comply with when they examine it in detail. Have you performed a gap analysis yet? If not, maybe the downtime around the holidays (as long as it does not impact holiday lockdown!) would be good to review your last ROC and see what changes you may need to make!


BUSTED! Why passing the blame for a PCI Breach will fail.

After the year we had in 2007 with PCI related breaches, who would have thought that 2008 would give us more? I mean, after last year, who would have thought that we would see another major breach given the “lessons” we learned? Um, I did. Fo-sho. Why? Because early in my career I learned that most executives don’t care about problems until they hit close to home. Like right under their nose. We’ve seen two instances this year of companies that had validated compliance with a QSA, but were subsequently breached. Without specifically commenting on either of these cases, we have never conducted an investigation of a compromised entity and learned that they were compliant at the time of the ...
