Branden R. Williams, Business Security Specialist

An upcoming treat! standard

As a preview for next month’s Herding Cats, I decided to take a suggestion from a colleague and turn it into a column. We’re going to explore Hizver’s Insecurity in Large Numbers Theorum! Think you are safe in a crowd? Think again! Think that your company is too small to be noticed or targeted? Danger is afoot! Without ruining the punchline, consider this. Let’s say you work for a large company with a few thousand employees. Each one has at least one Microsoft Windows device assigned to them. Remember the emergency patch from last month? Are you 100% confident that every single last one of those devices was patched? Also, another preview… All previous versions of Herding Cats will be ...

Where to get good PCI Training standard

Yep, it’s been a PCI heavy week. Want me to discuss other topics? T and suggest one! Last week I sat through the Certified Payment-card Industry Security Manager training here in Dallas. The folks at Aegenis planned it at a hotel that happened to be about 10 minutes from my house, so getting there was easy. There were several bigwigs from the information security and PCI industry there with me in the sold out training, and the industry perspectives were valuable. If you are not an employee of a QSAC and are looking for a GOOD source of training around PCI, data breach laws, and a detailed look into the payment industry, this training is for you. If you opt ...

International PCI Compliance Dates Set standard

The day has come! I can’t tell you how many merchants have hounded me for compliance dates outside the US and Canada, and then looked at me like I just told them the sky was red when I could not provide them. Visa, Inc. has formally announced global compliance deadlines (thanks JKA!). If you are a global retailer, or a retailer not based in the US or Canada, the pressure is now on to become compliant with the PCI Standard! Feel free to reach out to a VeriSign QSA if you need assistance! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to ...

PCI-SSC Releases Data Storage Do’s and Don’ts standard

The PCI Security Standards Council posted a document on Data Storage Do’s and Don’ts this week. This document does an excellent job breaking down the storage piece of PCI for merchants big and small, but especially for the smaller folks out there. Now, for all of you out there, don’t forget that PCI is NOT just a data storage initiative. Just because you don’t store cardholder data does not exempt you from being compliant. That said, locating your data is step one in understanding how you measure up to the PCI Standard. Consequently, it is also step one in VeriSign’s PCI Program Management methodology. How healthy is your compliance program? If it needs work, drop us a line and we’ll ...

Fun with Phishing standard

Here at VeriSign, our email filtering is pretty effective. We have a corporate solution run by Postini (Google) that I am sure processes an amazing amount of SPAM for us. In most cases, one email that I would consider truly SPAM might slip through every couple of months. Not a bad track record. Today one of those messages got through, and I was amazed at what the bad guys doing to try and commit fraud nowadays. I remember several years ago that one effective method to get money out of large corporations was to just send an invoice for a small amount to the Accounts Payable department. Somewhere in the next two months, a check for that amount would show ...

Win a free pass to CSI2008 in DC! standard

Thanks to the Security Blogger’s Network, I am pleased to offer one free pass to CSI 2008 in DC! You will need to put some thought into your entry as this is not just some easy give away. To enter into this contest, all you need to do is email me your favorite security related story. Something that you saw that was clearly a huge security problem. Like if you saw a metal detector in a building that was maybe turned off, or maybe a NEXT box running an e-commerce web server in the last year. Here are the rules: All entries must be received via email by Thursday, November 6th, 5PM Central time. One entry per person. Your entry ...

PCI v1.2 saves the travel industry standard

One major change to PCI version 1.2 is the new requirements and testing procedures for Req. 12.8. 12.8 deals with how merchants and service providers should handle their third parties that can affect the security of cardholder data. The card brands have told us in the past that they would not expect a service provider to prevent a merchant from being compliant, but that the merchant must understand that they will carry the liability for a breach at their service provider’s site. We’ve seen 12.8 morph considerably from PCI version 1.0 to 1.2. The intent was to help merchants understand how service providers deal with their data, and make sure that they are protected if there is a breach at ...

Still think passwords are reliable? standard

Researchers Martin Vuagnoux and Sylvain Pasini recently released video demonstrating the ability to pull electromagnetic eminations from wired keyboards. Both videos show how various configurations of standard keyboards could have keystrokes intercepted through the air. Many of us have heard of the old TEMPEST project that was made famous by their demonstration of the ability to intercept the data that would be displayed on Cathode Ray Tube monitors. Imagine having someone sit outside your office or home and being able to see on their monitor the very same things you are looking at on yours. I wonder how many more corporate scandals would hit the press if this happened regularly. Now it appears that simply typing your passwords or authentication ...

PCI Europe Community Meeting, Q/A (Part 2) standard

Final round of questions from the field! The first question from this session was “Are end of life operating systems able to be used?” The thing that really worries me about retail is that information security does not seem to be built into the price of goods on the shelf. When someone asks if they are expected to replace hundreds or thousands of devices for PCI Compliance because Microsoft will not support them anymore, I worry more about the overall security of the company. This seems like a reactive approach without any forward strategy, which is unfortunately fairly common. I understand the business implications here. If your competitors are not doing this, you could face additional price pressures by trying ...

PCI Europe Community Meeting, Q/A standard

I always enjoy the Q/A sessions that the Council has at these events. I don’t know how many sessions I will be able to blog about (we only want the interesting ones anyway), but here’s the first bunch of Q/A from this session! The first question was around segmentation and SANs. I’d never heard the question asked that way, but most SANs by nature are segmented from each other. The more interesting point here is what constitutes segmentation? So many assessors only consider firewalls a method of segmentation. According to the documentation provided by the council, segmentation can be accomplished in multiple ways–not just by deploying firewalls. QSAs should be looking at the whole solution, not just fixating on a ...