
April 30, 2008

Are we ever safe?

The Register is reporting that McAfee's "Hacker Safe" sites are not so much. In the security industry, we typically refrain from saying things are 100% secure, simply because the only 100% secure computer is the one that does not exist.

April 27, 2008

On my way to CSI-SX!

Bout to go board my jet-fueled chariot right now. If you are going, look me up on Twitter! I'm planning on taking a cab to the hotel, checking in, and seeing if any conference goings on are... going on.

See you there!

April 24, 2008

Tee Hee - Eee Pee Cee

GloboTV (via Gizmodo) has a story (in Brazilian Portuguese) about some crooks that used the Eee PC to steal customers' debit information at ATMs.

Tee Hee.

April 23, 2008

Busy Week in PCI Land

I'm going to aggregate several PCI related things here in one post as it has been a busy week in PCI Land! I have other things I want to write about, so stay tuned for more stuff later today and throughout the week.

First off, the Council has released the Payment Application Data Security Standard (PA-DSS). This replaces Visa's Payment Application Best Practices program, and your Point Of Sale application should comply by July 2010, or your customers may not be able to accept Visa cards! Nothing we did not already know, but it is now finally released.

Next, the Council also released clarifications on Requirements 6.6 and 11.3 (apparently a very hotly debated topic in a recent QSA Requalification class). There are two very important issues to pull out of the clarification.

On Requirement 11.3 (annual penetration test), the clarification makes mention that the penetration test should also include an on-site (or internal) penetration attempt. This will drive the cost of these assessments up a bit, but I think there is some room for innovation. Just depends how risk-averse a company really is.

The real doozy is on Requirement 6.6 (periodic code review or web application firewall on all web-facing apps). There really appears to be overlap here now. In lieu of a code review or web app firewall, the Council has elaborated on how the intent of a code review can be carried out. They say that a "Manual web application security vulnerability assessment and/or proper use of automated web application security vulnerability assessment (scanning) tools" can be used in lieu of an actual code review.

In a normal application penetration test that VeriSign performs, we already would perform the above. Does that mean if you get a Penetration Test by VeriSign that you automatically comply with both 11.3 and 6.6? If we take the guidance of the Council, it does.

I was disappointed by the 6.6 clarification as it does not seem to have legs any more. VeriSign typically recommends that a code review be performed as part of your PCI strategy. We believe that you should fix the problem at the source (pun intended) instead of trying to put another filter in-line. Passive web application firewalls have their place in any sound security strategy, but the fact remains that the most effective way to remove the threat of these vulnerabilities is to fix the problem in the code.

As an example, during a recent code review we performed, we found several remotely exploitable vulnerabilities that an automated tool would not have caught. When you are working from the code, you are not limited to what the interface exposes.

In other news, Visa released a bulletin on packet sniffing cardholder data, no doubt in response to a recent breach. VeriSign has often recommended using encryption over the wire to help reduce insider threats. Visa echoes that strategy in the recommended mitigation section.

OK, enough PCI for today!

April 22, 2008

Dave Taylor gets it right!

Please don't take the title to mean that Dave doesn't get it right often, I just wanted to laud this recent column at StoreFront BackTalk. The quote specifically that drives the nail home is:

If you're thinking that the Hannaford security breach is a very isolated "blip" and that PCI compliance is the same as securing the enterprise against security breaches, you'd better think again. Why? It's not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.

Could not have said it better myself, Dave. The two points he brings out are, 1) Compliance is not the same as security, and 2) you have to MAINTAIN what is assessed.

I had a conference call today with a prospective customer that was really interested in beating the standard by focusing on security. It was refreshing! Most customers say "Just tell me the minimum I have to do to get the check mark." Gold star for point numero uno.

On the second, I've mentioned before how important maintaining compliance is. We even created a service around it. But actually doing something just for the assessor to see, and then undoing it? I really hope that is not happening. Just going through the motions does not do you any good.

April 19, 2008

Herding Cats, April 2008 is out!

If you are not a member of the ISSA, click here to go sign up! I am a monthly columnist in the ISSA Journal--the publication for the association. This month I tell you how you can learn something from the Department of Homeland Security and Ron "Tater Salad" White.

