July 01, 2008

PCI Requirement 6.6 in the news!

The deadline has passed, do you know where your children web application firewalls are? If you scratched your head and then saw a shiny object fly by to steal your attention, you are not alone. Information Security Magazine interviewed me for an article on this topic. Go check it out!

May 27, 2008

See you at the Gartner IT Security Summit!

Are you making the trek to DC next week for the Gartner IT Security Summit? VeriSign will be there, and I'll be speaking on Monday, June 2, at 4:15PM in Potomac 6. It's time to discuss the classic transmogrification, changing the tactical PCI approach to strategery.

Phew!

Anyway... Come see my presentation or stop by the VeriSign booth!

May 06, 2008

Brando, On Writing

Greetings everyone! Go check out my guest post on Karen Swim's fantastic blog, Words for Hire.

"Step 1: Extinguish the precipitous rubescent LED-based luminosity!"

April 30, 2008

Are we ever safe?

The Register is reporting that McAfee's "Hacker Safe" sites are not so much. In the security industry, we typically refrain from saying things are 100% secure, simply because the only 100% secure computer is the one that does not exist.

April 24, 2008

Tee Hee - Eee Pee Cee

GloboTV (via Gizmodo) has a story (in Brazilian Portuguese) about some crooks who used the Eee PC to steal customers' debit information at ATMs.

Tee Hee.

April 19, 2008

Herding Cats, April 2008 is out!

If you are not a member of the ISSA, click here to go sign up! I am a monthly columnist in the ISSA Journal--the publication for the association. This month I tell you how you can learn something from the Department of Homeland Security and Ron "Tater Salad" White.

April 09, 2008

VeriSign wins "Best Security Company of the Year!"

Thanks SC Magazine! We've been recognized as the Best Security Company in 2008! Here's the part of VeriSign that I represent!

VeriSign's Enterprise Security Group (ESG) provides a best-of-breed suite of solutions for global companies. It begins with our iDefense Intelligence Service, which provides detailed threat information in advance. Vendors are notorious for taking anywhere from 90-180 days to patch discovered vulnerabilities. iDefense can help you understand how to mitigate before patches are available.

From there, our Managed Security Services (MSS) group provides some of the best managed security services to customers according to the Gartner Magic Quadrant. Why not let your security staff concentrate on adding real security value and outsource your security device management to us?

Finally, VeriSign's Global Security Consulting (GSC) practice provides a valuable mix of Risk & Compliance and Technical services. From PCI to Application Testing and Code Review, we do it all. Our consultants are seasoned (average 8-9 years experience) and provide customers with executable, tactical solutions rooted in sound security strategy to all levels of management.

March 24, 2008

Electronic "Muddy" Footprints?

Sharon Gaudin at Computerworld writes about a new way to use RFID tags. In this article, a new physical security technique is discussed where a worker who walks into a restricted area would pick up hundreds of tiny RFID sensors on their shoes. As they track their feet across the doormat on the way out, sensors pick up that this employee has entered a restricted area, and then release the hounds.

Cooler than LED Throwies? You be the judge.

March 21, 2008

All QSAs Are NOT Created Equal!

In an unpublished (and scrapped to my knowledge) Top 10 Security Predictions for 2008, I predicted that we would see a breach in 2008 from an entity that had validated compliance (hey, come on.... It's true, I promise). Does that mean that the standard is not tough enough? Or that companies validating compliance are having a hard time maintaining it? Or possibly that a QSA is not doing their job properly?

The first has been discussed at length in the industry. While there are loud detractors to the standard, insiders agree that compliance does not equal security. Compliance is a baseline and security should be layered on top. The PCI standard as it stands is GOOD. Getting companies to comply and build additional security on top is the challenge. If I had a hundred dollars for every time I heard the phrase, 'What is the bare minimum I must do to comply,' this blog would not exist.

Unfortunately, with something as divisive as PCI, you will have people complaining about how hard it is, and then folks saying it's not hard enough. Rock? Meet hard place.

For the second, VeriSign answered struggling (shout-out to the P1) entities' cries for help and instituted a service called PCI Program Management. This longer process sets up a program to support and maintain PCI. If you have an existing security program, we work within the guidelines of that program, and hopefully help improve it overall. Our goal is to get companies set up to maintain compliance on their own, as opposed to being afraid that one of the thousands of change control documents is overlooked and pushes them out of compliance.

That last one is a big ouch, but if you have been dealing with PCI for some time it makes perfect sense. How can it be possible to get a small PCI Assessment quote for 15K from one vendor and a 40K quote from another? We must not be comparing apples-to-apples. Do you notice that some QSAs are easier than others? How much management confidence do you have in the findings from the assessment? 15K or 40K?

The great QSA equalizer of 2008 was supposed to be the PCI Q/A Program that the council is instituting this year, not a breach of a validated entity (remember, validated is not the same thing as compliant). Time will tell as details come out how this will affect the industry, but I am betting it will force entities to look more closely at the QSA's work product.

Merchants & Service Providers alike can help prevent something like this from happening by first checking the history of the QSA and lobbing a couple of hardball questions prior to starting the engagement. The answers can tell you how effective the assessment will be. Is the majority done remotely? Do they recommend achievable controls? Are they missing things that you know are not compliant?

But most importantly, entities subject to PCI can avoid this by building a solid program to maintain their PCI compliance day-in and day-out. Don't aim for the minimum, aim for security without impacting the business. VeriSign believes in this mantra and ensures that its importance is conveyed to our customers.

March 07, 2008

Rerouting the Boss's Luggage?

