Monthly Archives: June 2014

Don’t Listen to this ConsumerReports Advice

Lifehacker recently posted something from ConsumerReports where an author suggested asking a hotel manager for their [PCI DSS] Attestation of Compliance. Asking someone for an AoC is an exercise in futility. There is one piece of advice that is good (use credit not debit), but the construct of asking for an AoC is really not good advice. There are a number of reasons for this. Many hotels with your favorite brands are actually smaller properties owned and operated by individual owners. Even if they have an AoC, it’s probably done from the perspective of a Self Assessment Questionnaire which does not require a third party to review. I promise you that the vast majority of front desk clerks and managers ...

Try the Middle of the Current (Just for Fun)

I was having a fantastic discussion with a close friend yesterday about how the security industry harbors people that fight battles just for the sake of fighting battles. It’s the stuff that makes Sun Tzu shake his head knowing that you are on the losing side. My friend said, “Hey, didn’t you write about something like that a while back?” Once again, Past Brando hosed Future Brando. One of Sun Tzu’s biggest teachings is that the preferred method to win a battle is to win without fighting. If I were to take some literary liberty with this edict and apply it to the security space, it’s better to win within the established rules of the game instead of spending all ...

The Funny Thing about Scoping

Scoping is not a new topic for PCI DSS, and it could arguably be one of the most debated topics that we face. Several years ago the Council formed a Special Interest Group (SIG) to try and address this, but the results were mixed. You can find something called the Open PCI Scoping Toolkit that can provide some additional guidance, but the danger here is that it is not sanctioned by the Council, therefore it is not official documentation to be used to determine the scope of an assessment. In the next version of our PCI Compliance book, due out later this year, we spent some more time on scoping. The results are still virtually the same, however. Removing things ...

More Hacks!

It’s been a busy weekend. Since last week, we’ve seen announcements from PF Chang’s, AT&T Mobility, and Domino’s Pizza, all with varying levels of disclosure. PF Chang’s looks to be yet another payment card breach while Domino’s Pizza was a privacy-related breach in Europe (no cardholder data apparently disclosed). But the AT&T Mobility one is the kicker with an unknown number of customers impacted, and the big no-no is on this one—social security numbers. Lovely! All that aside, because at this point none of this is really exciting or unexpected, I want to direct your attention to a short and sweet blog post from Mike Rothman who discusses a comparison (with reference) to emergency managers and information security professionals. It’s ...

More Fun with EMV

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...

EMV as an E-Commerce Fraud Driver

Oh what a year it has been so far. Breach here, breach there, breaches everywhere! EMV to the rescue, right? RIGHT?!? Well, yes and no. EMV does add tremendous security (when configured properly) to a Card Present (CP) transaction, but EMV does nothing to help the security of Card Not Present (CNP) transactions. And given the increased digitization of business and commerce, we would expect that over time the number of CNP transactions would increase at the expense of CP transactions. Meaning, as more digital business models drive people to purchase goods and services without physically presenting their card for purchase, people will opt for that style as it could be seen as more convenient. Don’t forget that CNP transactions ...

Theory of Constraints for Knowledge Work

It’s hard to be in the IT world today without hearing something about the Theory of Constraints. It could be from The Phoenix Project or the latest DevOps presentation you saw. Most questions I hear sound like, “How does some analysis of a factory help me make IT more efficient?” Go read The Phoenix Project to learn more about that. Gene Kim links to a fantastic set of resources in his blog on Kanban resources, but one key resource is a case study on how a failing Microsoft development team used the Drum-Buffer-Rope technique of Theory of Constraints to completely revamp their operations. Do yourself a favor and invest the time to read the Microsoft case study. Check the other ...

January to May 2014 Roundup

Ok, I promised you guys that it was time to ramp back up, and I’m not kidding. It’s been a great first half of the year. I’m lucky enough to have accomplished some pretty awesome things, I’ve learned a ton, and I’ve been able to get closer to some of you as a result. So what has been big this year so far? A few conferences, some travel, and breaches! Here’s what you guys liked the most from January to May. How Starbucks is Revolutionizing Mobile (Micro) Payments. This one was pretty popular last year, and it is still making waves in 2014—by almost a factor of three. You know how you see those crazy fools that pass their phone in ...

I’m Running for the ISSA International Board

If you are an ISSA member, you will be receiving your notification to vote in the upcoming election. Along with a number of other members, I am running for the ISSA International Board. In the last edition of the ISSA Journal, you can read about my platform. If you have read my column in the ISSA Journal, you probably know that my platform focuses on the business of information security. I want your vote! The ISSA has a long legacy of being THE professional information security organization, and I’m hoping I can represent you while serving. Polls open in about an hour, so look for that email and submit your vote!
