Branden R. Williams, Business Security Specialist

Wait, we did something right? standard

Where have I been? Certainly not here! I’ve been on a little bit of travel to Asia and Australia and spending time with security professionals both inside and outside my company. I also tried the Tim Tam Slam for the first time, and videoed it. Enjoy. In my travels over the last two weeks, I am learning that the security market here tends to be more focused on shiny tools than security process. Someone even made a statement about the maturity of the US around information security and how much more mature it is than what they are dealing with. I was a little shocked, actually. It’s pretty rare that you hear that kind of praise outside of the US. ...

April 2011 Roundup standard

What was popular in April? Poking fun at QSAs still showed up, and I’m working on some new ideas on the behaviors of QSAs for May. Hope to see you at EMC World! Here are the five most popular posts from last month: How To Make A Mobile Payment App Comply With PCI DSS. I had this idea after the PCI Council stopped accepting mobile payment applications, but didn’t have time to put it together until now. It is possible to use a mobile payment application in a PCI Compliant environment! The Lack of Understanding in QSAs. Top five for two months! The statistics are getting interesting. Some reports suggest that HALF of the QSAs trained in 2010 were new ...

22nd of April, 2011
In: Consumer Security, Enterprise Security
0
0

Does Security Impede Innovation? standard

Depends on who you ask, I suppose. In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them. Imagine for a minute that you were a data center manager looking to ...

How to Make a Mobile Payment App Comply with PCI DSS standard

The PCI Security Standards Council recently made news when they announced that they would no longer be accepting mobile payment applications for PA-DSS compliance consideration. This means that vendors looking to certify new mobile applications or devices are now left in the lurch. But we have to dissect this rather knee-jerk reaction (see, there I go again) by the Council to understand exactly their intent. What they said was: “No mobile payment applications used by merchants to accept or process payment for goods and services would be approved or listed as validated PA-DSS applications unless all requirements can be satisfied as stated… Until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the ...

How Deep is Deep Enough? standard

After my last post on the Lack of Understanding in QSAs, Brad emailed me and asked how much a QSA or ISA should look behind the curtain for someone like an Iron Mountain (analogy used in the post). I feel like a bad consultant/blogger because I only pointed out a problem, but didn’t point out a solution. It’s OK though, I’m over it now. How deep is deep enough? Here is a basic guideline: Is the service provider currently on the PCI DSS Global Registry of Service Providers, and is their listing current? If so, I think most QSAs would look at how the data is handled prior to the handoff, make sure that the handoff and contracts are compliant ...

Neutral vs. Agnostic standard

I am not a grammar expert. Did you see that? If you didn’t start this post over because that first line is important. I do write often and I have a particular style that I like to follow, but most importantly, I am a student of the English language and not an expert. THAT SAID… There are certain things that people do that really grind my gears. I think it has to do with being granted access to a thesaurus too early in life, or lazy students aiming for a minimum page count. Regardless, the result is the usage of certain words to sound smart even though their usage makes you sound dumb. Today I want to cover a word ...

March 2011 Roundup standard

What was popular in March? This month was rather light as my travel schedule was a bit hectic. But I’m working on some great stuff for you this month! Here are the five most popular posts from last month: The Lack of Understanding in QSAs. The statistics are getting interesting. Some reports suggest that HALF of the QSAs trained in 2010 were new QSAs. I’m all about fresh blood, but at some point you might need some experienced folks, right? RIGHT? Bueller? I Don’t Need to Know, I Can Look it Up. Sure, storage is cheap nowadays, but why do we insist on keeping every single piece of data that our business comes across on any given day? Is that ...

The Lack of Understanding in QSAs standard

This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting. It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people ((Meaning me.)) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods—no questions asked. ...

22nd of March, 2011
In: Consumer Security, Enterprise Security
0
0

I don’t need to know, I can look it up! standard

The pace at which our society produces information is staggering. Even worse, the amount of value of that information is typically only apparent after slicing it up in a particular way. Those of us that are naturally curious and problem solvers have gotten quite good at knowing where to find certain information as opposed to memorizing it. There are certain things you sometimes just need to memorize. For example, driving laws. It’s much better to remember that you must always stop at a red light then having to look it up each time you approach an intersection. We have enough trouble with distracted drivers already. Those of us that have figured out this critical skill often become technical support for ...

Why Trying to Change the Rules Doesn’t Work standard

Going against the grain isn’t easy. Go back through history and look at individuals that failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their life to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS as they saw it as the justification to get the things they needed to ...