Wednesday, June 13, 2007

Wifi - The Hole You Can Drive A Bus Through?

Having read more about the TJX breach and how it started - with wireless sniffing - and then yesterday sitting in the parking lot of a Danbury, CT shopping center and being able to see 6 wireless networks, all identifiable by a naming convention that tied them back to the retailer, it got me thinking...

Is WIFI the big ubiquitous hole you could drive a bus through?

Yes, the little lock showed up in my wireless 'available networks' scan, but even I - who am only slightly more technically capable than a junior high student - could have pulled down a WEP cracker and had some fun had my lunch appointment been late.

Folks, take a look at WIFI Owl and get scanning yourself before some interested party like me does it for you...


New Frontiers...

It's been far too long since I have contributed something meaningful on my PCI blog, and based on some work I am doing now I felt compelled to finally post something with some interesting implications.

In the past 5 years, having spent a great deal of time in the identity management and compliance space, the one thing that comes up repeatedly is the cost/benefit trade-off of compliance. Historically, the companies I've worked directly with are spending millions on relatively undefined compliance laws and are having a hard time figuring out how to pay for all of this imposed regulation designed to provide accuracy and transparency of financial information.

The PCI Compliance specification is the first compliance directive that was designed by those in the industry rather than by lawyers and politicians, and it is because of this approach that I believe it makes more sense than some of the other stuff out there - HIPAA and SOX specifically. It also spells out the downside of not paying attention to the intent or implementation of controls and what they are designed to do. Way to go on clarity.

The one thing I am starting to have discussions with companies about is how PCI will ultimately be enforced. Will it be the auditors' responsibility to blow the whistle? Will it be based on the materiality of the gaps in their PCI program?

To this end I am working a lot of hours on designing PCI as a service. The biggest reason driving this is cost and where the costs hit a balance sheet. There is a fair amount of infrastructure cost tied to PCI if you're behind the times, and the operational controls and expertise required on an ongoing basis are another thing to consider, since PCI is not an event but something that ultimately must be baked into an organization's operational DNA.

What organizations are trying to figure out is how to keep the capital infrastructure expenses low and work with companies that provide not just auditing but ongoing compliance. Stay tuned for my thoughts on this in the next few weeks, as I am close to a way to do this.

Mark MacAuley
