Yearly Archives: 2010

The Mistakes QSAs Make

Aside from a rather embarrassing moment last night with Keynote ((Note to self, make your FIRST and LAST slides different, and actually test MOVING slides before the room is filled with expectant eyes boring holes through my skull into the screen behind me.)), I spoke to a local group of PCI DSS enthusiasts about the mistakes that QSAs make, and how to deal with them.  I came up with several, but would really like to see what YOU FOLKS out there think! Submit comments below anonymously or with your name, either way.  This is open to anyone!  QSAs, ASVs, acquirers, issuers, merchants, service providers, ISOs, security professionals, PCI HAY-TAHs, payment brands, Council members, Jim, forensic investigators, and other PCI experts. ...


More Advice when using Public WiFi

Scott Carmichael from the great travel blog Gadling published a post yesterday with tips on keeping your data safe when connecting to public wireless hotspots.  There are some really good tips for everyone here, but I wanted to add to a few of the options. One of the recommendations is to get a 3G or 4G data card.  In working for a Telco for a few weeks, I did learn a thing or two about these networks and how employees' laptops can be locked down almost to the point of being unusable.  This is definitely a fantastic recommendation but has two key drawbacks: cost and usability. While data cards can be obtained reasonably cheaply, and depending on how you connect to the internet ...


Sample Book Chapter posted!

Anyone know I didn’t write a book with Anton Chuvakin last year?  If not, I’ll tell you ALL about it. OK, seriously, I know I’ve talked a lot about it here.  If you have not bought it and are still skeptical, go check out the sample chapter we have posted on CSO Online.  This chapter, entitled “The Art of the Compensating Control,” is an expansion of the article of the same name.  There are some case studies at the end, and more details on compensating controls.  If you are like most people dealing with PCI, you probably have lived the compensating control euphoria turned nightmare turned compromise. If you still have not bought one and want a chance to win ...


Securing your Social Networking Brand

This post originally appeared on Jennifer Leggio’s Social Business blog at ZDNet (now with more links!). Social networking sites as innocent as LinkedIn and as provocative as Twitter (have you seen my stream?) have now become a personal branding vehicle for many professionals. Some of us have had the unfortunate experience of losing a job we barely had thanks to social networking. Others have seen it as the boost to their career they have been wanting for years. Let’s talk about security in the context of the latter. When I moved my blog to a setup I administered, I made two commitments to myself. The first is that I would make frequent backups because there has yet to be a ...


Herding Cats March: The Business of Security

Have you checked out ISSA Connect yet?  The next issue is up there with my column, The Business of Security.  In it, I discuss the business side of security and the transition that has to happen for security leaders to be more effective and valuable to their corporations. If you are a member, log into ISSA Connect and join the discussion!  Interact with great professionals globally as well as the authors that you enjoy reading every month.  If you are not a member, go sign up!


The Social Security Office, an Identity Thief’s Heaven!

My wife is not into technology.  Or security.  Or UNIX.  Basically she looks at her Macbook as a way to check email, buy shoes, organize photos and videos, and make checklists for the babysitter.  So when she takes an interest in what I do, I REALLY perk up. She is very attentive to the things I do with our mail and sensitive information, only because she hears me talking about it all the time.  She knows not to give out passwords or personally identifying information.  She shreds expired cards and junk mail. She’s definitely more in tune with security than the average citizen. We recently noticed a reporting error from the Social Security Administration and the only way to clear ...


February 2010 Roundup

What was popular in February? Healthcare seems to be a popular topic and I’ll be posting more on it as the new security requirements mature. Here are the five most popular posts from last month: Personal Liability for QSAs. I had a colleague ask me if he should take out personal liability insurance in case something bad happened on one of his assessments after he left his company.  Check out what I found out from Dave Navetta! Healthcare Security, the New Front. Boy, what a mess I caused.  After watching my doctor type in a four digit numeric password to access all of my medical records, I sent a letter over complaining about the lack of security and poor standard ...


Healthcare Letter Follow Up

Frequent readers may remember that I sent a letter to a healthcare provider (who is anonymously referred to as Dr. Leo Spaceman) because he used a four digit, numeric PIN to access all of my medical records (assuming that he would also be using that same one for ANY patient).  Well, Dr. Spaceman responded. OK, I’m sure his admin responded, not personally him. But the response is a classic example of someone who has been asked a question like this before and had a pre-canned answer prepped.  I don’t think I’m the only person to observe Dr. Spaceman doing this. Dear Resident ((No, he didn’t say resident, but I think it would be funny and fitting if he did)): I ...
