Getting Support for PCI DSS

For the record, I LOVE it when people send in emails requesting a specific blog topic. I can’t get to them all, but it sure helps set the direction. The part of the writing process that is sometimes hardest for me is finding a starting point. Thank you for this one (I’ll keep this person anonymous as their email bounced)! In the book we discuss how to manage a project to completion (Chapter 10), and one of the key steps is getting buy-in from senior management. A reader emailed me this week asking about how to go about getting this support. Specifically (paraphrased for brevity): How do I make executive management (C-level) aware of the necessity for, and importance ...

What’s a Token?

Along with the confusion on the term End-to-End Encryption, Tokenization (or just simply tokens) is a term used to describe many things. But what is a token really? The PCI Council does not provide any guidance other than the definition for an Index Token in the glossary: A cryptographic token that replaces the PAN, based on a given index for an unpredictable value. But even this does not really help us. To make matters worse, the term “token” itself is defined in the PCI DSS Glossary in the context of a 2-factor authentication device like SecurID. I’m going to take a crack at defining it and discussing what the variants might be and how they could be weaker ...

March 2010 Roundup

What was popular in March? Consumer security and various news posts topped the list! I’m also working out the kinks on getting my daily links posted here. Here are the five most popular posts from last month: The Social Security Office, an Identity Thief’s Heaven! You know your spouse cares about your livelihood when she (he) points out massive identity theft opportunities at your local Social Security Office!  Check out this wacky story based on my wife’s experience. The Mistakes QSAs Make. This one is a brand new post, but is getting a ton of attention. Well, it’s getting reads, but NO COMMENTS!  I need your comments folks!  I presented to the DFW PCI group my thoughts, but want to ...

Herding Cats April: Spread the Disease

Have you checked out ISSA Connect yet? The next issue is up there with my column, Spread the Disease. This issue’s theme was the Psychology of Security, and I decided to compare the thought process behind security to a psychosis. It’s fun! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, go sign up!

Key Logger Attacks on the Rise (this is no joke!)

Visa released a report yesterday on their website (dated March 17) warning merchants about the rising threat of key logger and screen capture attacks. I went back looking through my archives to see if I’ve written about this danger before, but I think my examples are ones that I typically talk about. But don’t worry, I’ll put one for you here! This particular alert from Visa targets software keystroke and screen captures. At the bottom of page two, Visa puts some MD5 sums for various malware probably obtained while investigating merchant breaches. They also provide eight mitigation strategies to be used as preventative measures for areas that are likely to be targeted for malware installation. My real world example ...

Another Security by Obscurity FAIL

I was doing some technical testing for a friend of mine the other day ((Sometimes security guys get tagged like other techies and we’re some guy's best friend’s college roommate’s sister-in-law’s cousin, twice removed on her MOM’s side (that’s very important apparently), and we get to try and “hack our way” into someone’s online presence.)), let’s call him George, and came across yet another bad example (or a good one) of security by obscurity failing miserably. George just set up his first online service portal for his customer base. He’s running a Pro Shop for a small, independent country club, and is trying to cut back on costs. He decided to invest in a simple online tee-time reservation system, and ...

The Mistakes QSAs Make

Aside from a rather embarrassing moment last night with Keynote ((Note to self, make your FIRST and LAST slides different, and actually test MOVING slides before the room is filled with expectant eyes boring holes through my skull into the screen behind me.)), I spoke to a local group of PCI DSS enthusiasts about the mistakes that QSAs make, and how to deal with them.  I came up with several, but would really like to see what YOU FOLKS out there think! Submit comments below anonymously or with your name, either way.  This is open to anyone!  QSAs, ASVs, acquirers, issuers, merchants, service providers, ISOs, security professionals, PCI HAY-TAHs, payment brands, Council members, Jim, forensic investigators, and other PCI experts. ...