Branden Williams' Security Convergence Blog

Confused about DLP?

Mon, 21 Jul 2008 09:29:44 -0700

Don't worry, you are not alone. A partnership of several companies released DLP In Depth today, a website that is set off to unravel the mystery of Digital Loss Prevention (DLP). DLP technologies have been around for some time, but last year we saw a fury of activity in that market as RSA picked up Tablus, and Symantec picked up Vontu.

At VeriSign, we regularly recommend using DLP products as part of your security strategy. Knowing where your data lives is the first step to being able to secure it.

So if you are looking for more info on DLP, go check out www.dlpindepth.org!

Thanks to the EUCI!

Thu, 17 Jul 2008 18:40:46 -0700

Thanks to everyone at EUCI and their great hospitality in Vail. I'm looking forward to working with some of you soon!

Are you in Vail for the EUCI Conference?

Wed, 16 Jul 2008 11:16:00 -0700

If so, drop me a line! I'm leaving the home base here in a few hours to head there for the conference. I will be discussing personally identifiable information and why it is important to secure.

After I speak, I'll be high-tailing it to Denver International to catch a return flight home. Hope to see you there!

Looking for a career as a QSA?

Thu, 10 Jul 2008 19:28:58 -0700

Well look no further! Come join VeriSign's Premier Global PCI Consulting practice!! If you are a current QSA in good standing, take a look at the job listings below. If you are a security professional that wants to get into PCI related work, we can train you!

Click here and enter keywords "qualified security assessor" to learn more!

Herding Cats, July 2008 is out!

Wed, 09 Jul 2008 12:46:48 -0700

Before you click on the link to read the article, I should warn you. Things got a little silly with this one. I even had to edit a cleverly-placed word as my editor threw up a little when he hit publish on this one.

SILLY.

Anyway... I hope you enjoy the July edition of Herding Cats entitled, The Forward Looking Future!

Oh, and it looks like Twitter lost me. I'm there, but you can't see my updates. *shrug*

Mind the Storefront!

Sun, 06 Jul 2008 16:18:14 -0700

Dave Taylor has another guest post on StoreFrontBackTalk, this one alluding to a lack of audit resources to mind the storefront (like Minding the Gap!).

Store front security continues to be an issue for retailers even outside of PCI. Take physical security for example. Realize that a major retailer's data center tends to be a hardened facility that is not easily accessed (with the exception of a few notable ones that are for another post). There are security guards, badged access, and sometimes even man traps. Now visit that same retailer's store front. You might find accessible Ethernet jacks, or worse, a system room door that is unlocked or left wide open. Walk into there with an official ID and you might just jack in to that same VLAN or security level as if you jumped through all the hoops at the data center!

The point that Dave makes is the same one I'll make here. There are two things that will greatly mitigate the risks associated with weak physical security in the stores.

Remove all card data from the store (How about most of it? Or just unencrypted data?)
Deploy end-to-end encryption from the POS Terminal to the data center.

Companies that treat their store networks as trusted are fooling themselves. Those networks are either already hacked, or could easily be hacked (even if you ignored the obvious insider threat!). End to end encryption is a best practice for PCI (and in my opinion, it should stay that way for now), but it is definitely an example of layered security on top of compliance that will greatly increase a company's resistance to a breach.

Enjoy the Holiday!

Wed, 02 Jul 2008 05:42:14 -0700

It's time to celebrate American Independence! I'll be taking a holiday for a few days, but will return next week. I will have a post hit on Monday though, so keep your eyes peeled (ouch?)!

PCI Requirement 6.6 in the news!

Tue, 01 Jul 2008 12:13:41 -0700

The deadline has passed, do you know where your ~~children~~ web application firewalls are? If you scratched your head and then saw a shiny object fly by to steal your attention, you are not alone. Information Security Magazine interviewed me for an article on this topic. Go check it out!

Not all QSAs are created equal!

Sun, 29 Jun 2008 12:11:47 -0700

The PCI landscape is pretty scary out there. If you are a merchant or service provider that is looking for assistance, there is a long line of companies that are ready to help. What should you expect from your QSA? What should your assessment look like to get the best results?

