
EMC/RSA Expand Security Consulting Services

If you call yourself a “security guy,” this week represents one of the pivotal industry-related weeks every year.  I’m speaking, of course, of the RSA Conference.  The conference turns 19 this year, and there is quite a buzz going on!  I’ve not even arrived and I’m hearing about the excitement. What I wanted to tell you about today is our release on the expanded Security Consulting services that we announced earlier this morning.  The full release is here.  You can follow all the news coverage here, and there seems to be quite a bit!   If you are out in San Francisco, be sure to stop by the RSA booth around lunchtime tomorrow, and we can discuss this in detail! ...

New Ponemon Study (and other fun metrics)

The Ponemon Institute released its latest analysis on the cost of data breaches, and this year they posit that the cost of breaches is still on the rise. While new legislation and the increased savvy and persistence of attackers are continuing to drive the cost of breaches up, I also believe that this very same legislation is forcing more breaches to be reported. If anything, managers should take this information as a sobering reminder that the bad guys are out there and they still want your data. I’ve discussed these studies in the past, and I’m not terribly supportive of one of the key metrics that Ponemon analyzes: the cost per breached record. Non-security managers (and unfortunately some new security managers) ...

Don’t run IT as a business, run it as a business?

That’s what the theme of Bob Lewis’s article entitled “Run IT as a business—why that’s a train wreck waiting to happen” felt like to me. I understand that having people on different sides of an issue can lead to a more productive result, so this perspective is entertaining if nothing else. At a minimum, reading the article will expose a key problem IT organizations face, but the solution is no different from what vendors propose every single day. Have you noticed the push to “solutions” and “solution-based selling” over the last few years in the IT space? CIOs don’t give a rip about some fancy whiz-bang technology. What they do care about is whether you can solve a (business) problem for them. ...

Kicking Off 2010!

Greetings everyone! 2010 is going to be a pretty interesting year if we can keep this economic momentum going.  Here are a few things to start your year off! Check out my new article “Will End to End Encryption Save Us All?” where I attempt to define various forms of End to End Encryption (E2EE) and figure out how they could be used to secure PCI DSS related data. EMC/RSA buys Archer.  This one is a game changer, folks. The January issue of Herding Cats is also available!  “Corned-Beef PCI DSS” expands and refines a blog post I did here about using hashing as a data protection method, specifically as it relates to PCI DSS (PCI DSS is the focus ...

The Problem with Logging

Kim Zetter from Wired Magazine put Wal-Mart back in the news recently with information about an alleged incident that occurred in the 2005-2006 timeframe. One of the key issues making the rounds is the following assertion made by Zetter:

“The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”

Logs serve multiple purposes, and for that reason they tend to grow rapidly. Sure, storage is cheap nowadays, but every company still struggles with this very basic concept. While I won’t speak specifically to the Wal-Mart incident (Evan Schuman has some great additions), I will address some of what I see with my customers and their struggles with logging.

Over-Logging

This is more typical than ...

MasterCard/Visa Remove Reciprocity

Thanks to a fellow reader for pointing this out!  It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions.  Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection). Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold.  Now it appears that this is the case as the official merchant level definitions reflect exactly this. Unfortunately, the road does not end there.  In fact, it starts forking like crazy. Now that ...

Visa Releases Data Field Encryption Guidance

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals (paying homage to The Security Catalyst’s “3s and 5s” rule) and thirteen best practices that companies can implement to meet them. The five goals as listed in the bulletin are:

1. Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
2. Use robust key management solutions consistent with international and/or regional standards.
3. Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
4. Protect devices used to perform cryptographic operations against physical/logical compromises.
5. Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after ...

Herding Cats, October 2009

Is now available! This month? “Using the Popular Press.” Lots of SQUIRREL references for all you fans of Up, and of course, @Beaker. Check it out here!

Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference?  According to Oracle, they didn’t want administrators to have to choose between installing updates in a timely manner and attending the conference. That’s funny for me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers in a couple of days (the original release was slated for October 13, and the conference ends on the 15th).  In fact, between Oracle DBAs and z/OS Administrators, I don’t know who wins the prize for yelling the loudest about patching within thirty days. THIRTY days. Not two days.  THIRTY ...

Visa Sets Payment Application Security Mandates

As many of us in the industry had suspected, Visa has delayed its payment application security mandates two years to 2010 (newly boarded merchants) and 2012 (all merchants). The information was officially released on June 24, but I certainly did not see any public reference to it until recently. This is rumored to be largely in response to a low supply and high demand issue in the fuel industry. So those of you that were dealing with unrealistic deadlines, you’ve got a reprieve! Keep pushing though, don’t be one of those guys limping in at the eleventh hour!