Monthly Archives: January 2010

Healthcare Security, the New Front

HIPAA tried to address it, and HITRUST and HITECH are the newest entrants into the mix, but health care is just the latest example of an industry’s information technology significantly outpacing its ability to secure it.  If you’ve heard me speak on where I think the next big area hackers will go after is, you’ve heard some stories about what I would do if I were the bad guy. Last week I had a routine doctor checkup, and I watched my doctor type in a four digit password to access all of my records (and presumably any record in the practice).  Any security professional reading this has had a similar experience with someone in authority accessing data with weak credentials, and ...


New Ponemon Study (and other fun metrics)

The Ponemon Institute released its latest analysis on the cost of data breaches, and this year they posit that the cost of breaches is still on the rise.  While new legislation and the increased savvy and persistence of attackers continue to drive the cost of breaches up, I also believe that this very same legislation is forcing more breaches to be reported.  If anything, managers should take this information as a sobering reminder that the bad guys are out there and they still want your data. I’ve discussed these studies in the past, and I’m not terribly supportive of one of the key metrics that Ponemon analyzes: the cost per breached record.  Non-security managers (and unfortunately some new security managers) ...


Don’t run IT as a business, run it as a business?

That’s what I felt the theme of Bob Lewis’s article entitled “Run IT as a business—why that’s a train wreck waiting to happen” was.  I understand that having people on different sides of an issue can lead to a more productive result, so this perspective is entertaining if nothing else. At a minimum, reading the article will expose a key problem IT organizations face, but the solution is no different from what vendors propose every single day. Have you noticed the push to “solutions” and “solution-based selling” over the last few years in the IT space?  CIOs don’t give a rip about some fancy whiz-bang technology.  What they do care about is whether you can solve a (business) problem for them.  ...


The Power of Service

There is a book called The Ultimate Question by Fred Reichheld that discusses how all customer satisfaction can be boiled down to one question: How likely is it that you would recommend this company to a friend or colleague? Using the data received from a survey of your customers, a metric called the Net Promoter Score (NPS) is created, measuring your customer satisfaction.  This book was a hit last year, and I even saw the NPS formula used in a kickoff presentation last week. I spent the day yesterday on the road, and had an interesting conversation when I returned my rental car.  Interesting only because I have never been asked the following question before, the topic was fresh on ...


So who wins the contest?

It’s been a month since our new book was released, and it’s time to make good on the little contest I had going here!  Four people responded with the correct answer, and they were numbered based on the order they entered.

1. Lindsey
2. Brothers
3. Bergert
4. Laroussi

And with no further delay, congrats to Mr. Brothers!  He was randomly selected by random.org’s random number generator!  He wins a $30 Gift Certificate to Amazon.com! Congrats, and thanks for reading!


Forrester Unleashes PCI

John Kindervag, prominent analyst from Forrester, released a report this week entitled PCI Unleashed, where he talks history, dispels myths, and gives practical tips for companies trying to get a handle on PCI DSS.  John doesn’t waste any time getting started, and throws out a couple of points to shock the reader.  In fact, I’m kind of shocked they are in there, but it’s refreshing to see an organization of Forrester’s stature putting them into writing. While many agree that PCI DSS should be blamed on the payment brands, John asserts that it should not.  While I agree that the result (the standard itself) should not necessarily be blamed on the payment brands, its evolution is a direct result of ...


The Yes/No PCI Assessment

Chris Mark over at the PCI Answers blog wrote a fantastic post on The Rise of the Defensive PCI Assessment toward the end of last year.  I read it right after he posted it, and knew that I wanted to add to his thoughts.  It’s taken me about this long to get my thoughts together. I’ve been busy! I totally agree with his assessment, and I have run into some situations where this has come up with other QSAs.  Some QSAs have altered their interpretations (or made them more literal, I should say) because they realized that they were interpreting the standard incorrectly, or they priced the assessments so low to get the business that they can’t afford to understand ...


Do Mainframes Get A Pass?

When I first started doing PCI DSS work under the then CISP and SDP standards, one of the biggest problems I ran into was what to do with one of those fancy mainframes.  In this job, you see ALL manner of mainframes.  I’ve seen everything from super shiny, brand new z/OS multiplexes to aging, but functional, Tandems to an OS/390 system that literally had no changes performed on it in more than two years. How does anti-virus apply to those again? I recently fielded a question about mainframes, and whether they still “get a pass” when it comes to certain requirements like anti-virus (Req 5) and encryption (Req 3.4).  As with most PCI DSS interpretation questions, it certainly depends on ...


December 2009 Roundup

What was popular in December? There sure was a lot to talk about.  Here are the five most popular posts from last month:

MasterCard’s Got Its Flippy-Floppies. OK guys, I’m not picking on them.  Seriously.  It’s just been a newsworthy year for MasterCard.  This was a hot topic for companies faced with PCI DSS, including the multitude of new QSAs that started based on their original announcement.

The Book, It’s Out Baby! See!  I wasn’t kidding when I said I was working on a book with Anton Chuvakin.  It’s finally out, and we’re really proud of it!  Click the link above to figure out how you could win a $30 Amazon.com gift card!

Hackers Love Social Media. Social media ...


Kicking Off 2010!

Greetings everyone! 2010 is going to be a pretty interesting year if we can keep this economic momentum going.  Here are a few things to start your year off!

Check out my new article “Will End to End Encryption Save Us All?” where I attempt to define various forms of End to End Encryption (E2EE) and figure out how they could be used to secure PCI DSS related data.

EMC/RSA buys Archer.  This one is a game changer, folks.

The January issue of Herding Cats is also available!  “Corned-Beef PCI DSS” expands and refines a blog post I did here about using hashing as a data protection method, specifically as it relates to PCI DSS (PCI DSS is the focus ...
