Operation Swiper (No Swiping!) and EMV Migrations

Last week we saw a major indictment of 111 individuals from an “identity theft operation” based in Queens, NY. I suppose we will learn more details as the prosecutors make their case, but from the original reads it looks more like a counterfeit credit card operation versus a full identity theft operation. One key difference between the two is someone using your identity to open new lines of credit as opposed to just capturing your card data and making a duplicate to go on a shopping spree. Many are now citing this case as a specific reason to get moving on their widescale EMV adoption. I’ve already discussed MasterCard’s and Visa’s thoughts, and would agree on principle that an EMV ...


Living in a State of Compromise

Imagine for a second that your boss came up to you and said, “We’ve been compromised. Assume trust doesn’t exist. Now define our new security organization and architecture!” Unfortunately, it may take events like that to change our perceptions or actions when approaching securing our organizations. Depending on who you talk to, we already are living in a state of compromise. I prefer removing the element of trust from my strategy as much as I can, and focus on how I would secure a system, application, or network if I knew there were hostile elements in it. Changes your perspective a bit, doesn’t it? All of a sudden, those satellite locations start looking less like friends and more like foes. ...


Attack the Humans First

Information security professionals live in exciting times. It’s a constant battle of escalations between the new ways technology can be used to conduct business, and the new ways the bad guys can incorporate technology in their overall strategy to steal information. But an interesting trend emerged this year that has always been around, but now is used in a much larger sense when going after data: Human hacking. The nice way to say it is “social engineering.” How do I convince Sally in Accounting to give me information that I can then use for my own personal financial gain? It’s not a new concept, and frankly tamer versions are used daily by politicians, sales professionals, and children. The challenge for ...


Herding Cats: Build Security In (October 2011)

Have you checked out ISSA Connect yet? The next issue is up there with my column, Build Security In. I’ve been on a kick lately talking to people about built-in security. Humans make too many mistakes to rely on a bolt-on mentality for security, and building it in is one great way to add in a fail-safe wall for protection. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


Walls Aren’t Enough

The bad guys are getting smarter, more creative, and more persistent, so what are we doing in response? I can’t tell you how sad it is to hear things like this when I ask how companies are shifting their security programs in order to combat advanced threats: We’re upping our patch schedules from one month to two weeks. We’re deploying anti-virus signatures faster. We’re consolidating all of our user laptop images to a gold master. We’re deploying outbound content filtering. Sure, those things help. But individually they are largely ineffective in shifting the balance in your favor. Think about how IT evolves through bolted-on enhancements. What did day one of the business look like from an IT perspective? What does ...


A Conversation with MasterCard

And finally, my conversation with John Verdeschi, Senior Business Leader, Payment Systems Integrity will wrap up my interviews and posts from the PCI Community Meeting that happened two weeks ago in Scottsdale, AZ. MasterCard is widely known as a major influence in the payment industry and is the number two player in the market behind Visa. If you have ever had to hire an Approved Scan Vendor (ASV) or filled out a Self-Assessment Questionnaire (SAQ), you can thank MasterCard as both of those items are largely distilled from their Site Data Protection (SDP) program. One of the first things that I had to ask about was how MasterCard’s new PCI DSS Risk-Based Approach framework compared to Visa’s Technology Innovation Program ...


September 2011 Roundup

What was popular in September? The PCI Community Meeting in Scottsdale was one big highlight! I spent a week in AZ dealing with all manner of PCI-related topics. And we also saw Oracle’s CSO go out on a limb she probably shouldn’t have, especially in light of the MySQL defacement that happened last week. Be sure to check out all my “Conversation” interviews! Here are the five most popular posts from last month: PCI Community Meeting Day 1 Observations. This month is all about PCI, and specifically the community meeting and things leading up to and following. What was Day 1 like? Check this post for a preview of the social-media heavy meeting! PCI Community Meeting 2011, That’s A Wrap. ...


A Conversation with Visa

Wednesday was a busy day for me at the Community meeting. In between sessions, I spent thirty minutes with Eduardo Perez, head of global payment system security, Tia Ilori, business leader, U.S. payment system risk, and Ingrid Beierly, business leader, fraud control & investigations from Visa. Visa is the largest payment brand and creator of the Cardholder Information Security Program whose content drove the majority of what we see in the PCI DSS today. We started by discussing the fraud rates and how PCI DSS is helping to keep fraud under control. According to Perez, fraud rates are very low and fairly stable—around 5%. So PCI has to be doing SOME good if fraud rates are not spiraling out of ...


A Conversation with Bob, Troy, and Jeremy

If you caught me this year at the PCI Community Meeting you may have noticed something strange attached to my badge—a green “Press” ribbon. While it was strange to wear it and I don’t consider myself a member of the press, I’m thankful for what it ended up getting me. I had some great 1:1, on the record discussions with key stakeholders which I plan on bringing to you here in the blogorino. The first one I want to review is a conversation I had with the public leaders of the PCI SSC, Bob Russo (GM), Troy Leach (CTO), and Jeremy King (EU GM). The first thing I asked about was the new Special Interest Group (SIG) process that Jeremy ...


PCI Community Meeting Reviews from the Field

While I was at the community meeting, I chatted with several individuals that had feedback on the conference, and here are a few nuggets distilled from over an hour of audio recordings: Council is getting better at understanding how reports are generated, but there still seems to be an inability to tie any given report back to the environment assessed. For example, was it scoped correctly? Were the controls assessed per the intent of the standard? Was the appropriate risk-based approach taken? CBT Requalification is convenient, but lacks the flowing Q/A that you might see in an interactive training course. May consider trading an in-person training (or interactive training) every so often as opposed to all CBT. Large variance among ...
