The Problem with PCI standard

Uh oh, is he really going to go there? No way… he can’t go there! YES! HE IS GOING THERE! One thing that cracks me up about reading blogs on PCI is the massive amount of individuals who have no idea what they are talking about. Just like that vendor that you run into at RSA that says “I SOLVE ALL PCI PROBLEMS! I AM A SILVER BULLET,” there are those out in the blogosphere that throw out claims without substance and pure drivel. Some even do it so well that the media will run with the claim. Like the so called “second processor breach” of last month. Actually, that makes me laugh more! There have been people that argue ...

Continue Reading

Funny how??! standard

I’m too tall to even come close to pulling off Joe Pesci. So just think about the scene in Goodfellas where Tommy DeVito is pulling Henry Hill’s leg in the restaurant. How am I funny?! Anyway, if you are looking at my blog and you see a little badge on the upper right with a link to the Social Security Award and are wondering what that funny business is, I’ll tell ya! The Security Blogger Meet-Up at RSA is coming soon, and they are going to have some awards this year! There are five awards that will be given out. They are: Best Security Podcast – Who is the voice you listen to week after week? Best Technical Security Blog ...

Continue Reading

The Threat You Forget standard

Here’s a rare one from me, some Friday Night blogging! Why are you so lucky as to get this? Because I didn’t have time to do it yesterday! In speaking with a customer today, I remembered something that many companies (not this customer) are missing when it comes to building secure and compliant environments. It’s really a scope creep issue when you look at it. Unfortunately, a very dangerous one. What could this mystical threat be? That of core systems. Those systems that provide IT services to the larger server population. Here are a few systems to think about. Domain Controllers Anti-Virus Servers Log Aggregators Patch Management Remote Access Network Monitoring Why are these a threat? Let’s take a look ...

Continue Reading

Satellite Hacking on the Cheap standard

Are you one of the many companies that rely on satellites to communicate with your, uh… satellite offices? We security professionals often ask hard questions about how that data is protected en-route and usually are quickly dismissed with a “Oh, it is too hard to do and would require a six-figure investment in hardware to accomplish.” Well, thanks to Adam Laurie, you can do it for around $1,000! If you are relying on satellite communications, you should now be asking those hard questions of your provider, and making sure that you have acceptable encryption on those lines preventing someone from intercepting or injecting traffic into that stream. Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers ...

Continue Reading

New Data Sheet on PCI Program Management standard

Ever wonder how you can bulls eye the moving target that is PCI? It’s possible! Many of our customers are rolling out our program to do this. You have often heard me talk about our PCI Program Management service that was developed based on our customers asking for ways to sustain compliance and security between assessments. BitPipe now has our PCI Program Management Services data sheet available for download. Go check it out! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Continue Reading

Rolling the Dice on PCI standard

Here’s a line you have heard many times–“but wait, don’t look at this in black and white. You have to take a risk-based approach.” We hear it all the time as a QSA. Sometimes there is a legitimate reason to take a sane, risk-based approach. In fact, the Council tells QSAs that PCI must be applied using a risk-based approach. That allows for some latitude in some areas, but can create problems in others. Wait… problems? Why problems? We don’t have a single, industry-wide risk model to measure risk. This means that each QSA is empowered to use their discretion on how to measure and accept risk, leading to variance in interpretation and opinion shopping by companies hiring a QSA. ...

Continue Reading

Payment Security Professional of the Year standard

It’s official, I was selected as Payment Security Professional of the Year by the Society of Payment Security Professionals! The Society has gained a ton of momentum in the industry and launched their two excellent certifications, the Certified Payment-card Industry Security Manager (CPISM), and Certified Payment-card Industry Auditor (CPISA). If you are looking to get into this industry, or work for a company subject to PCI compliance and have responsibility for PCI, you should have these certifications. This training is better than the training that we receive as QSAs for a few reasons, but mainly because it covers a much wider base than just PCI-DSS. Anyone that has heard me speak about the negatives associated with a breach and/or non-compliance ...

Continue Reading

QSA Requal for 2009, DONE! standard

I’m sitting in my big metal tube ready to depart ORD for DFW. Thank you to the Council for putting together our requalification training! We enjoyed our new trainer, Jeff Foresman, and I thought of several good blog posts for next week. Don’t worry Bob… I won’t bust a copyright 🙂 Look for some posts next week about how things will evolve over 2009, and some thought provoking discussion (hopefully) on the acceptance of risk and rolling the dice! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Continue Reading

Really Peter? 219K Sites? standard

I’m not Seth Meyer. I’m not a television star. I don’t have a team of writers feeding me stuff on cue cards. That said…. According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting “there are probably 219,000 sites with outdated SSL certificates.” Probably. Fred, who rounded the original 219K figure from Peter up to 250K in his posting, goes on to describe the “bit of math” that Peter used to come to this conclusion using data from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report by Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. So then Peter does ...

Continue Reading

From the Vault standard

Rick Moy and I sat down at the PCI Community Meeting in Orlando and discussed some of the trends that we see for PCI. While this video was created almost six months ago, the content is still relevant! The audio is a bit low, so you will need to get some headphones or just turn the volume up. There are no mean tricks like a scary zombie screaming or anything, so you should be safe. Just remember, all of your OTHER audio will be much louder too. Just saying, don’t spit out your coffee because Outlook reminded you of something. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the ...

Continue Reading