VeriSign reviewed our findings from our customers and wrote a white paper entitled, "Not All QSAs Are Created Equal: What You Should Know Before You Buy" that talk about what you should expect. This paper is a FREE download! Go check it out!

Breach got you down?

Fri, 27 Jun 2008 08:49:41 -0700

Well, it has happened again. I received a rather menacing looking note in the mail today. You know, one of those heavy stock sealed letters that has the perforated edges? Yeah. That kind.

Inside it looks like my information is on a lost tape from a bank. The funny thing is, I don't remember banking with this institution... ever. I have a feeling that one of the brokerage firms I use (or used) was backed by this institution, but nevertheless, I thought of an interesting type of phishing attack that I bet would work. When I looked through this notice, it did appear to have a corresponding breach on PrivacyRights.org. I have already placed my fraud alerts, so I should be good.

But what if it didn't? If I were to target specific individuals (i.e., spear phishing) and tell them that their information was compromised from a large bank and provided a number for them to call for more info, would they readily give me enough information to steal their identity? I think people have started to be wary about clicking on things or giving out information over email, but what about through the mail? Sure it won't have the same reach that electronic attacks will, but how much more lucrative could the loot get?

My thoughts are that it would work remarkably well against those individuals who don't have lawyers reading their mail, and especially some of the elderly population.

PIN Security finally catching up?

Wed, 25 Jun 2008 07:51:49 -0700

Wired reports that a Citibank hack may be responsible for a recent ATM crime spree. Edit: Looks like some arrests have been made! I've discussed issues around hacking ATMs and challenges with skimming in the past, but this one appeared to be pretty lucrative. While bank networks are not impenetrable, attacking endpoints is becoming much easier and more lucrative.

Anyone remember the old days when you had to make sure the ATM you were going to use was real? Speaking of that... Ladies, you should beware of this.

Something of interest to me... As a consumer, do you check your bank statement with all of your receipts? Would you know if money started disappearing from your account in $10-$30 increments? Does the state of your personal financial situation dictate your attention to your bank account? I may be a dying breed, but I have been known to spend twenty minutes poring over a bank statement to figure out where I missed a dime.

Listen to my PCI Podcast!

Fri, 20 Jun 2008 07:46:48 -0700

About a month ago an audio guy showed up to my house and pinned a tiny microphone to my shirt for a podcast on PCI. It is a joint podcast with John Pescatore of Gartner. The theme is on managing PCI Compliance.

Go check it out!

Where oh where has my little blogger gone?

Mon, 16 Jun 2008 18:41:46 -0700

I haven't written, called, emailed, faxed, or even sent you guys anything via carrier pidgeon. For that, I grovel at your feet and request my penance (tee hee, I love the occasional translation error, especially when it reminds me of the most beautiful thing I have ever seen). What have I been up to?

Last week was fun. Boston & Cincinnati in two days. Was great seeing many of you out there! Especially when a coworker and I started eating at the wrong party! This week, so far, I have met with the Visa CISP and Incident Response teams over two days, and I am headed home to fly out to Atlanta for a couple of customer meetings. If you are in town, drop me a line!

Some PCI News for you...

The PCI Security Standards Council has announced their community meetings for 2008. We will be there! They have also announced training dates for PA-DSS assessors.

I'm off to DFW!

Are you in Cincinnati?

Mon, 09 Jun 2008 19:38:04 -0700

If so, shoot me an email! I will be there for the 5th 3rd Customer event tomorrow (if I can ever get out of Boston!).

June Edition of Herding Cats

Thu, 05 Jun 2008 08:03:34 -0700

The ISSA has posted the electronic version of the journal, so if you are itching to read what is coming to you via the post, go check it out! My column this month is titled "Don't Get Cyberjacked!"

It may be the first time that the phrase "This ain't your daddy's security incident" and the word "stripper" appear on the same page (or ever) in that fantastic publication. Go check it out!