Jan 24 2009
It’s been a busy week for me. Long days, short nights and report after report to write. I guess the one good thing is that I’ve been home for a while now instead of gallivanting around the country like I sometimes do. What I’m trying to say is there hasn’t been much time for blogging this week, even though there have been some pretty big stories come out this week. I had a lot of fun a couple of times earlier in the week debating the merits of PCI with Jeremiah Grossman and HD Moore, which gave me more than enough fodder for half a dozen blog posts or more. The funny part of the debates is that we all agree that the goal is securing enterprises in a time when more and more breaches are being reported; we just disagree about whether or not PCI is doing anything towards accomplishing that goal. I received a couple of complaints about having the debates on Twitter and even more compliments about the quality of the conversation. Go figure.
Saturday morning reading (aka catching up with the feeds)
- What PCI compliance really means – Michael Dahn draws the distinction between being “PCI Compliant”, being validated during an assessment and being secure. Validation is a point in time, while being compliant is a continuous process. Being secure means taking that compliance and continuing to improve upon it, which is a step many organizations forget. Didn’t I write something on this recently?
- Data breach study ties fraud losses to Hannaford, TJX breaches – One of the most annoying things I read this week is that TJX was giving customers a 15% ‘appreciation’ discount this week to thank the customers for sticking with them. How many of those customers were using their credit cards at a company that was in this position because they were breached in the first place? Now there’s proof that the breach led to fraud and people are still giving TJX more credit cards to lose.
- The new Homeland Security page – So much changed at noon on Tuesday. I wonder if the new DHS will ever step the security alert level in airports down from Orange to Yellow. Or [gasp] maybe even Green! Wouldn’t that be nice.
- PCI Compliant Companies Don’t Suffer Breaches – This is an article that I have a hard time swallowing. The logic is that no company that’s been breached has been PCI compliant (as opposed to validated, read the first article) because deeper inspection found some way they weren’t compliant. But my own experience is that you’re always going to find at least some portion of an enterprise that’s not compliant if you dig deep enough. No one is perfect. And that’s exactly what the bad guys are doing to these big companies, digging and digging until they find the one server in the enterprise that was misconfigured or in the wrong network.
- Making PCI Easier – A Reality/Health Check – Wow, merchants can make PCI compliance easier on themselves by actually applying some resources to the project. Who’d a thunk it? Actually, getting the manpower and tools to become compliant is one of the things that got me excited about PCI when I was a security manager several years ago.
- A Smarter Alternative to PCI – Let’s give merchants the option of complying with PCI, as long as they secure their environments. Oh yeah, that worked soooo well before the PCI requirements started getting what little teeth they have now. Instead they’d go back to ignoring the cardholder environment and concentrate on whatever the other hot project of the day is. Making security optional is a guaranteed failure, instead of the potential failures that happen when merchants meet the standard and don’t go any further.
- Network Solutions under large scale DDoS attack, Millions of websites potentially unreachable
- Monster.com reports theft of user data – I think I have a Monster account. I haven’t checked it in five years or so. If you take the Monster.com breach and add the information to the Heartland breach (which I can’t talk about), you get a huge potential for identity theft. I just hope the two groups that perpetrated these two attacks don’t get together and cross-reference the data.