More Fun with EMV

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch in the Inside Risks column of Communications of the ACM, entitled “EMV: Why Payment Systems Fail.” For those of us in the US, now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...


EMV as an E-Commerce Fraud Driver

Oh what a year it has been so far. Breach here, breach there, breaches everywhere! EMV to the rescue, right? RIGHT?!? Well, yes and no. EMV adds tremendous security (when configured properly) to a Card Present (CP) transaction, but it does nothing for the security of a Card Not Present (CNP) transaction, where the chip is never read. And given the increasing digitization of business and commerce, we should expect the number of CNP transactions to grow over time at the expense of CP transactions: as more digital business models let people purchase goods and services without physically presenting their card, people will opt for that style as it could be seen as more convenient. Don’t forget that CNP transactions ...


Theory of Constraints for Knowledge Work

It’s hard to be in the IT world today without hearing something about the Theory of Constraints, whether from The Phoenix Project or the latest DevOps presentation you saw. Most questions I hear sound like, “How does an analysis of a factory help me make IT more efficient?” Go read The Phoenix Project to learn more about that. Gene Kim links to a fantastic set of resources in his blog post on Kanban resources, but one key resource is a case study on how a failing Microsoft development team used the Drum-Buffer-Rope technique from the Theory of Constraints to completely revamp their operations. Do yourself a favor and invest the time to read the Microsoft case study. Check the other ...


January to May 2014 Roundup

Ok, I promised you guys that it was time to ramp back up, and I’m not kidding. It’s been a great first half of the year. I’m lucky enough to have accomplished some pretty awesome things, I’ve learned a ton, and I’ve been able to get closer to some of you as a result. So what has been big this year so far? A few conferences, some travel, and breaches! Here’s what you guys liked the most from January to May. How Starbucks is Revolutionizing Mobile (Micro) Payments. This one was pretty popular last year, and it is still making waves in 2014, by almost a factor of three. You know how you see those crazy fools that pass their phone in ...


I’m Running for the ISSA International Board

If you are an ISSA member, you will be receiving your notification to vote in the upcoming election. Along with a number of other members, I am running for the ISSA International Board. In the last edition of the ISSA Journal, you can read about my platform. If you have read my column in the ISSA Journal, you probably know that my platform focuses on the business of information security. I want your vote! The ISSA has a long legacy of being THE professional information security organization, and I’m hoping I can represent you while serving. Polls open in about an hour, so look for that email and submit your vote!


Time to ramp back up!

At some point in every blogger’s life, they get distracted or burned out. Well, it happened to me—the last six months had me with a little bit of both. I’m finally climbing out of my backlog a bit and I have a few news items for you. You will find me at a few shows throughout the rest of the year. Unfortunately, I will be missing one of my favorites, BSidesDFW. I’m bummed, but I’ve got a fun trip planned in its place. Instead, I will see you at CircleCityCon, the PCI Community Meeting, BlackHat, MWAA, MasterCard ARM, and WSAA. Come say Hi! We’re wrapping up the final changes to the PCI Compliance, 4e manuscript right ...


Product and Service Innovation

Some of you know I’ve been diving into strategy and innovation lately, and I’ve published the first of many blogs on different kinds of innovation. Check out the first one at the Metroplex Technology Business Council’s website!


Lizard Brain and Surprise Reactions

Have you ever had a moment in your life where you made what you thought was an innocent comment or asked a simple question, but were met with a verbally violent response? This has happened multiple times in my career, going back to the PCI DSS assessment days, to living in management, to even personal interactions with individuals. Admittedly, my brain-to-mouth filter has been maturing over the years, so in some respects that may have been to blame. But recently, I started analyzing these responses and situations when they happened. Kind of a “how did I get here and what should I do now” analysis. Let’s explore what I have learned. Let’s discuss the concept of Lizard Brain. This is ...


MasterCard Offers Incident Response Planning Webinar

Requirement 12.10 (numbered 12.9 before PCI DSS 3.0) has been present in every version of PCI DSS and in the earlier CISP standard, yet clearly people struggle either with meeting the requirement or with actually executing an incident response plan. MasterCard announced yesterday a new, upcoming webcast that delves into the details behind requirement 12.10 in PCI DSS 3.0. It’s free, so go register! In the meantime, I have a few older posts on incident response that you might enjoy: The Apple Incident; Compliant Compromise (guest post by Frank Castaneira); Boss, I Think Someone Stole our Customer Data; Contracts & PCI (guest post by David Navetta); and Man Up MDs! Enjoy!


Heartbleed and Passwords

Right around this same time last week there was a flurry of activity for those responsible for deployments leveraging OpenSSL. Yep, I’m talking about Heartbleed. So once a service has been patched and re-keyed (changing a password on a server that is still vulnerable just hands the attacker the new one), it’s time to consider password changes. This post isn’t about Heartbleed, it’s about passwords and what the bad guys already know. Melanie Pinola from Lifehacker wrote a very interesting piece on Friday about how our password tricks don’t fool the modern hacker. I’m not sure what happened to recommendation number 3 in her piece, but 1, 2, and 4 are spot on. What’s the solution? Ultimately it comes down to using some software to help you out. Password managers are now built into some ...
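As an added illustration of why those tricks don’t fool anyone (this is example code written for this page, not code from the original post or from the Lifehacker piece): a cracker works from a wordlist plus mangling rules, so capitalizing a word, swapping letters for look-alike symbols and tacking a year on the end all sit inside a search space it enumerates anyway. The wordlist, substitution table and suffix list below are constructed assumptions, far smaller than a real cracking setup, and is_rule_derived is a hypothetical policy check you could run against a proposed password before accepting it.

```python
import itertools

# Constructed sample wordlist (assumption); real attacks use millions of words.
WORDLIST = ["password", "summer", "dragon", "welcome", "monkey"]

# Letter-to-symbol substitutions of the kind cracking rule files model.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes an attacker appends: short digit runs, recent years, punctuation.
SUFFIXES = ([""] + [str(n) for n in range(100)]
            + [str(y) for y in range(1990, 2015)] + ["!", "!1", "123"])


def leet_variants(word):
    """Yield `word` with every subset of the LEET substitutions applied."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply_sub, i in zip(mask, positions):
            if apply_sub:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Yield the mangled search space: case change, leet, then a suffix."""
    seen = set()
    for base in wordlist:
        for cased in (base, base.capitalize(), base.upper()):
            for leet in leet_variants(cased):
                for suffix in suffixes:
                    candidate = leet + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def is_rule_derived(password, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Hypothetical policy check: True if the rules reach `password`."""
    return any(candidate == password
               for candidate in candidates(wordlist, suffixes))


def search_space_size(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Number of distinct guesses the rules produce from the wordlist."""
    return sum(1 for _ in candidates(wordlist, suffixes))


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2014", "Dr@g0n!",
               "correct horse battery staple"]:
        print(f"{pw!r:35} rule-derived: {is_rule_derived(pw)}")
    print("guesses that cover all of the above:", search_space_size())
```

Every “clever” password in the demo list falls to fewer than ten thousand guesses from a five-word list, which is the whole point: the tricks only shuffle you around inside a space the attacker already enumerates. A long random passphrase or a manager-generated string is not reachable by these rules, which is why the post ends up recommending software rather than cleverness.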
