Categories ArchivesEnterprise Security

The Right Way to Present your Security Initiative standard

Going through my RSS the other day, I found this blog post on HBR that everyone in our field should bookmark for future reference. It’s entitled, The Right Way to Present your Business Case, by Carolyn O’Hara. As I was reflecting on the successful (and not so successful) pitches in my career, I thought that this type of message also works perfectly for information security. We have all had that moment in our careers where we knew something needed to be done, but we struggled to communicate it effectively. I distinctly remember a conversation early in my career about adding a security product to a company I worked for and the CEO said, “Until Amazon gets hacked, nobody is going ...

Continue Reading

Shellshock and the Cyber Safety Program standard

I recently had a conversation with Josh Corman of IAmTheCavalry where he shared with me his open letter to the automotive industry. Entitled, the Five Star Automotive Safety Program, it outlines five specific areas that affect information security, and thus will affect the safety of humans that rely on those systems. The five areas are: Safety by Design Third-Party Collaboration Evidence Capture Security Updates Segmentation & Isolation When Josh and I first chatted, I was wary of number 4. Not the fact that security updates are needed, but that there must be a mechanism by which updates can be automatically deployed (not by taking a car to the repair shop). Could someone create a cyber-zombie army by taking over an ...

Continue Reading

Apple Pay is Not P2PE, and Does Not Replace PCI Compliance standard

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...

Continue Reading

The Impact of PCI DSS is Up To You standard

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week from disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...

Continue Reading

Will this Band-Aid help? standard

You know when you get a paper cut in the webbing of your fingers? How many of you just shuddered at the thought of such a minor, but memorable malady? Now, think about one of the times that you got in there really deep and had to find a band-aid. Those normal ones just don’t work! You need a special band-aid with the butterfly flaps on it. Then you can get on with your day without spreading more of your DNA on everything you touch. With all these POS breaches (like Home Depot this week), we need to address a paper cut. The paper cut here is the POS system. We can describe them as two machines with different life ...

Continue Reading

Is PCI DSS Effective? standard

Another week, another breach. SuperValu is the latest entity to suffer a breach involving credit cards, and I saw a tweet over the weekend that inspired this post. It was along the lines of “I’d hate to be the guy who has to explain how PCI DSS is effective against breaches.” While there is some humor in the tweet, there is more than just the standard in play here. PCI DSS by itself is a good baseline for handling cardholder data. I’ve written articles, blogs, books, and given talks on the merits of PCI DSS1. PCI DSS also has flaws, compared to other compliance initiatives, that are very difficult to fix. To make matters worse, there are a number of ...

Continue Reading

Why won’t you change your password? standard

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to do what we all know is right. She highlights four attitudes that people have when it comes to passwords: People who don’t know they should change their passwords—most likely by intentionally ignoring information that indicates they should. People who know they should change it, but avoid doing it because they think password theft and misuse will happen to someone else. People who ...

Continue Reading

Locking your Door is a Bad Analogy for PCI DSS Compliance and InfoSec standard

Storytelling is a pastime that spans all of human existance. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (See TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce their complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you ...

Continue Reading

The Art of Inquiry standard

The information security industry can sometimes fall into a rut when it creates and publishes requirements. Even in the corporate world we fall into these ruts. Go check out one of your build or hardening guides and see how much or how recently it has changed. In some respects, we don’t want to have drastic changes even when the world around us changes drastically because it makes it harder to meet those requirements. It’s that old “Your Security Rules are a Moving Target” chestnut. An old mentor of mine once told me that “compliance comes and goes, but security is here to stay”. In some respects, I think compliance is the manifestation of a purpose-built set of security rules driven ...

Continue Reading

Try the Middle of the Current (Just for Fun) standard

I was having a fantastic discussion with a close friend yesterday about how the security industry harbors people that fight battles just for the sake of fighting battles. It’s the stuff that makes Sun Tzu shake his head knowing that you are on the losing side. My friend said, “Hey, didn’t you write about something like that a while back?” Once again, Past Brando hosed Future Brando. One of Sun Tzu’s biggest teachings is that the preferred method to win a battle is to win without fighting. If I were to take some literary liberty with this edict and apply it to the security space, it’s better to win within the established rules of the game instead of spending all ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!