Branden Williams' Security Convergence Blog

Enjoy the Holiday!

2008-07-02T12:42:14Z

It's time to celebrate American Independence! I'll be taking a holiday for a few days, but will return next week. I will have a post hit on Monday though, so keep your eyes peeled (ouch?)!

PCI Requirement 6.6 in the news!

2008-07-01T19:13:41Z

The deadline has passed, do you know where your ~~children~~ web application firewalls are? If you scratched your head and then saw a shiny object fly by to steal your attention, you are not alone. Information Security Magazine interviewed me for an article on this topic. Go check it out!

Not all QSAs are created equal!

2008-06-29T19:11:47Z

The PCI landscape is pretty scary out there. If you are a merchant or service provider that is looking for assistance, there is a long line of companies that are ready to help. What should you expect from your QSA? What should your assessment look like to get the best results?

VeriSign reviewed our findings from our customers and wrote a white paper entitled, "Not All QSAs Are Created Equal: What You Should Know Before You Buy" that talk about what you should expect. This paper is a FREE download! Go check it out!

Breach got you down?

2008-06-27T15:49:41Z

Well, it has happened again. I received a rather menacing looking note in the mail today. You know, one of those heavy stock sealed letters that has the perforated edges? Yeah. That kind.

Inside it looks like my information is on a lost tape from a bank. The funny thing is, I don't remember banking with this institution... ever. I have a feeling that one of the brokerage firms I use (or used) was backed by this institution, but nevertheless, I thought of an interesting type of phishing attack that I bet would work. When I looked through this notice, it did appear to have a corresponding breach on PrivacyRights.org. I have already placed my fraud alerts, so I should be good.

But what if it didn't? If I were to target specific individuals (i.e., spear phishing) and tell them that their information was compromised from a large bank and provided a number for them to call for more info, would they readily give me enough information to steal their identity? I think people have started to be wary about clicking on things or giving out information over email, but what about through the mail? Sure it won't have the same reach that electronic attacks will, but how much more lucrative could the loot get?

My thoughts are that it would work remarkably well against those individuals who don't have lawyers reading their mail, and especially some of the elderly population.

PIN Security finally catching up?

2008-06-25T14:51:49Z

Wired reports that a Citibank hack may be responsible for a recent ATM crime spree. Edit: Looks like some arrests have been made! I've discussed issues around hacking ATMs and challenges with skimming in the past, but this one appeared to be pretty lucrative. While bank networks are not impenetrable, attacking endpoints is becoming much easier and more lucrative.

Anyone remember the old days when you had to make sure the ATM you were going to use was real? Speaking of that... Ladies, you should beware of this.

Something of interest to me... As a consumer, do you check your bank statement with all of your receipts? Would you know if money started disappearing from your account in $10-$30 increments? Does the state of your personal financial situation dictate your attention to your bank account? I may be a dying breed, but I have been known to spend twenty minutes poring over a bank statement to figure out where I missed a dime.

Listen to my PCI Podcast!

2008-06-20T14:46:48Z

About a month ago an audio guy showed up to my house and pinned a tiny microphone to my shirt for a podcast on PCI. It is a joint podcast with John Pescatore of Gartner. The theme is on managing PCI Compliance.

Go check it out!

Where oh where has my little blogger gone?

2008-06-17T01:41:46Z

I haven't written, called, emailed, faxed, or even sent you guys anything via carrier pidgeon. For that, I grovel at your feet and request my penance (tee hee, I love the occasional translation error, especially when it reminds me of the most beautiful thing I have ever seen). What have I been up to?

Last week was fun. Boston & Cincinnati in two days. Was great seeing many of you out there! Especially when a coworker and I started eating at the wrong party! This week, so far, I have met with the Visa CISP and Incident Response teams over two days, and I am headed home to fly out to Atlanta for a couple of customer meetings. If you are in town, drop me a line!

Some PCI News for you...

The PCI Security Standards Council has announced their community meetings for 2008. We will be there! They have also announced training dates for PA-DSS assessors.

I'm off to DFW!

Are you in Cincinnati?

2008-06-10T02:38:04Z

If so, shoot me an email! I will be there for the 5th 3rd Customer event tomorrow (if I can ever get out of Boston!).

