PCI Council Releases Risk Assessment Guidelines

The PCI Security Standards Council announced today a new set of guidelines for risk assessments, as output from one of the major Special Interest Groups selected by the Participating Organizations in 2011. This topic is one I have written about before, and in fact it was one of the SIGs that I voted for. I’ve been through the output and I must say, I don’t see it as any different from any other risk guidance out there. It’s fairly comprehensive when it comes to listing common risk methodologies, it gives some sample frameworks and processes, and aims to give some clarity to the larger 12.1.2 subrequirement of PCI DSS. As with most risk-related topics, you will have people hailing its ...

So you want to guest post?

Bloggers get pelted with requests for guest posts all the time, and I’ve had a string of relatively strange ones lately. They all start with something like this: Hi, I’m Scheizenfreud McGilicutty and I love to write. I saw your website and I was wondering if you allow guest posts? Here are some samples of posts I have done on other blogs. Let me know if we can work something out. Then this is followed by seemingly unrelated blog posts like “The Top 10 Ways to Check your Email” or “A Home Security System You Can’t Miss!” It’s SPAM, but targeted SPAM. It’s not quite targeted enough where someone had to type out an email specifically for me, but it ...

PCI Compliance Book Giveaway!

OK folks, our PCI Compliance book has been out for a couple of months now, and Anton & I thought it would be fun to give away a couple of copies with a contest! We have assembled a group of three independent judges that will take a whittled-down list and pick winners for each competition. The winner will receive a free, signed copy of the book! So, on to the first contest. Our book attempts to draw a middle line between the black & white “audit” style of looking at PCI DSS and the loosey-goosey anything-goes view. We want to take a compliance-friendly, practitioner’s line. But we’ve all been in those meetings when you look at a ...

Securing Distributed Infrastructure

With Harvard Business Review calling the Data Scientist the sexiest career for the next 10 years, security professionals are going to have their hands absolutely full with securing the distributed infrastructure that powers big data analytics. The Hadoop infrastructure isn’t just one tool that you download to get you some Big Data fun, it’s really a framework of a multitude of tools (and options for substitution) that each carry out specific tasks in a distributed and flexible way. Part of the driving force behind wide-scale Hadoop environments is the notion that it is easier to move computation capabilities than it is to move data. This means that nodes will have some slice of data, but the end result analytics would ...

Game Theory and Cyber Defense

One of my colleagues is working with a bunch of crazy-smart people at RSA Labs to explore how attacker-defender games can be used to help model behaviors and outcomes in the cyber defense realm. Notice how I am not saying “Information Security.” I know a lot of you hate the term “cyber,” but in this case it is a more accurate usage of what these games really teach us about. Check out this latest blog by Bob Griffin. In it, he discusses how game theory is making its way into the information security mainstream starting with several presentations at RSA Europe 2012 (and next week at GameSec in Budapest). The FlipIt game that these guys created is quite groundbreaking, ...

October 2012 Roundup

What was popular in October? We had the PCI European Community Meeting kick off another round of discussions on everything that is right (and wrong) with PCI DSS. The Board of Advisors met after that meeting, and we had a little frankensnor’eastercain cause billions of damage on the coast. I’m also interested to watch how some of the same posts keep coming back. Three of the top five were here last month as well. Here are the five most popular posts from the last month: The Definition of Cardholder Data. Man, here’s another oldie but goodie for the second month in a row. It’s still on people’s minds, probably because they are looking for ways to drop systems out of ...

Preying on National Disasters: Today’s Get Rich Quick Scheme

Earlier this week we started to see warnings from news outlets, bloggers, and other media warning people about scams to collect money in the aftermath of Hurricane Sandy. Unsolicited calls asking for donations, websites that seem to appear official, and random numbers you can text to donate money automatically start to pop up and disappear quickly. So if you are in a giving mood, how do you find the good ones from the bad ones? The first thing to be wary of is someone calling your phone and asking for money. It can be a great reminder, but if you want to guarantee your money gets to people in need and not into someone’s pocket, go find your charity of ...

On Whitelisting ASVs

This topic has made the rounds again—both due to the community meetings happening over the last four weeks and with some customer discussions I became involved in. Essentially, the issue is this. ASVs need the ability to scan through perimeter defenses like IPS and companies being scanned want to showcase their defenses such that they activate (like they should) upon a scan. Both groups have valid points. The ASV is following the program guide. In order to provide passing scans they must be able to scan through perimeter defenses to the actual systems to generate an accurate vulnerability report. Having a scan instantly blocked doesn’t necessarily eliminate the possibility that a vulnerability could be exploited, it just stops that scan’s ...

Slow Down Patching?

The whole discussion around patching and vulnerability management is a big problem in general, but typically exacerbated by compliance initiatives like PCI DSS. Companies want to be secure, in general, but they have different risk procedures that can change the manner in which they do things like patching or how they lock down desktop controls. A good friend of mine turned me on to a presentation that happened at the San Diego ToorCon this past weekend that I am curious about. The abstract pushes us into dangerous territory, that of interpretation of QSAs (something we have often chatted about here). In the abstract, the presenter takes the opinion that rushing to patch is undesirable (potentially agree) and that the language ...

The Power of Inference

Last week I spoke at RSA Conference about using social engineering techniques as a form of espionage—a way to “game” big data, as it were. I believe that our current estimation of what can be derived from innocuous-appearing data is not only lacking, but it’s nearing the level of irresponsibility. In our talk, we discussed how an attacker might go after a prized piece of information, say the formula for Coca-Cola. If an attacker wants to re-assemble such a formula, he could apply techniques often used in social engineering. Social engineers don’t bluntly ask targets for their social security number; they ask them for pieces they can use to reconstruct it. For example, people tend to give out ...