nCircle Sync Blog: February 2010 Archives

February 25, 2010

RSA Conference Twitter Badge Mod

Again this year, the folks at the nCircle booth will be providing customized RSA badge mods with your twitter handle.
[Image: twitter_badge_small.jpg]

We've made things really simple to request your own:

Follow @ncircletweets
Send us a DM that you'd like one for yourself.
Come by the booth (#1023) at RSA for pickup.


February 23, 2010

nCircle Announces Patch Priority Index

Each time a vendor releases patches, I answer the same questions about prioritization. Which new patch is the most important? How is enterprise IT going to tackle this new work?

At nCircle, we know from customers and other publicly available sources that most companies need at least 60 days to complete a patch deployment cycle. Every day a new deluge of patches is released, and every group of new patches kicks off a new cycle of patch management steps: each patch must be evaluated, prioritized and scheduled. Information security managers are continually juggling decisions about risk, prioritization and resource allocation, and the variables change every time a vendor releases a new set of patches.

Today, nCircle announced the Patch Priority Index (PPI), a monthly ranking of the top 10 highest-risk vulnerabilities from key vendors such as Microsoft and Adobe. The ranking is adjusted over time to reflect how a vulnerability's risk changes. The PPI helps prioritize risk reduction decisions by evaluating new patches within the context of the bigger security picture, and it acknowledges that not all patches may be deployed before the next group of patches is released.

The idea for this index grew out of community discussions with customers, partners and vendors. The Patch Priority Index is free and publicly available; nCircle is providing it as a service to the information security community.

We hope that the service will provide a repeatable, consistent and complementary metric that IT security teams can use to prioritize the most critical vulnerabilities effectively.

Patch Priority Index rankings are based on key elements of nCircle's Risk Score and include a time component that is unique among scoring systems: each new patch is prioritized within the context of all patches the same vendor released in the preceding twelve months.

The Patch Priority Index debuts for Microsoft vulnerabilities in March; other key vendors will follow.

The most recent Patch Priority Index may be found here.

For information on the nCircle risk score algorithm, please check out our whitepaper.


February 22, 2010

How does a consumer report PCI non-compliance?

This past Saturday my son and I were having a "boys' day". My wife was out having fun all day and the boys were left to be boys. Dinnertime rolled around and we were having too much fun playing LEGO Indiana Jones to even consider making food. So I treated him to a stereotypical boys' dinner: video games and pizza. This was when the fun turned into fear.

Moments after ordering pizza online from our favorite local pizzeria, the phone rang.

Caller: "This is Joe from the local pizza place, calling to confirm your order." The order and delivery location were confirmed.

Caller: "And how do you want to pay for this?"

Me: "Um, well, I just entered all my credit card info into your website like I usually do."

Caller: "Oh." A moment of pause. "Oh, I see your credit card info now in the email."

Me, with a definite tone of anger: "My credit card was sent to you in email?!"

Caller: "Um, I'll get that pizza delivered ASAP."
Click


The pizza delivery guy arrived. As it turns out, it was the owner delivering the pizza. He explained to me that he had recently bought the local franchise and had no idea that the online orders were emailed to him along with all the customer information. As an attempt at a good-hearted gesture, he gave me some free breadsticks along with the printed email containing my entire credit card and address information.


I was now bent out of shape. Five minutes of Google searches turned up no methods for a consumer to report this obvious PCI non-compliance. Asking friends on Twitter and Facebook ended up with equally non-specific information. Some friends offered up email addresses of people at Visa; others stated quite assuredly that a consumer has no means to turn in violators. Realize, of course, that nCircle (my employer) is a certified PCI scan vendor and my online friends are all very much entrenched in information security. That is to say, you would think someone like me could ask around and quickly find a way to report this merchant to the PCI council for review.

The next step was to call my bank and issue a fraud alert. The bank customer support person took my information, listened well and followed her procedural steps exactly as instructed. All my information was confirmed, past orders were confirmed and a new card was issued. I requested directions on how to report this merchant for obvious non-compliance. Furthermore, I felt the merchant was in violation of a number of laws by printing out my entire credit card number. The bank customer support person offered the number of the Better Business Bureau.


Think about this. The PCI Standards Council has worked hard to ensure compliance of all their merchants. An entire industry has sprung up around the PCI Data Security Standards. Yet the standard provides no means for consumers to flag merchants for non-compliance. Even the issuing bank seems to have no means to do so.

Aside from naming names here on my public soapbox, how are consumers supposed to help do their part to ensure the security and privacy of the credit card industry?



Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.

Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP), a member of Infragard and a graduate of the FBI Citizens' Academy. Andrew blogs at blog.ncircle.com/sync