Branden R. Williams, Business Security Specialist

PCI DSS 4.0 and TLS standard

In 2015, I published an addendum to our PCI DSS 4th Ed. book that covered version 3.1. I titled it, “PCI DSS 3.1: The Standard that Killed SSL” because that version removed the ability to use old and outdated versions of the standard in favor of the improved TLS standard originally released in January 1999. Now eight years later, we’re still struggling with moving past version 1.0 of TLS, something that the Council required after June 2018. Outdated versions of these protocols still exist in certain embedded devices, and are only allowed in limited scenarios. Version 4 of the standard pushed the remainder of TLS version requirements to your routine vulnerability scans—prioritized by the resulting CVSS score. You will find ...

Why APA is Important in your Masters Journey standard

Another semester has closed and the reviews are in. As always, I had one student who rails on their hatred of APA formatting and one student who loved it. OK, maybe not loved it, but mentioned that it made a positive impact on their journey. The goal of this post is to help provide some context on why I take points off of papers for poor APA formatting. If you are one of my current students reading this, please take some notes. I make APA 7th Ed. an optional text because there are freely available resources you can use to learn what you need to do. You should also use the services of the writing coach provided by the university ...

Writing a Book in Markdown with GitHub standard

December is the month! PCI Compliance, 5th Edition is ready for pre-order and will be shipping on the 22nd. James & I are so excited to hear what you think! But of course, this project is several years in the making. Even before James & I sat down in early 2020 to hammer out where we wanted this to go, I’ve been involved in this book since the 2nd edition in 2009. Back in the old days, Microsoft Word was the tool we used to get things done. But we have such better options these days to collaborate on projects like this. As we talked with several industry folks about the project and our progress, one of you asked me ...

HowTo: Kindle Paperwhite Night Mode standard

I’ve been a kindle reader for a very long time—pretty much since the first version of it. I traveled with one, had a waterproof case for the pool, and generally consumed the vast majority of my fiction reading on it. While my previous device was still cranking along just fine, the cases were not. After breaking my second waterproof case and learning they were not made anymore, I joined the masses and got a new Paperwhite Kindle. All was well for a while! It’s absolutely brilliant to read from outside, and I never had problems in normal light inside a house or building. I’ve recently started taking up some reading before bed to help slow things down in my brain ...

PCI DSS 4.0 Released plus BOOK DETAILS! standard

It’s been nearly six years since we had a major release of PCI DSS, and March 31, 2022 was the day that the final version of PCI DSS 4.0 released. For those that had access to the last discussion draft (released early this year), there are virtually no changes from that (with the exception of refining Requirement 9.4.1 and inserting 9.4.1.1). But don’t go changing your assessment processes yet! PCI DSS 3.2.1 won’t sunset until March 31, 2024 (see page 36). This means, you have to START your last PCI DSS 3.2.1 assessment BEFORE March 31, 2024 (better if you complete by then), and then you have a year to prep for the base PCI DSS 4.0 until the extended ...

Managing to a State of Abundance standard

As practitioners, we are often asked to solve problems or simply change the state of something to remove a negative influence on our success. We’re not even necessarily tasked with turning a negative into a positive—but more often only removing the negative state. A great example of that is our own health. When we are ill, we seek help to cure the illness. But does a pill alone guarantee something other than the absence of illness (if even that)? In Kim Cameron’s “Developing a Teachable Point of View,” he details his method for the WHAT and HOW of teaching. The relevant excerpt for us is the concept of abundance—or a plentiful amount of the positive things in life. Cameron defines ...

12th of October, 2021
In: Consumer Security, Enterprise Security
0
0

Preventing Account Takeover, Enable MFA! standard

Welcome to October where we celebrate National Cybersecurity Awareness Month! In a previous job, we would host a Cybersecurity Expo and learn together. Last year, I presented a version of this presentation to a large audience with representation across the business (not just IT folks) and I wanted to make a version of it that could be consumed anywhere. This all was created from a conversation with a former consultant who made it her personal crusade to get everyone she knows to turn on some form of MFA for their GMail accounts. Just think about all the information someone could learn about you from your email. From there, I wrote this post that urges you to disable SMS and use ...

Aviation Apps I Use standard

A friend of mine suggested this as a blog post, the top aviation apps that I use on my phone. Now, keep in mind, I’m a pilot. So some of the apps I use, such as ForeFlight, wouldn’t make much sense unless you are a pilot (or have had some kind of pilot training). I’m not including pricing on these simply because they could change, but some have both a free and paid tier. Another disclaimer, the links below are to the iOS versions. Most of these are also available in the Google Play store, so you can search there to find them if you are on Android. So, here’s the list! FlightRadar24: Ever wonder which plane just rattled the ...

Sellers Buying 5-Star Amazon Reviews standard

tl;dr: A seller who sold a terrible product is offering me $50 to change my review from 2 stars to 4 or 5. November 1 Update: The product has been removed and I can’t find the seller’s store anymore. March 9 Update: Updated review is live that talks about the $50 offer. I’m not even sure where to start with this one. It’s a scenario that I’ve never experienced before even as one of the earliest of early adopters of Amazon (like, when they only sold books and this Unix nerd was deep into the O’Reilly series). I shop on Amazon for the convenience. They don’t always have the best selection or price, so I still shop around. In some ...

2nd of November, 2020
In: Consumer Security, Enterprise Security
0
0

Proofpoint Patches URL Sandbox Bypass Bug standard

Or, how a travel website’s newsletter clued me in to a huge security gap in a popular email protection service. tl;dr: I discovered URLs of sufficient length (over 770 characters) would bypass Proofpoint’s URLDefense service leaving the original link untouched, allowing malicious links directly into users’ email inboxes. Proofpoint let me know this week that they finally have patched all the instances of their service that had this particular bug, so it’s time to disclose how I discovered it. Many of you know I switched my personal email protection away from Postini/Google Apps for Business to modusCloud by Vircom. My users and I are 100% satisfied with the service! One of the technologies powering Vircom is Proofpoint Essentials, and one ...