Category Archives: Enterprise Security

The Un-Sexy Process of Vulnerability Management

This week I wrote a blog post over at AlienVault entitled, Internal Scanning for PCI Compliance—Not Sexy but Necessary. Many of us who work in security started our careers doing some kind of vulnerability chasing. It’s our version of firefighting. Look for a vulnerability, patch it, and repeat. As our environments grow, the fervor with which we perform this endless cycle builds until we realize that it’s ultimately unsustainable. That’s when we start to look to treat the cause rather than the symptom. Go check out the post and let me know what you think. Does IT hygiene end up being one of the root causes of vulnerability wildfires in our organizations? How do small businesses with little to no IT ...

Game Theory and Payment Security

For those of you who do not know, the Federal Reserve branches (the head ones for each district) all conduct and publish research and facts on their respective webpages. The Kansas City Fed is one of my favorite places to go to look for current (and historical) research that is relevant to our industry. Last month they released a summary from the 2015 International Payments Policy Conference, which included a session on applying game theory to payment security. I’m fascinated by game theory. It’s an area of applied mathematics that even someone like me (who is NOT a math whiz) can grasp. The primary models they applied appear to focus on the EMV liability shift to examine payoffs and equilibria before and ...

The Cost of EMV Re-Issuance

It’s nearly November, and many of us in the payments space are still reeling from EMV. Nothing like waiting until the last minute to convert, right? One of the topics that has not been covered as much from a breach perspective is the consideration of the cost of re-issuance in a post-EMV world. Graves, Acquisti, and Christin (2014) published a working paper discussing some of the challenges that issuers face when it comes to the decision of re-issuance. Through their analysis they suggest investing in analytics to only re-issue when fraud losses begin occurring on lost cards. When a payment card is known to be included in a card dump from a breached merchant, issuers have a choice to make. Should they ...

Samsung Pay is Here

The first major challenge to Apple Pay is now here (I’m not counting the Google Wallet as it predates Apple Pay). While I hate the name (seriously Samsung? You accuse Apple of copying you all the time), there is a very cool technology (thanks LoopPay) that allows for some backwards compatibility that is not present with Apple Pay. These features are part of the Samsung Galaxy S6 and S6 Edge. A couple of key highlights: There are two methods of payment, contactless EMV using Near Field Communication (NFC) and Magnetic Secure Transmission (MST). MST is backwards compatible with (most) existing terminals and will transmit payment information by creating a field that the magnetic stripe reader can interpret. As far as the ...

Pleeeeze Stop Exposing Weaknesses in my Code!

In the latest round of “I just don’t get it” moments from Mary Ann Davidson of Oracle, a blog post escaped the PR department that just explains how ridiculous her views on information security are. Thankfully, the Internet never forgets. Before going any further, go read that post. Then when you are done, enjoy this previous gem where she insults anyone who has ever performed an audit function. And here are my comments from 2011. Davidson really wants to be considered a security person. She reminds me of Jerry Jones wanting to be known as a Football Man. She ran for and sits on the ISSA International Board of Directors. She has keynoted several conferences as a security expert. Yet, based on ...

Why the Adult Friend Finder Breach Should Concern You

Check out this great post by Dave Lewis over at CSO who reports on one of those face-palm realizations that many folks are having today. Adult Friend Finder is a social hookup site that fell victim to a breach with all kinds of data on its members now disclosed to the public. Why is that a big deal? Because an alarming number of users on that site signed up for the service using their corporate email accounts. HR nightmare aside, there is a ton of really great information now available to an attacker. If you use the service, you may have your own issues with your intimate details and preferences being publicly available. As a corporate CISO, you need to ...

Life Saving Aviation Tips Applied to InfoSec

I came across this humorous little collection of life saving aviation quotes. As a pilot, it’s good to have these little quips tucked away for when things move away from straight and level. A good friend of mine pointed out that he often used one of these quotes in InfoSec-related keynotes he gave, and I thought I’d share some here with InfoSec commentary! Aviate, Navigate, Communicate. When the proverbial crap hits the fan, information security professionals may be the key to keeping a company safe from a data loss (or the catalyst to a bad situation). As a pilot, when things go wrong you have to remember to fly the plane, navigate it to a safe place, and tell controllers ...

New Whitepaper: Preventing Terminal Tampering

PCI DSS 3.0 is here, and from what I can see it appears that companies are scrambling to get the pieces in place to appease their assessors. One of those biggies is new requirement 9.9, which switches from a best practice to a requirement in the middle of this year. If you are just now starting to take a look at how this will affect your compliance programs, I’m afraid to say that you are behind. There are plenty of resources available for you to get into the technical, nitty-gritty components of this requirement. What I found was missing was a business discussion on the options your firm has to meet this requirement. I’m happy to announce a new whitepaper ...

What am I missing? Outsource payments today!

I always enjoy meeting with colleagues in the industry, as I learn something every time. I’ve had a chat with a few of you out there, and I’m trying to figure out why more companies continue to insource their payment processing and complain about PCI DSS and breaches as opposed to just outsourcing. Thinking back to some of the challenges in previous jobs, I may have helped answer it thanks to a conversation yesterday morning. All providers of IT services want their customers to integrate their product or service into internal IT systems. It creates stickiness and makes it hard to change vendors. Tools like anti-virus, DLP, SIEM, and knowledge management platforms that achieve some level of integration rarely are ...

Guest Post: Digital Fingerprinting—Do You Know Who You’re Doing Business With?

The following is a guest post by Frank Stornello of Verifi. Online fraudsters benefit from the anonymity of a virtual medium. They can invent and reinvent who they are on any given day. And they do. They can change email addresses or IP addresses in just a few clicks. But it’s a little more expensive and time consuming to change the hardware that they’re using to make a purchase—the PC, laptop or smartphone. That’s why “digital fingerprinting” or “device fingerprinting” has become a popular means for fraud prevention. Just as good old-fashioned fingerprinting has been used for over a century to identify criminals and thwart crime, digital fingerprinting can do the same by identifying the fraudsters’ tools, if not the ...
