Category Archives: Enterprise Security

The Problem with Logging

Kim Zetter from Wired Magazine put Wal-Mart back in the news recently with information about an alleged incident that occurred in the 2005-2006 timeframe.  One of the key issues making the rounds is the following assertion made by Zetter: The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis. Logs serve multiple purposes, and for that reason they tend to grow rapidly.  Sure, storage is cheap nowadays, but every company still struggles with this very basic concept.  While I won’t speak specifically to the Wal-Mart incident (Evan Schuman has some great additions), I will address some of what I see with my customers and their struggles with logging.

Over-Logging

This is more typical than ...


The Lost Assessment

Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month.  Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I made a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana. In the book, Mal’akh is searching for what he believes is the final piece to a puzzle that will make him an all-powerful, deity-like creature.  His quest began while imprisoned in a Turkish prison (yes he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd ...


Blame MBAs for PCI Remediation Costs!

Do you ever wonder how we got into this situation?  Where merchants are facing tremendous fines for non-compliance, companies are being compromised by hackers here and overseas, and data security programs seem to be non-functional at best (if not non-existent)? I’ll tell you how… MBAs.  Yep, those pesky folks that learn the inner workings of how to take advantage of numbers to best increase their own personal compensation? Yes, another MBA dog-pile.  And I feel qualified to pick on my MBA brethren because I are one. All seriousness aside (did I do that right?), let’s think about how payment systems started inside retailers.  This is a classic example of the Build vs. Buy problem in every single MBA finance class.  ...


Herding Cats, Bringing You up to Date!

I’ve been neglecting you all.  I usually post PDF versions of Herding Cats here on the blog for you all to read!  If you are not an ISSA Member, stop what you are doing and click here to join.  If you are, you can catch Herding Cats in an ISSA Journal online or in print! The last edition I posted was from April.  Here are the ones that I have published since then:

The Perimeter has Left the Building, 08/09
Security is a Mindset, 07/09
The Cost of Ethics & Integrity, 06/09
The Breach You DID Expect, 05/09

Don’t forget, you can see all the editions right here on the site! ...


PCI SSC Releases Skimming Prevention Tips

Skimming (in the credit card world) is commonly defined as capturing magnetic stripe data during the normal payment process by swiping it through an external (or even inline) device before or after the authorization swipe.  External devices are commonly found in stores where a payment instrument is presented, and someone takes the card away from view to process, like at a restaurant.  Inline skimming occurs where the cardholder is present during the swiping, and usually involves tampered swipe devices. The PCI Security Standards Council recently released an EXCELLENT guide with tips on preventing skimming, with sample forms that you can use to track your progress.  Most of the skimming techniques employed can be addressed with physical inspection, something with which ...


The End of PIN-Debit for Fuel?

PIN-based debit authorization rates have recently increased dramatically, with some merchants complaining that their auth rates have increased up to four times their previous rate.  In some armchair research, I learned that Interlink (Visa) and Pulse (Discover) have removed interchange caps on transactions.  For most merchants, it is still cheaper to process a PIN-based debit transaction than a credit card transaction (on a per-transaction basis), but for others it is about the same.  Or at least the difference in cost is so minimal that their volumes don’t force an advantage one way or the other. Visa is enforcing PIN Entry Device (PED) mandates, effective on July 1, 2010, whereby all PEDs must comply with the PCI PED Standard.  For retailers ...


Splain it, Brando!, and Finding your Data

On Thursday, I threw out a blog post which I hope to be the start of a series playing on Dave Ramsey’s style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asked me to elaborate. In a back-to-school fashion, imagine this conversation as played through your teenage daughter’s cell phone. “I was all, ‘Just find the data!’, and he was all, ‘Whatever.’” I am so in touch with today’s youth. SK brought up a good point.  Let’s say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) ...


Dave Ramsey Applied to Security, Baby Step #1

I’ve been on a Dave Ramsey kick lately.  I like his message and his concept of declaring war on debt.  One of his mantras can save people TONS of cash if they would just use basic things they learned in school. “Do the math!” Everyone out there has a brother-in-law, church buddy, or friend of a friend who is “a finance guy.”  We tend to listen to people we consider experts without questioning their motives, simply because we don’t believe we can comprehend the complexity of the question enough to figure the answer out ourselves. For example, several years ago I went to a car dealership to buy my wife a new car.  I had just recently graduated with my ...


Bob Carr: “QSAs let us down.” And Things Never Heard by a QSA

Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down.  Of course, he is not referring to his most RECENT QSA, but I’m sure that was an editorial change to make the story more interesting. The article is a fantastic read, but also slightly humorous in nature. I’m going to leave Heartland’s situation out of this post, and look at how other companies have dealt with breaches. If you want to see what others are saying, check Rich Mogull, Mike Rothman, and Andy Willingham. Nearly every company I have worked with suddenly “Gets Religion” after a breach.  Prior to it, security is not top of mind, therefore things like PCI become burdensome as opposed ...

