Compliance, Easier than Security! standard

My undergrad is in Marketing.  I sometimes call myself a marketing guy, but only right before I rip on one that hypothetically might do something causing a technical guy to lose his weekend.  One of my favorite marketing guys is Seth Godin, and every once in a while he posts something that works not only in the Marketing world, but in our world. On Friday, his post “It’s easier to teach compliance than initiative” reminds me of how our business works.  Isn’t it WAY easier to talk about some kind of security-related compliance versus actually talking about security?  Think about your past interactions with information security.  Did you have a chance to create a 3-5 year plan detailing how you ...

Continue Reading

EMC/RSA Expand Security Consulting Services standard

If you call yourself a “security guy,” this week represents one of the pivotal industry-related weeks every year.  I’m speaking, of course, of the RSA Conference.  The conference turns 19 this year, and there is quite a buzz going on!  I’ve not even arrived and I’m hearing about the excitement. What I wanted to tell you about today is our release on the expanded Security Consulting services that we announced earlier this morning.  The full release is here.  You can follow all the news coverage here, and there seems to be quite a bit!   If you are out in San Francisco, be sure to stop by the RSA booth around lunchtime tomorrow, and we can discuss this in detail! ...

Continue Reading

The RSA Conference, Are You Ready? standard

The annual RSA conference descends upon the Moscone center in San Francisco next week, and I can’t tell you how excited I am to be attending this year.  Not only do I work for the company that bears the conference’s name, but we’re making some big announcements about our future and direction.  More on that next week! Outside of that, if you want to catch up with me you will have several opportunities. Monday: Arriving in the late afternoon.  Meeting with some folks and gearing up for the conference! Tuesday: Client meetings and booth duty!  Come find me at the RSA booth from 11am to 2:30pm in the Expo. Wednesday: This day is stacked with meetings and I will be ...

Continue Reading

Subscriptions Deal with Transactions Times Twelve standard

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card) and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket!  While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, but it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year. Is there a way to game the system?  Well, maybe two ways.  First is to delete PCI DSS data, but that’s not ...

Continue Reading

Think Blackberry is Safe? Think again! standard

Chris Eng at Veracode put together a pretty sweet little presentation based on a tool Tyler Shields created to infiltrate Blackberry Smartphones called BBSpy.  Blackberry’s seem to be viewed as a more secure mobile platform for a smartphone or PDA than any other, to the point of speculation about the existence and future of President Obama’s Blackberry. When I first got a Blackberry smartphone, not only did my ability to separate my personal and professional life change, but I remember as a security professional liking some of the features provided.  Remote wiping, encryption, and a password attempt bomb made me feel that should I lose my Blackberry, I would be able to prevent any sensitive data on it from falling ...

Continue Reading

Satellite Hacking, Not Just for Pros! standard

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links.  Most of these links manifest as a form of a “carrier grade” link such as MPLS or Frame Relay.  These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links.  Companies extended their WAN in the form of a frame relay in 64-Kbit increments ((Yes I know there were 56-Kbit links too—I managed one back in the day.)). These links were rarely (if ever) encrypted partly due to ...

Continue Reading

Personal Liability for QSAs standard

I was chatting with a colleague this week, let’s call her Anne, who had a very interesting question. “Should Anne carry personal liability insurance as a QSA working for  a QSA company?” She was trying to assess her personal liability for doing QSA work.  So let’s say Anne made a mistake, and that mistake caused a merchant to be breached, would her former employer go after Anne to make her a scapegoat after she left? I had a brief discussion with David Navetta of the Info Law Group about the idea (and please note that anything found here is NOT legal advice, and you should always talk to an attorney if you have an issue… entertainment purposes folks), and he ...

Continue Reading

Data Destruction is YOUR Responsibility! standard

Matt Springfield (formerly of I-Net Solutions, those were the days) posted about a problem he is having with his Apple Time Capsule, and what happens to the data when they blow up.  In his situation, a bad power supply prematurely ended the life of his device.  When he asked an Apple representative what they do with the old hard drive contained inside the device, she responded that there was no data destruction policy. No data destruction policy?  Wow, there must be some fun stuff in old equipment at Apple. For the record, I’m a Mac user.  The first computers I used were early generation Macs (think System 6), and then I switched to a PC for a while in college.  ...

Continue Reading

Herding Cats February: The Retreat to Centralized Computing standard

Have you checked out ISSA Connect yet?  The next issue is up there with my column, The Retreat to Centralized Computing.  I’m traveling abroad right now so I don’t have the ability to put it up here on the site, but will do it when I get back next week. If you are a member, log into ISSA Connect and join the discussion!  Interact with great professionals globally as well as the authors that you enjoy reading every month.  If you are not a member, go sign up!

Continue Reading

Healthcare Security, the New Front standard

HIPAA tried to address it, HITRUST and HITECH are the newest entrants into the mix, but health care is just he latest example of an industry’s information technology significantly outpacing its ability to secure it.  If you’ve heard me speak on where I think the next big area that hackers will go after, you’ve heard some stories about what I would do if I were the bad guy. Last week I had a routine doctor checkup, and I watched my doctor type in a four digit password to access all of my records (and presumably any record in the practice).  Any security professional reading this has had a similar experience with someone in authority accessing data with weak credentials, and ...

Continue Reading