Branden R. Williams, Business Security Specialist

Activity is Cranking, #RSAC in Ten Days! standard

For most of us security professionals, our busy season kicks off with the annual RSA Conference in San Francisco. The last two days has been a frenzy of activity with a ton of my time reserved in the last 24 hours. I’m looking forward to this RSA Conference for a couple of reasons. It might be the biggest one yet! I get to spend time with media and analysts talking about our stuff. I’m speaking! Tons of great networking opportunities. I hope that I will see you there! Possibly Related Posts: RSA Conference 2013, YOU READY!? New Security Services from EMC Consulting Enable Trusted IT GRC in the NextGen Data Center Trusting Identities in the Cloud Discover Your Security Persona ...

Cracking iOS Privacy standard

I had an article pop up on my radar yesterday on iOS Privacy, specifically where a researcher found that a particular app (Path) was uploading data without explicit permission. iOS, in some respects, feels like it has been given a pass with the type of traffic it passes (and how it does so) because a significant number of iOS users are in fact iPhone users, where traffic often moves over cellular networks. Those networks are coming under increasing scrutiny as the equipment required to disrupt or spoof cellular communications is quite affordable whereas in years past that was a massive barrier to entry. With Facebook getting in all kinds of hot water over privacy concerns, how did iOS get a ...

PCI Compliance for…. standard

We are almost done with the next edition of the book! Anton & I are cleaning up a few last edits in the first manuscript and it will be in the publisher’s hands. One topic that we kept coming back to when writing this edition was broadening our scope to go beyond big, Level 1 merchants and service providers. We even dedicated a chapter to small businesses in this edition, and give you tips for what to do when starting a business that needs to accept payment cards. But one thing that strikes me as I reflect upon writing that chapter is the overwhelming urge to make the chapter three words long. Those three words would be: Just. Outsource. It. ...

Herding Cats: No Bubble People (February 2012) standard

Have you checked out ISSA Connect yet? The next issue is up there with my column, No Bubble People. We must assume malware will end up in our network. Unless we treat our users like the Boy in the Bubble, they will click things and infect themselves—many times without even realizing it. This month’s column discusses the war we face understanding that we cannot fight or even win every battle. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today! Possibly Related Posts: Top Posts from 2015 October 2015 Roundup September 2015 ...

January 2012 Roundup standard

What was popular in January? We’re already one month down in this new year and most of us have our sites set on RSA Conference in three weeks. Let’s talk infosec! Here are the five most popular posts from last month: Myth Busting with Ben Tomhave and Corporate Responsibility with Ben Tomhave took the top two spots this month. Ben Tomhave and I got into a fun discussion over Twitter that ended up going in two directions. First, can merchants self-assess, negating the need for a QSA-lead merchant assessment? Intelligence Driven Security. The latest Security for Business Innovation Council report is out, and one key indicator is that we have tuned our systems to support compliance, not security. Read this ...

1st of February, 2012
In: Consumer Security, Enterprise Security
0
1

Hardware Security, the New Frontier? standard

RSA Conference is right around the corner, and I’m excited to actually be able to see some talks this year. I’m on a panel with Dave Navetta and Serge Jorgensen on Tuesday covering the Dark Side of a Payment Card Breach (LAW-107, Room 131, 2:40pm). I am sure if you are there, we will bump into each other somewhere along the way! One of the topics that I want to explore with other security folks while I am there is a shift to hardware-focused exploits whereby you bypass software and focus on firmware to control machines. It’s not a new concept and has been seen in both theoretical and actual attacks on systems. But as software vulnerabilities are closed, the ...

Intelligence-Driven Security standard

RSA released the ninth installment of the Security for Business Innovation Council report last week, and through a series of blog posts on Speaking on Security, we’re going to analyze the various areas highlighted in the findings. Today I’m going to explore the concept of Intelligence-Driven Security. In our world, intelligence-driven means that information coming in from all of our available sources will influence our actions—some of which will become automated over time. The report makes a pretty sad claim about the global state of information security, one that has been explored here in the past and largely derivative of the old subject of my blog. Security programs tend to be compliance driven, or even worse, simply optimized for compliance. ...

Corporate Responsibility with Ben Tomhave standard

This is part two in a conversation that I had with Ben Tomhave (@falconsview) last week over Twitter. What started out as a quick question about busting PCI myths turned into corporate responsibility. If you haven’t seen this article about a company who is facing massive penalties, give it a read. It will help set up my position on corporate responsibility for promoting longevity. My position: Companies must make security and compliance a core part of their competency if they choose to operate in a manner that puts them in the cross-hairs of regulation. During the conversation, we moved to overall organizational competency around areas that arguably sit on the fringe of their core business. Restaurants that make pizza should ...

Myth Busting with Ben Tomhave standard

I love our industry! There is no shortage of truly talented and smart folks, and one of the best parts of being in this industry is getting to have conversations with these folks often. Ben Tomhave (@falconsview), a noted security pro and blogger, kicked off a fury of tweets that really went into two directions. First was for a common myth about PCI DSS validation which I will address here (and ensure it is much clearer in the next edition of the book). “Can merchants (including Level 1) self assess?” lead us to a conversation about the functions of audit, the industry in general, and corporate responsibility. We’ll get into THAT discussion next week. The discussion on Twitter began with ...

We Must Hunt standard

Security people are often viewed as gatherers. We gather security event data, collect logs for review, build documentation based on information about our environment, and group informational assets in like-valued groups to focus our defenses. I think we’ve got the gathering part down. It’s similar to our propensity to react. We may not be great at reacting (or more likely, we’re great at reacting at only a few things), but we get plenty of exposure to it. You cannot be a successful security professional by only being a gatherer, and your team won’t be successful if you only hire and employ gatherers. Just like most societal norms that evolved over thousands of years, you need hunters to fill a need ...