Monthly ArchivesJune 2010

VLANs and Segmentation standard

I was following an email trail from a few colleagues and it dawned on me that I had not written about the use of VLANs with respect to PCI in this blog.  If you purchased Anton & my book, you can get a great, real-life example of VLANs in the second case study in Chapter 4, Building and Maintaining a Secure Network entitled, “The Case of the Large, Flat Corporate Network.” The question that was asked is, “Can a VLAN be used as a way to segment a network?” Of course, the answer (as always) is “It depends on how you are using it.”  If you are using simple 802.1q tagging with no other controls, that is not considered good ...

Continue Reading

The “Should” Rule of Cloud Computing standard

I’ve been asked over the last few months quite a bit about virtualization and cloud computing.  Virtualization is something most people understand, but cloud computing baffles many professionals because there is often not a clear nomenclature used to describe products and services in the space ((I just saw an ad for a “Dynamic Cloud Server.”  For real.)). In fact, my father in law asked me if I was somehow involved in weather forecasting (jokingly) after looking at what my current employer does. It’s like PCI DSS in the vendor space. “Install my product, and I GUARANTEE you are PCI Compliant!” Except in the cloud world, it goes something like: “I got me some sexy, fluffy cloud stuff JUST FOR YOU!” ...

Continue Reading

RSA Security Brief, Secure Payment Services: Card Data Security Transformed standard

RSA, the security division of EMC, recently released a new security brief entitled, “Secure Payment Services: Card Data Security Transformed,” that outlines the security implications and benefits of the emerging category of outsourced secure payment services. In fact, many of the challenges we’ve discussed over the years in this blog can be solved by accomplishing significant scope reduction—the surest way to reduce the impact of PCI DSS on an environment. The authors of the brief include Dr. Anton Chuvakin (Security Warrior Consulting), Sam Curry (RSA), Robert Griffin (RSA), Craig Tieken (First Data), Steven Wilson (Visa EU), and me. The brief offers practical guidance on how retailers, merchants, and other organizations handling card data can improve payment card security and reduce ...

Continue Reading

Do Small Service Providers Scare You? standard

Take PCI off the table for a minute. Do you get nervous when dealing with a small service provider that performs some niche service for your company?  It doesn’t have to be cardholder data related, but it definitely needs to be some kind of data that is either regulated or is classified as something other than public—data like PII, healthcare, or even intellectual property. Smaller providers can sometimes provide higher or better security than larger ones, and that may be beneficial long term—especially when doing the value proposition. But in some cases, smaller providers are providing a niche service to a larger customer, and are operating on a skeleton crew.  Imagine if a company like Ford Motor Company selected Brando’s ...

Continue Reading

Running Security Into The Ground standard

Security professionals are funny.  We are incredibly strong willed and have strong opinions on subjects we live for.  It’s more than passion, it’s Passion++.  Just like regular passion, but with an object oriented framework that makes for the amplification of said passion, but only for those that truly grasp its power. For example, get a security expert that lives and breathes Linux and one that lives and breathes NetBSD in the same room, ask for the most secure, open-source platform, and watch the hilarity ensue. Some security professionals have developed a dangerous attitude that rears its head when people discuss things like PCI DSS or other compliance topics. “Don’t tell me how to do my job!”  This sometimes comes across ...

Continue Reading

Trust but Verify: Words to live by! standard

QSAs have to walk a very fine line with customers.  Especially those that are coming back for years two and three on a multi-year contract. I’ve seen it happen to other companies, and it’s happened to me.  The conversation goes something like this: Me: OK, now that we are on logging, please provide me with the logs you pulled from X server in Y environment. Them: Here you go. Me: This is exactly what we need, but I need a set pulled from recent data, not the ones we looked at last year. Them: But you looked at it last year! I’ll give you access to our change control system and you can see nothing changed on that box. Me: ...

Continue Reading

How Much Backup Media do You Have? standard

Disk space is cheap.  Cheaper than it ever has been.  In fact, if you try to purchase small disks for legacy applications, you might be in for an exhaustive or expensive search. For example, I was looking to replace a 20 Gig 2.5″ PATA drive with a 40 Gig one.  Good luck!  Not only did I not find ANY PATA drives at some local big box retailers, but going to Fry’s yielded me two choices: 160 Gig or 250 Gig.  The price of both of those was cheaper than what I could find online in the 40 Gig range. With disk space being so cheap (sub $100 per terabyte) and data storage growing at insane rates, is it easier to ...

Continue Reading

Pwn3d by the Hoffacino standard

Yep, I did it. And WOW what a ride it was. Chris Hoff (@Beaker) started a movement in fueling today’s security professional, and I don’t even know if he realized the animal he’s unleashed on the world.  It’s called a Hoffacino (or Hoffachino), and boy are you in for some fun if you order one.  This ain’t your daddy’s coffee! Before being allowed to consume one of these things, you should have to present passing results from a full physical and psychological examination. The experience of the Hoffacino starts when you order.  I was slightly embarrassed to order such an intricate drink from my neighborhood Barista. I mean, I might see this fine young citizen at the market! I have ...

Continue Reading

Ask the Question! standard

I spoke at the NetDiligence® Cyber Risk & Privacy Liability Forum this morning, on a panel dedicated to advanced security topics.  Now, while these topics were not the same kind of advanced security stuff you would see at Blackhat, they are advanced for the audience.  In fact, we even had a question about Bluetooth security that suggested this audience was relatively unfamiliar with the risks associated with this new fangled stuff. But that’s not the point, the point is that someone asked the question! How many of us have seen companies end up in a bad situation from a security and technology perspective because someone didn’t ask questions until they understood enough about a solution to understand the risks associated ...

Continue Reading

Herding Cats June: In or Out? standard

Have you checked out ISSA Connect yet? The next issue is up there with my column, In or Out?. This issue’s theme centered on security operations, and our industry seems to be going through a transition.  Do you insource or outsource this critical function? If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today! Possibly Related Posts: Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug Improve Outbound Email with SPF, DKIM, and DMARC Life after G-Suite/Postini

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!