Category Archives: Enterprise Security

Using OpenSource Tools for Compliance & Security

The following is a guest post by JD Smith. JD is a Sr. Consultant inside the PCI practice at VeriSign. PCI DSS 1.2 has several sections that require a security application to be used to satisfy a requirement. Some of these areas are file integrity monitoring, firewalls, encryption, wireless scanners, intrusion detection/intrusion prevention and anti-virus. All of these areas have several tools available to address the specific requirement. However, what if a merchant needs to keep the budget to a bare minimum? What if there is absolutely no way a merchant is able to purchase several of these solutions straight off the shelf and pay the licensing associated with them without severely impacting the business? Open-source solutions exist for practically ...


Deming Points Applied to Security

The following is a guest post by Phil Fuhrer. Phil has many years of experience in the assessment and management of IT systems quality. In addition to his current work at VeriSign, his interests include requirements, systems architecture and security technology. Edward Deming is considered the father of statistical quality control. The “Deming Cycle” and his fourteen points for managing quality improvement are the most widely known parts of Deming’s work. The “Deming Cycle” is much like the Systems Development Life Cycle and other methods that ratchet change, allowing continuous improvement. Less well known is Deming’s insistence that effective quality improvement cannot be done without statistically stable quality measurements (Bell Laboratories Deming Quality class about 1996). As a statistician ...


ACK! No browser is safe!!

What a confusing time it is for those of us who just like sitting around all day and poking at the interweb through a browser. We have a rather nasty 0-Day exploit for Internet Explorer roaming around, and Mozilla Firefox makes Bit9’s list as one of the most vulnerable applications in 2008 (surprisingly, IE is not on there). The Internet Explorer 0-Day is so bad that some experts are urging users to switch to another browser. Naturally, the first choice for a number of users would be Firefox. But now Bit9 has released this telling report saying that it was one of the most vulnerable apps in 2008. So where do you turn? Well, the list is not the ...


Something is afoot with Cloud Computing

Something is going on. I don’t know exactly what it is, but all of a sudden I’m hearing more of this buzzword. “Cloud Computing” may be the buzzword for 2008. There are even blogs that dedicate content to it. It sure seems to be thrown around a lot… especially in the economic hiccup we are experiencing right now. Should we blame Gartner for its use? Only for using cloud computing and $3.4 trillion in the same article. I bet that’s the root of the problem. So what is cloud computing? Well, according to IEEE, “Cloud Computing is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on clients that include desktops, entertainment centers, tablet ...


Past Issues of Herding Cats now ONLINE!

Herding Cats is the monthly column that I write for the ISSA Journal. If you have read my previous posts on Herding Cats, you probably noticed that the links require membership in the ISSA. If you are a reader of this blog and NOT a member of the ISSA, you should join today. Society membership rant aside, I now have a small page that has all of my past columns and publications for the Journal. Please navigate over to http://www.brandenwilliams.com/brwpubs/ to download those versions! These will be posted one month behind the printed version. Navigate over and enjoy!


BUSTED! Why passing the blame for a PCI Breach will fail.

After the year we had in 2007 with PCI related breaches, who would have thought that 2008 would give us more? I mean, after last year, who would have thought that we would see another major breach given the “lessons” we learned? Um, I did. Fo-sho. Why? Because early in my career I learned that most executives don’t care about problems until they hit close to home. Like right under their nose. We’ve seen two instances this year of companies that had validated compliance with a QSA, but were subsequently breached. Without specifically commenting on either of these cases, we have never conducted an investigation of a compromised entity and learned that they were compliant at the time of the ...


Your Doctor does not take Security Seriously

Probably. Well, at least one of mine doesn’t. Let me take you through the scene I lived as I completed a routine checkup at my doctor’s office last week. After arriving and being called back, they did the standard how tall are you (thankfully, I have not shrunk), how much do you weigh (PRE-thanksgiving, thanks!), do you have a pulse, and is your blood pressure somewhere in between dead and explodingly high. Yep, I said it. Explodingly. It’s a smashup between a gerund and an adverb. An “adverunderb.” So after all the basic stuff, we sit down and review my medical history as they have it, including any surgeries or medications I have been on prior to my visit. As ...


Where to get good PCI Training

Yep, it’s been a PCI heavy week. Want me to discuss other topics? T and suggest one! Last week I sat through the Certified Payment-card Industry Security Manager training here in Dallas. The folks at Aegenis planned it at a hotel that happened to be about 10 minutes from my house, so getting there was easy. There were several bigwigs from the information security and PCI industry there with me in the sold out training, and the industry perspectives were valuable. If you are not an employee of a QSAC and are looking for a GOOD source of training around PCI, data breach laws, and a detailed look into the payment industry, this training is for you. If you opt ...


Fun with Phishing

Here at VeriSign, our email filtering is pretty effective. We have a corporate solution run by Postini (Google) that I am sure processes an amazing amount of SPAM for us. In most cases, one email that I would consider truly SPAM might slip through every couple of months. Not a bad track record. Today one of those messages got through, and I was amazed at what the bad guys are doing to try and commit fraud nowadays. I remember several years ago that one effective method to get money out of large corporations was to just send an invoice for a small amount to the Accounts Payable department. Somewhere in the next two months, a check for that amount would show ...


Win a free pass to CSI2008 in DC!

Thanks to the Security Blogger’s Network, I am pleased to offer one free pass to CSI 2008 in DC! You will need to put some thought into your entry as this is not just some easy give away. To enter into this contest, all you need to do is email me your favorite security related story. Something that you saw that was clearly a huge security problem. Like if you saw a metal detector in a building that was maybe turned off, or maybe a NeXT box running an e-commerce web server in the last year. Here are the rules: All entries must be received via email by Thursday, November 6th, 5PM Central time. One entry per person. Your entry ...
