Monthly Archives: October 2011

Where is your Chaos Monkey?

Netflix has been in the news quite a bit lately. Regardless of the side you pick on this first world problem, there is something really neat that they do that I wanted to share with a larger audience. If you read Harvard Business Review, you already know what I am talking about. Andrew McAfee published an article entitled “What Every CEO Needs to Know About the Cloud.” In this basic primer for business folks, McAfee describes something that Netflix created called the Chaos Monkey, a process largely credited for preparing the company to weather the Amazon EC2 outage with minimal issues of their own while others, like Foursquare, experienced problems for days. McAfee talks about this in the section of ...


Transformational Security

It seems like the industry always says things like, “the traditional way of securing things simply doesn’t work anymore.” I’ve been doing security for many years now, and we’re always behind. Even today, in a landscape of targeted, advanced threats, we are too far behind the bad guys and are struggling to catch up. Those of you who have been reading my blog lately may have noticed that I finally made good on my promise to talk about more than just PCI DSS. Payment security is something that I am passionate about, but I love some of the new things I am being exposed to, and that means that I get to share them with you as well. It’s part of ...


To Win, You Must Know Everything

I hate when people use the term “cyberwarfare” outside of its original context: a true war of nations trading bombs for bytes in the tubes. Sure, organizations are being attacked by nefarious groups that seem to be marching toward specific and fruitful goals, but is it really cyberwarfare? Regardless of what you want to call it, you still must act and react as if someone is launching a digital missile campaign against your information. You can either sit and wait for someone else to tell you that you have been compromised, or you can take ownership of the problem and start up-leveling your intelligence gathering and analysis. It’s the Big Data problem of security. Your enemy is doing this, so why aren’t ...


Operation Swiper (No Swiping!) and EMV Migrations

Last week we saw a major indictment of 111 individuals from an “identity theft operation” based in Queens, NY. I suppose we will learn more details as the prosecutors make their case, but from the original reads it looks more like a counterfeit credit card operation than a full identity theft operation. One key difference between the two is someone using your identity to open new lines of credit, as opposed to just capturing your card data and making a duplicate to go on a shopping spree. Many are now citing this case as a specific reason to get moving on their wide-scale EMV adoption. I’ve already discussed MasterCard’s and Visa’s thoughts, and would agree in principle that an EMV ...


Living in a State of Compromise

Imagine for a second that your boss came up to you and said, “We’ve been compromised. Assume trust doesn’t exist. Now define our new security organization and architecture!” Unfortunately, it may take events like that to change our perceptions or actions when approaching securing our organizations. Depending on who you talk to, we are already living in a state of compromise. I prefer removing the element of trust from my strategy as much as I can, and focusing on how I would secure a system, application, or network if I knew there were hostile elements in it. Changes your perspective a bit, doesn’t it? All of a sudden, those satellite locations start looking less like friends and more like foes. ...


Attack the Humans First

Information security professionals live in exciting times. It’s a constant battle of escalations between the new ways technology can be used to conduct business and the new ways the bad guys can incorporate technology into their overall strategy to steal information. But an interesting trend emerged this year that has always been around, and is now used in a much larger sense when going after data: human hacking. The nice way to say it is “social engineering.” How do I convince Sally in Accounting to give me information that I can then use for my own personal financial gain? It’s not a new concept, and frankly tamer versions are used daily by politicians, sales professionals, and children. The challenge for ...


Herding Cats: Build Security In (October 2011)

Have you checked out ISSA Connect yet? The next issue is up there with my column, Build Security In. I’ve been on a kick lately talking to people about built-in security. Humans make too many mistakes to rely on a bolt-on mentality for security, and building it in is one great way to add a fail-safe wall of protection. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally, as well as the authors you enjoy reading every month. If you are not a member, sign up today!


Walls Aren’t Enough

The bad guys are getting smarter, more creative, and more persistent, so what are we doing in response? I can’t tell you how sad it is to hear things like this when I ask how companies are shifting their security programs to combat advanced threats: “We’re upping our patch schedules from one month to two weeks.” “We’re deploying anti-virus signatures faster.” “We’re consolidating all of our user laptop images to a gold master.” “We’re deploying outbound content filtering.” Sure, those things help. But individually they are largely ineffective in shifting the balance in your favor. Think about how IT evolves through bolted-on enhancements. What did day one of the business look like from an IT perspective? What does ...


A Conversation with MasterCard

And finally, my conversation with John Verdeschi, Senior Business Leader, Payment Systems Integrity, will wrap up my interviews and posts from the PCI Community Meeting that happened two weeks ago in Scottsdale, AZ. MasterCard is widely known as a major influence in the payment industry and is the number two player in the market behind Visa. If you have ever had to hire an Approved Scanning Vendor (ASV) or fill out a Self-Assessment Questionnaire (SAQ), you can thank MasterCard, as both of those items are largely distilled from their Site Data Protection (SDP) program. One of the first things I had to ask about was how MasterCard’s new PCI DSS Risk-Based Approach framework compared to Visa’s Technology Innovation Program ...


September 2011 Roundup

What was popular in September? The PCI Community Meeting in Scottsdale was one big highlight! I spent a week in AZ dealing with all manner of PCI-related topics. We also saw Oracle’s CSO go out on a limb she probably shouldn’t have, especially in light of the MySQL defacement that happened last week. Be sure to check out all my “Conversation” interviews! Here are the five most popular posts from last month: PCI Community Meeting Day 1 Observations. This month is all about PCI, specifically the community meeting and the things leading up to and following it. What was Day 1 like? Check this post for a preview of the social-media-heavy meeting! PCI Community Meeting 2011, That’s A Wrap. ...
