Healthcare Security, Where Are You? standard

Information security with electronic healthcare information is often discussed (not here) behind closed doors with lots of whispers. The state of information security in the healthcare space varies, but most insiders agree it is in conflict. Dismal even. Yours truly even took down an entire hospital’s printing network because they were running a super-duper-pooper vulnerable print server that just happened to get popped when doing what should have been innocent scanning. Security in many industries starts with compliance, but even that’s not working. HIPAA has been around for fifteen years—and its follow-up act(s) less than five—but we are constantly playing catchup. The results of a 2006 (yes five years old) survey showed that HIPAA had the lowest compliance rates among ...

Continue Reading

Hospitality Still in the Crosshairs standard

With all the news and information we are pummeled with daily, it’s hard to ignore the significance of cyber security and its role in protecting enterprises and individuals. It’s even pretty easy to ignore until it happens to you. I have written and spoken about the challenges in the hospitality industry before, and they remain a big target for a few big reasons. Many hotels, even ones with a big-brand name on the facade, are owned and operated by individual companies and investors. Joe’s Hotel Group buys the building, hires the employees, and plugs into GiantHotelChain’s reservation and reward system. Many hotels are wide-reaching properties where everywhere you go you have an opportunity to perform a transaction (pay TV, internet, ...

Continue Reading

It’s Board of Advisors time! standard

Yep, this week is another fun filled meeting where I’ll load up on all things PCI DSS. While I can’t discuss the topics we will review, what I would like to do is two-fold: Reminder that we are in Phase 6 of the lifecycle for PCI DSS changes. This is the feedback review period that captures all the feedback you dutifully submitted  back in April and allows the Council to mull changes to the standard. Expect an update at the community meetings in your neck of the woods. Ask if there is anything pressing that I should pass along to the Council while in these meetings. Constructive feedback is welcomed, and I’m happy to pass it along. Just leave it ...

Continue Reading

PCI Requirements Review: Service Accounts and 3.6.6 standard

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter: Requirement 3.6.6 – Specifically related to service accounts for applications where a human would have the service account password and the service account can then access the keys. There is are two security controls that we discuss in our critical control checklist that are missing ...

Continue Reading

PCI Requirements Review: Patching & IPS standard

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about PCI Requirement 4.1 and mobility. If you have a requirement you want reviewed, post it here! Today, it’s fun with interpretation around patch management and IPS. This isn’t a topic I’ve addressed before, but it is something I’ve debated with a customer. Now, on to our anonymous submitter: Some Host Based IPS vendors and QSAs are saying that if a host based IPS product can block any exploits related to a specific Microsoft patch (virtual patching), then the in-scope system does not have that specific patch applied within 30 days. Even if it SPT cc data! Hrm, interesting. A ...

Continue Reading

PCI Requirements Review: Requirement 4.1+Mobility standard

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before and given tips on making a mobile application comply with PCI DSS, read this post. Now, on to the reader’s dilemma: Does mobile phone technology fall into [the classification] of public networks? I have ongoing arguments with an acquirer about whether a purpose-built mobile payment device, which they sold to us, can be assessed under SAQ B. The device uses cell phone ...

Continue Reading

PCI Requirements Review: Sampling standard

Hey look, it’s the first of ten posts with a detailed analysis on a PCI Requirement! While this one isn’t specifically a numbered requirement, I do find that sampling is troubling. I’ve written about it before, and we used to have all kinds of fun in the assessment process with sampling. From the reader: Sampling methodology. The QSA has to validate that the sampled infrastructure is compliant with the requirements. However, time cost the client money which they don’t want to pay. They always go with the lowest price / proposal. How can the QSA convince the client that the sampling methodology used is aligned with the RoC reporting instructions? How can one QSAC propose 30 days to complete a ...

Continue Reading

Security and Compliance in a Virtualized World standard

Are security and compliance hindering your ability to comply with PCI DSS or any other number of compliance initiatives? Check out this BUZZ Talk from EMC World where Paul Divittorio and I talk about how EMC does it, and how you can too! Description of the talk: As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization. The good news is—virtual environments can be more secure than their physical counterparts. It’s time to separate fact from fiction. Let’s discuss your experiences and what we’ve learned from EMC IT’s own virtualization story. Watch the video here!

Continue Reading

May 2012 Roundup standard

What was popular in May? We had Facebook all over the news (again) with its IPO woes, including lawsuits and 30% of the value of the stock eroded, the Call for Papers for RSA Europe closed, and RSA China opened, EMC World festivities in Las Vegas, and a whole host of product announcements to boot! Here are the five most popular posts from last month: Visa Kills PCI Assessments and Wants Your Processor to Support EMV. Another month, another winner! Is this the end of PCI Assessments? Visa threw out some timelines and program details last year that you need to know about. Top 10 PCI Requirements for Interpretation. I haven’t quite gotten ten yet, but I’ll start working through ...

Continue Reading

Data as a Gravity Well standard

Las Vegas hosted one of EMC’s premier events, EMC World. While this show is primarily IT focused, RSA (the Security Division of EMC) makes a presence every year. This year was my second to attend, and even though the location was the same, there was a big difference in this year’s average IT attendee—they showed a tremendous interest in Security! In fact, our booth at EMC World was PACKED on Monday evening. We nearly hit our goal of visitors for the whole show on the first day! Security and compliance had a track in the breakout sessions, and if you went to Sanjay’s keynote, you may remember our CISO getting up on stage to talk about some of the security ...

Continue Reading