Monthly ArchivesFebruary 2009

The Threat You Forget standard

Here’s a rare one from me, some Friday Night blogging! Why are you so lucky as to get this? Because I didn’t have time to do it yesterday! In speaking with a customer today, I remembered something that many companies (not this customer) are missing when it comes to building secure and compliant environments. It’s really a scope creep issue when you look at it. Unfortunately, a very dangerous one. What could this mystical threat be? That of core systems. Those systems that provide IT services to the larger server population. Here are a few systems to think about. Domain Controllers Anti-Virus Servers Log Aggregators Patch Management Remote Access Network Monitoring Why are these a threat? Let’s take a look ...

Continue Reading

Satellite Hacking on the Cheap standard

Are you one of the many companies that rely on satellites to communicate with your, uh… satellite offices? We security professionals often ask hard questions about how that data is protected en-route and usually are quickly dismissed with a “Oh, it is too hard to do and would require a six-figure investment in hardware to accomplish.” Well, thanks to Adam Laurie, you can do it for around $1,000! If you are relying on satellite communications, you should now be asking those hard questions of your provider, and making sure that you have acceptable encryption on those lines preventing someone from intercepting or injecting traffic into that stream. Possibly Related Posts: Improve Outbound Email with SPF, DKIM, and DMARC What’s the ...

Continue Reading

New Data Sheet on PCI Program Management standard

Ever wonder how you can bulls eye the moving target that is PCI? It’s possible! Many of our customers are rolling out our program to do this. You have often heard me talk about our PCI Program Management service that was developed based on our customers asking for ways to sustain compliance and security between assessments. BitPipe now has our PCI Program Management Services data sheet available for download. Go check it out! Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization? Is All Good News REALLY Good News?

Continue Reading

Rolling the Dice on PCI standard

Here’s a line you have heard many times–“but wait, don’t look at this in black and white. You have to take a risk-based approach.” We hear it all the time as a QSA. Sometimes there is a legitimate reason to take a sane, risk-based approach. In fact, the Council tells QSAs that PCI must be applied using a risk-based approach. That allows for some latitude in some areas, but can create problems in others. Wait… problems? Why problems? We don’t have a single, industry-wide risk model to measure risk. This means that each QSA is empowered to use their discretion on how to measure and accept risk, leading to variance in interpretation and opinion shopping by companies hiring a QSA. ...

Continue Reading

Payment Security Professional of the Year standard

It’s official, I was selected as Payment Security Professional of the Year by the Society of Payment Security Professionals! The Society has gained a ton of momentum in the industry and launched their two excellent certifications, the Certified Payment-card Industry Security Manager (CPISM), and Certified Payment-card Industry Auditor (CPISA). If you are looking to get into this industry, or work for a company subject to PCI compliance and have responsibility for PCI, you should have these certifications. This training is better than the training that we receive as QSAs for a few reasons, but mainly because it covers a much wider base than just PCI-DSS. Anyone that has heard me speak about the negatives associated with a breach and/or non-compliance ...

Continue Reading

QSA Requal for 2009, DONE! standard

I’m sitting in my big metal tube ready to depart ORD for DFW. Thank you to the Council for putting together our requalification training! We enjoyed our new trainer, Jeff Foresman, and I thought of several good blog posts for next week. Don’t worry Bob… I won’t bust a copyright 🙂 Look for some posts next week about how things will evolve over 2009, and some thought provoking discussion (hopefully) on the acceptance of risk and rolling the dice! Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization? Is All Good News REALLY Good News?

Continue Reading

Really Peter? 219K Sites? standard

I’m not Seth Meyer. I’m not a television star. I don’t have a team of writers feeding me stuff on cue cards. That said…. According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting “there are probably 219,000 sites with outdated SSL certificates.” Probably. Fred, who rounded the original 219K figure from Peter up to 250K in his posting, goes on to describe the “bit of math” that Peter used to come to this conclusion using data from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report by Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. So then Peter does ...

Continue Reading

From the Vault standard

Rick Moy and I sat down at the PCI Community Meeting in Orlando and discussed some of the trends that we see for PCI. While this video was created almost six months ago, the content is still relevant! The audio is a bit low, so you will need to get some headphones or just turn the volume up. There are no mean tricks like a scary zombie screaming or anything, so you should be safe. Just remember, all of your OTHER audio will be much louder too. Just saying, don’t spit out your coffee because Outlook reminded you of something. Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to ...

Continue Reading

Does your data flow free? standard

The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes. HALF! That is a BIG problem. Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help! Yes, VeriSign has a service that does this… OK, shameless plug complete. Where do you start? In an article that I published last year entitled, “Data Flows Made Easy,” I detail an adaptation of the Design Structure Matrix that can be used to help ...

Continue Reading

Want more information on Heartland’s breach? standard

Anton Chuvakin has assembled three fantastic roundup posts that pull both news articles and prominent bloggers opinions together for a couple of hours worth of reading (if you hit everything). Check them out: On Heartland I On Heartland II On Heartland III Possibly Related Posts: PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Should you be a PCI Participating Organization?

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!