Category Archives: Enterprise Security

More on NRF’s Letter to PCI SSC, and the Wireless Network that Could

A couple of weeks ago, I jotted down a few thoughts on the letter from the NRF to the PCI-SSC about the PCI Standards. My post was a bit rant-ish, but Anton Chuvakin threw down a great review in his blog yesterday. The only point that I wanted to add a different opinion on is the use of WEP. I’ve been a proponent for wide open wireless networks in corporations for a few years. I argue that because network compromises are either hit-or-miss with advanced encryption technologies, most hackers default to attacking hosts instead. One of our own testers is known to breach networks that security professionals thought were virtually impenetrable. He didn’t do it by packing a Cray into ...


Are you passionate about security?

People often come up to me and say things like, “Wow, you really are passionate about your work!” Aside from the old “Do what you love, and love what you do” adages our great grandparents regurgitate to us when they see us struggling with some arguably trivial thing in our work lives, passion is something that people can see on you. We’ve all sat through one of those talks at a conference or an association meeting where it is clear that the speaker is just going through the motions. Maybe they are not just reading right off the slides, but you can tell that the only thing they are thinking about is hitting the tables, bar, or airport. Did you ...


The Ready-Fire-Aim Method to Software Security

It’s now day two of WWDC, and amidst the AT&T iPhone 3G customers crying foul at the upgrade price to the 3GS, we’ve seen previews of the newest revision of the OS X series, Snow Leopard. After listening to the keynote (btw, I am not actually there, just living vicariously through the twits that are), I finally understand why Apple did a total stoner’s give-up on the name to the new OS. At first, I was a little bummed. I mean, can’t you imagine what the Apple commercials would look like if it were code named Cougar? Rawr! Snow Leopard is largely based on Leopard, but with several core components rewritten or enhanced to add amazing new functionality that is ...


Application Assessment Prep Tips

VeriSign consultant Nick Coblentz published seven quick tips for preparing for an application assessment. If you use custom applications for any of your business, you should have them regularly assessed. Developers are human, and we (I used to do dev work) make mistakes. I’d like to augment the list based on recent client experience. These are really two ways to say “Build a Contingency Plan.” Expect things to go wrong – ESPECIALLY if you are testing against production systems. Expect that the whole application will bomb. How will you recover? Do you have staff on call who can restore services in hours or minutes? Remember, the most relevant tests will be against production-critical applications. Applications that, if inactive, will impact ...


Voltage Releases Data Breach Map

Voltage has a new feature on their website, a map of data breaches with an approximation of the affected geographic area (or at least the location of the breached entity’s HQ). This is a nice complement to the Privacy Rights site, which lists all reported breaches, chronologically, since the ChoicePoint breach in 2005 that exposed a reported 163,000 records. I spent some time clicking around and really enjoyed playing with the different views and getting a perspective on where these things happen. Looking at the map, it’s really not a big surprise, but the most significant thing is the lack of global breach announcements (or lack of data). The number of countries affected is in the low teens, which we ...


Retail Security Followup Webinar: Maintaining Security

VeriSign has a new webcast! On a day when I was not feeling totally top notch, Melissa and I recorded this for your consumption. Here’s a synopsis of the webcast. Security in retail is hard. Retailers have never heavily invested in information security, and with threats increasing and the available investment money dwindling, many retailers are going to be in for an interesting ride. The consulting group at VeriSign realizes that security is not a one-size-fits-all problem. Each company requires a custom solution to maximize its results. This presentation outlines two distinct approaches, one from security and one from compliance, and gives some helpful tips to start your own process to bolster your security. If you are interested, simply send ...


Chuck Lorre is a GENIUS!

But we already knew that. I mean, with shows like The Big Bang Theory and Two and a Half Men, who can deny his genius? Anyway… For those of you who own televisions and have already realized his genius, you probably know that at the end of his shows there is a 2-4 second blip where he displays his vanity card. Every episode has a unique one, and as with most things, the first ones were pretty tame, and they get more and more out there with each passing week (see this blog and Herding Cats in the ISSA Journal for additional examples). Vanity card #221 struck me as something we see in the compliance and security industries. The first part, ...


Do Data Breach Laws Push Compliance?

CIO Australia recently posted an article suggesting that data breach notification laws drive compliance. Bob Russo is quoted quite a bit in the article, but there is a part that is missing. It’s not Bob’s fault; he is speaking from the Council’s perspective. He hit the bullseye. But what Bob does not say is what is really driving compliance. I’ve been doing PCI/CISP compliance work since 2004, not quite two years AFTER the September 26, 2002 filing of California’s SB 1386, the first state data breach law. Unfortunately, many companies did not pay much attention to it until several years later, when other states started passing similar laws, especially when Minnesota passed the Plastic Card Security Act in 2007. Being ...


Compliance & Security Diverge on Private Label Cards

Here’s one of those areas where security and compliance stare at each other angrily across the table instead of skipping down the trail together singing, “Tra-la-la.” I was speaking to a friend of mine at a birthday party about this because guys don’t stay inside for the Hannah Montana makeover, we go outside and talk about beer, sports, and information security. OK, SOME of us do that. So what if I like my toes painted? Anyway, he was telling me that his company was taking the stance that private label cards, or those cards that have the company name on them instead of a Visa, MasterCard, American Express, Discover, or JCB logo on them, should be included in their PCI ...


Seth Godin Gets Risk Management

On a recommendation from a friend, I picked up Tribes by Seth Godin. I’ve read many of Seth’s great books, the most popular probably being The Purple Cow, and each time I marvel at human nature’s rationalization that complex equals better. Complexity sometimes equals better, but don’t you think it’s funny how sometimes the simplest ideas are the ones that far exceed the complex ones? These are the ones that end up leaving a red mark on your forehead from your hand after you smack yourself and say, “Dammit, why didn’t I think of that?!?” Man crush aside (yeah, I have a small man crush on Seth Godin), security professionals need to read his books. If there is anything negative ...

