Monthly Archives: November 2012

The Biggest Thing The PCI Council Can Do

The PCI Council has been pretty influential in our lives since its inception on September 7, 2006. They were handed control of the PCI Data Security Standard and have turned it into a cascading group of standards that govern (or recommend controls) for nearly every aspect of payment acceptance and processing. So it almost seems like this PCI problem is sort of solved, doesn’t it? When you look at the PCI DSS ecosystem, many of the big rocks have already been addressed. This has some interesting side effects, one of which is a camp of merchants that have been hounded to get compliant (Levels 1-3) and a mass of merchants that have no clue about PCI DSS until they are ...

RSA Releases Advanced Threat Summit Findings

RSA hosted the second annual Advanced Threat Summit in Washington DC this past September, where over 100 top CISOs and government officials concerned with information security met to discuss critical issues we all face in our daily battle against the bad guys. This week, we released the findings from that summit, which you can download here. I encourage you to download and read the findings, but here are the highlights: By far, the greatest perceived threats are Nation States and Organized Crime (75%). Top attacks include injected malware running attacks from memory (including in-memory decryption), using rootkits to cover up activities, exploiting application logic flaws, attacking high-value targets via their informational supply chain (not directly), and using DDoS or other ...

PCI Council Releases Risk Assessment Guidelines

The PCI Security Standards Council announced today a new set of guidelines for risk assessments, as output from one of the major Special Interest Groups selected by the Participating Organizations in 2011. This topic is one I have written about before, and in fact it was one of the SIGs that I voted for. I’ve been through the output and I must say, I don’t see it as any different from any other risk guidance out there. It’s fairly comprehensive when it comes to listing common risk methodologies, it gives some sample frameworks and processes, and aims to give some clarity to the larger 12.1.2 subrequirement of PCI DSS. As with most risk-related topics, you will have people hailing its ...

So you want to guest post?

Bloggers get pelted with requests for guest posts all the time, and I’ve had a string of relatively strange ones lately. They all start with something like this: Hi, I’m Scheizenfreud McGilicutty and I love to write. I saw your website and I was wondering if you allow guest posts? Here are some samples of posts I have done on other blogs. Let me know if we can work something out. Then this is followed by seemingly unrelated blog posts like “The Top 10 Ways to Check your Email” or “A Home Security System You Can’t Miss!” It’s SPAM, but targeted SPAM. It’s not quite targeted enough that someone had to type out an email specifically for me, but it ...

PCI Compliance Book Giveaway!

OK folks, our PCI Compliance book has been out for a couple of months now, and Anton & I thought it would be fun to give away a couple of copies with a contest! We have assembled a group of three independent judges that will take a whittled-down list and pick winners for each competition. The winner will receive a free, signed copy of the book! So, on to the first contest. Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey anything-goes view. We want to take a compliance-friendly, practitioner’s line. But we’ve all been in those meetings when you look at a ...

Securing Distributed Infrastructure

With Harvard Business Review calling the Data Scientist the sexiest career for the next 10 years, security professionals are going to have their hands absolutely full with securing the distributed infrastructure that powers big data analytics. The Hadoop infrastructure isn’t just one tool that you download to get you some Big Data fun, it’s really a framework of a multitude of tools (and options for substitution) that each carry out specific tasks in a distributed and flexible way. Part of the driving force behind wide-scale Hadoop environments is the notion that it is easier to move computation capabilities than it is to move data. This means that nodes will have some slice of data, but the end result analytics would ...

Game Theory and Cyber Defense

One of my colleagues is working with a bunch of crazy-smart people at RSA Labs to explore how attacker-defender games can be used to help model behaviors and outcomes in the cyber defense realm. Notice how I am not saying “Information Security.” I know a lot of you hate the term “cyber,” but in this case it is a more accurate usage of what these games really teach us about. Check out this latest blog by Bob Griffin. In it, he discusses how game theory is making its way into the information security mainstream, starting with several presentations at RSA Europe 2012 (and next week at GameSec in Budapest). The FlipIt game that these guys created is quite groundbreaking, ...

October 2012 Roundup

What was popular in October? We had the PCI European Community Meeting kick off another round of discussions on everything that is right (and wrong) with PCI DSS. The Board of Advisors met after that meeting, and we had a little frankensnor’eastercain cause billions in damage on the coast. I’m also interested to watch how some of the same posts keep coming back. Three of the top five were here last month as well. Here are the five most popular posts from the last month: The Definition of Cardholder Data. Man, here’s another oldie but goodie for the second month in a row. It’s still on people’s minds, probably because they are looking for ways to drop systems out of ...
