Yearly Archives: 2014

Heartbleed and Passwords

Right around this same time last week there was a flurry of activity for those responsible for deployments leveraging OpenSSL. Yep, I’m talking about Heartbleed. So after we go through all of the patching and re-keying, it’s now time to consider password changes. This post isn’t about Heartbleed, it’s about passwords and what the bad guys already know. Melanie Pinola from Lifehacker wrote a very interesting piece on Friday about how our password tricks don’t fool the modern hacker. I’m not sure what happened to recommendation number 3 in her piece, but 1, 2, and 4 are spot on. What’s the solution? Ultimately it comes down to using some software to help you out. Password managers are now built into some ...

Would you pay for a PCI DSS 2.0-3.0 class?

The PCI Council released a training course on PCI DSS 3.0 (via Security Innovation) dubbed an “Insider’s Guide” to the new standard. The training has a price tag to get access to the materials, and some might deem it a bit hefty considering it is only a 90-minute course. In fairness, the Council is competing with free here as a number of experts have already built, delivered, and recorded courseware for on-demand viewing on these differences. So any price for materials might appear to be “hefty.” Also, don’t forget the Council already released this freely available document which should theoretically cover all of the same materials. Is there overlap with existing training offerings? If you are relatively new to PCI ...

Subject to PCI DSS? Time for defense!

For those of you that have been reading this since it was part of the VeriSign blogging program, you know that my posts tend to follow what is most important in my daily life. Or, if not most important, the loudest thing in my daily life that really needs a comment or two. After joining RSA, I spent quite a bit of time talking about advanced threats, especially after the breach. I also sat on the PCI Board of Advisors during that time, but the reality is that my daily work around information security and what the Board was tackling were very far apart. Given the release of 3.0 and the commentary from that to date, I would still agree ...

PCI Compliance, 4e!

You read that right! The Fourth Edition of the book is now green-lit (pre-order it here), and Anton & I are hard at work bringing you new updates for PCI DSS 3.0, the SAQs, and two new chapters focused entirely on Cloud/Virtualization and Mobile. We expect the book to be out later this year through your favorite channels. Now, this is where YOU come in. We have had such amazing feedback on the book over the years and this is your chance to influence the content. This book is, and always was, for you! If you have suggestions for the book, drop them down in the comments below. We will keep you posted on our progress, and in fact you ...

Swing and a Miss: Target and the Council Respond

I happened upon the Council’s news page today and saw a couple of great attention-grabbing headlines entitled Time for Smartcards and PCI Council Responds to Critics. I found both of these interesting given the landscape of breaches we have seen over the last couple of months, but I found that both missed key points in their communication. Let’s start with the Council’s response. First, we should be clear. What Russo is saying is absolutely accurate. The majority of breaches that happen, including the Target one, happen due to basic security failures that are already covered in the standard. Go take a look at requirements 8.3 and 8.5.6.b, which directly address the latest disclosures surrounding the event. I also agree ...

Data Discovery, It’s A Thing!

Those of you who have been following me for a while know that I am a proponent of data discovery tools, and Data Loss Prevention tools where appropriate. I partnered with one while running the consulting business at VeriSign, and worked with the teams at RSA that developed their product. I even talked about finding the data as the security equivalent to Dave Ramsey’s first Baby Step for security. It’s becoming even more critical with PCI DSS 3.0 as data flow maps must be maintained and validated (to some degree). At Sysnet, we have tools for doing all kinds of scanning including data discovery scans. One of the challenges with most of the DLP solutions available is that the vendor ...

2013 Roundup

It’s been an interesting year, but now we can welcome 2014 with wide open arms! It’s already shaping up to be both a busy and interesting year, but let’s take a moment to look back at 2013 and talk about the top posts! How Starbucks is Revolutionizing Mobile (Micro) Payments. This one was pretty popular last year, and it is still making waves in 2014. You know how you see those crazy fools that pass their phone in front of some magical sensor at Starbucks and never seem to pull out their wallet, yet walk away with coffee? That is really part of a huge master plan to reduce the impact that payments has on the organization. Check out the ...
