Monthly Archives: March 2010

Another Security by Obscurity FAIL

I was doing some technical testing for a friend of mine the other day[1], let’s call him George, and came across yet another bad example (or a good one, depending on how you look at it) of security by obscurity failing miserably. George just set up his first online service portal for his customer base. He runs a Pro Shop for a small, independent country club and is trying to cut back on costs. He decided to invest in a simple online tee-time reservation system and move all of his reservations there. He went to a managed service (one he probably found via the same method in the footnote below) to handle this for him, and they fired up a small blade with a basic Linux installation. ...

The Mistakes QSAs Make

Aside from a rather embarrassing moment last night with Keynote[1], I spoke to a local group of PCI DSS enthusiasts about the mistakes that QSAs make and how to deal with them. I came up with several, but I would really like to see what YOU FOLKS out there think! Submit comments below, anonymously or with your name, either way. This is open to anyone: QSAs, ASVs, acquirers, issuers, merchants, service providers, ISOs, security professionals, PCI HAY-TAHs, payment brands, Council members, Jim, forensic investigators, and other PCI experts. Don’t worry, we’ll find time to pick on others as well, but for today, let’s focus on this. What I’m not looking for is “X QSA said that two-factor authentication had to be ...

More Advice When Using Public WiFi

Scott Carmichael from the great travel blog Gadling published a post yesterday with tips on keeping your data safe when connecting to public wireless hotspots. There are some really good tips for everyone there, but I wanted to add to a few of the options. One of the recommendations is to get a 3G or 4G data card. In working for a Telco for a few weeks, I did learn a thing or two about these networks and how employees’ laptops can be locked down almost to the point of being unusable. This is definitely a fantastic recommendation, but it has two key drawbacks: cost and usability. While data cards can be obtained reasonably cheaply, and depending on how you connect to the internet ...

Sample Book Chapter Posted!

Does anyone know I didn’t write a book with Anton Chuvakin last year? If not, I’ll tell you ALL about it. OK, seriously, I know I’ve talked a lot about it here. If you have not bought it and are still skeptical, go check out the sample chapter we have posted on CSO Online. This chapter, entitled “The Art of the Compensating Control,” is an expansion of the article of the same name. There are some case studies at the end and more details on compensating controls. If you are like most people dealing with PCI, you have probably lived the compensating-control euphoria turned nightmare turned compromise. If you still have not bought one and want a chance to win ...

Securing Your Social Networking Brand

This post originally appeared on Jennifer Leggio’s Social Business blog at ZDNet (now with more links!). Social networking sites as innocent as LinkedIn and as provocative as Twitter (have you seen my stream?) have become a personal branding vehicle for many professionals. Some of us have had the unfortunate experience of losing a job we barely had thanks to social networking. Others have seen it as the boost to their career they have been wanting for years. Let’s talk about security in the context of the latter. When I moved my blog to a setup I administered myself, I made two commitments. The first is that I would make frequent backups, because there has yet to be a ...

Herding Cats March: The Business of Security

Have you checked out ISSA Connect yet?  The next issue is up there with my column, The Business of Security.  In it, I discuss the business side of security and the transition that has to happen for security leaders to be more effective and valuable to their corporations. If you are a member, log into ISSA Connect and join the discussion!  Interact with great professionals globally as well as the authors that you enjoy reading every month.  If you are not a member, go sign up!

The Social Security Office, an Identity Thief’s Heaven!

My wife is not into technology. Or security. Or UNIX. Basically, she looks at her MacBook as a way to check email, buy shoes, organize photos and videos, and make checklists for the babysitter. So when she takes an interest in what I do, I REALLY perk up. She is very attentive to the things I do with our mail and sensitive information, only because she hears me talking about it all the time. She knows not to give out passwords or personally identifying information. She shreds expired cards and junk mail. She’s definitely more in tune with security than the average citizen. We recently noticed a reporting error from the Social Security Administration, and the only way to clear ...