StorefrontBackTalk's Evan Schuman writes about a serious hole in an airport wireless network that could allow people to reroute luggage.

Oops... More reasons to carry-on.

As it relates to PCI, VeriSign has extensive experience in the travel industry and has dealt with some of the challenges that airlines have. Like a few other industries, it is very unique in its constraints around compliance and security. For instance, something you may not know is that the airports typically own all of the networking and computing equipment used by their tenants. So unlike most companies that have control over the chain of systems that deal with sensitive data, airlines may be forced to start off with a lack of control at the front lines.

Hopefully, this incident will be a reality check for airports.

March 03, 2008

Credit Card Security Code Broken by UV Students

WJLA News reports that a University of Virginia graduate student and two fellow hackers have cracked code contained in smart cards. Information security rears its head again!

The company claims they only got a portion of the code, but depending on what they got, it could be enough to launch a feasible attack against those keys. Any reduction in bits can make a huge difference in the time required to retrieve a key.

You know, those smart card guys would have gotten away with a sub-par setup if it weren't for those meddling kids...

February 27, 2008

Dude! Will you blog or something?!

Greetings folks! How about a headline wrap-up? Ready? OK!

What a week!

January 30, 2008

Darn those crafty Cybercrooks!

USA Today had an interesting article on Monday detailing how Cybercrooks are getting craftier (is that a word? more crafty? more craftierest?) with the scams designed to trick people into parting with personal information. A couple of the attacks listed include:

  • Email greeting cards that give intruders control of your router (specifically a popular router in Mexico).
  • Turn-key phishing kits with everything needed to create bogus bank websites.
  • Click fraud targeting small e-commerce sites to drive up fake ad revenues for crooks.

And here's someone else with too much time on their hands (thanks Springtown!)!

January 29, 2008

More Utility Hacking

As a follow up to the last article, here's a pretty interesting story about a teenager in Poland who figured out a way to control how trains change tracks. He didn't hack through the internet, or some rogue access point at a station. He used a TV remote.

Between this and the Boeing 787 Dreamliner's issues, I wonder if this will force companies to take a hard look at the software they use to drive their products.

January 23, 2008

New battery restrictions got you down?

After getting an extended battery for my laptop (yaay! Less whipping out the iGo for power on the plane!), I am wondering if anyone has had problems with the new TSA Battery Guidelines. My battery is well below any proposed limit, and I rarely check bags (thank YOU London Airports!), but it seems any time a new TSA regulation is put into place there can be some difference in interpretation.

What say you?

December 12, 2007

USA Today warns of Evil Twins

While sitting in the Courtyard this morning in Sterling, VA, I saw that Dan Frost of USA Today is warning of the Evil Twin problem with wireless networks.... again. I seem to remember seeing this pop up in the past, but this problem has been around as long as wireless has been in cafes.

So, watch out.... again!

November 25, 2007

Why the NRF is dead wrong

According to an interview on 60 Minutes, the National Retail Federation's position (says Dave Hogan, NRF's CIO) is that the Card Associations are at fault for credit card fraud because the card associations require retailers to store consumers' CC data. I can't believe how wrong these guys are and that they are taking the national spotlight to try and scare consumers into believing this lie.

He also says he is not sure how vested the credit card companies are in securing customer data. The funny thing is the whole PCI Standard "thing" came BECAUSE the card associations are interested in securing customer data, not the other way around.

And the notion of fines being a revenue stream is absurd. Look at the amount of cash that issuers and the members of Visa & MC are charged in fraud losses each year. We all hope that these fines go to promoting securing credit card data and lessening the impact of compromises to issuers. Do they? I certainly hope it is not another "Let's get a state lottery to fund public education" bit.

Visa & MasterCard DO NOT require retailers to store customer data. Retailers sometimes do this as a convenience due to some failure in the process, such as a missed transaction. But the real problem comes in the lack of data cleaning and disposal by those collecting it.

There is absolutely no reason to keep a full credit card past settlement.

...

Stop and think about that.

NO REASON to keep the data past settlement. Yet millions of retailers do! Why? Convenience? Cause the "man" is out to get them and withhold revenue?

Nah, more likely, "Because that's the way we have always done it." In fact, we've had customers who have decided that they will just take chargebacks as an acceptable loss because the cost of securing and holding data is too expensive.

Acquirers can and have offered to store data on a retailer's behalf, but of course for added cost. Big surprise, security costs! Because so many retailers drive cost through the floor, they accept risk they cannot afford. Did TJX think they would spend over a half billion dollars this year cleaning up after a horrible breach? Probably not.

Mark Rasch is also seen in this piece and is absolutely correct in that retailers do not do enough to help secure data. Why not? Because it is not in their nature!

Retailers are good at retailing, not information security. Identity Theft is forcing retailers to grow security brains and start to implement good controls to protect customers' data. Does your company? Is your company taking the "I'm compliant until I'm compromised" stance?

Will it take a TJX-like event happening to your company to get the fire started?

October 30, 2007

ISSA features "Strategies for Eliminating Cardholder Data"

Have you got your ISSA Journal for October in the mail yet? If not, click on over to their website and you will see that they featured my article!

October 23, 2007

Missing fake bombs?

USA Today published a rather comical headline last week about airport security and security screening -- Most fake bombs missed by screeners.

FAKE bombs.

Wouldn't you want to let FAKE bomb parts pass through and catch the ACTUAL bomb parts? I'm not sure what this study shows. Does it show that the TSA is doing their job well? Hard to say. I think it would be interesting if they redid the study (with some kind of get out of jail free card) with ACTUAL bomb parts. I can only hope that they would be stopped.