PCI Security Standards go to Three-Year Lifecycle

On June 22, the PCI Security Standards Council announced that effective October 2010, all of the standards under its care will move to a three-year development lifecycle from the current two-year lifecycle we have enjoyed since the standard was originally released on December 15, 2004. I had a chance to sit down with Bob Russo (VIRTUALLY, that is) and discuss some of the changes and how that affects the standard going forward. According to Russo, the change is “a direct result of feedback from [sic] our board of advisors [sic] and participating organizations” (quote shortened for brevity). He believes the change is “a win-win for everybody.” In the linked press release above, the Council cites feedback from key ...

Herding Cats July: Back to Basics

Have you checked out ISSA Connect yet? The next issue is up there with my column, Back to Basics. This issue’s theme centered on the basics of information security, and what better time to take a step back and really evaluate what we’re doing? Are we actually accomplishing our goals? Or just treading water? And do you want to take away my man card after reading this one? If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

No More WEP, Did You Make It?

Well, last week saw the passage of June 30, 2010. Do you know where your WEP is? For those of you subject to PCI DSS, you are no longer allowed to use WEP to “protect” your in-scope networks (Requirement 4.1.1, in the italics). Remember when PCI DSS 1.2 came out and you thought you had plenty of time? Hopefully you planned well. I have not run into too much WEP on in-scope networks in the last year or so. I still see it in retail locations for inventory control or other types of wireless networking, but those are usually firewalled off from the POS environment. Is anyone out there still using WEP?

June 2010 Roundup

What was popular in June? Would it shock you to know that my most popular post by far this month was the review on the Hoffacino? It’s second all-time to my post on Upgrading to Snow Leopard. So if any other prominent information security pros want to have me try and review their crazy Starbucks creations, bring it on! Here are the five most popular posts from last month:

1. Pwn3d by the Hoffacino. As @Beaker says, another one bites the dust. I did it. I rode the caramel-colored, caffeine-loaded pony known as the Hoffacino. Who says living life through chemical stimulants isn’t fun? This was BY FAR the most popular post.
2. Why ISAs are Good for QSAs. This ...

PCI Doesn’t Take Vacations

I was lucky enough to spend some quality time away from the tubes last week, and while I am not part of a rogue PCI enforcement militia, I do tend to observe how organizations tackle security and compliance issues.  For the first time, I found a rather unique disclaimer that was mere feet away from the Point of Interaction.  It shocked me so much, I snapped a picture to make sure I got the wording correct.  It plainly stated: WARNING: The method used to authenticate credit card transactions for approval is not secure and personal information is subject to being intercepted (the original sticker said ‘intercetped’) by unauthorized personnel. I promptly copied the phone number down and passed it to ...

VLANs and Segmentation

I was following an email trail from a few colleagues and it dawned on me that I had not written about the use of VLANs with respect to PCI in this blog. If you purchased Anton’s and my book, you can get a great, real-life example of VLANs in the second case study in Chapter 4, Building and Maintaining a Secure Network, entitled “The Case of the Large, Flat Corporate Network.” The question that was asked is, “Can a VLAN be used as a way to segment a network?” Of course, the answer (as always) is “It depends on how you are using it.” If you are using simple 802.1q tagging with no other controls, that is not considered good ...

The “Should” Rule of Cloud Computing

I’ve been asked over the last few months quite a bit about virtualization and cloud computing. Virtualization is something most people understand, but cloud computing baffles many professionals because there is often not a clear nomenclature used to describe products and services in the space (I just saw an ad for a “Dynamic Cloud Server.” For real.). In fact, my father-in-law (jokingly) asked me if I was somehow involved in weather forecasting after looking at what my current employer does. It’s like PCI DSS in the vendor space. “Install my product, and I GUARANTEE you are PCI Compliant!” Except in the cloud world, it goes something like: “I got me some sexy, fluffy cloud stuff JUST FOR YOU!” ...

RSA Security Brief, Secure Payment Services: Card Data Security Transformed

RSA, the security division of EMC, recently released a new security brief entitled, “Secure Payment Services: Card Data Security Transformed,” that outlines the security implications and benefits of the emerging category of outsourced secure payment services. In fact, many of the challenges we’ve discussed over the years in this blog can be solved by accomplishing significant scope reduction—the surest way to reduce the impact of PCI DSS on an environment. The authors of the brief include Dr. Anton Chuvakin (Security Warrior Consulting), Sam Curry (RSA), Robert Griffin (RSA), Craig Tieken (First Data), Steven Wilson (Visa EU), and me. The brief offers practical guidance on how retailers, merchants, and other organizations handling card data can improve payment card security and reduce ...

Do Small Service Providers Scare You?

Take PCI off the table for a minute. Do you get nervous when dealing with a small service provider that performs some niche service for your company?  It doesn’t have to be cardholder data related, but it definitely needs to be some kind of data that is either regulated or is classified as something other than public—data like PII, healthcare, or even intellectual property. Smaller providers can sometimes provide higher or better security than larger ones, and that may be beneficial long term—especially when doing the value proposition. But in some cases, smaller providers are providing a niche service to a larger customer, and are operating on a skeleton crew.  Imagine if a company like Ford Motor Company selected Brando’s ...

Running Security Into The Ground

Security professionals are funny. We are incredibly strong-willed and have strong opinions on subjects we live for. It’s more than passion; it’s Passion++. Just like regular passion, but with an object-oriented framework that amplifies said passion, but only for those that truly grasp its power. For example, get a security expert that lives and breathes Linux and one that lives and breathes NetBSD in the same room, ask for the most secure, open-source platform, and watch the hilarity ensue. Some security professionals have developed a dangerous attitude that rears its head when people discuss things like PCI DSS or other compliance topics. “Don’t tell me how to do my job!” This sometimes comes across ...
