Category Archives: Enterprise Security

The Lack of Understanding in QSAs

This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos, in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting. It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people (meaning me) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods, no questions asked. ...

I don’t need to know, I can look it up!

The pace at which our society produces information is staggering. Even worse, the value of that information is typically only apparent after slicing it up in a particular way. Those of us who are naturally curious problem solvers have gotten quite good at knowing where to find certain information as opposed to memorizing it. There are certain things you sometimes just need to memorize, for example, driving laws. It’s much better to remember that you must always stop at a red light than to have to look it up each time you approach an intersection. We have enough trouble with distracted drivers already. Those of us who have figured out this critical skill often become technical support for ...

Why Trying to Change the Rules Doesn’t Work

Going against the grain isn’t easy. Go back through history and look at individuals who failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their lives to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS, as they saw it as the justification to get the things they needed to ...

Security as a Service ≠ Securing the Cloud

What a week! The 20th RSA Conference is over, and it was great to see the masses back out at the Moscone again. I don’t think it’s been this big in a while, but if the parties are any indication, companies are spending money again. I want to say congrats to all the Social Security Blogger Awards nominees and winners! The selection committee did a great job this year selecting a group of absolutely fantastic individuals. Also, thank you to Securosis for putting on the Disaster Recovery Breakfast. That was much needed, and it also was a place for Anton and me to plan out the 3rd edition of our book! Wait until you see what we have in store ...

Five things to do for PCI during the freeze

IT and security professionals who work in the retail and banking space tend to go into lockdown during the last half of November, all of December, and the first part of January. We’re all saying our little prayers and doing whatever rituals we do to keep those systems running worry- and breach-free until the cash flows come back to normal. So what kinds of things can you do to be productive and prepare for 2011? Get on those quarterly scan results! Hopefully you got a clean scan right before the freeze happened, so you could spend this time planning for your next one to ensure you have clean execution and quick remediation for any items found. Examine data ...

Physical Security begets Infosec Problems

Have you ever noticed how the things we do in the electronic security world mirror the things we do in the physical world? We deploy firewalls at our network perimeter like we put fences near our property lines. We make rules in firewalls to allow certain traffic through, just like we have guards who allow authorized parties access to physical assets. In the physical world, visible security controls could take the form of an employee with a badge or a visitor who is escorted. It’s remarkably similar. But what about the bad side of security? You know, those dumb things that smart people do to cause incidents? Most corporate networks are incredibly flat and operate more like a university and ...

Mixed Mode and PCI DSS 2.0

One way to get the spidey sense of a savvy security professional tingling is to mention the use of “Mixed Mode” virtualization in some kind of IT initiative related to compliance. Companies are trying to figure out how to build security into their virtualized environments in a way that will cover them from both a security and a compliance perspective, and the industry in general is quite divided over this issue. Mixed mode, in the context of this post, is a term used to describe a virtual infrastructure that hosts both guests with PCI DSS data on them and those without. Before we delve into the issues associated with the security concerns here, let’s level-set. PCI DSS, in its purest sense, is ...

Where is Cloud in PCI DSS 2.0?

It doesn’t take a keen observer to notice that the term “cloud” doesn’t even appear in PCI DSS 2.0. In fact, the “Find” feature will do that for you. Sure, strides were made to bring virtualization into the fold (in spite of many individuals arguing you don’t need to include it, just apply the standard to it), but that is only the first of many steps on the journey to the cloud. If you are on the very front edge of the cloud transformational wave, you may have had to discuss how you use cloud with your QSA. My bet? It was a painful discussion that left both parties leery of the other. My comments in this month’s Digital ...

RSA Europe Recap and the Spread of Regulatory Compliance

Why have I been radio silent this week? It’s certainly not because I lack things to say. Even my own teammates are surprised when I tell the recent stories of being out-talked. A couple of things are going on that you might be interested in. For one, I am doing a project for the next three weeks for the North Texas Chevy Dealers. In exchange for writing about and videoing my experiences, I have been given a 2011 Chevy Silverado Extended Cab, Texas Edition truck to drive. Follow my adventures over here to see me kick the tires! Outside of driving trucks and blogging about that, I spent the week in London for RSA Europe. The ...

Is Tokenization Safe?

In our industry, topics turn hot and cold in record time. The hot topic this week seems to focus on the safety of using tokenization as a solution for reducing compliance and security requirements. I found this blog post on StoreFront BackTalk by Walt Conway that poses the question, “What happens to my data if my token vendor goes bankrupt?” Earlier in the week, as part of my ISSA Editorial Advisory Board duties, I reviewed an article that posed some of the very same questions. Outsourcing the handling of payment data is a critical decision for merchants to consider, and it should not be taken lightly. Just like any other major decision a company makes, merchants should perform a risk ...
