Monthly Archives: March 2012

Facebook isn’t Professional Networking

I was checking into the happenings on Facebook last night and had a very strange request come up. Someone that I know and respect sent me a request through a product called BranchOut. While their about page does more to confuse than to clarify, what I understand it to be is a way to create a professional network of contacts with Facebook—or in easier terms, think about LinkedIn-type functionality sitting on top of your Facebook network of contacts. Frankly, this is a terrible idea. For those of us that use social media in our jobs, we tend to have things we keep professional (LinkedIn or Facebook Page), things we have that are personal (Facebook personal profile), and things we make ...

Reducing the Risk of Passwords

On Wednesday we discussed passwords and their contribution to the people security problem. At the end of the post, I asked what we could change to take weak passwords out of the equation. If having passwords is a requirement to doing business, what things could we add to the mix that might be able to reduce the risk of using them? Strong Authentication. Obviously, adding an additional factor of authentication can go a long way to improve the risk scores associated with data access. Positives include a significant number of solutions with a few leading their respective packs. Disadvantages can include cost to deploy and manage as well as poor integration with every technology you may use. Risk-based Authentication. Keep ...

Passwords and the People Security Problem

We can only blame people for so long. After all, we traditionally secure access to the critical resources on our network, whether that is customer information, price lists, salary information, or the secret recipe to our best selling product, by requiring users to log on with a username and a password. Usernames allow us to grant authorizations and track activity, and passwords authenticate the username, theoretically providing assurance that the owner is the person using the credential. Over the years, humans have demonstrated their poor ability to create and use strong passwords. We try to teach them about strong passwords, give them examples, set policies to require strong passwords, and yet we still get users with passwords like P@ssword. Our ...

Herding Cats: Hunt (March 2012)

Have you checked out ISSA Connect yet? The next issue is up there with my column, Hunt. Continuing on our thoughts from last month, security professionals must hunt for intrusions in their environment, not just wait for the phone call from someone telling them they have been breached. Gatherers have a role in information security, but so do hunters. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

February 2012 Roundup

What was popular in February? RSA Conference was absolutely awesome this year. Not only was it packed, but the types of conversations we were having were much more security sounding (and less compliance sounding). Even the vendors on the edges (which is where the really good stuff is) talked about how valuable the show was for them. Here are the five most popular posts from last month: PCI Compliance For… The manuscript for the latest revision of the book is now complete! Here I reflect on a chapter I wrote about PCI Compliance for the Small Business. RSA Conference 2012, Are You Ready? I hope you made it out to RSA Conference this year. The buzz and excitement around the ...

Top Five PCI DSS Mistakes that Lead to a Breach

RSA Conference is over, but that just means that all of those side conversations and meetings that we had will start to make their way into blog posts! One that is a biggie for me is the top five mistakes that merchants make that lead to a compromise. I often get questions from small merchants asking for the top three to five things they should do to make sure they do not suffer a breach, specifically after they are overwhelmed by SAQ-D. While there is no substitute for complying fully with PCI DSS, there are a few common themes in breaches that businesses should address to avoid one. Keep in mind, while this applies to all setups, the ones getting hit ...

Top 3-5 Things to Remove from PCI DSS

PCI DSS 2.0 has been out for over a year now, and the feedback period is almost closed (ends April 15). If you have not submitted feedback yet, do so! But here’s an interesting challenge I would suggest. If you could pick three to five requirements to REMOVE from PCI DSS, what would they be, and why? I’m looking for options to simplify the standard without compromising its goal as it stands today. I’m looking to make this a serious exercise in improvement that we can submit as part of the feedback period. Comments below are open! Debate below and I’ll forward this entire thread over to the Council for review.
