Monthly Archives: July 2010

2010 Verizon Business Data Breach Report Released

Verizon Business released their 2010 Data Breach report hours ago, and with the addition of Secret Service data for the 2010 report, there are a ton of interesting things in here. Here are a few of the highlights that I took from the report:

Financial & Hospitality Beware: These two categories represent 56% of the groups involved in breaches[1]. Those of us in the industry know the ridiculously poor state of security in the hospitality sector. Now with the economy on its way to recovery, these businesses will once again see an uptick and criminals will see an opportunity to capture valuable data.

Medium-Sized Businesses are in the Crosshairs: The grouping of victims had between 1,001 and 10,000 employees. In ...


A Thought to Take You to the Weekend

It’s been a crazy week, and I’ve been busy gearing up for BlackHat on top of all the fun stuff my day job entails. To close out the week, I wanted to throw something at you that I thought about while discussing how to better approach compliance initiatives. It’s a simple one-liner that really describes why companies should invest in security instead of compliance:

A good information security program makes compliance with any standard a tweak, not an overhaul.

Compliance should not be the notion that drives security in your organization. Security, among other things, should support and drive compliance. Compare that to your approach. Does that fit with how you execute your security strategy? If not, why?


PCI Council, How About a Map?

When I started writing this post, I was trying to think of a metaphor for a map and a journey of some sort, but everything came out dripping with Cliché Cheese[1] or would have made sense only to a limited audience (Shout out to the P1, between the devil and the deep blue sea, and kick the tires and light the fires… as it were). The point I was trying to make, however, was that in light of PCI, we seem to be navigating a changing world with a semi-static map. Like that GPS I bought seven years ago that freaks out every time I drive on a road that was completed four years ago. As I wrote about last week, ...


Tokenization and Chargebacks

The NRF released a brief yesterday discussing the clarification Visa made to the operating regulations related to the storage of full card data after the transaction. As suspected, some acquirers and processors were interpreting the rule to mean that Visa required merchants to store the full card number for things like chargeback processing[1]. Of course, with a phone call, acquirers quickly seemed to learn what the real intent of the rule was. I can only describe this second hand, but here’s what I know for sure. Over the last 6+ years, I have worked with many merchants to help them rid their systems of PANs. In exactly zero instances have I had an acquirer or processor require a merchant to store ...


Level 2 Merchants, Are Your Folks Trained?

Is anyone thinking about June 30, 2011 yet? If you are a Level 1 or Level 2 merchant, you certainly should be! Here’s why: MasterCard had a rough time last year. They made some new rules, they changed the rules, and then they removed many of those rules. This year, they worked out the kinks (arguably something they should have done before the first announcement) and have a revised set of requirements. Remember us talking about reciprocity last year? From the excellent post by Chris Mark on the end of the Level 4 Merchant to the retraction and strange website posts and commentary by MasterCard, reciprocity was a hotly debated issue. As of this writing, the reciprocity on MasterCard’s website ...


PCI Security Standards Go to Three-Year Lifecycle

On June 22, the PCI Security Standards Council announced that effective October 2010, all of the standards under its care will move to a three-year development lifecycle from the current two-year lifecycle we have enjoyed since the standard was originally released on December 15, 2004. I had a chance to sit down with Bob Russo (VIRTUALLY, that is) and discuss some of the changes and how that affects the standard going forward. According to Russo, the change is “a direct result of feedback from [sic] our board of advisors [sic] and participating organizations[1].” He believes the change is “a win-win for everybody.” In the linked press release above, the Council cites feedback from key stakeholders as the primary ...


Herding Cats July: Back to Basics

Have you checked out ISSA Connect yet? The next issue is up there with my column, Back to Basics. This issue’s theme centered on the basics of information security, and what better time to take a step back and really evaluate what we’re doing? Are we actually accomplishing our goals? Or just treading water? And do you want to take away my man card after reading this one? If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


No More WEP, Did You Make It?

Well, last week saw the passage of June 30, 2010. Do you know where your WEP is? For those of you subject to PCI DSS, you are no longer allowed to use WEP to “protect” your in-scope networks (Requirement 4.1.1, in the italics). Remember when PCI DSS 1.2 came out and you thought you had plenty of time? Hopefully you planned well. I have not run into too much WEP on in-scope networks in the last year or so. I still see it in retail locations for inventory control or other types of wireless networking, but those are usually firewalled off from the POS environment. Is anyone out there still using WEP?


June 2010 Roundup

What was popular in June? Would it shock you to know that my most popular post by far this month was the review on the Hoffacino? It’s second all-time to my post on Upgrading to Snow Leopard. So if any other prominent information security pros want to have me try and review their crazy Starbucks creations, bring it on! Here are the five most popular posts from last month:

Pwn3d by the Hoffacino. As @Beaker says, another one bites the dust. I did it. I rode the caramel-colored, caffeine-loaded pony known as the Hoffacino. Who says living life through chemical stimulants isn’t fun? This was BY FAR the most popular post.

Why ISAs are Good for QSAs. This ...


PCI Doesn’t Take Vacations

I was lucky enough to spend some quality time away from the tubes last week, and while I am not part of a rogue PCI enforcement militia, I do tend to observe how organizations tackle security and compliance issues. For the first time, I found a rather unique disclaimer that was mere feet away from the Point of Interaction. It shocked me so much, I snapped a picture to make sure I got the wording correct. It plainly stated:

WARNING: The method used to authenticate credit card transactions for approval is not secure and personal information is subject to being intercepted (the original sticker said ‘intercetped’) by unauthorized personnel.

I promptly copied the phone number down and passed it to ...