April 18, 2008

Are you going to CSI-SX?

If so, LOOK ME UP! I'm speaking on Monday afternoon at 4pm at the conference. Hope to see you there!

As always, I'll be sending tweets!

April 16, 2008

Phillip Hallam-Baker adds to the fire!

Phillip Hallam-Baker commented recently on my post about the NRF, but specifically added to the chip and pin point. Thanks Phillip!

April 15, 2008

Thanks OpenTravel Advisory Forum!

While others at VeriSign are headed to ETA, I took the opportunity to speak about PCI to the OpenTravel Advisory Forum in Atlanta today. A shout out to an excellent group of individuals that are in one of the more difficult industries with respect to PCI (the other being Fuel Dispensing). Thanks for the hospitality!

News Flash: PCI-SSC Releases the PA-DSS!

It appears that the PCI-SSC has finally released the new Payment Application Data Security Standard! You can read all about it here.

April 10, 2008

Last Call @ the Expo

Just finished up with the last booth work at the show. Today was fairly slow (as to be expected), though there were still plenty of people coming through. I got to see the VeriSign VIP token work, and that was pretty cool! Hope you stopped by to get your free token!

As I was leaving, the last hunters of conference trinket treasure were hurriedly making the rounds before the expo closed. All in all, quite a show. If I missed you this time, I hope to see you somewhere else soon!

April 09, 2008

The Haps at RSA!

Today has been filled with all kinds of activities, including meeting with some customers and vendors. I just finished the first meeting of the NSS Advisory Group and I am very pleased with the direction that it is heading. I think there is a lot of promise there for helping customers figure out which vendors DO solve PCI issues, and which ones don't.

I will be AT THE BOOTH at 10am tomorrow! Please stop by! I have a pretty "Blog This!" button on (Thanks K-Dog!).

Also you can follow me on Twitter at http://twitter.com/brandenwilliams.

See you there!

VeriSign wins "Best Security Company of the Year!"

Thanks SC Magazine! We've been recognized as the Best Security Company in 2008! Here's the part of VeriSign that I represent!

VeriSign's Enterprise Security Group (ESG) provides a best of breed suite of solutions for global companies. It begins with our iDefense Intelligence Service, which provides detailed threat information in advance. Vendors are notorious for taking anywhere from 90-180 days to patch discovered vulnerabilities. iDefense can help you understand how to mitigate before patches are available.

From there, our Managed Security Services (MSS) group provides some of the best managed security services to customers according to the Gartner Magic Quadrant. Why not let your security staff concentrate on adding real security value and outsource your security device management to us?

Finally, VeriSign's Global Security Consulting (GSC) practice provides a valuable mix of Risk & Compliance and Technical services. From PCI to Application Testing and Code Review, we do it all. Our consultants are seasoned (average 8-9 years experience) and provide customers with executable, tactical solutions rooted in sound security strategy to all levels of management.

April 08, 2008

Arrived at RSA!

Well, even the FAA's nit picking couldn't keep me away!

I'm sitting at the InterContinental waiting for some associates. There's a very interesting crowd here at the conference. I'm looking forward to getting out to the city later on!

April 07, 2008

Are you at RSA?

I arrive tomorrow and will see you there! Please stop by the VeriSign booth!

April 04, 2008

The Cart Before the Horse (and you can too!)

Clement James writes about a security expert that slams PCI, stating that the breach in the news "was almost certainly the work of hackers exploiting a single code flaw on internal systems." The expert goes on to say that "PCI takes a relaxed attitude towards internal machines."

While I agree that there is room for improvement on internal controls for PCI, remember, it's not designed to protect your entire enterprise. It is a baseline, and you should layer security on top.

The challenge is this. Not until the end of last year did we see a compliance validation rate exceeding 60% among Level 1 merchants. If you make the standard too hard, you will have little or no adoption. You have to wait until you have enough momentum to add more security into it, but you will always have stragglers. The adoption rate would easily be less than 25% if there were more standards on internal encryption or device security.