The Art of the Compensating Control (Part 6, The Finale)

See part 1 here, part 2 here, part 3 here, part 4 here, part 5 here. Go Forth and Compensate! What a pretty mural we have painted over the last several pages! Good compensating controls are the result of a marriage between art and science. We’ve discussed what compensating controls are, what they are not, some funny examples of how to go wrong, and three solid scenarios from which we created good controls. Compensating controls are not the golden parachute of compliance initiatives. Building effective ones takes work, and they must pass the scrutiny of both a QSA and an Acquiring Bank (or card brand). Rarely do they yield lower cost and effort than simply meeting the original requirement. ...

The Art of the Compensating Control (Part 5)

See part 1 here, part 2 here, part 3 here, part 4 here. How to Create a Good Compensating Control We’ve spent quite a bit of time setting this section up. We talked about what Compensating Controls are, what they are not, and some of the best misguided attempts to create them. Before we discuss the examples, please remember that these examples should be used for illustrative purposes only. I have oversimplified the scenarios for brevity, and things are rarely as simple in the corporate world. Ultimately, compensating controls must be approved first by a QSA, or barring that, your Acquiring Bank. I know I don’t like it when someone slaps some random article about PCI on me during ...

Are you going to be at RSA?

I hope to see you there! I arrive on Monday and will be at the welcome reception about halfway through, and am leaving at lunchtime on Thursday. You can find me at the VeriSign ESS Booth (not the big one up front) at Booth #1454. It’s in the back, so you have to look for it! I will be manning the Retail Security area of our booth on Wednesday from 11:00 to 2:30. Come by and see me! Also, if you have not done so already, follow me on Twitter (http://twitter.com/BrandenWilliams/); I’ll be tweeting from the conference and the booth! Who knows, maybe we’ll end up at the same crowded bar filled with people arguing the merits of DLP! ...

Simplified DLP in a Cost Conscious World

I’ve been writing Herding Cats for over a year now, and with all this talk about DLP, I wanted to dust off my FIRST EVER Herding Cats. Have you ever wanted to see if sensitive data your company protects exists outside of designated areas? Maybe you are looking for Personally Identifiable Information (PII), intellectual property, or cardholder data that might be sitting around in flat files. I suggest turning to Grep (http://www.gnu.org/software/grep), a GNU searching tool that is included on most Unix-based operating systems (and there are MS ports)! Grep can use the power of regular expressions to quickly search for patterns in files. The results obtained will help you triage data leakage that may occur through the normal course ...

The Art of the Compensating Control (Part 4) Tax day special!

See part 1 here, part 2 here, part 3 here. The Funniest Controls that You Didn’t Design Some of my most cherished stories and experiences come from customers and vendors that had the right intentions, but never seemed to follow the basic doctrines listed above on how good compensating controls are made (By the way, if you read this and think, ‘Hey! He is talking about ME!?’, I’m not. I promise.). During my career I did some IT auditing for a bank that was owned by my employer. I know the drill of responding to auditor findings. They usually start with a meeting bringing all the key stakeholders together, a spreadsheet listing all the findings, and lots of grumbling about ...

Do you think about skimmers?

I’ll admit, I’m not the insomniac whose brain refuses to shut down because of something like a skimmer. They do scare me. Less from a personal liability perspective and more from a corporate liability perspective. Have you ever seen a real-life example of an ATM that has been doctored with a skimmer? Today is your lucky day! One Gizmodo reader submitted his pictures and story. Maybe I’m crazy, and maybe it’s just not that big of a deal anymore. The bad guys are getting very crafty now, and able to fit skimmers to specific ATM models. It used to be that if you used an ATM regularly, it would be very easy to tell if someone had tampered with it. ...

The Art of the Compensating Control (Part 3)

See part 1 here, part 2 here. What a Compensating Control Is Not Compensating controls are not a shortcut to compliance. In reality, most compensating controls are harder to do and cost more money in the long run than actually fixing or addressing the original issue or vulnerability. Imagine walking into a meeting with a customer that has an open, flat network, with no encryption anywhere to be found (including on their wireless network, which is not segmented either) (While it is not a requirement to segment your network, it does make compliance easier. Usually in this situation, I find a legacy system that cannot be patched or upgraded, but now becomes in scope. Then the conversation about ...

VeriSign Forrester Webcast

Did you miss the super-duper, fantsmoriffic webinar that we did with Forrester? If you were not one of the more than 300 attendees, don’t worry! The webcast was recorded, and can now be viewed online! Check it out at http://www.iian.ibeam.com/events/nrfe001/30288/!

OWASP Code Review Guide

Have you seen it? OWASP recently released their Code Review Guide to the general public for download! I’m very happy to say that one of our own consultants was a contributing author, Jenelle (Chapman) Davis! This book runs from the basics of preparing for a review and understanding how threats may present themselves, to the more advanced topics of reviewing code for technical controls, to suggestions for common languages or platforms on where to start. If you are interested in code review, you should understand the concepts in this book at a minimum. Slowly but surely, we’re starting to see more and more information being made available on this topic, and hopefully this will begin to spread around the ...

The Art of the Compensating Control (Part 2)

See part 1 here. What a Compensating Control Is In the early years of PCI DSS (and even my experience under the CISP program), the term compensating control was used to describe everything from a legitimate work-around for a security challenge to something that Michael Phelps may have dreamed up while expanding his mind at approximately twenty minutes after four in the afternoon (Aww… too soon?). If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. We will see more of the documented business constraints coming our way for review based on the current economic situation. Just remember the word ...
