PCI DSS 4.0 Released plus BOOK DETAILS! standard

It’s been nearly six years since we had a major release of PCI DSS, and March 31, 2022 was the day that the final version of PCI DSS 4.0 released. For those that had access to the last discussion draft (released early this year), there are virtually no changes from that (with the exception of refining Requirement 9.4.1 and inserting 9.4.1.1). But don’t go changing your assessment processes yet! PCI DSS 3.2.1 won’t sunset until March 31, 2024 (see page 36). This means, you have to START your last PCI DSS 3.2.1 assessment BEFORE March 31, 2024 (better if you complete by then), and then you have a year to prep for the base PCI DSS 4.0 until the extended ...

Continue Reading

Managing to a State of Abundance standard

As practitioners, we are often asked to solve problems or simply change the state of something to remove a negative influence on our success. We’re not even necessarily tasked with turning a negative into a positive—but more often only removing the negative state. A great example of that is our own health. When we are ill, we seek help to cure the illness. But does a pill alone guarantee something other than the absence of illness (if even that)? In Kim Cameron’s “Developing a Teachable Point of View,” he details his method for the WHAT and HOW of teaching. The relevant excerpt for us is the concept of abundance—or a plentiful amount of the positive things in life. Cameron defines ...

Continue Reading

Preventing Account Takeover, Enable MFA! standard

Welcome to October where we celebrate National Cybersecurity Awareness Month! In a previous job, we would host a Cybersecurity Expo and learn together. Last year, I presented a version of this presentation to a large audience with representation across the business (not just IT folks) and I wanted to make a version of it that could be consumed anywhere. This all was created from a conversation with a former consultant who made it her personal crusade to get everyone she knows to turn on some form of MFA for their GMail accounts. Just think about all the information someone could learn about you from your email. From there, I wrote this post that urges you to disable SMS and use ...

Continue Reading

Aviation Apps I Use standard

A friend of mine suggested this as a blog post, the top aviation apps that I use on my phone. Now, keep in mind, I’m a pilot. So some of the apps I use, such as ForeFlight, wouldn’t make much sense unless you are a pilot (or have had some kind of pilot training). I’m not including pricing on these simply because they could change, but some have both a free and paid tier. Another disclaimer, the links below are to the iOS versions. Most of these are also available in the Google Play store, so you can search there to find them if you are on Android. So, here’s the list! FlightRadar24: Ever wonder which plane just rattled the ...

Continue Reading

Sellers Buying 5-Star Amazon Reviews standard

tl;dr: A seller who sold a terrible product is offering me $50 to change my review from 2 stars to 4 or 5. November 1 Update: The product has been removed and I can’t find the seller’s store anymore. March 9 Update: Updated review is live that talks about the $50 offer. I’m not even sure where to start with this one. It’s a scenario that I’ve never experienced before even as one of the earliest of early adopters of Amazon (like, when they only sold books and this Unix nerd was deep into the O’Reilly series). I shop on Amazon for the convenience. They don’t always have the best selection or price, so I still shop around. In some ...

Continue Reading

Proofpoint Patches URL Sandbox Bypass Bug standard

Or, how a travel website’s newsletter clued me in to a huge security gap in a popular email protection service. tl;dr: I discovered URLs of sufficient length (over 770 characters) would bypass Proofpoint’s URLDefense service leaving the original link untouched, allowing malicious links directly into users’ email inboxes. Proofpoint let me know this week that they finally have patched all the instances of their service that had this particular bug, so it’s time to disclose how I discovered it. Many of you know I switched my personal email protection away from Postini/Google Apps for Business to modusCloud by Vircom. My users and I are 100% satisfied with the service! One of the technologies powering Vircom is Proofpoint Essentials, and one ...

Continue Reading

Introducing Where To Now standard

When I want to learn a new programming language, my typical method of doing this is to either take an existing small project and port it over to the new language, or come up with a small, yet practical problem to solve. I’m kinda like Johnny Five, in that I need input! I’ve been playing with Go for a little bit, but nothing very serious. I’ve also been playing around with Docker and Kubernetes, so I decided to kill two birds with one stone by building an application in Go as well as learning how to package it up in a Docker container. Introducing Where To Now. It’s designed to vary the webpage that might show up when a user ...

Continue Reading

Improve Outbound Email with SPF, DKIM, and DMARC standard

“Oh sorry, I missed your email. It got dropped into my SPAM folder for some reason.” Isn’t that frustrating? All you did was send over a proposal and it got dropped into the SPAM folder. Perhaps it was word choice, perhaps you ended up on a list somewhere, or perhaps you are not doing your part to elevate the confidence of your emails leveraging the tripod of email security frameworks known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). I started experimenting with these years ago noting that there are several vendors who will happily do this for you—and by the way, their products are pretty awesome. Given that I’m running ...

Continue Reading

Life after G-Suite/Postini standard

Postini was a technology darling in the mid-2000s that sold email filtering technology as a service to companies struggling to combat the onslaught of SPAM and malicious emails that were sprayed at corporate inboxes. For small companies or small footprints, the price was right as well. $1/user/month translated to super cheap filtering with a nice web interface to boot. Google thought so highly of the technology that they paid $625M in cash in 2007 for the company, which was absorbed into Google Apps over time. Those of us legacy Postini users were drug along for a time as the service continued to dwindle in quality and usability, culminating in a complete shutdown and forced migration in December. Google handled the ...

Continue Reading

The Breach Research We Need standard

I’m not afraid to point out misleading or questionable research findings funded by marketing groups strictly to gain headlines. Studies like the cost per record or cost per breach white papers come to mind here that give us excellent, attention grabbing headlines supported by a house of cards (specifically the cost per record studies). The information presented is unusable for risk management purposes, and is a quick way to get laughed out of a room if you quote these studies. What risk managers need is something that is comparable to their companies when trying to think about costs. Simply taking an average cost per record or an average cost per breach is not concrete enough to make risk management decisions. ...

Continue Reading