This is just too funny to resist.
I might open up a little on this blog from time to time but you won't find a picture of me in a fairy costume, clutching a beer, when I'm supposed to be at work. Oh the joys of Facebook.
Saturday 23 August 2008
Friday 22 August 2008
PCI DSS update
An update to the Payment Card Industry Data Security Standard (PCI DSS) has been announced with a preview/summary of the changes due for release in version 1.2 on 1st October.
Most of the changes are classified as clarifications of existing requirements but controls for wireless networks caught my beady eye. On the one hand, PCI DSS semingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by.
Examples of "critical employee-facing technologies" that ought to be covered by security policies will be expanded to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)". I'm pleased to say that we have been covering those issues for years in the NoticeBored security awareness service, and will be covering them all before the end of this year [RATs were mentioned in the malware module in March. We're currently finalizing next months module on email security right now, and researching for a forthcoming module on 'securing portable IT devices' for release in December.]
Employees will be required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”. Note the wording: employees will have to acknowledge the policies and procedures. Management's focus will be on getting bits of paper signed or learning management systems ticked once a year, rather than confirming that employees actually understand and recall the policies or pushing for more frequent awareness and training. That's another opportunity missed. Ho hum.
Against this background, I'll be just a touch more cynical next time someone complains about the 'PCI DSS compliance overhead', and even more careful about giving anyone my payment card details.
[Thanks to the Security Warrior, Anton Chuvakin, for alerting me to this. Anton's home turf is security logging but like many infosec pros, he has fingers in many pies.]
Most of the changes are classified as clarifications of existing requirements but controls for wireless networks caught my beady eye. On the one hand, PCI DSS semingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by.
Examples of "critical employee-facing technologies" that ought to be covered by security policies will be expanded to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)". I'm pleased to say that we have been covering those issues for years in the NoticeBored security awareness service, and will be covering them all before the end of this year [RATs were mentioned in the malware module in March. We're currently finalizing next months module on email security right now, and researching for a forthcoming module on 'securing portable IT devices' for release in December.]
Employees will be required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”. Note the wording: employees will have to acknowledge the policies and procedures. Management's focus will be on getting bits of paper signed or learning management systems ticked once a year, rather than confirming that employees actually understand and recall the policies or pushing for more frequent awareness and training. That's another opportunity missed. Ho hum.
Against this background, I'll be just a touch more cynical next time someone complains about the 'PCI DSS compliance overhead', and even more careful about giving anyone my payment card details.
[Thanks to the Security Warrior, Anton Chuvakin, for alerting me to this. Anton's home turf is security logging but like many infosec pros, he has fingers in many pies.]
Wednesday 20 August 2008
Help for ISO27k implementers
Over at ISO27001security dotcom I've just posted:
- a 2.2Mb ZIP file containing the full contents of the free ISO27k Toolkit
; and
- a printoutable PDF version of the ISO27k FAQ.
Although they are already useful and generating good feedback, these are both works-in-progress. Further contributions to the toolkit and FAQ are always welcome. If you have implemented the ISO27k standards, are there policies, procedures etc. that you would be willing to donate to the cause? If you wish, I can help you format them to suit the purpose, for example removing any proprietary content to make them generic and adding a Creative Commons license. In return, you will be openly acknowledged as the contributing author in the material and on the website. Clearly, it is vital that you either personally own the materials you submit or have the copyright owner's express permission since they will end up in a public forum.
Visit the website or contact me (Gary@isect.com) for more info.
Subscribe to:
Posts (Atom)