Tag Archives: security

Running Security Into The Ground

Security professionals are funny.  We are incredibly strong willed and have strong opinions on subjects we live for.  It’s more than passion, it’s Passion++.  Just like regular passion, but with an object oriented framework that makes for the amplification of said passion, but only for those that truly grasp its power. For example, get a security expert that lives and breathes Linux and one that lives and breathes NetBSD in the same room, ask for the most secure, open-source platform, and watch the hilarity ensue. Some security professionals have developed a dangerous attitude that rears its head when people discuss things like PCI DSS or other compliance topics. “Don’t tell me how to do my job!”  This sometimes comes across ...


Bob Carr: “QSAs let us down.” And Things Never Heard by a QSA

Bob Carr was recently quoted in a Computerworld article saying that QSAs let [Heartland] down.  Of course, he is not referring to his most RECENT QSA, but I’m sure that was an editorial change to make the story more interesting. The article is a fantastic read, but also slightly humorous in nature. I’m going to leave Heartland’s situation out of this post, and look at how other companies have dealt with breaches. If you want to see what others are saying, check Rich Mogull, Mike Rothman, and Andy Willingham. Nearly every company I have worked with suddenly “Gets Religion” after a breach.  Prior to it, security is not top of mind, therefore things like PCI become burdensome as opposed ...


How PCI Can Ruin You

No, this is not one of those posts poo-pooing PCI because it is the popular thing to do. But after my marathon writing sessions working on the book, I started to think about all the customers that I had visited over the years, and all the problems I have seen, and how even today the problems that come up are essentially caused by common root issues. BTW, I’m hoping you guys all LOVE the case studies. Some of you readers might even be business owners or playing a part in them!  That was, by far, my favorite part of writing the book.  Maybe I’ll try some bad fiction writing next? (FAIL) Anyway, one of the things that the information security ...


Fun Times with Encryption

Time for a throwback!  This year, I posted my new article “The Art of the Compensating Control” over a three week period back in April.  A reader recently contacted me about a claim I make in Part 4 of the posting.  He says: In your April 2009 blog The Art of the Compensating Control (Part 4) Tax day special, you stated that using the random function in COBOL to generate your key was in a sense, “a really bad idea”.  I have no knowledge of encryption so I don’t see the fault with the process.  How would this be equivalent to only 53 bits of encryption? Excellent question!  The basis of this post relies on a tool by Mandylion Labs ...


Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’?

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill which is impacting all areas of the US economy. One such impact is the reason for today’s blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA (which has been around for over a decade), but has many a time gone unnoticed or not strongly enforced, with no incentive to comply, amongst the other ...


Requirement 11.2 Follies

Why is Requirement 11.2 one of the most failed by merchants and service providers alike? Requirement 11.2 has shown up here a few times, but after looking back, I never really explored the issues in detail.  Those who have been unfortunate enough to attend one of my sessions where this topic came up know where you can make a mistake. Requirement 11.2 mandates quarterly scans for all hosts in scope for PCI, both internal and external.  Scope reduction techniques like segmentation can do wonders for limiting what needs to be scanned, but make the biggest impact internally.  In one of my case studies, I talk about a customer that reduced the number of in-scope systems to less than 1% of ...


Are you passionate about security?

People often come up to me and say things like, “Wow, you really are passionate about your work!” Aside from the old “Do what you love, and love what you do” adages our great grandparents regurgitate to us when they see us struggling with some arguably trivial thing in our work lives, passion is something that people can see on you. We’ve all sat through one of those talks at a conference or an association meeting where it is clear that the speaker is just going through the motions. Maybe they are not just reading right off the slides, but you can tell that the only thing they are thinking about is hitting the tables, bar, or airport. Did you ...

