Category Archives: Enterprise Security

How PCI Can Ruin You

No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers that I had visited over the years, and all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues. BTW, I’m hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them!  That was, by far, my favorite part of writing the book.  Maybe I’ll try some bad fiction writing next? (FAIL) Anyway, one of the things that the information security ...


The Simplicity of PCI, and the best way to complicate it!

OK folks, bring on the love.  Ready?  I’m going to stick my neck way out there. PCI is easy. *GASP* OK, taking a company that ignored security (or only focused on one particular element of a good security program) to compliance is hard, painful, and will result in lots of kicking and screaming and other tantrum-like actions.  Why?  See this post. But take PCI DSS on the surface.  It’s prescriptive (potentially overly so in some cases), it is based on a good, common set of security practices that, quite frankly, you should already be doing, and its impact on your organization can be limited dramatically depending on how you approach it.  If you look at the high level twelve ...


Fun Times with Encryption

Time for a throwback!  This year, I posted my new article “The Art of the Compensating Control” over a three-week period back in April.  A reader recently contacted me about a claim I make in Part 4 of the posting.  He says: In your April 2009 blog The Art of the Compensating Control (Part 4) Tax day special, you stated that using the random function in COBOL to generate your key was in a sense, “a really bad idea”.  I have no knowledge of encryption so I don’t see the fault with the process.  How would this be equivalent to only 53 bits of encryption? Excellent question!  The basis of this post relies on a tool by Mandylion Labs ...


The Breach You Didn’t Expect

Portions of this post originally appeared in the March 2009 Issue of the ISSA Journal. We just got our first severe weather scare of the year in Texas. A tornado was reported less than five miles from my house by spotters on February 11th. Some of my customers have facilities in Tornado Alley and have heavily fortified their data centers to take a direct hit by a tornado. Usually, the secondary data center is also in Tornado Alley. Why would you put two data centers in harm’s way? When you run the probability calculations, the likelihood of both being destroyed is about the same as an intersection in Montana having a Starbucks on every corner (OK, I’m going out on ...


Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’?

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill which is impacting all areas of the US economy. One such impact is the reason for today’s blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA (which has been around for over a decade), but has many a time gone unnoticed/not strongly enforced, and no incentive to comply, amongst the other ...


Why PCI DSS is a good thing for YOU!

You know, it’s kinda funny.  Everywhere I go, I see how polarizing PCI DSS is.  If you deal with PCI often, think about your interactions with others when discussing PCI.  This is a response you have probably never heard: “Well, that PCI thing is OH-KAY.  I’m not really thrilled one way or the other…” More likely it was something like “That F&*@ing PCI DSS!  I hate it!” or “God bless those PCI DSS Overlords for giving me a stick to whip my company into shape!”  I tend to hear the former much more than the latter, but that demonstrates the wide difference in corporate cultures faced with PCI DSS. Those of you screaming and complaining about PCI should stop for ...


Requirement 11.2 Follies

Why is Requirement 11.2 one of the most failed by merchants and service providers alike? Requirement 11.2 has shown up here a few times, but after looking back, I never really explored the issues in detail.  Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external.  Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, but makes the biggest impact internally.  In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...


Guest Post: Is it better to be secure, or appear secure?

The following is a guest post by Matt Wilgus, Technical Services Practice Manager for VeriSign’s Global Security Consulting group. While the aforementioned question rarely gets formally asked, it is a decision information security offices deal with all the time. Often the security office also handles compliance initiatives. Given the limited resources, is it better to comply with requirements, if the opportunity cost is investing in a project which could bolster security, but not meet compliance initiatives? If an organization is secure then the organization should likely appear secure; however, this is not always the case. The extent an organization is secure is open to perception and often boils down to risk tolerance and risk acceptance. However, what really drives tolerance ...


Guest Post: The DNA of Compliance

The following is a guest post by Shaun Fothergill, the EMEA Practice Manager for VeriSign’s Global Security Consulting group. The tidal wave of regulatory compliance issues has intimidated the brave and petrified the frail; those who once paid lip service to these issues are now looking for very serious answers to very serious questions. How do I comply? What do I need to do? What will it cost me? How do I keep compliant? The problem is that there are so many regulatory issues we need to consider, and each of these seemingly has its own security nuance that needs to be addressed. Listed below are just some of the compliance issues businesses need to take into account: Data Protection ...


Guest Post: The IT forecast – Cloud-y with a 10% Chance of Effective Security

The following is a guest post by Fred Langston, Sr. Product Manager for VeriSign’s Global Security Consulting group. With the stampede to the next big thing gaining speed, Cloud Computing and Cloud Services face the standard, yet utterly preventable, horse-before-the-cart security conundrum. Anytime paradigm-shifting technology that saves money and decreases operational costs hits the market, two things are certain – 1) your company, just like 99% of the other companies in your vertical, will be running with the pack straight towards rapid adoption, and 2) security tools, techniques, and control technologies to find and mitigate the huge business risks associated with the new cloud services are:
Lacking in essential functionality, scalability, or cloud-wide scope
Not based on well-vetted best practice ...
