PxI

What’s your secret question redux

ekleintop — Wed, 22 Jul 2009 12:23:16 +0000

That recent Twitter hack relied on, guess what, resetting a password using secret questions. Read the details here.

Nevada mandates PCI-DSS

ekleintop — Wed, 24 Jun 2009 12:35:40 +0000

Nevada is the first state to pass legislation that requires companies doing business in the state processing credit cards to comply with the PCI-DSS. Suprising they beat Cailfornia to the punch, but I suspect other states will follow suit in short order. Read here.

MasterCard – On-site assessments extended to level 2 merchants

ekleintop — Fri, 19 Jun 2009 13:11:53 +0000

Looks like as far as self assessments are concerned MC thinks the fox hasn’t been guarding the hen house very well. Starting in Dec 2010 level 2 merchants will have to undergo on-site security assessments ala level 1 merchants. Even though this is a MC only requirement the effect will be felt by all level 2 merchants. Read here.

Mid week challange

ekleintop — Wed, 10 Jun 2009 14:19:20 +0000

Here is a little challenge, maybe not so little, to get your security juices flowing again. It’s some security 101 stuff, that low hanging fruit that can close the door on a possible breach. When was the last time you bounced your user accounts (Active directory, ‘nix, remote access) up against an active employee listing? Against a list of active contractors/temps? Do you even have such lists? My experience has been it either never has been done, has been a while, or the lists do not exist. The 2009 Verizon Data Breach Report noted several instances of breaches that were a direct result of active user accounts being used by recently terminated employees. This is simple stuff that gets overlooked but goes a long way in improving your security posture.

If you are not a script writer like me take a look at DumpSec from the SystemTools folks. It’s a great little free app that will dump your Active Directory accounts (sorry ‘nix folks but you are better script writers than the Windows crew, right?) into a file for import into your favorite spreadsheet/DB. Add your employee/contractor/temp lists, shake and stir, and viola!

Overworked government workers flub..

ekleintop — Wed, 03 Jun 2009 20:57:19 +0000

It’s no big story that a government office has manged to release sensitive information again. It’s the excuse in the second half of the article I find disturbing. In a statement from a Government Printing Office (GPO) spokesman they suggest the error was due to the “sheer volume” of documents the GPO processes. Read entire article here.

“On average, the GPO produces “approximately 160 House documents each Congress,” the statement said. During the 109th Congress, the GPO produced 157 reports, while in the 110th Congress, 161 reports were published, the statement said.”

That’s 160 WHOLE documents? Am I missing something? That works out to less than 1 document a day, assuming they are all processed during the session (if my math is correct .65 per day is the result of 157 docs /242 days). I’ll email Mike over at Dirty Jobs to see if he is up for the challenge.

What’s your secret question?

ekleintop — Tue, 19 May 2009 12:45:37 +0000

Passwords are our front doors to all sorts of sensitive data & information. So what’s your Mother’s maiden name? Read here.

Schecter’s paper. (PDF link)

Schneier’s take back in ’05.

Two cost of breach studies

ekleintop — Fri, 15 May 2009 19:47:40 +0000

For your weekend reading, here are some studies from the Ponemon Institute on the costs of data breaches.

The Fourth Annual Cost of a Data Breach PDF link. A related report is Ponemon’s 2008 Annual Cost of a Data Breach Study. Get it here (free registration required).

The Cost of a Lost Laptop PDF link.

Inside a data leak audit

ekleintop — Tue, 12 May 2009 14:40:57 +0000

E-mail can be a big source of potential data exposures. Read here.

I like the advice that you have to take the encryption decision out of the senders hands, they will inevitably forget to encrypt something sensitive.

How to destroy digitally stored information

ekleintop — Wed, 06 May 2009 15:14:24 +0000

PCI, Federal, and many state PII regulations require the proper destruction of data when an organization is done with it. Here is an overview from CSO on data destruction methods.

PCI’s Grading System Is Failing

ekleintop — Thu, 30 Apr 2009 13:24:29 +0000

The author discusses the concept of bringing risk analysis into the compliance grading process. Sounds very sensible to me. I am of a mind that for most large organizations being 100% compliant with PCI is a fleeting task. I would rather ensure that high risk exposures are thoroughly identified, mitigated, and monitored than attempt to do a less than adequate job across the board to achieve an appearance of 100% compliance. Read here.