InfoSec Professionals

Aspiring or current professionals in the information security business.

It's a tough job. Maybe one of the toughest in the tech field, as we need to be prepared for anything to happen to everything. Let's share wisdom and help each other.

Network Leader: Ray Pompon
 
Ray Pompon Thought experiment from a colleague -

This is a hypothetical – If I operate a store where you buy stuff and every time you use a CC, I perform a 1 way hash of the card # to reference a database and stuff the purchase info in, theoretically the only way to get the data for customer X from the database is to have their CC.

Is there ANY PCI implication of associating the one-way hash with the purchase data, even if I include EVERY other PCI trigger (name, address)?

19 weeks ago from InfoSec Professionals
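As an added illustration of the hypothetical above (example code written for this page, not from the poster or from Brazen Careerist): a purchase table keyed by a one-way hash of the card number. It uses a keyed hash (HMAC-SHA256, key held outside the database) rather than a bare digest, because a bare hash of a 16-digit PAN with a public issuer prefix and a Luhn check digit leaves only about 10^9 candidates per BIN to recompute; the key, the test PANs and the purchase records are all constructed.

```python
"""Added example: keyed one-way PAN tokens for a purchase lookup table.

Sample PANs below are constructed test numbers, not real cards.
"""
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def unkeyed_search_space(pan_len: int = 16, bin_len: int = 6) -> int:
    """Candidates needed to invert an UNKEYED hash when the issuer BIN is
    known: the free digits minus the Luhn check digit (10**9 for 16/6)."""
    return 10 ** (pan_len - bin_len - 1)


def pan_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the full PAN under a secret key kept outside the DB.
    Same PAN + same key -> same token, so it serves as a stable lookup key."""
    if not (pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def record_purchase(db: dict, pan: str, key: bytes, purchase: dict) -> str:
    """Store purchase data under the token; the PAN itself is never stored."""
    token = pan_token(pan, key)
    db.setdefault(token, []).append(purchase)
    return token


def purchases_for(db: dict, pan: str, key: bytes) -> list:
    """Retrieve history: requires both the card number and the HMAC key."""
    return db.get(pan_token(pan, key), [])


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-an-hsm-or-vault"   # constructed
    store: dict = {}
    record_purchase(store, "4111111111111111", key, {"item": "widget", "usd": 9.99})
    print(purchases_for(store, "4111111111111111", key))
    print("unkeyed candidates per BIN:", unkeyed_search_space())
```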

 
Ray Pompon Rather than asplode a bunch of 2010 predictions, I thought I'd just focus on one big one with many facets http://assumebreach.blogspot.com/2009/12/everyone-else-is-doing-predicti...

30 weeks ago from InfoSec Professionals

Paul McGinley: Great post Ray. (In regards to number two:) As one in the physical security sector I can say that this has a huge potential for loss and damage in the physical world as well. Information gained in phishing attacks can easily be used to breach a physical perimeter as well as gain access to data in a virtual environment.
28 weeks ago
Ray Pompon: Thank you. Indeed, physical attacks are often a blind spot for most infosec folks. And blended attacks -> use cyber to enable a physical attack or vice-versa is a common avenue but often overlooked in assessments.
28 weeks ago
 
Dr. Anton Chuvakin >breaks usefulness

Well, I've seen cases where a little creative thinking allows them to skip PAN storage and still preserve business usefulness.

In some cases, this is clearly impossible; but maybe they can outsource to somebody who can protect the data better.

33 weeks ago from InfoSec Professionals

 
Ray Pompon PCI mandated encryption is a fare - other than laptop encryption, how many people under PCI actually implement crypto for their applications that process PANs (ccard #s)? Most of what I see are "compensation controls" because crypto is too expensive to do. What's your take?

34 weeks ago from InfoSec Professionals

Dr. Anton Chuvakin: Yup, my point exactly: tokenization or simply not touching the data by using other technologies works wonders to PCI scope, cost, etc.
33 weeks ago
Ray Pompon: But what about those who cannot tokenize or remove the PANs from their applications because it breaks the business usefulness of the system? I've seen quite a few cases of large corps where it wasn't cost effective to alter the data in any way within the legacy app.
33 weeks ago
 
Ray Pompon My mentor had lunch with Peter Newmann today. Lots of interesting things heating up in SmartGrid security.

47 weeks ago from InfoSec Professionals

Michael Stephen Ruiz: Have we (meaning those heavily involved in the SmartGrid development) integrated preventive security measures through the process lifecycle? And if not, why not?
34 weeks ago
Ray Pompon: Sounds like you need to come to the SmartGrid conference our chapter is putting together this summer.
34 weeks ago
 
Ray Pompon: Thanks to Anton Chuvakin blogging a link to this article, I've got some terrific feedback and comments going. I'm thinking of combining this idea with my deceptive defense talk (http://www.iedtalk.com/) and doing something more with it.
35 weeks ago
 
Ray Pompon Culling through about a half decade of my talks, I decided to dig up some more exclusive content for this forum.

44 weeks ago from InfoSec Professionals

Ray Pompon: And websense is blocking access? Interesting.
44 weeks ago
Kevin Durbin: Not specifically your sites/links, just computer/network security words in general; we are a lower-tier site, but still are IS/IT so not good
44 weeks ago
 
Ray Pompon Just published an article on risk analysis that some may be interested in. DL here http://www.planetheidi.com/Communique-Aug%2009-Risk.pdf

47 weeks ago from InfoSec Professionals

Dean Soto: Mind if I pass this along to some of my IA classmates? This is some good stuff! Timely too.
44 weeks ago
Ray Pompon: Sure. Some of the material is actually based on a lecture I did in the UW IA program.

44 weeks ago
Ray Pompon: There should be an Atom link at the bottom of the main page http://assumebreach.blogspot.com/
47 weeks ago
Kevin Durbin: I didn't realize initially the Atom link would work for RSS feeds in Google Reader; thankfully it does and I'm subscribed
45 weeks ago
 
Kevin Durbin Hello from NC! While not an official title - still, infosec is a big part of my job. Good to see there is a group dedicated for this area.

47 weeks ago from InfoSec Professionals

 