Categories ArchivesEnterprise Security

Managed Security Services ≠ Light Switch standard

RSA 2009 has been in the can for over a week now, and I’ve had some time to reflect on the state of security since the economy broke it’s nose on the market floor. Gartner released reports saying that security spending was not cut as hard (if at all) when compared to other areas inside companies. People on the expo floor had mixed experiences as well. The four common themes I discovered were: Non-essential security spending was cut (but things you have to do like SOX and PCI are fine) Headcount was cut No change My hair is on fire Regardless of the theme, more security professionals are warming up to the idea of Managed Security Services. While most of ...

Continue Reading

An alternative to PCI standard

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn’t have to visit too many after hours parties or exhibitors at RSA to see that. Most of the criticism of PCI comes from people who really don’t understand it, or understand how to use it to their advantage. And those people fall into two categories themselves; those who are green to PCI and are overwhelmed, and those who love their soap box. Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. ...

Continue Reading

Are you going to be at RSA? standard

I hope to see you there! I arrive on Monday and will be at the welcome reception about halfway through, and am leaving at lunchtime on Thursday. You can find me at the VeriSign ESS Booth (not the big one up front) at Booth #1454. It’s in the back, so you have to look for it! I will be manning the Retail Security area of our booth on Wednesday from 11:00 to 2:30. Come by and see me! Also, if you have not done so already, follow me on Twitter (http://twitter.com/BrandenWilliams/), I’ll be tweeting from the conference and the booth! Who knows, maybe we’ll end up at the same crowded bar filled with people arguing the merits of DLP! Possibly ...

Continue Reading

Simplified DLP in a Cost Conscious World standard

I’ve been writing Herding Cats for over a year now, and with all this talk about DLP, I wanted to dust off my FIRST EVER Herding Cats. Have you ever wanted to see if sensitive data your company protects exists outside of designated areas? Maybe you are looking for Personally Identifiable Information (PII), intellectual property, or cardholder data that might be sitting around in flat files. I suggest turning to Grep ((http://www.gnu.org/software/grep)), a GNU searching tool that is included on most Unix-based operating systems (and there are MS ports)! Grep can use the power of regular expressions to quickly search for patterns in files. The results obtained will help you triage data leakage that may occur through the normal course ...

Continue Reading

Do you think about skimmers? standard

I’ll admit, I’m not the insomniac whose brain refuses to shut down because of something like a skimmer. They do scare me. Less from a personal liability perspective and more from a corporate liability perspective. Have you ever seen a real-life example of an ATM that has been doctored with a skimmer? Today is your lucky day! One Gizmodo reader submitted his pictures and story. Maybe I’m crazy, and maybe it’s just not that big of a deal anymore. The bad guys are getting very crafty now, and able to fit skimmers to specific ATM models. It used to be that if you used an ATM regularly, it would be very easy to tell if someone had tampered with it. ...

Continue Reading

OWASP Code Review Guide standard

Have you seen it? OWASP recently released their Code Review Guide to the general public for download! I’m very happy to say that one of our own consultants was a contributing author, Jenelle (Chapman) Davis! This book goes through the basics of preparing for a review, understanding how threats may present themselves, to the more advanced topics of reviewing code for technical controls, to even giving suggestions for common languages or platforms on where to start. If you are interested in code review, you should understand the concepts in this book at a minimum. Slowly, but surely, we’re starting to see more and more information be made available on this topic, and hopefully this will begin to spread around the ...

Continue Reading

I want your old data! standard

Kotaku recently reported that a cache of Xbox 360s and PlayStation 3s offloaded to Circuit City has tons of fun data on them. Smaller merchants are buying these things for pennies on the dollar in hopes to resell them for a profit in their stores. I’ve heard that these things are everywhere! Folks, don’t forget, that every one of these devices that you plug into the wall or has a battery is basically a computer. Sure, it may not be the one that you are reading this post on, but it is a scaled down version of the same technology. You know that VOIP phone sitting on your desk? Yep, a computer. Aside from the data security issues associated with ...

Continue Reading

How a Little Push can put you into a Freefall standard

Last week I moderated a panel at a PCI focused dinner in Chicago. Big props to the folks that helped to plan this (Alex, Melissa, Ben, and Diana from VeriSign), the event was great! The panel participants were heavy hitters from the industry including Anton Chuvakin from Qualys, Davi Ottenheimer from Arcsite, and Bill Cook from Wildman Harrold. Anton has a few great points from the event that he has posted on his blog here. We had a fantastic discussion, and there were even great discussions among the panelists that revealed conflicting opinions. We had so much discussion that we were unable to go through the entire list of questions I had prepared. I had thirteen, and we only were ...

Continue Reading

What SHOULD Keep You Up At Night standard

Times are tough. Unless you are just now coming out of your winter hibernation, you are probably so beaten by that phrase that you are not far off from striking the next person that vomits it upon your day. Listen up executives, this one is for you. Breaches cost money. OK fine, I know that is not paradigm shattering knowledge I just dropped like it was hot. Still, executives miss the mark when trying to securely manage or grow their business. We know this because of the nearly daily additions to the breach list that PrivacyRights.org manages. Executives have been failing at managing long term expectations for years. Any of us that work for a public company know that an ...

Continue Reading

Companies need PCI++ (not just PCI) to be safe! standard

Going through some email over here and looked through the recent edition of The Aegis from the Society of Payment Security Professionals, and found a great little snippet from Chris Mark entitled “Wear Your Seatbelt…and Maybe a Helmet.” In it, he pulls a quote from the PCI SSC that seems directed at detractors of the PCI DSS. They state: “The PCI SSC believes that the best way to protect cardholder data that is stored, transmitted, and processed is by implementing the PCI DSS and remaining in full compliance.” Chris points out that this seems to imply that PCI DSS is the high water mark, not the baseline from which you should build a program. It may just be that a ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!