Branden R. Williams, Business Security Specialist

Does your data flow free? standard

The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes. HALF! That is a BIG problem. Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help! Yes, VeriSign has a service that does this… OK, shameless plug complete. Where do you start? In an article that I published last year entitled, “Data Flows Made Easy,” I detail an adaptation of the Design Structure Matrix that can be used to help ...

Want more information on Heartland’s breach? standard

Anton Chuvakin has assembled three fantastic roundup posts that pull both news articles and prominent bloggers opinions together for a couple of hours worth of reading (if you hit everything). Check them out: On Heartland I On Heartland II On Heartland III Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down

January Issue of Herding Cats now online! standard

This month’s article entitled “Trust THIS” tackles Trusted Computing and the role it might play in corporate security today. There’s a mini iPhone rant in there… and while I don’t have one (yet), it certainly would irk me if I did. Click here to read Trust THIS, or go see the whole repository of articles! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug

End to End Encryption is NOT the PCI Silver Bullet! standard

Evan Schuman of StorefrontBacktalk has a pretty shocking article today. Apparently, the Heartland malware hid in the unallocated file space. Right on the heels of my last blog post too. Nuts. Our forensic examiners at VeriSign look for this type of malware during every investigation because it is not a new trick. It surprises me that it was almost missed. Even still, I stand by my original premise which is that the standard (properly implemented) would prevent this. In order to get the malware on there, a software flaw or credential had to be exploited. Both of those vulnerabilities are addressed by PCI-DSS. What is more troubling is the same noise that came out after the Hannaford breach last year. ...

What CEOs (and CISOs!) Can Learn from Heartland standard

It’s one week later. With limited public announcements, what is this post going to tell you? Well, let’s start off by stating what it won’t tell you. You won’t find any gory details about the breach or the other parties involved. You won’t find anything here that cannot be deduced using public information sources. You won’t find anything here that has not been stated before. So what use is it? How about we assemble some key points and do a little bit of analysis to understand how something like this can be prevented in your company. According to the original press release, the investigation uncovered malicious software that compromised data that crossed Heartland’s network. Before we start attacking PCI and ...

PCI Compliant Companies Don’t Suffer Breaches standard

We’ve got another one in the news. Heartland Payment Systems recently reported a breach that may have affected up to 100 million cards. That’s a lot. Heartland joins another elite group of companies that suffered a breach, but was also validated as compliant by a QSA. I want to make something very clear in this next paragraph, but before I do, none of the comments here should be tied directly to any incident that has been in the news. We keep our customer lists private unless we get permission to use one as a reference. There is a big misnomer out there that needs to be cleared up. I’ve even written about it before in this blog. In our investigations ...

Discover Matches Merchant Levels (pretty much) standard

James DeLuccia IV noticed that Discover has officially matched their merchant levels to Visa (sorta). While this is a big step for Discover, I think most will find that they become Level 1 merchants of Visa before they become Level 1 merchants of Discover. There are exceptions. Some merchants are exclusively Discover. Those merchants will have to double check their levels (if Discover has not already told them they are a Level 1) to see if they have new compliance requirements. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN ...

Free Compliance Webcast! standard

Greetings all! Join me for a Free Compliance Webcast put on by BrightTALK! I’m one of the featured speakers and will be discussing “Beating PCI in 2009!” You can review the agenda and register here: http://www.brighttalk.com/webcasts/2158/attend. You should also be able to look below this paragraph and log in and register there! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down

Revisiting Botnets for Profit standard

One thing about Botnets that scares me is the amount of idle computing power that is available to the owner of the Botnet. Suddenly, things that were once computationally infeasible with one machine become plausible or even possible with thousands of machines. It seems like most Botnets churn out SPAM right now to the tune of trillions per day. SPAM may be profitable–the fraud generated by the SPAM anyway–but in light of recent attacks, I wonder if there are more enterprising methods. If Botnet owners didn’t happen to have 200 PS3s laying around for a research project on SSL, they could develop a program to break a large task down into work units, and have each bot on the net ...

Will 2009 finally be the year for the insider threat? standard

Finance and Commerce Magazine published an article based on a survey revealing that most companies are unprepared for IT risks. *blink* What? You mean that with all the emphasis we put on it, and all the spending after some of the biggest breaches in history, we’re still not ready? This is not coming from the consultant who sees this stuff every day, this is coming from people working for these unprepared companies. With the economic situation as it is, will your own employees finally turn on you and take advantage of weak security controls in your network? This may be an unpopular position, but while the risk is definitely much higher for insider threat, it doesn’t seem to make the ...