From the Vault

Rick Moy and I sat down at the PCI Community Meeting in Orlando and discussed some of the trends that we see for PCI. While this video was created almost six months ago, the content is still relevant! The audio is a bit low, so you will need to get some headphones or just turn the volume up. There are no mean tricks like a scary zombie screaming or anything, so you should be safe. Just remember, all of your OTHER audio will be much louder too. Just saying, don’t spit out your coffee because Outlook reminded you of something.


Does your data flow free?

The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes. HALF! That is a BIG problem. Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help! Yes, VeriSign has a service that does this… OK, shameless plug complete. Where do you start? In an article that I published last year entitled, “Data Flows Made Easy,” I detail an adaptation of the Design Structure Matrix that can be used to help ...


End to End Encryption is NOT the PCI Silver Bullet!

Evan Schuman of StorefrontBacktalk has a pretty shocking article today. Apparently, the Heartland malware hid in the unallocated file space. Right on the heels of my last blog post too. Nuts. Our forensic examiners at VeriSign look for this type of malware during every investigation because it is not a new trick. It surprises me that it was almost missed. Even still, I stand by my original premise which is that the standard (properly implemented) would prevent this. In order to get the malware on there, a software flaw or credential had to be exploited. Both of those vulnerabilities are addressed by PCI-DSS. What is more troubling is the same noise that came out after the Hannaford breach last year. ...


What CEOs (and CISOs!) Can Learn from Heartland

It’s one week later. With limited public announcements, what is this post going to tell you? Well, let’s start off by stating what it won’t tell you. You won’t find any gory details about the breach or the other parties involved. You won’t find anything here that cannot be deduced using public information sources. You won’t find anything here that has not been stated before. So what use is it? How about we assemble some key points and do a little bit of analysis to understand how something like this can be prevented in your company. According to the original press release, the investigation uncovered malicious software that compromised data that crossed Heartland’s network. Before we start attacking PCI and ...


PCI Compliant Companies Don’t Suffer Breaches

We’ve got another one in the news. Heartland Payment Systems recently reported a breach that may have affected up to 100 million cards. That’s a lot. Heartland joins another elite group of companies that suffered a breach, but was also validated as compliant by a QSA. I want to make something very clear in this next paragraph, but before I do, none of the comments here should be tied directly to any incident that has been in the news. We keep our customer lists private unless we get permission to use one as a reference. There is a big misconception out there that needs to be cleared up. I’ve even written about it before in this blog. In our investigations ...


Discover Matches Merchant Levels (pretty much)

James DeLuccia IV noticed that Discover has officially matched their merchant levels to Visa (sorta). While this is a big step for Discover, I think most will find that they become Level 1 merchants of Visa before they become Level 1 merchants of Discover. There are exceptions. Some merchants are exclusively Discover. Those merchants will have to double check their levels (if Discover has not already told them they are a Level 1) to see if they have new compliance requirements.


Revisiting Botnets for Profit

One thing about Botnets that scares me is the amount of idle computing power that is available to the owner of the Botnet. Suddenly, things that were once computationally infeasible with one machine become plausible or even possible with thousands of machines. It seems like most Botnets churn out SPAM right now to the tune of trillions per day. SPAM may be profitable–the fraud generated by the SPAM anyway–but in light of recent attacks, I wonder if there are more enterprising methods. If Botnet owners didn’t happen to have 200 PS3s lying around for a research project on SSL, they could develop a program to break a large task down into work units, and have each bot on the net ...
