Would you pay for a PCI DSS 2.0-3.0 class?

The PCI Council released a training course on PCI DSS 3.0 (via Security Innovation) dubbed an “Insider’s Guide” to the new standard. The training has a price tag to get access to the materials, and some might deem it a bit hefty considering it is only a 90-minute course. In fairness, the Council is competing with free here as a number of experts have already built, delivered, and recorded courseware for on-demand viewing on these differences. So any price for materials might appear to be “hefty.” Also, don’t forget the Council already released this freely available document which should theoretically cover all of the same materials. Is there overlap with existing training offerings? If you are relatively new to PCI ...

Subject to PCI DSS? Time for defense!

For those of you that have been reading this since it was part of the VeriSign blogging program, you know that my posts tend to follow what is most important in my daily life. Or, if not most important, the loudest thing in my daily life that really needs a comment or two. After joining RSA, I spent quite a bit of time talking about advanced threats, especially after the breach. I also sat on the PCI Board of Advisors during that time, but the reality is that my daily work around information security and what the Board was tackling were very far apart. Given the release of 3.0 and the commentary from that to date, I would still agree ...

PCI Compliance, 4e!

You read that right! The Fourth Edition of the book is now green-lit (pre-order it here), and Anton & I are hard at work bringing you new updates for PCI DSS 3.0, the SAQs, and two new chapters focused entirely on Cloud/Virtualization and Mobile. We expect the book to be out later this year through your favorite channels. Now, this is where YOU come in. We have had such amazing feedback on the book over the years and this is your chance to influence the content. This book is, and always was, for you! If you have suggestions for the book, drop them down in the comments below. We will keep you posted on our progress, and in fact you ...

Swing and a Miss: Target and the Council Respond

I happened upon the Council’s news page today and saw a couple of great attention-grabbing headlines entitled, Time for Smartcards and PCI Council Responds to Critics. I found both of these interesting given the landscape of breaches we have seen over the last couple of months, but I found that both missed key points in their communication. Let’s start with the Council’s response. First, we should be clear. What Russo is saying is absolutely accurate. The majority of breaches that happen, including the Target one, happen due to basic security failures that are already covered in the standard. Go take a look at requirements 8.3 and 8.5.6.b, which directly address the latest disclosures surrounding the event. I also agree ...

Data Discovery, It’s A Thing!

Those of you who have been following me for a while know that I am a proponent of data discovery tools, and Data Loss Prevention tools where appropriate. I partnered with one while running the consulting business at VeriSign, and worked with the teams at RSA that developed their product. I even talked about finding the data as the security equivalent to Dave Ramsey’s first Baby Step for security. It’s becoming even more critical with PCI DSS 3.0 as data flow maps must be maintained and validated (to some degree). At Sysnet, we have tools for doing all kinds of scanning including data discovery scans. One of the challenges with most of the DLP solutions available is that the vendor ...

2013 Roundup

It’s been an interesting year, but now we can welcome 2014 with wide open arms! It’s already shaping up to be both a busy and interesting year, but let’s take a moment to look back at 2013 and talk about the top posts! How Starbucks is Revolutionizing Mobile (Micro) Payments. This one was pretty popular last year, and it is still making waves in 2014. You know how you see those crazy fools that pass their phone in front of some magical sensor at Starbucks and never seem to pull out their wallet, yet walk away with coffee? That is really part of a huge master plan to reduce the impact that payments has on the organization. Check out the ...

What the Leaked Target PIN Data Actually Means for You

Before you read this, consider checking out my first post on the Target breach. Payment systems are complex. If you have ever assessed one or looked under the curtains going all the way back to the issuer, you know this. So it is not a surprise that there is a ton of misinformation flying around about the PIN data that Target admitted was taken. Before we get too far down the road here, I want to review a few items to make sure we’re all on the same page. First, let’s talk about track data. The type of data in the magstripe on the back of your card is sensitive, which is why PCI Requirement 3.2 forbids storing it. I’ve ...

For the Super Geeky Crypto Guys

Of course, if you are a super geeky crypto guy (of which I am envious, because math is not my strong suit) you probably already saw this amazing paper by Daniel Genkin, Adi Shamir (the S in RSA), and Eran Tromer in which they demonstrate a side-channel attack against RSA encryption. Since the math behind RSA is such that decryption becomes infeasible through brute force, attackers must get creative in how they go after the protocol. Previous attacks on prime number generation have been published, as well as weak software implementations that leak parts of the key. But this one is really ingenious. The authors are able to extract the RSA key by simply listening to the noise put ...

I Thought We Were Done With These?

Well, it appears that the bad guys hit another giant retailer this year, as Target now reports a massive breach. There are a few items here that are interesting to note. First, we are talking about magnetic stripe data and a massive volume of cards in a short period of time. This would indicate some kind of software compromise (read: not an attached skimmer) that led to the capture of stripe or PIN data. Given that there is a concern about PIN, I would guess that the compromise was either in the POS terminal or in the actual payment terminal itself where the PIN is entered. Breaches of this magnitude obviously call their compliance status into question, and the devil will ...

Bitcoin and Virtual Currencies

There has been a ton of noise around Bitcoin recently for two big reasons. The first is that the Bitcoin-USD exchange rate climbed above $1,000 (currently just under $900), and the second is a heist that moved around $100 million worth of the currency, all able to be watched online through the public clearing houses. So if you are a business, what should you do with this and other currencies? One of the main attractions of Bitcoin is that it is not regulated by a sovereign government. Some might say that it works in the purest form of capitalism, completely separating the buyer from the seller through an anonymous exchange. Well, somewhat anonymous. The contents and value of the wallet are ...
