Test

The Breach Research We Need standard

I’m not afraid to point out misleading or questionable research findings funded by marketing groups strictly to gain headlines. Studies like the cost per record or cost per breach white papers come to mind here that give us excellent, attention grabbing headlines supported by a house of cards (specifically the cost per record studies). The information presented is unusable for risk management purposes, and is a quick way to get laughed out of a room if you quote these studies. What risk managers need is something that is comparable to their companies when trying to think about costs. Simply taking an average cost per record or an average cost per breach is not concrete enough to make risk management decisions. ...

Continue Reading

Pushing Vendors to Abandon SMS standard

SMS-based authentication continues to be a great way to placate a user into thinking they are safe while creating an avenue for attackers to gain access to their accounts. Fabio Assolini and Andre Tenreiro from Kaspersky published some research that puts numbers in fraud losses to these threats. SIM Swaps cost criminals $10-15/SIM with gains from fraud being over $1,000. That’s a good return on investment. It’s why I’ve become a huge fan of U2F and other non-SMS authenticators (see my guide here). Companies like Yubico have made real multi-factor authentication doable for the masses with zero client-side infrastructure. Major companies like Google and Facebook are leading the charge to remove SMS-based authentication and account recovery options by allowing users ...

Continue Reading

Ditch SMS for True Second Factor Authentication standard

At one point, getting a text message with a code seemed like a great way to provide more identity and authentication assurance. Phone networks are out of band from email, the cost of sending the message is relatively inexpensive, and few people are without a cell phone these days. As it gained popularity, SMS-based authentication got the attention of cyber criminals and they soon exposed a number of high- and low-tech attacks that make SMS authentication unreliable. I’ve been on a kick to turn on any 2nd-factor authentication option possible in every site/service that I use. Lately, however, I’m switching to real 2nd-factor options that include apps, U2F, or other methods. To that end, I recently published an article that ...

Continue Reading

Brando’s Rules for Success standard

I’ve had a few folks ask me if I could attribute any big life lessons that have helped me get to where I am. Things like the Golden Rule or an extremely healthy amount of respect for karma (both of which would be true for me) came to mind, but I was able to distill my guiding principles into this: Show up. Don’t be a dick. End of list. Let’s dive deeper. Show up. This rule can mean a lot of things, which is why I love it. It’s extremely versatile. Be physically present and on time to appointments when required. Don’t be a flake. Fulfill your commitments (and communicate EARLY if you need to adjust them, bad news does ...

Continue Reading

PCI Council Loses $600K in Revenue, PO Population on the Decline standard

Last year I released a blog post and a GitHub repository with some code to calculate how much money the PCI Council brings in annually, with an estimation of lifetime revenue. There are some MAJOR assumptions in there that can swing the revenue in either direction. And, of course, there are already new programs that the Council will happily charge for that have been released since my initial commit (3DS Assessors, 25 of those with each individual consultant paying $1,400 per exam). I’ll work on that soon. I was meeting with some industry people this week and thought I’d check up on the old numbers to give the package a refresh. As it turns out, the number of Participating Organizations ...

Continue Reading

No Need to Sign standard

If you went shopping on Sunday and happened to notice that a signature was not required for your credit card purchase, that wasn’t an April Fools joke. Back in December & January, the major payment networks all announced they were dropping the signature requirement. Even MORE time saved when paying for things! I’m sure many of you are like me in that you didn’t even put your actual signature on those papers or electronic signature capture devices. The only time I have been serious about it is when I travel abroad. Those cashiers are very good at matching your signature to what is signed on the back of the card.

Continue Reading

So You Want to Gong-Fu? standard

The Gong-fu Tea Ceremony is a celebrated method for brewing and enjoying tea (here’s another instructional video, and here are two posts with awesome info). When you start to spend money on higher quality leaf, the gong-fu tea ceremony will yield better results for a more immersive and enjoyable tea experience. Even lower quality tea can taste much better using the gong-fu method! Full disclosure: I’m just as lazy as the next guy some days. There are times where I can barely be bothered to rip open a single serve teabag of Queen Anne and throw it into a mug with hot water. I also have a few different ways I make loose leaf tea that are simple and get ...

Continue Reading

What’s the craic on KRACK? standard

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Continue Reading

Why PCI DSS 4.0 Needs to be a Complete Rewrite standard

The last month has been tough for our coastal regionsĀ and based on what forecasts show for the rest of the season, we’re not out of the woods. If you have not donated to those affected by these massive storms, please consider doing so today. The group that received my donations this time around is Direct Relief, but there are plenty to choose from. Thankfully, the Council canceled the Community meeting due to Irma (albeit, probably two days too late). It was the right decision. Hopefully, the vendors who have spent money with the Council will get some kind of relief for this year. Given that the conference didn’t happen, there was a missed opportunity to discuss the future of PCI ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!