2009 | Branden R. Williams, Business Security Specialist

Really Peter? 219K Sites? standard

I’m not Seth Meyer. I’m not a television star. I don’t have a team of writers feeding me stuff on cue cards. That said…. According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting “there are probably 219,000 sites with outdated SSL certificates.” Probably. Fred, who rounded the original 219K figure from Peter up to 250K in his posting, goes on to describe the “bit of math” that Peter used to come to this conclusion using data from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report by Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. So then Peter does ...

From the Vault standard

Rick Moy and I sat down at the PCI Community Meeting in Orlando and discussed some of the trends that we see for PCI. While this video was created almost six months ago, the content is still relevant! The audio is a bit low, so you will need to get some headphones or just turn the volume up. There are no mean tricks like a scary zombie screaming or anything, so you should be safe. Just remember, all of your OTHER audio will be much louder too. Just saying, don’t spit out your coffee because Outlook reminded you of something. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the ...

Does your data flow free? standard

The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes. HALF! That is a BIG problem. Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help! Yes, VeriSign has a service that does this… OK, shameless plug complete. Where do you start? In an article that I published last year entitled, “Data Flows Made Easy,” I detail an adaptation of the Design Structure Matrix that can be used to help ...

Want more information on Heartland’s breach? standard

Anton Chuvakin has assembled three fantastic roundup posts that pull both news articles and prominent bloggers opinions together for a couple of hours worth of reading (if you hit everything). Check them out: On Heartland I On Heartland II On Heartland III Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down

January Issue of Herding Cats now online! standard

This month’s article entitled “Trust THIS” tackles Trusted Computing and the role it might play in corporate security today. There’s a mini iPhone rant in there… and while I don’t have one (yet), it certainly would irk me if I did. Click here to read Trust THIS, or go see the whole repository of articles! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug

End to End Encryption is NOT the PCI Silver Bullet! standard

Evan Schuman of StorefrontBacktalk has a pretty shocking article today. Apparently, the Heartland malware hid in the unallocated file space. Right on the heels of my last blog post too. Nuts. Our forensic examiners at VeriSign look for this type of malware during every investigation because it is not a new trick. It surprises me that it was almost missed. Even still, I stand by my original premise which is that the standard (properly implemented) would prevent this. In order to get the malware on there, a software flaw or credential had to be exploited. Both of those vulnerabilities are addressed by PCI-DSS. What is more troubling is the same noise that came out after the Hannaford breach last year. ...

What CEOs (and CISOs!) Can Learn from Heartland standard

It’s one week later. With limited public announcements, what is this post going to tell you? Well, let’s start off by stating what it won’t tell you. You won’t find any gory details about the breach or the other parties involved. You won’t find anything here that cannot be deduced using public information sources. You won’t find anything here that has not been stated before. So what use is it? How about we assemble some key points and do a little bit of analysis to understand how something like this can be prevented in your company. According to the original press release, the investigation uncovered malicious software that compromised data that crossed Heartland’s network. Before we start attacking PCI and ...

PCI Compliant Companies Don’t Suffer Breaches standard

We’ve got another one in the news. Heartland Payment Systems recently reported a breach that may have affected up to 100 million cards. That’s a lot. Heartland joins another elite group of companies that suffered a breach, but was also validated as compliant by a QSA. I want to make something very clear in this next paragraph, but before I do, none of the comments here should be tied directly to any incident that has been in the news. We keep our customer lists private unless we get permission to use one as a reference. There is a big misnomer out there that needs to be cleared up. I’ve even written about it before in this blog. In our investigations ...

Discover Matches Merchant Levels (pretty much) standard

James DeLuccia IV noticed that Discover has officially matched their merchant levels to Visa (sorta). While this is a big step for Discover, I think most will find that they become Level 1 merchants of Visa before they become Level 1 merchants of Discover. There are exceptions. Some merchants are exclusively Discover. Those merchants will have to double check their levels (if Discover has not already told them they are a Level 1) to see if they have new compliance requirements. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN ...

Free Compliance Webcast! standard

Greetings all! Join me for a Free Compliance Webcast put on by BrightTALK! I’m one of the featured speakers and will be discussing “Beating PCI in 2009!” You can review the agenda and register here: http://www.brighttalk.com/webcasts/2158/attend. You should also be able to look below this paragraph and log in and register there! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down

Yearly Archives2009