June Edition of Herding Cats

2008-06-05T15:03:34Z

The ISSA has posted the electronic version of the journal, so if you are itching to read what is coming to you via the post, go check it out! My column this month is titled "Don't Get Cyberjacked!"

It may be the first time that the phrase "This ain't your daddy's security incident" and the word "stripper" appear on the same page (or ever) in that fantastic publication. Go check it out!

Is PCI Working?

2008-05-29T15:32:47Z

I was asked this question while sitting on a panel at RSA, and I think the answer depends on your perspective. I'll answer this from a security industry perspective.

If nothing else, you have to credit PCI with forcing the issue. Security among retail enterprises was generally limited to loss prevention and physical security until recently. Information security usually existed as a small and buried team within the Information Technology group, and did not have board level attention. If someone at the board was savvy enough to realize that security reporting to IT is an example of the fox guarding the hen house, then maybe they moved security into Internal Audit.

Now we are seeing a massive amount of development in security and compliance programs. Where companies had a staff of two or three to handle this, they now have large, global teams to deal with this. PCI forced the issue, then higher ups started asking questions about HIPAA, GLBA, and others.

Security teams now report into the office of the CFO, or Legal, and in many cases have their own seat on the board. Budgets are opening up, and money is being spent. Without fail, more issues are found while every stone is turned over to see what bugs lie beneath.

Poetic, don't you think?

The next test is to see if the strategy component has been handled such that you can sustain the support to the organization, and avoid bureaucratic bloat. PCI can't get you there, only good old security process will.

See you at the Gartner IT Security Summit!

2008-05-27T19:22:52Z

Are you making the trek to DC next week for the Gartner IT Security Summit? VeriSign will be there, and I'll be speaking on Monday, June 2, at 4:15PM in Potomac 6. It's time to discuss the classic transmogrification, changing the tactical PCI approach to strategery.

Phew!

Anyway... Come see my presentation or stop by the VeriSign booth!

Will your QSA Breach your Contract?

2008-05-16T15:11:36Z

Your QSA may not be telling you the whole story.

No, I'm not talking about sloppy assessment work. What I'm referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors requires that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement!

In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their contracts! This means that the QSA has a choice. They can either breach the agreement they have with the Council, thus quickly getting them delisted as a QSA. Or, they will breach YOUR contract and send the info along without your consent!

I am surprised that QSAs are doing this, and wondering what their intentions are. If nothing else, if you get a contract without that clause in there, what does that say for the quality of the assessment you will receive?

PCI News Flash! PCI-DSS Version 1.2 to be released in October

2008-05-14T21:10:52Z

If you had any action on the Vegas odds for the release of the next DSS and what it might be called, time to cash in. I was speculating that it would occur around the time of the conference this year, and it would have been called 1.2 (vs 2.0).

Ahh, you win some, and you lose some.

The official release is here, and hints that there may be some new requirements coming down the pipe. They typically give 18-24 months to implement, so no need to panic now. But watch out for more controls around wireless!

Will you meet the 6.6 PCI Requirement by June 30?

2008-05-13T14:52:16Z

Well? Will you?

We're waiting!??

Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computer World writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6.

In this clarification, The Council declared the intent of the code review component to include "Manual web application security vulnerability assessment" and "Proper use of automated web application security vulnerability assessment (scanning) tools." So essentially if you are getting something like VeriSign's Premium Vulnerability Management Service, you meet this requirement. You could also count your penetration test as long as the application has not changed since that penetration test was performed, and it covers the entire application with manual interaction. VeriSign's Penetration Testing services DO cover this.

There will be some merchants that do not meet the requirement; but those merchants have likely been doing just the bare minimum, or "Managing Checkmarks," as opposed to building a sound security infrastructure and fitting compliance inside it. Merchants doing that are probably not fully compliant on any given day anyway.

PCI News Flash! QSA Lookup!

2008-05-09T14:14:54Z

Do you wonder if the consultants that your QSAC sends on-site are actually QSAs? Well now you can check! For some reason, all of VeriSign's QSAs don't appear in this list, but we're diligently working to correct that. I can only imagine the large QSACs are probably flooding Cathy with email right now.