Yearly Archives: 2009

Sanity DOES Exist!

I know, it seems rare when we find it. I would have been hauled off a long time ago and locked in the loony bin if I had stopped down every insane security discussion I was having by screaming SERENITY NOW! I spoke with a retailer this morning that started a conversation with “We do security in an unconventional way.” At this point, my finger is moving toward the giant eject button I carry with me for situations just like this. Think about the “Easy Button,” but instead of easy, it says EJECT and flies me far, far away. Then the individual surprises me and says, “We treat our network as compromised instead of trusted, and adjust our security practices and ...

Time to get caught up!

I’ve been lazy lately. Well, not lazy, just busy. I forgot to put up links to the Feb edition of Herding Cats! This one is entitled, Cloud Computing is Heavy, where I throw a little spin on the security of Cloud Computing. Fun stuff. Also, look for an upcoming surprise in the next issue of the ISSA Journal!

The Problem with PCI

Uh oh, is he really going to go there? No way… he can’t go there! YES! HE IS GOING THERE! One thing that cracks me up about reading blogs on PCI is the massive number of individuals who have no idea what they are talking about. Just like that vendor that you run into at RSA that says “I SOLVE ALL PCI PROBLEMS! I AM A SILVER BULLET,” there are those out in the blogosphere that throw out claims without substance and pure drivel. Some even do it so well that the media will run with the claim. Like the so-called “second processor breach” of last month. Actually, that makes me laugh more! There have been people that argue ...

Funny how??!

I’m too tall to even come close to pulling off Joe Pesci. So just think about the scene in Goodfellas where Tommy DeVito is pulling Henry Hill’s leg in the restaurant. How am I funny?! Anyway, if you are looking at my blog and you see a little badge on the upper right with a link to the Social Security Award and are wondering what that funny business is, I’ll tell ya! The Security Blogger Meet-Up at RSA is coming soon, and they are going to have some awards this year! There are five awards that will be given out. They are: Best Security Podcast – Who is the voice you listen to week after week? Best Technical Security Blog ...

The Threat You Forget

Here’s a rare one from me, some Friday Night blogging! Why are you so lucky as to get this? Because I didn’t have time to do it yesterday! In speaking with a customer today, I remembered something that many companies (not this customer) are missing when it comes to building secure and compliant environments. It’s really a scope creep issue when you look at it. Unfortunately, a very dangerous one. What could this mystical threat be? That of core systems. Those systems that provide IT services to the larger server population. Here are a few systems to think about: Domain Controllers, Anti-Virus Servers, Log Aggregators, Patch Management, Remote Access, Network Monitoring. Why are these a threat? Let’s take a look ...

Satellite Hacking on the Cheap

Are you one of the many companies that rely on satellites to communicate with your, uh… satellite offices? We security professionals often ask hard questions about how that data is protected en route and usually are quickly dismissed with a “Oh, it is too hard to do and would require a six-figure investment in hardware to accomplish.” Well, thanks to Adam Laurie, you can do it for around $1,000! If you are relying on satellite communications, you should now be asking those hard questions of your provider, and making sure that you have acceptable encryption on those lines preventing someone from intercepting or injecting traffic into that stream.

New Data Sheet on PCI Program Management

Ever wonder how you can bullseye the moving target that is PCI? It’s possible! Many of our customers are rolling out our program to do this. You have often heard me talk about our PCI Program Management service that was developed based on our customers asking for ways to sustain compliance and security between assessments. BitPipe now has our PCI Program Management Services data sheet available for download. Go check it out!

Rolling the Dice on PCI

Here’s a line you have heard many times–“but wait, don’t look at this in black and white. You have to take a risk-based approach.” We hear it all the time as a QSA. Sometimes there is a legitimate reason to take a sane, risk-based approach. In fact, the Council tells QSAs that PCI must be applied using a risk-based approach. That allows for some latitude in some areas, but can create problems in others. Wait… problems? Why problems? We don’t have a single, industry-wide risk model to measure risk. This means that each QSA is empowered to use their discretion on how to measure and accept risk, leading to variance in interpretation and opinion shopping by companies hiring a QSA. ...

Payment Security Professional of the Year

It’s official, I was selected as Payment Security Professional of the Year by the Society of Payment Security Professionals! The Society has gained a ton of momentum in the industry and launched their two excellent certifications, the Certified Payment-card Industry Security Manager (CPISM), and Certified Payment-card Industry Auditor (CPISA). If you are looking to get into this industry, or work for a company subject to PCI compliance and have responsibility for PCI, you should have these certifications. This training is better than the training that we receive as QSAs for a few reasons, but mainly because it covers a much wider base than just PCI-DSS. Anyone that has heard me speak about the negatives associated with a breach and/or non-compliance ...

QSA Requal for 2009, DONE!

I’m sitting in my big metal tube ready to depart ORD for DFW. Thank you to the Council for putting together our requalification training! We enjoyed our new trainer, Jeff Foresman, and I thought of several good blog posts for next week. Don’t worry Bob… I won’t bust a copyright 🙂 Look for some posts next week about how things will evolve over 2009, and some thought provoking discussion (hopefully) on the acceptance of risk and rolling the dice!
