Monthly Archives: April 2010

To Europe: Have You Found Your QSA?

I’m writing this from the lovely (and quite steamy today) Terminal 3 of London’s Heathrow Airport after spending a week talking to clients, partners, and industry professionals about information security issues in Europe. It’s clear that PCI DSS is one of the biggest issues facing security professionals in Europe, and will likely dominate many of their lives for the next 12-24 months. My question to you is, “Have you found YOUR QSA?” PCI DSS is something we’ve lived with for many years now in the US, and if there is any piece of advice that I’d like to impart to my friends across the pond, it’s that your most important investment will be a good quality QSA to guide you ...


Pushing Virtualization to the Store

One of the key areas that stands to benefit from wide adoption of virtualization is the retail store front. It’s an expensive road to get there, but would be a long-term benefit to retail. Why is it expensive? For one, you have the problem of scale. It’s difficult to stomach an investment that requires touching all of your stores. The long-term benefits can be substantial depending on how you approach it. If you touch all of your stores ONCE with an upgraded, beefy machine that can run a hypervisor, you can continue to stand up and offer new services for quite some time without physically touching your stores. This can be a huge benefit for companies looking to roll ...


Views on Application Security

I had an interesting conversation with a client the other day, and while shocking at first, it made a ton of sense long term when looking at how to apply security controls to assets based on risk. I’ve blogged and written about things like this in the past, but the concept was interwoven as a theme to a different concept, or altogether buried under links to YouTube. The conversation was with a customer that wanted to put out a small informational site in support of a minor product feature, but also wanted to have the ability to dynamically update content through a web browser from anywhere in the world as he and some of his less technical staff thought ...


Avoid Looking Like a Rookie

In my recent presentation, “The Mistakes QSAs Make,” one of the mistakes I highlighted is that QSAs will often send the F’ing New Guy (FNG) to perform your assessment. Now before we go bagging on junior consultants, I want to be clear that (most) of these guys are both capable and qualified. Starting this year, new QSAs have to take a closed book exam, which should cause the amount of late night partying and drinking to decrease during training, and push the fail rate up (which is not necessarily a bad thing). Let’s say that you are the FNG. Step Zero to avoiding looking like a rookie is to admit to yourself that you are the FNG. Once you admit ...


Getting Support for PCI DSS

For the record, I LOVE it when people send in emails requesting a specific blog topic. I can’t get to them all, but it sure helps set the direction. The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy-in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...


What’s a Token?

Along with the confusion on the term End to End Encryption, Tokenization (or just simply tokens) is a term used to describe many things. But what is a token really? The PCI Council does not provide any guidance other than the definition for an Index Token in the glossary: “A cryptographic token that replaces the PAN, based on a given index for an unpredictable value.” But even this does not really help us. To make matters worse, the term “token” itself is defined in the PCI DSS Glossary in the context of a 2-factor authentication device like SecurID. I’m going to take a crack at defining it and discussing what the variants might be and how they could be weaker ...


March 2010 Roundup

What was popular in March? Consumer security and various news posts topped the list! I’m also working out the kinks on getting my daily links posted here. Here are the five most popular posts from last month: The Social Security Office, an Identity Thief’s Heaven! You know your spouse cares about your livelihood when she (he) points out massive identity theft opportunities at your local Social Security Office! Check out this wacky story based on my wife’s experience. The Mistakes QSAs Make. This one is a brand new post, but is getting a ton of attention. Well, it’s getting reads, but NO COMMENTS! I need your comments folks! I presented to the DFW PCI group my thoughts, but want to ...


Herding Cats April: Spread the Disease

Have you checked out ISSA Connect yet? The next issue is up there with my column, Spread the Disease. This issue’s theme was the Psychology of Security, and I decided to compare the thought process behind security to a psychosis. It’s fun! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, go sign up!


Key Logger Attacks on the Rise (this is no joke!)

Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of key logger and screen capture attacks. I went back looking through my archives to see if I’ve written about this danger before, but I think my examples are ones that I typically talk about. But don’t worry, I’ll put one for you here! This particular alert from Visa targets software keystroke and screen captures. At the bottom of page two, Visa puts some MD5 sums for various malware, probably obtained while investigating merchant breaches. They also provide eight mitigation strategies to be used as preventative measures for areas that are likely to be targeted for malware installation. My real world example ...
