Monthly Archives: May 2010

Why ISAs are Good for QSAs

The PCI Security Standards Council recently announced their Internal Security Assessor (ISA) program [1], and it seems like the response is overall positive. I have spoken to a few QSAs who are afraid this may contribute to a decline in the business, as there is dissension in the ranks of those being assessed [2]. ISAs are GOOD for QSAs, and as a QSA you should prefer to assess companies that have installed them in their teams. I was speaking to a colleague late last year at a PCI gathering and he mentioned that his last internal PCI assessment consumed over 3,000 hours. Three thousand hours, folks. This was not a giant company either (Level 1 merchant). Using standard consulting rates, you are ...


A Facebook Reality Check

It has been a pretty tough couple of weeks for Facebook. I find the reaction to the privacy controls and the people leaving Facebook in droves especially entertaining. People get fired over comments they put on Twitter, pictures they are tagged in on Facebook, and content posted online using their employer’s assets, yet we are still shocked when our online profiles are disclosed? The real shock to me is, how have we not figured this out yet? My first internet account was a Netcom shell account in the early 90s. Soon after, I had my very own Linux installation (kernel 1.2.8) running on my school’s network, and not long after that I figured out I could read all of the ...


What Security Professionals Can Learn from the BP Oil Spill

One of my favorite things to do is take a case study or real-world situation and apply it to our industry or my job. The first time I did this in earnest, I wrote Data Flows Made Easy. I was inspired by an article published in the Harvard Business Review that described the disconnect between different groups of designers and engineers [1]. I was somewhere on a plane (SURPRISED!?!?) and as I read through the article, it struck me that this method could be directly applied to data security and the challenges that my clients lived through. When there is a major event not directly related to information security, I like to think about what types of things I can ...


PCI Council Releases New PTS Standard

The PCI Security Standards Council released a unified PIN Transaction Security (PTS) standard yesterday under the title Point of Interaction (POI) Modular Security Requirements. The new PTS POI unifies what were previously three separate standards: the Unattended Payment Terminal (UPT) Security Requirements, the POS PIN Entry Device Security Requirements, and the Encrypting PIN Pad (EPP) Security Requirements, which now sunset on May 12, 2011. According to the release: "The standard introduces a new modular approach for testing all PTS points of interaction, which includes two new optional modules in addition to minor updates to the existing requirements. The Open Protocols module addresses the security of PIN Entry POI devices that utilize external connectivity, and the Secure Reading and Exchange of Data (SRED) module is designed for ...


On Scope Shrinkage in PCI DSS

This is a guest post by Anton Chuvakin (RSS), co-author on our PCI Compliance book. Follow him on Twitter at @Anton_Chuvakin. People who came to PCI DSS assessments and related services (such as compliance gap analysis and even implementation of PCI controls) from doing pure information security often view scope reduction as "a cheap trick" aimed at making PCI compliance undeservedly easier. They only think of scope reduction as limiting the area where PCI DSS security controls apply, with negligence, supposedly, reigning supreme outside of that sacred area. However, PCI DSS scope shrink is not just a cop-out aimed at not protecting data. It is not just a "PCI project cost reduction" measure. Some half-witted analysts propagate this ...


What Egress Filters Should I Use?

Another reader comes to the rescue! This reader asks: "Like everyone else, I have been so involved doing ingress filtering that I have neglected egress filtering. To me, ingress filtering is easy: block everything except what is absolutely necessary. Egress filtering is another animal. Everyone tells me I should do it, but no one tells me what I should be filtering for. Can you suggest a basic scheme for a small to medium business (SMB) to follow?" Great question! And you are most definitely correct in that the majority of guidance on firewalls focuses on how to limit traffic from untrusted networks into trusted networks. Outbound traffic tends to be much trickier for several reasons, like: You have to do ...


Herding Cats May: Love the Lawyer You’re With

Have you checked out ISSA Connect yet? The next issue is up there with my column, Love the Lawyer You’re With. This issue’s theme centered on information security and law, so I wanted to challenge security professionals’ thinking about their lawyer comrades. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, go sign up!


April 2010 Roundup

What was popular in April? Consumer security and various news posts topped the list! I’m also working out the kinks on getting my daily links posted here. Here are the five most popular posts from last month: What’s a Token? This post is inspired mostly by the "vendor marketing machine" as we, as security professionals, try to break through the FUD to get to an apples-to-apples comparison [1]. This post tries to put a little bit of sanity back into our lives by offering up a definition of what we can call a token. Avoid Looking Like a Rookie. History was created with this one as I finally earned myself a TROLL! Of course, he was too cowardly to ...


PCI SSC Launches Internal Security Assessor Program

The PCI Security Standards Council announced on Friday the creation of the Internal Security Assessor (ISA) program. If you recall, we had some fun with MasterCard last year when they floated and then retracted some changes in their SDP program. The one change that stuck will be causing a small subset of Level 1 merchants pain: the inability to self-assess. If you recall, Level 1 merchants have always been able to self-assess IF they have a C-level executive sign off on it. Self-assessing sounds attractive until that last part. While the vast majority of Level 1 merchants choose to use a QSA, there are a few that have been self-assessing for years. In fact, one colleague in particular discussed ...
