The RSA Conference, Are You Ready?

The annual RSA conference descends upon the Moscone center in San Francisco next week, and I can’t tell you how excited I am to be attending this year.  Not only do I work for the company that bears the conference’s name, but we’re making some big announcements about our future and direction.  More on that next week! Outside of that, if you want to catch up with me you will have several opportunities. Monday: Arriving in the late afternoon.  Meeting with some folks and gearing up for the conference! Tuesday: Client meetings and booth duty!  Come find me at the RSA booth from 11am to 2:30pm in the Expo. Wednesday: This day is stacked with meetings and I will be ...

Subscriptions Deal with Transactions Times Twelve

I was talking to a company that accepts credit cards for monthly subscription or service dues (think something as simple as paying your electric bill with your credit card), and when I asked them what level merchant they were, I was shocked to have them tell me they were at the top end of the Level 3 bracket!  While I do not advocate focusing your PCI DSS efforts based only on your validation requirements, it is interesting to consider what might happen if you were to reduce the number of payment cards you process in one year. Is there a way to game the system?  Well, maybe two ways.  First is to delete PCI DSS data, but that’s not ...

Think Blackberry is Safe? Think again!

Chris Eng at Veracode put together a pretty sweet little presentation based on a tool Tyler Shields created to infiltrate Blackberry smartphones called BBSpy.  Blackberrys seem to be viewed as a more secure mobile platform for a smartphone or PDA than any other, to the point of speculation about the existence and future of President Obama’s Blackberry. When I first got a Blackberry smartphone, not only did my ability to separate my personal and professional life change, but I remember as a security professional liking some of the features provided.  Remote wiping, encryption, and a password attempt bomb made me feel that should I lose my Blackberry, I would be able to prevent any sensitive data on it from falling ...

Satellite Hacking, Not Just for Pros!

I found a great article by Stan Shyshkin last week on hacking internet satellites. Satellite networking has always interested me, especially when it comes to learning how to take advantage of foolishly trusted links.  Most of these links manifest as a form of a “carrier grade” link such as MPLS or Frame Relay.  These links are inherently considered private, even though they typically do not take advantage of encapsulated encryption. Fifteen years ago we extended our network footprint through private network links.  Companies extended their WAN in the form of a frame relay in 64-Kbit increments (yes, I know there were 56-Kbit links too; I managed one back in the day). These links were rarely (if ever) encrypted partly due to ...

Personal Liability for QSAs

I was chatting with a colleague this week, let’s call her Anne, who had a very interesting question. “Should Anne carry personal liability insurance as a QSA working for a QSA company?” She was trying to assess her personal liability for doing QSA work.  So let’s say Anne made a mistake, and that mistake caused a merchant to be breached: would her former employer go after Anne to make her a scapegoat after she left? I had a brief discussion with David Navetta of the Info Law Group about the idea (and please note that anything found here is NOT legal advice, and you should always talk to an attorney if you have an issue… entertainment purposes folks), and he ...

Data Destruction is YOUR Responsibility!

Matt Springfield (formerly of I-Net Solutions, those were the days) posted about a problem he is having with his Apple Time Capsule, and what happens to the data when they blow up.  In his situation, a bad power supply prematurely ended the life of his device.  When he asked an Apple representative what they do with the old hard drive contained inside the device, she responded that there was no data destruction policy. No data destruction policy?  Wow, there must be some fun stuff in old equipment at Apple. For the record, I’m a Mac user.  The first computers I used were early generation Macs (think System 6), and then I switched to a PC for a while in college.  ...

Herding Cats February: The Retreat to Centralized Computing

Have you checked out ISSA Connect yet?  The next issue is up there with my column, The Retreat to Centralized Computing.  I’m traveling abroad right now so I don’t have the ability to put it up here on the site, but will do it when I get back next week. If you are a member, log into ISSA Connect and join the discussion!  Interact with great professionals globally as well as the authors that you enjoy reading every month.  If you are not a member, go sign up!

Healthcare Security, the New Front

HIPAA tried to address it, HITRUST and HITECH are the newest entrants into the mix, but health care is just the latest example of an industry’s information technology significantly outpacing its ability to secure it.  If you’ve heard me speak on where I think hackers will go after next, you’ve heard some stories about what I would do if I were the bad guy. Last week I had a routine doctor checkup, and I watched my doctor type in a four digit password to access all of my records (and presumably any record in the practice).  Any security professional reading this has had a similar experience with someone in authority accessing data with weak credentials, and ...

New Ponemon Study (and other fun metrics)

The Ponemon Institute released its latest analysis on the cost of data breaches, and this year they posit that the cost of breaches is still on the rise.  While new legislation and increased savvy and persistence from attackers are continuing to drive the cost of breaches up, I also believe that this very same legislation is forcing more breaches to be reported.  If anything, managers should take this information as a sobering reminder that the bad guys are out there and they still want your data. I’ve discussed these studies in the past, and I’m not terribly supportive of one of the key metrics that Ponemon analyzes: the cost per breached record.  Non-security managers (and unfortunately some new security managers) ...

Don’t run IT as a business, run it as a business?

That’s what the theme of Bob Lewis’s article entitled “Run IT as a business—why that’s a train wreck waiting to happen” felt like to me.  I understand that having people on different sides of an issue can lead to a more productive result, so this perspective is entertaining if nothing else. At a minimum, reading the article will expose a key problem IT organizations face, but the solution is no different than what vendors propose every single day. Have you noticed the push to “solutions” and “solution-based selling” over the last few years in the IT space?  CIOs don’t give a rip about some fancy whiz-bang technology.  What they do care about is whether you can solve a (business) problem for them.  ...
