You can't secure what you don't acknowledge.SM

Friday, June 27, 2008

What does "qualified third party" mean in PCI 6.6?

There's been a lot of hoopla surrounding PCI DSS requirement 6.6, which becomes mandatory next week. Even with all the noise, there is some good news for both covered entities and independent security professionals such as yours truly. In the PCI DSS requirement 6.6 Information Supplement document, the first sentence at the top of page 3 states: "Manual reviews/assessments may be performed by a qualified internal resource or a qualified third party."

But nowhere - anywhere - have I been able to find out what "qualified third party" means... until today. Yep, straight from the horse's mouth: the PCI Security Standards Council told me:

"Req 6.6, it is any independent, qualified security organization with expertise in application security." Dealing with all those high-end "QSAs and ASVs" (the whole process of which I think is a ridiculous sham) who may have questionable quality is not necessary! Any little old security peon like me could do these types of assessments. I feel honored.

Wow, a free market concept where everyone wins... There are some good snippets coming out of the regulatory world every now and then after all, I suppose.

BTW, in case you haven't seen the links I posted in the past couple of weeks, here are two reality-check articles I wrote regarding the PCI requirement 6.6 code reviews and web application firewalls that you'll enjoy:

The realities of PCI DSS 6.6 application code reviews
The realities of using WAFs for PCI DSS 6.6 compliance

Thursday, June 26, 2008

Does FACTA really exist? Send up a Red Flag!

I spoke recently for a group of technically savvy accountants. Out of the 120 or so people in the audience, 2 raised their hands when I asked if anyone was aware of the impending FACTA requirements for identity theft protection measures at financial institutions. Two people, folks! OUCH.

Sign of the times in information security I suppose...

Good management yet bad results? No way!

I was watching my favorite TV channel yesterday (SPEED) and heard well-known racer Tommy Kendall say something that struck a chord. He was actually quoting Carlos Ghosn, head of Renault, who said:

"There's no such thing as good management with bad results."

I immediately thought, hey, this ties into what I do for a living.

Many, many people believe they have information security under control, yet time and time again they come up short in their security assessments - or worse - they have a breach. This stuff happens and they're up in arms. They don't understand what happened. They claim to have firewalls, a good network admin, and formal security policies... what gives, they ponder.

Folks, good security is not merely the presence of firewalls, a good network admin, and formal security policies. It's about making these things and others all work together in the right way, day in and day out. This means management pulling their heads out of the sand and realizing that security is a business issue that needs their attention. This thing called information security takes thorough, consistent leadership and hands-on management every day of the week.

Wednesday, June 25, 2008

Ignorance is bliss when it comes to patching database servers

I just saw this bit today about admins not patching database servers. So, it's not just me that sees ignorance in action when it comes to admins not wanting to patch their database servers. I can't tell you how many times I've found database flaws directly exploitable from the inside, all because an admin didn't want to patch the system. I'm talking about full command prompt access to database servers in a matter of minutes using nothing but free tools. You can't tell me everyone on the network can be trusted!
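As an added example (not from the original post), here is a T-SQL check an admin can run to see two of the things that turn an unpatched database server into a command prompt: how far behind the build actually is, and whether the OS-level escape hatches (xp_cmdshell and friends) are switched on. It assumes SQL Server 2005 or later (sys.configurations does not exist on SQL Server 2000) and a login with sysadmin rights; the configuration option names are the real ones, nothing else here is specific to any particular environment.

```sql
-- Added example, not from the original post. Assumes SQL Server 2005 or later
-- and a login with sysadmin rights.

-- 1. What build is this server actually running? Compare product_version and
--    product_level against the vendor's current service pack / hotfix list.
SELECT
    SERVERPROPERTY('ProductVersion') AS product_version,  -- e.g. 9.00.3068.00
    SERVERPROPERTY('ProductLevel')   AS product_level,    -- e.g. RTM, SP1, SP2
    SERVERPROPERTY('Edition')        AS edition,
    @@VERSION                        AS full_version_string;

-- 2. Which OS-level escape hatches are on? A 1 in value_in_use means a SQL
--    injection flaw or a guessable sa password becomes a shell on the box.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled')
ORDER BY name;

-- 3. Who already has the keys: every sysadmin member plus the state of sa.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
   OR sp.name = 'sa'
ORDER BY sp.name;

-- 4. Hardening: turn the escape hatches off. sp_configure only exposes them
--    while 'show advanced options' is set. This shrinks the blast radius of a
--    missing patch; it does not replace installing the patch.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Run sections 1 through 3 first and keep the output; section 4 changes server state, so run it only after confirming no application depends on those options. Note that on SQL Server 2000 xp_cmdshell was enabled by default and there is no sys.configurations, so on that version the build check and a look at who holds sysadmin are the parts you can still do.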

I wrote an article about this VERY thing. If you want to read it, here it is:
SQL Server patch pros and cons
It doesn't get much more bury-your-head-in-the-sand ridiculous than this. Oh wait, why am I complaining! This is the kind of stuff that keeps me employed. :)

Tuesday, June 24, 2008

Good security resource worth checking out

If you haven't been over to NIST's National Vulnerability Database site lately, it's worth checking out. There are tons of good info on system hardening, vulnerability research, and more. If you're here in the U.S., you helped fund it, so you might as well use it, right?

Monday, June 23, 2008

You don't say...A new Mac Trojan?

They haven't had one in a while, so it's about time again.

New Mac Trojan Disables Security, Steals Passwords

My security content from last week

I was out the latter part of last week, so I missed my 'deadline'. Here's an article hot off the press that you may be interested in:

The realities of using WAFs for PCI DSS 6.6 compliance


As always, check out all of my past articles, webcasts, podcasts, and more.