Posts tagged Compliance

2 min Compliance

Malicious SSIDs And Web Apps

On February 13th 2013, Cisco released a security notice related to CVE-2013-1131 [http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1131]. According to Cisco, the vulnerability is due to improper validation of the Service Set Identifier (SSID) when performing a "site survey" to discover other wireless networks. On the face of it, this vulnerability seems to be low-risk. Indeed, site surveys are not often performed and an adversary would need to either be incredibly luc

5 min PCI

PCI 30 seconds newsletter #26 - PCIP is it worth it?

At the last PCI Community meeting the Council introduced a new certification (yes one more!). After ASV, QSA, P2PE QSA, ISA, PFI, QIR, there it is: The PCIP (Payment Card Industry Professionals) certification. Why? Firstly, to answer a valid concern from the QSA and ISA employees. QSA and ISA certifications are not assigned to individuals but to the couple (company, employee). Therefore the QSA/ISA employee status is lost whenever the individuals leave their employers. This fact is poorly know

3 min PCI

Demystifying PCI DSS - A Rapid7 ebook

We know, we know: The ins and outs of the Payment Card Industry Data Security Standard (PCI DSS) don't typically make for exciting reading. But learn the PCI DSS you must, if you're any kind of organization that handles credit card information, from a point-of-sale merchant to a service provider. There are a wide range of organizations that must be compliant with the PCI DSS, if only to keep auditors and hefty fines at bay, to say nothing of securing sensitive data. But for most security profess

4 min PCI

PCI 30 seconds newsletter #25 - A New Standard is Born.

PCI SSC is putting the finalizing touches to two new standards (Physical and Logical Security Requirements) for card manufacturers and card personalization centers. After having co-authored the first version of the PCI DSS and having designed and led the ASV certification program on behalf of PCIco, I've been assigned with another critical mission for a "secret" department at Mastercard, the Global Vendor Certification Program. My role was to write a set of logical security requirements to mini

3 min PCI

PCI 30 second newsletter #24 - PCIco strengthens the scoping rules

This page supplements our newsletter #9 - Defining the Scope of the PCI assessment [/2011/07/14/pci-30-seconds-newsletter-9-defining-the-scope-of-the-pci-assessment]. In terms of scope definition here is what PCI says: PCI DSS requirements apply to all system components, defined as any network component, server, or application that is included in or connected to the cardholder data environment (CDE). The scope of a PCI DSS assessment could be reduced using adequate network segmentation but wh

2 min PCI

PCI 2013 SIGs NOW Open for PO Votes

Here we are in the last lap for the election of the PCI 2013 Special Interest Groups. 663 participating organizations [https://www.pcisecuritystandards.org/get_involved/member_list.php] have until 11:59 p.m. EDT on November 9, 2012 to vote for up to two projects. They can review the proposals and vote for up to two projects on the PO portal. In an effort to enrich the community, Rapid7 presents two SIG projects: Internal Scanning and vulnerability management guidelines Context: #11.2 clearl

6 min PCI

PCI 30 seconds newsletter # 23 – Introduction to Risk Assessment

If you went to work this morning, you took a risk. If you rode your bicycle, walked, or drove a car, you took a risk. If you put your money in a bank, or in stocks, or under a mattress, you took other types of risk. If you bought a lottery ticket at the newsstand or gambled at a casino over the weekend, you were engaging in activities that involve an element of chance – something intimately connected with risk. PCI DSS Requirement 12.1.2 requires organizations to establish an annual process t

2 min Metasploit

Man on the SecurityStreet - Day 2 Continued.

It's your favorite reporter in the field, Patrick Hellen, reporting back with some more updates from our speaking tracks at the UNITED Summit. Dave Kennedy, the founder of TrustedSec, gave an entertaining presentation called Going on the Offensive - Proactive Measures in Security your Company. Just like HD's earlier presentation, we had our staff artist plot out the entire speech, which you can see attached below. When I say entertaining, the previous talk track was a debate session that Dave

3 min PCI

PCI 30 seconds newsletter #22 - Don't get lost in translation with Executives. Get them listening.

"I need people and I need funding to do my job properly. Executives don't get it - They want me to bulletproof their systems but don't want to listen". Does this sound familiar? Of course, such moaning fills the room of security gathering sessions such as any local PCI Community meeting. IT security responsible persons usually point to Executives as a major impediment to their mission. Why is that? I think that Executives and IT Security DO work toward the same goal: "Securing the busin

3 min Compliance

SOC Monkey Week In Review - 7.23.12

Hello my Monkeyreaders - and welcome back to another edition of the ongoing misadventures of the InfoSec world, as told through my Free App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], available as always in the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. I figured I'd start off the week with a story that reminds me of all the Breach stories from my last Review: Eight Million Email Addresses And Passwords Spilled From Gaming Site Gamigo Months A

3 min Nexpose

SOC Monkey - Week in Review - 7.9.12

Welcome back Monkeyminions, to the best content aggregation blog you read on Mondays that's written by a monkey. If you'd like to join in the content part, feel free to download my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. It's July 9th, so for about 300,000 people, it's the end of the internet as they know it (yet I feel fine?): Still infected, 300,000 PCs to lose Internet access July

1 min Nexpose

Small business experience with Nexpose to help meet PCI Compliance

Nexpose has saved my bacon and allowed me to meet the rather onerous PCI-DSS compliance. Thank you Nexpose, the product is brilliant, fairly easy to use and corrects the security issues. My business ThirtyFifty is a great smallish business running wine tastings. It is generally a pretty straight forward type of business, but we need to take payments over the phone to confirm bookings. This is fine, but if you have had any experience in PCI compliance, it is getting harder and harder to meet the

4 min PCI

Untangle the Knot: Risk Assessment Essentials

Businesses are faced with the growing demand—and challenge—of creating and operating solid security programs. The risk assessment process necessary to begin this undertaking is the cornerstone in creating a strong information security program. Properly managed risk assessment provides an organization with insight into the security posture and thus, enables organizations to make informed security decisions. But do technology program owners have insight into technology risks and practices? Do they

4 min PCI

PCI 30 seconds newsletter #21 - "Qualified" internal scanning staff using "appropriate" scanning tools - What does that mean?

Every Customer, (Merchants, Service Providers), should be acquainted with the fact that they must assign their quarterly external scans to an Approved Scanning Vendor certified by the PCI Council. What is less known is that external scans conducted after network changes and in between quarterly scans, as well as quarterly internal scans, may be performed by the company's internal staff as long as they are "qualified" and use "appropriate tools". "Qualified Staff", "Appropriate tools", What does

5 min Compliance

5 NON-TECHNICAL REASONS ORGANIZATION GET BREACHED

For every data breach that makes the headlines, there are tens to hundreds that go unreported by the media, unreported by companies, or even worse, go unnoticed. The rash of negative publicity around organizations that have experienced data breaches would appear to be a sufficient motivator to whip corporate leaders into bolstering their security programs in order to prevent from being the next major headline. If that is not reason enough, the litany of regulations imposed on certain industries