Branden R. Williams, Business Security Specialist

Breach got you down? standard

Well, it has happened again. I received a rather menacing looking note in the mail today. You know, one of those heavy stock sealed letters that has the perforated edges? Yeah. That kind. Inside it looks like my information is on a lost tape from a bank. The funny thing is, I don’t remember banking with this institution… ever. I have a feeling that one of the brokerage firms I use (or used) was backed by this institution, but nevertheless, I thought of an interesting type of phishing attack that I bet would work. When I looked through this notice, it did appear to have a corresponding breach on PrivacyRights.org. I have already placed my fraud alerts, so I should ...

PIN Security finally catching up? standard

Wired reports that a Citibank hack may be responsible for a recent ATM crime spree. Edit: Looks like some arrests have been made! I’ve discussed issues around hacking ATMs and challenges with skimming in the past, but this one appeared to be pretty lucrative. While bank networks are not impenetrable, attacking endpoints is becoming much easier and more lucrative. Anyone remember the old days when you had to make sure the ATM you were going to use was real? Speaking of that… Ladies, you should beware of this. Something of interest to me… As a consumer, do you check your bank statement with all of your receipts? Would you know if money started disappearing from your account in $10-$30 increments? ...

Listen to my PCI Podcast! standard

About a month ago an audio guy showed up to my house and pinned a tiny microphone to my shirt for a podcast on PCI. It is a joint podcast with John Pescatore of Gartner. The theme is on managing PCI Compliance. Go check it out! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Where oh where has my little blogger gone? standard

I haven’t written, called, emailed, faxed, or even sent you guys anything via carrier pidgeon. For that, I grovel at your feet and request my penance (tee hee, I love the occasional translation error, especially when it reminds me of the most beautiful thing I have ever seen). What have I been up to? Last week was fun. Boston & Cincinnati in two days. Was great seeing many of you out there! Especially when a coworker and I started eating at the wrong party! This week, so far, I have met with the Visa CISP and Incident Response teams over two days, and I am headed home to fly out to Atlanta for a couple of customer meetings. If you ...

Are you in Cincinnati? standard

If so, shoot me an email! I will be there for the 5th 3rd Customer event tomorrow (if I can ever get out of Boston!). Possibly Related Posts: Top Posts from 2015 October 2015 Roundup September 2015 Roundup August 2015 Roundup June-July 2015 Roundup

June Edition of Herding Cats standard

The ISSA has posted the electronic version of the journal, so if you are itching to read what is coming to you via the post, go check it out! My column this month is titled “Don’t Get Cyberjacked!” It may be the first time that the phrase “This ain’t your daddy’s security incident” and the word “stripper” appear on the same page (or ever) in that fantastic publication. Go check it out! Possibly Related Posts: Level Up Cybersecurity with Kasm Workspaces Let’s Encrypt for non-webservers Selective Domain Filtering with Postfix and a SPAM Filtering Service Preventing Account Takeover, Enable MFA! Proofpoint Patches URL Sandbox Bypass Bug

Is PCI Working? standard

I was asked this question while sitting on a panel at RSA, and I think the answer depends on your perspective. I’ll answer this from a security industry perspective. If nothing else, you have to credit PCI with forcing the issue. Security among retail enterprises was generally limited to loss prevention and physical security until recently. Information security usually existed as a small and buried team within the Information Technology group, and did not have board level attention. If someone at the board was savvy enough to realize that security reporting to IT is an example of the fox guarding the hen house, then maybe they moved security into Internal Audit. Now we are seeing a massive amount of development ...

See you at the Gartner IT Security Summit! standard

Are you making the trek to DC next week for the Gartner IT Security Summit? VeriSign will be there, and I’ll be speaking on Monday, June 2, at 4:15PM in Potomac 6. It’s time to discuss the classic transmogrification, changing the tactical PCI approach to strategery. Phew! Anyway… Come see my presentation or stop by the VeriSign booth! Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Will your QSA Breach your Contract? standard

Your QSA may not be telling you the whole story. No, I’m not talking about sloppy assessment work. What I’m referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors requires that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement! In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their ...

PCI News Flash! PCI-DSS Version 1.2 to be released in October standard

If you had any action on the Vegas odds for the release of the next DSS and what it might be called, time to cash in. I was speculating that it would occur around the time of the conference this year, and it would have been called 1.2 (vs 2.0). Ahh, you win some, and you lose some. The official release is here, and hints that there may be some new requirements coming down the pipe. They typically give 18-24 months to implement, so no need to panic now. But watch out for more controls around wireless! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI ...