Category Archives: Enterprise Security

Compliance & Security Diverge on Private Label Cards

Here’s one of those areas where security and compliance stare at each other angrily across the table instead of skipping down the trail together singing, “Tra-la-la.” I was speaking to a friend of mine at a birthday party about this because guys don’t stay inside for the Hannah Montana makeover, we go outside and talk about beer, sports, and information security. OK, SOME of us do that. So what if I like my toes painted? Anyway, he was telling me that his company was taking the stance that private label cards, or those cards that have the company name on them instead of a Visa, MasterCard, American Express, Discover, or JCB logo on them, should be included in their PCI ...


Seth Godin Gets Risk Management

On a recommendation from a friend, I picked up Tribes by Seth Godin. I’ve read many of Seth’s great books, the most popular probably being The Purple Cow, and each time I marvel at human nature’s rationalization that complex equals better. Complexity sometimes equals better, but don’t you think it’s funny how sometimes the simplest ideas are the ones that far exceed the complex ones? These are the ones that end up leaving a red mark on your forehead from your hand after you smack yourself and say “Dammit, why didn’t I think of that?!?” Man crush aside (yeah, I have a small man crush on Seth Godin), security professionals need to read his books. If there is anything negative ...


Managed Security Services ≠ Light Switch

RSA 2009 has been in the can for over a week now, and I’ve had some time to reflect on the state of security since the economy broke its nose on the market floor. Gartner released reports saying that security spending was not cut as hard (if at all) when compared to other areas inside companies. People on the expo floor had mixed experiences as well. The four common themes I discovered were: non-essential security spending was cut (but things you have to do like SOX and PCI are fine); headcount was cut; no change; my hair is on fire. Regardless of the theme, more security professionals are warming up to the idea of Managed Security Services. While most of ...


An alternative to PCI

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn’t have to visit too many after-hours parties or exhibitors at RSA to see that. Most of the criticism of PCI comes from people who really don’t understand it, or don’t understand how to use it to their advantage. And those people fall into two categories themselves: those who are green to PCI and are overwhelmed, and those who love their soap box. Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. ...


Are you going to be at RSA?

I hope to see you there! I arrive on Monday and will be at the welcome reception about halfway through, and am leaving at lunchtime on Thursday. You can find me at the VeriSign ESS Booth (not the big one up front) at Booth #1454. It’s in the back, so you have to look for it! I will be manning the Retail Security area of our booth on Wednesday from 11:00 to 2:30. Come by and see me! Also, if you have not done so already, follow me on Twitter (http://twitter.com/BrandenWilliams/), I’ll be tweeting from the conference and the booth! Who knows, maybe we’ll end up at the same crowded bar filled with people arguing the merits of DLP! Possibly ...


Simplified DLP in a Cost Conscious World

I’ve been writing Herding Cats for over a year now, and with all this talk about DLP, I wanted to dust off my FIRST EVER Herding Cats. Have you ever wanted to see if sensitive data your company protects exists outside of designated areas? Maybe you are looking for Personally Identifiable Information (PII), intellectual property, or cardholder data that might be sitting around in flat files. I suggest turning to Grep (http://www.gnu.org/software/grep), a GNU searching tool that is included on most Unix-based operating systems (and there are MS ports)! Grep can use the power of regular expressions to quickly search for patterns in files. The results obtained will help you triage data leakage that may occur through the normal course ...


Do you think about skimmers?

I’ll admit, I’m not the insomniac whose brain refuses to shut down because of something like a skimmer. They do scare me. Less from a personal liability perspective and more from a corporate liability perspective. Have you ever seen a real-life example of an ATM that has been doctored with a skimmer? Today is your lucky day! One Gizmodo reader submitted his pictures and story. Maybe I’m crazy, and maybe it’s just not that big of a deal anymore. The bad guys are getting very crafty now, and able to fit skimmers to specific ATM models. It used to be that if you used an ATM regularly, it would be very easy to tell if someone had tampered with it. ...


OWASP Code Review Guide

Have you seen it? OWASP recently released their Code Review Guide to the general public for download! I’m very happy to say that one of our own consultants, Jenelle (Chapman) Davis, was a contributing author! This book goes from the basics of preparing for a review and understanding how threats may present themselves, to the more advanced topics of reviewing code for technical controls, to even giving suggestions for common languages or platforms on where to start. If you are interested in code review, you should understand the concepts in this book at a minimum. Slowly but surely, we’re starting to see more and more information made available on this topic, and hopefully this will begin to spread around the ...


I want your old data!

Kotaku recently reported that a cache of Xbox 360s and PlayStation 3s offloaded to Circuit City has tons of fun data on them. Smaller merchants are buying these things for pennies on the dollar in hopes of reselling them for a profit in their stores. I’ve heard that these things are everywhere! Folks, don’t forget that every one of these devices that you plug into the wall or that has a battery is basically a computer. Sure, it may not be the one that you are reading this post on, but it is a scaled-down version of the same technology. You know that VOIP phone sitting on your desk? Yep, a computer. Aside from the data security issues associated with ...


How a Little Push can put you into a Freefall

Last week I moderated a panel at a PCI-focused dinner in Chicago. Big props to the folks that helped to plan this (Alex, Melissa, Ben, and Diana from VeriSign); the event was great! The panel participants were heavy hitters from the industry, including Anton Chuvakin from Qualys, Davi Ottenheimer from ArcSight, and Bill Cook from Wildman Harrold. Anton has a few great points from the event that he has posted on his blog here. We had a fantastic discussion, and there were even great discussions among the panelists that revealed conflicting opinions. We had so much discussion that we were unable to go through the entire list of questions I had prepared. I had thirteen, and we only were ...
