Branden R. Williams, Business Security Specialist

An alternative to PCI standard

PCI is still a hotly debated topic nearly four and a half years after its initial release on December 15, 2004. You didn’t have to visit too many after hours parties or exhibitors at RSA to see that. Most of the criticism of PCI comes from people who really don’t understand it, or understand how to use it to their advantage. And those people fall into two categories themselves; those who are green to PCI and are overwhelmed, and those who love their soap box. Those in the former bucket just need time to get up to speed. PCI, like Rome, was not built overnight, and it requires weeks of study to fully grasp how it will affect your environment. ...

Thank you RSA! standard

Well, I finally made it back home yesterday after a week in San Francisco. It was great to put some faces to names, and thanks to all of you who stopped by the VeriSign ESS booth and said “Hi!” On Wednesday, the blogger meetup DID happen, and neither Tim Callan nor I won any of the awards; though we did cheer loudly for our fellow bloggers! And then, who woulda thunk it, but little ol me won a Seagate Black Armor 420 NAS drive! SWEET! Thank you to Seagate for that! The tweeps were tweeting all over the place! Now, one last thing before I check out of the blogosphere for the week, I had to pass along this freaking ...

The Art of the Compensating Control (Part 6, The Finale) standard

See part 1 here, part 2 here, part 3 here, part 4 here, part 5 here. Go Forth and Compensate! What a pretty mural we have painted over the last several pages! Good compensating controls are the result of a marriage between art and science. We’ve discussed what compensating controls are, what they are not, some funny examples of how to go wrong, and three solid scenarios from which we created good controls. Compensating controls are not the golden parachute of compliance initiatives. They require work to build effective ones that will pass the scrutiny of both a QSA and an Acquiring Bank (or card brand). Rarely do they yield lower cost and effort than simply meeting the original requirement. ...

The Art of the Compensating Control (Part 5) standard

See part 1 here, part 2 here, part 3 here, part 4 here. How to Create a Good Compensating Control We’ve spent quite a bit of time setting this section up. We talked about what Compensating Controls are, what they are not, and some of the best mis-guided attempts to create them. Before we discuss the examples, please remember that these examples should be used for illustrative purposes only. I have over simplified the scenarios for brevity, and things are rarely as simple in the corporate world. Ultimately, compensating controls must be approved first by a QSA, or barring that, your Acquiring Bank. I know I don’t like it when someone slaps some random article about PCI on me during ...

Are you going to be at RSA? standard

I hope to see you there! I arrive on Monday and will be at the welcome reception about halfway through, and am leaving at lunchtime on Thursday. You can find me at the VeriSign ESS Booth (not the big one up front) at Booth #1454. It’s in the back, so you have to look for it! I will be manning the Retail Security area of our booth on Wednesday from 11:00 to 2:30. Come by and see me! Also, if you have not done so already, follow me on Twitter (http://twitter.com/BrandenWilliams/), I’ll be tweeting from the conference and the booth! Who knows, maybe we’ll end up at the same crowded bar filled with people arguing the merits of DLP!

Simplified DLP in a Cost Conscious World standard

I’ve been writing Herding Cats for over a year now, and with all this talk about DLP, I wanted to dust off my FIRST EVER Herding Cats. Have you ever wanted to see if sensitive data your company protects exists outside of designated areas? Maybe you are looking for Personally Identifiable Information (PII), intellectual property, or cardholder data that might be sitting around in flat files. I suggest turning to Grep ((http://www.gnu.org/software/grep)), a GNU searching tool that is included on most Unix-based operating systems (and there are MS ports)! Grep can use the power of regular expressions to quickly search for patterns in files. The results obtained will help you triage data leakage that may occur through the normal course ...

The Art of the Compensating Control (Part 4) Tax day special! standard

See part 1 here, part 2 here, part 3 here. The Funniest Controls that You Didn’t Design Some of my most cherished stories and experiences come from customers and vendors that had the right intentions, but never seemed to follow the basic doctrines listed above on how good compensating controls are made ((By the way, if you read this and think, ‘Hey! He is talking about ME!?’, I’m not. I promise.)). During my career I did some IT auditing for a bank that was owned by my employer. I know the drill of responding to auditor findings. They usually start with a meeting bringing all the key stakeholders together, a spreadsheet listing all the findings, and lots of grumbling about ...

Do you think about skimmers? standard

I’ll admit, I’m not the insomniac whose brain refuses to shut down because of something like a skimmer. They do scare me. Less from a personal liability perspective and more from a corporate liability perspective. Have you ever seen a real-life example of an ATM that has been doctored with a skimmer? Today is your lucky day! One Gizmodo reader submitted his pictures and story. Maybe I’m crazy, and maybe it’s just not that big of a deal anymore. The bad guys are getting very crafty now, and able to fit skimmers to specific ATM models. It used to be that if you used an ATM regularly, it would be very easy to tell if someone had tampered with it. ...

The Art of the Compensating Control (Part 3) standard

See part 1 here, part 2 here. What a Compensating Control Is Not Compensating controls are not a short cut to compliance. In reality, most compensating controls are actually harder to do and cost more money in the long run than actually fixing or addressing the original issue or vulnerability. Imagine walking into a meeting with a customer that has an open, flat network, with no encryption anywhere to be found (including on their wireless network which is not segmented either) ((While it is not a requirement to segment your network, it does make compliance easier. Usually in this situation, I find a legacy system that cannot be patched or upgraded, but now becomes in scope. Then the conversation about ...

VeriSign Forrester Webcast standard

Did you miss the super-duper, fantsmoriffic webinar that we did with Forrester? If you were not one of the more than 300 attendees, don’t worry! The webcast was recorded, and can now be viewed online! Check it out at http://www.iian.ibeam.com/events/nrfe001/30288/!