Categories ArchivesEnterprise Security

Guest Post: The DNA of Compliance standard

The following is a guest post by Shaun Fothergill, the EMEA Practice Manager for VeriSign’s Global Security Consulting group. The tidal wave of regulatory compliance issues has intimidated the brave and petrified the frail, those who once played lip service to these issues are now looking for very serious answers from very serious questions. How do I comply? What do I need to do? What will it cost me? How do I keep compliant? The problem is that there are so many regulatory issues we need to consider and each of these seemingly having their own security nuance that needs to be addressed. Listed below are just some of the compliance issues businesses need to take into account: Data Protection ...

Continue Reading

Guest Post: The IT forecast – Cloud-y with a 10% Chance of Effective Security standard

The following is a guest post by Fred Langston, Sr. Product Manager for VeriSign’s Global Security Consulting group. With the stampede to the next big thing gaining speed, Cloud Computing and Cloud Services face the standard, yet utterly preventable, horse-before-the-cart security conundrum. Anytime paradigm-shifting technology that saves money and decreases operational costs hits the market, two things are certain – 1) your company, just like 99% of the other companies in your vertical, will be running with the pack straight towards rapid adoption, and 2) security tools, techniques, and control technologies to find and mitigate the huge business risks associated with the new cloud services are: Lacking in essential functionality, scalability, or cloud-wide scope Not based on well-vetted best practice ...

Continue Reading

More on NRF’s Letter to PCI SSC, and the Wireless Network that Could standard

A couple of weeks ago, I jotted down a few thoughts on the letter from the NRF to the PCI-SSC about the PCI Standards. My post was a bit rant-ish, but Anton Chuvakin threw down a great review in his blog yesterday. The only point that I wanted to add a different opinion on is the use of WEP. I’ve been a proponent for wide open wireless networks in corporations for a few years. I argue that because network compromises are either hit-or-miss with advanced encryption technologies, most hackers default to attacking hosts instead. One of our own testers is known to breach networks that security professionals thought were virtually impenetrable. He didn’t do it by packing a Cray into ...

Continue Reading

Are you passionate about security? standard

People often come up to me and say things like, “Wow, you really are passionate about your work!” Aside from the old “Do what you love, and love what you do” adages our great grandparents regurgitate to us when they see us struggling with some arguably trivial thing in our work lives, passion is something that people can see on you. We’ve all sat through one of those talks at a conference or an association meeting where it is clear that the speaker is just going through the motions. Maybe they are not just reading right off the slides, but you can tell that the only thing they are thinking about is hitting the tables, bar, or airport. Did you ...

Continue Reading

The Ready-Fire-Aim Method to Software Security standard

It’s now day two of WWDC, and amidst the AT&T iPhone 3G customers crying foul at the upgrade price to the 3GS, we’ve seen previews of the newest revision of the OS X series, Snow Leopard. After listening to the keynote (btw, I am not actually there, just living vicariously through the twits that are), I finally understand why Apple did a total stoner’s give-up on the name to the new OS. At first, I was a little bummed. I mean, can’t you imagine what the Apple commercials would look like if it were code named Cougar? Rawr! Snow Leopard is largely based on Leopard, but with several core components rewritten or enhanced to add amazing new functionality that is ...

Continue Reading

Application Assessment Prep Tips standard

VeriSign consultant Nick Coblentz published seven quick tips for preparing for an application assessment. If you use custom applications for any of your business, you should have them regularly assessed. Developers are human, and we (I used to do dev work) make mistakes. I’d like to augment the list based on recent client experience. These are really two ways to say Build a Contingency Plan. Expect thing to go wrong – ESPECIALLY if you are testing against production systems. Expect that the whole application will bomb. How will you recover? Do you have staff on-call that can restore services in hours or minutes? Remember, the most relevant tests will be against production critical applications. Applications that, if inactive, will impact ...

Continue Reading

Voltage Releases Data Breach Map standard

Voltage has a new feature on their website, a map of data breaches with an approximation of the affected geographic area (or at least the location of the breached entity’s HQ). This is a nice compliment to the Privacy Rights site which lists all reported breaches, chronologically, since the Choicepoint breach in 2005 that exposed a reported 163,000 records. I spent some time clicking around and really enjoyed playing with the different views and getting a perspective on where these things happen. Looking at the map, it’s really not a big surprise, but the most significant thing is the lack of global breach announcements (or lack of data). The number of countries affected are in the low teens, which we ...

Continue Reading

Retail Security Followup Webinar: Maintaining Security standard

VeriSign has a new webcast! On a day where I was not feeling totally top notch, Melissa & I recorded this for your consumption. Here’s a synopsis of the webcast. Security in retail is hard. Retailers have never heavily invested in information security, and with threats increasing and the available investment money dwindling, many retailers are going to be in for an interesting ride. The consulting group at VeriSign realizes that security is not a one-size-fits-all problem. Each company requires a custom solution to maximize their results. This presentation outlines two distinct approaches, one from security and one from compliance, and gives some helpful tips to start your own process to bolster your security. If you are interested, simply send ...

Continue Reading

Chuck Lorre is a GENIUS! standard

But we already knew that. I mean, with shows like the Big Bang Theory and Two & A Half Men, who can deny his genius? Anyway… For those of you that own televisions and have already realized his genius, you probably know that at the end of his shows there is a 2-4 second blip where he displays his vanity card. Every episode has a unique one, and as most things, the first ones were pretty tame, and they get more and more out there with each passing week (see this blog and Herding Cats in the ISSA Journal for additional examples). Vanity card #221 struck me as something we see in the compliance and security industries. The first part, ...

Continue Reading

Do Data Breach Laws Push Compliance? standard

CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It’s not Bob’s fault, he is speaking from the Council’s perspective. He hit the bullseye. But what Bob does not say is what is really driving compliance. I’ve been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California’s SB 1386–the first State Data Breach Law. Unfortunately, many companies did not pay too much attention to it until several years later when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!