Branden Williams is a long-time security professional. His primary focus is Payment Card Industry-related services in the Global Security Consulting group.

When he is not on the road or looking for a great brewpub, he resides in Flower Mound, Texas.

Contact Branden at: TheSecurityBlog@gmail.com.

May 16, 2008

Will your QSA Breach your Contract?

Your QSA may not be telling you the whole story.

No, I'm not talking about sloppy assessment work. What I'm referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors require that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the document linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement!

In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their contracts! This means that the QSA has a choice: they can either breach the agreement they have with the Council, which would quickly get them delisted as a QSA, or they can breach YOUR contract and send the information along without your consent!

I am surprised that QSAs are doing this, and I wonder what their intentions are. If nothing else, if you get a contract without that clause in it, what does that say about the quality of the assessment you will receive?

May 14, 2008

PCI News Flash! PCI-DSS Version 1.2 to be released in October

If you had any action on the Vegas odds for the release of the next DSS and what it might be called, it's time to cash in. I was speculating that it would occur around the time of the conference this year, and that it would be called 1.2 (vs. 2.0).

Ahh, you win some, and you lose some.

The official release is here, and hints that there may be some new requirements coming down the pipe. They typically give 18-24 months to implement, so no need to panic now. But watch out for more controls around wireless!

May 13, 2008

Will you meet the 6.6 PCI Requirement by June 30?

Well? Will you?

We're waiting!??

Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computer World writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6.

In this clarification, the Council declared the intent of the code review component to include "Manual web application security vulnerability assessment" and "Proper use of automated web application security vulnerability assessment (scanning) tools." So essentially, if you are getting something like VeriSign's Premium Vulnerability Management Service, you meet this requirement. You could also count your penetration test, as long as the application has not changed since that penetration test was performed and the test covers the entire application with manual interaction. VeriSign's Penetration Testing services DO cover this.

There will be some merchants that do not meet the requirement, but those merchants have likely been doing just the bare minimum, or "Managing Checkmarks," as opposed to building a sound security infrastructure and fitting compliance inside it. Merchants doing that are probably not fully compliant on any given day anyway.

May 09, 2008

PCI News Flash! QSA Lookup!

Do you wonder if the consultants that your QSAC sends on-site are actually QSAs? Well, now you can check! For some reason, not all of VeriSign's QSAs appear in this list, but we're diligently working to correct that. I can only imagine the large QSACs are probably flooding Cathy with email right now.

May 06, 2008

Brando, On Writing

Greetings everyone! Go check out my guest post on Karen Swim's fantastic blog, Words for Hire.

"Step 1: Extinguish the precipitous rubescent LED-based luminosity!"

May 05, 2008

Why PCI will Never be a Federal Mandate

One of the arguments for becoming PCI compliant is to keep this an industry regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don't think it is possible.

Most federal mandates are designed to protect their citizens (I said MOST... ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession.

PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and instill confidence in the payment system. As an important side effect, it promotes information security inside retailers and reduces the losses that would be associated with a breach of their systems (potential brand damage, fines, and consulting fees).

Since the citizens are already protected, and breaches do not directly affect the money system (they affect companies), I don't believe the federal government will get involved. We've seen state governments pass legislation, but it is still untested in the courts and I have doubts about its ability to be enforced. Keep in mind, credit card fraud is not the same as identity theft, and I believe we will see much more legislation on that in the future.

May 02, 2008

Am I too trusting?

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I'll do a talk that is not the last session of the day :)

While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones that weigh like ten pounds.

I was not watching him the whole time, but I did not see him ever leave the room. The room was maybe 100' x 40' and he sat down on the couch less than 10 feet away. What benefit would someone get by "securing" the laptop and bag to the chair? Am I not paranoid enough?

May 01, 2008

PCI Council Reinforces Standard

The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we've gotten from the council since the announcement of the Hannaford breach earlier this year.

This statement is the first to be released to try to counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the Council, vague as it is, merchants should feel better about their PCI programs.

The PCI DSS, if properly implemented on a merchant or service providers' network, provides the security controls necessary to prevent hackers from penetrating a payment environment and installing malicious software that would jeopardize the protection of card data as it is being processed.

So does that mean that PCI DSS was not properly implemented at Hannaford? If it was not properly implemented, how would they have passed a QSA's PCI assessment? Maybe the new QA program at the Council will address something like this, but then again, maybe it is all up to interpretation?

April 30, 2008

Are we ever safe?

The Register is reporting that McAfee's "Hacker Safe" sites are not so much. In the security industry, we typically refrain from saying things are 100% secure, simply because the only 100% secure computer is the one that does not exist.

April 27, 2008

On my way to CSI-SX!

About to board my jet-fueled chariot right now. If you are going, look me up on Twitter! I'm planning on taking a cab to the hotel, checking in, and seeing if any conference goings-on are... going on.

See you there!