Tag Archives: do it right

Another Security by Obscurity FAIL

I was doing some technical testing for a friend of mine the other day[1], let’s call him George, and came across yet another bad example (or a good one) on security by obscurity failing miserably. George just set up his first online service portal for his customer base.  He’s running a Pro Shop for a small, independent country club, and is trying to cut back on costs.  He decided to invest in a simple online tee-time reservation system, and move all of his reservations there.  He went to a managed service (that he probably found via the same method in the footnote below) to handle this for him, and they fired up a small blade with a basic Linux installation.  ...


Compliance, Easier than Security!

My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world. On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you ...


Subscriptions Deal with Transactions Times Twelve

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card) and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket!  While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year. Is there a way to game the system?  Well, maybe two ways.  First is to delete PCI DSS data, but that’s not ...


Satellite Hacking, Not Just for Pros!

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links.  Most of these links manifest as a form of a “carrier grade” link such as MPLS or Frame Relay.  These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links.  Companies extended their WAN in the form of a frame relay in 64-Kbit increments[1]. These links were rarely (if ever) encrypted partly due to the technology at the time and to inherent trust in telcos. Companies running frame ...


Data Destruction is YOUR Responsibility!

Matt Springfield (formerly of I-Net Solutions, those were the days) posted about a problem he is having with his Apple Time Capsule, and what happens to the data when they blow up.  In his situation, a bad power supply prematurely ended the life of his device.  When he asked an Apple representative what they do with the old hard drive contained inside the device, she responded that there was no data destruction policy. No data destruction policy?  Wow, there must be some fun stuff in old equipment at Apple. For the record, I’m a Mac user.  The first computers I used were early generation Macs (think System 6), and then I switched to a PC for a while in college.  ...


Don’t run IT as a business, run it as a business?

That’s what I felt like the theme of Bob Lewis’s article entitled “Run IT as a business—why that’s a train wreck waiting to happen” was.  I understand that having people on different sides of an issue can lead to a more productive result, so this perspective is entertaining if nothing else. At a minimum, reading the article will expose a key problem IT organizations face, but the solution is no different than what vendors propose every single day. Have you noticed the push to “solutions” and “solution-based selling” over the last few years in the IT space?  CIOs don’t give a rip about some fancy whiz-bang technology.  What they do care about is whether you can solve a (business) problem for them.  ...


The Power of Service

There is a book called The Ultimate Question by Fred Reichheld that discusses how all customer satisfaction can be boiled down to one question: How likely is it that you would recommend this company to a friend or colleague? Using the data received from a survey of your customers, a metric called the Net Promoter Score (NPS) is created, measuring your customer satisfaction.  This book was a hit last year, and I even saw the NPS formula used in a kickoff presentation last week. I spent the day yesterday on the road, and had an interesting conversation when I returned my rental car.  Interesting only because I have never been asked the following question before; the topic was fresh on ...


Forrester Unleashes PCI

John Kindervag, prominent analyst from Forrester, released a report this week entitled PCI Unleashed, where he talks history, dispels myths, and gives practical tips for companies trying to get a handle on PCI DSS.  John doesn’t waste any time getting started, and throws out a couple of points to shock the reader.  In fact, I’m kind of shocked they are in there, but it’s refreshing to see an organization of Forrester’s stature putting them into writing. While many agree that PCI DSS should be blamed on the payment brands, John asserts that it should not.  While I agree that the result (the standard itself) should not necessarily be blamed on the payment brands, its evolution is a direct result of ...


The Yes/No PCI Assessment

Chris Mark over at the PCI Answers blog wrote a fantastic post on The Rise of the Defensive PCI Assessment toward the end of last year.  I read it right after he posted it, and knew that I wanted to add to his thoughts.  It’s taken me about this long to get my thoughts together. I’ve been busy! I totally agree with his assessment, and I have run into some situations where this has come up with other QSAs.  Some QSAs have altered their interpretations (or made them more literal, I should say) because they realized that they were interpreting the standard incorrectly, or they priced the assessments so low to get the business that they can’t afford to understand ...


Kicking Off 2010!

Greetings everyone! 2010 is going to be a pretty interesting year if we can keep this economic momentum going.  Here are a few things to start your year off! Check out my new article “Will End to End Encryption Save Us All?” where I attempt to define various forms of End to End Encryption (E2EE) and figure out how they could be used to secure PCI DSS related data. EMC/RSA buys Archer.  This one is a game changer, folks. The January issue of Herding Cats is also available!  “Corned-Beef PCI DSS” expands and refines a blog post I did here about using hashing as a data protection method, specifically as it relates to PCI DSS (PCI DSS is the focus ...

