What an IRS Scam Sounds Like standard

Like many of you, I have come to the realization that people not in my contact list who actually use their voices to communicate with me over this texting machine usually want something from me—many times, a sales pitch. I’ve given up on answering most of these calls. For the few that leave a message, I will return it if it’s important. Hopefully people have figured out by now that written communication is preferred in many instances. I recently got one of those robo-dialers to leave me a generic, threatening message (which you can listen to here) that meets many of the requirements of good social engineering. The transcript is below (apologies for the bad copy in two areas, the ...

Continue Reading

The Beginning of the End, No PCI DSS 4.0 in 2016 standard

Taking a cue from infosec luminary Bill Brenner, how about some mood music? Browsing Twitter last night brought me to this tweet about PCI DSS in 2016. Anybody else notice that the new redesign for the @PCISSC website is conspicuously missing the current lifecycle status #noversion4 — James Adamson (@jameskadamson) February 25, 2016 Indeed, earlier this month the Council posted a blog that revealed that PCI DSS 3.2 was the next version of the Standard, and would be the only release in 2016. I’ve previewed the proposed changes in 3.2, and I think this is a good approach for the Council this year. We can continue to debate the efficacy of the standard ad nauseam, but unless we’re going to ...

Continue Reading

Does Income Matter for Awareness? standard

Here’s another visualization to consider based on demographical data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did income levels matter in breach awareness? It appears to have mattered, yes, but not in the way you might expect. Below is a graph that shows how consumers reported their awareness of breaches as separated by income level. When we add weights to our responses to make sure we are comparing apples to apples. What’s interesting here is that the smallest two and largest two income levels were the most aware of the breaches, while the middle three were much less aware. Do lower income segments watch their dollars more closely? Are higher income segments more likely to be ...

Continue Reading

Gender Differences in Breach Awareness standard

Over the next few posts, I’m going to show you a few more visualizations that didn’t make it in my Consumer Attitudes Toward Breaches report (sponsored by MAC). Most were omitted for brevity as they didn’t add anything material to the content already presented. Below is a graph that shows how consumers reported their awareness of breaches as separated by gender—pink for female, baby blue for male. What made this interesting to me was that even though males were generally more aware of breaches than females, but the two breaches where females were more aware (Michael’s and Target) seem to target that demographic. The respondents split the gender line at almost 50/50 (11 more females responded than males of the 1031 responses). ...

Continue Reading

Consumer’s Attitudes on Breaches? Meh. standard

Fear, uncertainty, and doubt… three very dirty words when pushing products at security and IT professionals. Commonly known as FUD, it’s one of the techniques that sales and marketing folks use to create discomfort in their targets. If I can highlight a serious problem to you (and make you think that you have this problem), I might be able to sell you my solution that will make that problem go away. In the information security product space, one of the biggest claims that vendors make is that security breaches impact your brand’s value. I once said that in front of the CFO of a large retail establishment and was quickly called out for making such a general statement (he called ...

Continue Reading

We Should Question Bold Claims that PCI Is “Highly Effective” standard

For my first real post of 2016, let’s deconstruct a quote from an article published by eWeek about PCI DSS and 2016. The quote in question is from Jeremy King, International Director for the Council. “The PCI DSS is a mature standard that has proven highly effective wherever it is adopted and used.” The rest of the quotes fall along the messaging guidelines that you hear from the Council (although this appears to be more of a pitch related to the logging SIG), but this one stuck out for me. It reads like something that wants to be true versus something that actually is true. In the Council’s defense, they will readily cite that no fully PCI DSS compliant merchant has ever been breached. ...

Continue Reading

Top Posts from 2015 standard

2015 is over and in the books. It was a pretty busy year for those of us in security & payments. My company went IPO, the largest compliance provider sold (instead of IPO), adult websites were hacked and in some cases extorted, new books and publications, lots of blogs, a step back on SSL restrictions, and EMV. Thanks for continuing to stop by and check out my content. Looking forward to a great 2016 and I will see you at a conference soon! Here’s what you folks liked the most in 2015: Is The Council Trying to Kill the QSA Program? Obviously, any post where you reference Christina Aguilera is going to be something you all will love. The Council finally ...

Continue Reading

Dear Santa, 2015 standard

Lots of time for reflection and requests during this time of year. For those that recognize the elf-herder named Santa, what do you wish for this year? Did you have any infosec wishes? I have one, and the awesome folks at SecureWorld Expo included me in their series for 2015. Go check out my Santa wish for 2015! Need some levity in your office? Check out this call back to a great Steve Martin skit where he discusses his Christmas wishes (transcript). Possibly Related Posts: The Impacts of Breaches: New Research!

Continue Reading

WiFi Risks and Travel standard

Holiday travel is about to be in full swing for the holidays, and we’re all going to be wading in dangerous waters as we seek WiFi to keep ourselves and our kids occupied while we move around. Paul Ducklin just put together a great blog post on Naked Security about a risk you should be aware of when connecting to these networks. He specifically talks about unsecured requests for information before you are allowed to reach the Internet. There are a couple of other scary things you should be aware of: Don’t forget that open, free, and no-password-required WiFi is about as wild west as you can get. When you connect to these networks, anything you do that is not encrypted ...

Continue Reading

The Privacy Plug-in You Need standard

Sometimes I’m a bit behind the times on all this new fangled technology stuffs, so I wanted to make sure that everyone else knew that I caught up to 2015 and installed Ghostery. Ghostery is a cross-platform browser plugin that will help you select which tracking networks you want to participate in and which ones you want to block. If y0u have ever been annoyed by countless ads for some product that you Googled late one Saturday night that one time, this is a product for you. Here are my two reasons for keeping this installed on my machines: It allows me to selectively whitelist both certain ad networks and certain sites. So, for example, if I want to support ...

Continue Reading