Categories ArchivesEnterprise Security

Top Five PCI DSS Mistakes that Lead to a Breach standard

RSA Conference is over, but that just means that all of those side conversations and meetings that we had will start to make themselves into blog posts! One that is a biggie for me is the top five mistakes that merchants make that lead to a compromise. I often get questions from small merchants asking for the top three to five things they should do to make sure they do not suffer a breach, specifically after they are overwhelmed by SAQ-D. While there is no substitution for complying fully with PCI DSS, there are a few common themes in breaches that businesses should address to avoid one. Keep in mind, while this applies to all setups, the ones getting hit ...

Continue Reading

GRC in the NextGen Data Center standard

The new data center is service oriented and less focused on the physical assets when compared to virtualized and utility computing that may or may not be on-premises. This makes GRC a bit more challenging as the governance piece slips out of the direct control of the IT organization and compliance requirements increase in numbers and the sheer amount of stuff required to demonstrate your compliance. In order to have a healthy GRC function in your IT environment, you must have an IT GRC platform that: Define IT policies and controls based on external and internal requirements Manage policy content Map policies to technical and process controls Evaluate IT risk Automate the auditing and regulatory reporting Keeping in mind that ...

Continue Reading

Trusting Identities in the Cloud standard

While next-gen IT and cloud infrastructure continues to grow in relevance and adoption, there are still some serious issues that have yet to be universally solved. One of those issues is the assertion of continuous trust in identities as they move around the cloud. RSA and Zscaler announced today a collaboration to deliver trusted access for cloud computing by jointly developing a cloud-based solution to provide that identity assertion. It will integrate risk-based authentication and identity federation from RSA’s Cloud Trust Authority and RSA’s Adaptive Authentication along with the inline web security capabilities of Zscaler’s Cloud Security service. Want more information? Stop by the RSA booth in the Expo hall! Possibly Related Posts: Improve Outbound Email with SPF, DKIM, and ...

Continue Reading

Implementation is Everything standard

Last week gave way to a flurry of activity around RSA and an alleged cryptographic flaw in the algorithm based on this report by Arjen K. Lenstra, James P. Hughes, Maxime Augier, Joppe W. Bos, THorsten Kleinjung, and Christophe Wachter. RSA’s Sam Curry writes a post here, as well as posts by Dan Kaminski, Nadia Heninger, and this New York Times article. As I was reading through this whole mess and understanding the technical issues at hand, I started thinking that the description of the problem, ultimately a lack of entropy in a particular implementation, is something that the security industry has dealt with before. You don’t have to look very far to see implementation problems that cause both minor ...

Continue Reading

PCI Compliance for…. standard

We are almost done with the next edition of the book! Anton & I are cleaning up a few last edits in the first manuscript and it will be in the publisher’s hands. One topic that we kept coming back to when writing this edition was broadening our scope to go beyond big, Level 1 merchants and service providers. We even dedicated a chapter to small businesses in this edition, and give you tips for what to do when starting a business that needs to accept payment cards. But one thing that strikes me as I reflect upon writing that chapter is the overwhelming urge to make the chapter three words long. Those three words would be: Just. Outsource. It. ...

Continue Reading

Hardware Security, the New Frontier? standard

RSA Conference is right around the corner, and I’m excited to actually be able to see some talks this year. I’m on a panel with Dave Navetta and Serge Jorgensen on Tuesday covering the Dark Side of a Payment Card Breach (LAW-107, Room 131, 2:40pm). I am sure if you are there, we will bump into each other somewhere along the way! One of the topics that I want to explore with other security folks while I am there is a shift to hardware-focused exploits whereby you bypass software and focus on firmware to control machines. It’s not a new concept and has been seen in both theoretical and actual attacks on systems. But as software vulnerabilities are closed, the ...

Continue Reading

Intelligence-Driven Security standard

RSA released the ninth installment of the Security for Business Innovation Council report last week, and through a series of blog posts on Speaking on Security, we’re going to analyze the various areas highlighted in the findings. Today I’m going to explore the concept of Intelligence-Driven Security. In our world, intelligence-driven means that information coming in from all of our available sources will influence our actions—some of which will become automated over time. The report makes a pretty sad claim about the global state of information security, one that has been explored here in the past and largely derivative of the old subject of my blog. Security programs tend to be compliance driven, or even worse, simply optimized for compliance. ...

Continue Reading

Corporate Responsibility with Ben Tomhave standard

This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into corporate responsibility. If you haven’t seen this article about a company who is facing massive penalties, give it a read. It will help set up my position on corporate responsibility for promoting longevity. My position: Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation. During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should ...

Continue Reading

Myth Busting with Ben Tomhave standard

I love our industry! There is no shortage of truly talented and smart folks, and one of the best parts of being in this industry is getting to have conversations with these folks often. Ben Tomhave (@falconsview), a noted security pro and blogger, kicked off a fury of tweets that really went into two directions. First was for a common myth about PCI DSS validation which I will address here (and ensure it is much clearer in the next edition of the book). “Can merchants (including Level 1) self assess?” lead us to a conversation about the functions of audit, the industry in general, and corporate responsibility. We’ll get into THAT discussion next week. The discussion on Twitter began with ...

Continue Reading

We Must Hunt standard

Security people are often viewed as gatherers. We gather security event data, collect logs for review, build documentation based on information about our environment, and group informational assets in like-valued groups to focus our defenses. I think we’ve got the gathering part down. It’s similar to our propensity to react. We may not be great at reacting (or more likely, we’re great at reacting at only a few things), but we get plenty of exposure to it. You cannot be a successful security professional by only being a gatherer, and your team won’t be successful if you only hire and employ gatherers. Just like most societal norms that evolved over thousands of years, you need hunters to fill a need ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!