Category Archives: Enterprise Security

Why the Adult Friend Finder Breach Should Concern You

Check out this great post by Dave Lewis over at CSO who reports on one of those face-palm realizations that many folks are having today. Adult Friend Finder is a social hookup site that fell victim to a breach with all kinds of data on its members now disclosed to the public. Why is that a big deal? Because an alarming number of users on that site signed up for the service using their corporate email accounts. HR nightmare aside, there is a ton of really great information now available to an attacker. If you use the service, you may have your own issues with your intimate details and preferences being publicly available. As a corporate CISO, you need to ...


The Impacts of Breaches: New Research!

Part of the reason why I went through the enlightening process of my third run through academia as a learner was to be able to contribute research back to the field. I’m happy to announce that my first paper is now public for download. Available for download through the Merchant Acquirers’ Committee is this piece that examines the economic impacts of breaches entitled, The Impacts of Breaches: A Survey of MAC Members on the Realities of Data Breaches. In it, I reveal research that helps to explain some of the economic realities of breaches. Here’s a preview, it’s not as bad as you probably think! I’ve also built an academic manuscript for this paper which goes into much more detail ...


Life Saving Aviation Tips Applied to InfoSec

I came across this humorous little collection of life saving aviation quotes. As a pilot, it’s good to have these little quips tucked away for when things move away from straight and level. A good friend of mine pointed out that he often used one of these quotes in InfoSec-related keynotes he gave, and I thought I’d share some here with InfoSec commentary! Aviate, Navigate, Communicate. When the proverbial crap hits the fan, information security professionals may be the key to keeping a company safe (or the catalyst to a bad situation) from a data loss. As a pilot, when things go wrong you have to remember to fly the plane, navigate it to a safe place, and tell controllers ...


New Whitepaper: Preventing Terminal Tampering

PCI DSS 3.0 is here, and from what I can see it appears that companies are scrambling to get the pieces in place to appease their assessors. One of those biggies is new requirement 9.9, which switches from a best practice to a requirement in the middle of this year. If you are just now starting to take a look at how this will affect your compliance programs, I’m afraid to say that you are behind. There are plenty of resources available for you to get into the technical, nitty-gritty components of this requirement. What I found was missing was a business discussion on the options your firm has to meet this requirement. I’m happy to announce a new whitepaper ...


What am I missing? Outsource payments today!

I always enjoy meeting with colleagues in the industry as I learn something every time. I’ve had a chat with a few of you out there and I’m trying to figure out why more companies continue to insource their payment processing and complain about PCI DSS and breaches as opposed to just outsourcing. Thinking back to some of the challenges in previous jobs, I may have helped answer it thanks to a conversation yesterday morning. All providers of IT services want their customers to integrate their product or service into internal IT systems. It creates stickiness and makes it hard to change vendors. Tools like anti-virus, DLP, SIEM, and knowledge management platforms that achieve some level of integration rarely are ...


Guest Post: Digital Fingerprinting—Do You Know Who You’re Doing Business With?

The following is a guest post by Frank Stornello of Verifi. Online fraudsters benefit from the anonymity of a virtual medium. They can invent and reinvent who they are on any given day. And they do. They can change email addresses or IP addresses in just a few clicks. But it’s a little more expensive and time consuming to change the hardware that they’re using to make a purchase—the PC, laptop or smartphone. That’s why “digital fingerprinting” or “device fingerprinting” has become a popular means for fraud prevention. Just as good old-fashioned fingerprinting has been used for over a century to identify criminals and thwart crime, digital fingerprinting can do the same by identifying the fraudsters’ tools, if not the ...


The Right Way to Present your Security Initiative

Going through my RSS the other day, I found this blog post on HBR that everyone in our field should bookmark for future reference. It’s entitled, The Right Way to Present your Business Case, by Carolyn O’Hara. As I was reflecting on the successful (and not so successful) pitches in my career, I thought that this type of message also works perfectly for information security. We have all had that moment in our careers where we knew something needed to be done, but we struggled to communicate it effectively. I distinctly remember a conversation early in my career about adding a security product to a company I worked for and the CEO said, “Until Amazon gets hacked, nobody is going ...


Shellshock and the Cyber Safety Program

I recently had a conversation with Josh Corman of IAmTheCavalry where he shared with me his open letter to the automotive industry. Entitled, the Five Star Automotive Safety Program, it outlines five specific areas that affect information security, and thus will affect the safety of humans that rely on those systems. The five areas are: Safety by Design, Third-Party Collaboration, Evidence Capture, Security Updates, and Segmentation & Isolation. When Josh and I first chatted, I was wary of number 4. Not the fact that security updates are needed, but that there must be a mechanism by which updates can be automatically deployed (not by taking a car to the repair shop). Could someone create a cyber-zombie army by taking over an ...


Apple Pay is Not P2PE, and Does Not Replace PCI Compliance

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...


The Impact of PCI DSS is Up To You

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week from disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...

