Tuesday, January 27, 2009

Data breaches and PCI

A lot of people have blogged about PCI (here, here and here) and the latest Heartland breach. While many of them argue about the effectiveness of PCI compliance, I think it is too early to make a judgment on that. One way to measure the effectiveness would be to compare the breaches reported by PCI compliant and non-PCI compliant companies over the course of 6 to 12 months. Of course, this assumes that the PCI compliant companies went through rigorous external audit requirements.

Branden brings up an excellent point in his blog that many of the companies may not be PCI compliant at the time of the breach: "PCI Assessments are point-in-time and many companies struggle with keeping it going every day."

Many of the online PCI scanning vendors are set up to scan for vulnerabilities automatically on a daily basis, so it would be good to know whether these companies were compliant day to day rather than only at the time of a quarterly or annual assessment.

Sunday, January 25, 2009

Top 3 Books

Richard over at TaoSecurity lists the top 7 books he read in 2008. While I read many books in 2008, I am going to list my top 3. These were not necessarily published in 2008.

3. File System Forensic Analysis by Brian Carrier

2. Nmap Network Scanning by Fyodor

1. Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith

Data breaches

The Identity Theft Resource Center tracks the data breaches reported by various organizations, and recently they published their year-end summary. They report that the number of data breaches increased by 47% over the previous year. The full report is here.

Of course, there is a huge increase in theft, and while a lot of this could be attributed to an increase in organized theft, I strongly believe that the majority of these breach disclosures are necessitated by various regulations.

Speaking of data breaches, here is a chilling account of credit card theft and the underground economy. By the end it may read like a movie plot, but it is a true picture of what's happening out there.

While I did quite well on the 2008 predictions, I stopped believing in them because information security has become so unpredictable, with more and more new attacks and threats surfacing on a daily basis. My only prediction is going to be that I am going to be blogging more often.