Posts tagged Compliance

2 min Metasploit

Creating a PCI 11.3 Penetration Testing Report in Metasploit

PCI DSS Requirement 11.3 requires that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". You can either conduct this PCI penetration test in-house [/2011/10/20/pci-diy-how-to-do-an-internal-pentest-to-satisfy-pci-dss-requirement-113] or hire a third-party security assessment. Metasploit Pro offers a PCI reporting template, which helps you in both of those cases. If you are conducting the penetration test in-h

6 min PCI

PCI 30 seconds newsletter #20 - PCI DSS and SANS Top 20 Critical Security Controls: The Sumo match.

You said "Minimum." Really? How we can be sure that the PCI DSS requirements are sufficient and stay aligned with the evolution of attacks? This is a fair question raised by Mike Mitchell VP global network operations at American Express and chair person at the PCI council. On page 7 of PCI DSS V2 one could read that "PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks." The term “minim

2 min Nexpose

Nexpose adds CyberScope support

The latest version of Nexpose, 5.3, allows federal agencies and consultants to generate reports that can be submitted into the CyberScope reporting tool in compliance with Federal Information Security Act (FISMA) requirements for security information data. CyberScope, which is mandated by the Office of Management and Budget (OMB) is a Web-based application that collects data around the relevant vulnerabilities, configurations, and assets that are present within a federal agency in a standardize

2 min Compliance

SOC Monkey - Week in Review 5.25.12

It's SOC Monkey, coming to you on May 25th, otherwise known as Geek Pride Day []. Unrelated, sure, but not something my Monkeynauts should be unaware of.  Also, they should be aware of my IPhone App [], still free to download from the Apple App Store []. First, let's start with a big company from the beginning of the Internet: Yahoo Axis

1 min PCI

PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls

Hi, According to what we are hearing from the field, there are quite a big number out there of active users of this PCI Compliance Dashboard. Encouraged by your feedback and your assitance we worked on this new release. Among other great enhancements it encompasses references to the SANS Top 20 Critical Security Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will follow but for now on, enjoy this new version of the PCI Compliance Dashboard. What's New? * Add a tabl

3 min PCI

PCI 30 seconds newsletter #19 - Your PCI Logbook - What is required in terms of log management?

P>D R is a well-known principle in security. It's a principle that means that the Protective measures in place must be strong enough to resist longer than the time required to Detect something wrong is happening and then React. For example, your door must be strong enough to prevent a malicious individual from getting in for at least the amount time required to detect the incident, alert the police, and have them arrive on site. In this context, log management plays a specific role. It help

2 min Compliance

SOC Monkey Week in Review - 4.26.12

Dearest Monkey Minions, It is once again your favorite Simian InfoSec curator, bringing you the most interesting bits and pieces from my App [], that is, as you know, free in the Apple App Store []. This week, I'm actually traveling out there in that big wide world, so I'm going to keep this relatively simple. Next week, my normal big monkey mouth will be back in force, with lots

3 min PCI

PCI 30 seconds newsletter #18 – What to do if compromised?

Experience and statistics show us that the unlikely happens, we don't know when, we don't know how but we know it will occur. So management should better be concerned by being prepared to face an incident than by being secure. "I'm compliant so I don't care." The above principle has never been so true within the context of PCI where compliance doesn't really shelter organizations from compromises and therefore penalties. Achievement of PCI compliance is a long, costly, and fastidious journey

4 min Release Notes

Configuration assessment and policy management in Nexpose 5.2

We love our policy Dashboards. They are new, hot, intuitive, robust and really useful. In our latest release of Nexpose, version 5.2, we've made two major enhancements to our configuration assessment capabilities: * A policy overview dashboard: To understand the current status of compliance of configurations delivering a summary of the policy itself.A policy rule dashboard: To provide further details for a particular rule and the current compliance status for that rule. What makes th

5 min PCI

Become an Approved Scanning Vendor (ASV) in 3 Steps

If you are working for a security consulting company, having your company certified as an Approved Scanning Vendor (ASV) for the Payment Card Industry Data Security Standard (PCI DSS) can add a lucrative new area to your business. PCI is a worldwide standard that requires companies who accept or process credit cards to comply with certain security standards. One of these requirements is an annual, external vulnerability scan from an authorized scanning vendor, a so-called ASV. In this blog p

3 min PCI

PCI 30 seconds newsletter #16 - Is your organization behaving like a fashion victim or a clown?

In our last newsletter [/2011/11/28/pci-30-seconds-newsletter-15-nice-look] we discussed the severity of the presence of bugs in software, and how these bugs are handled on the software vendor's side. Now let's discuss the customer organization's side. What can we do about software defects? Software is buggy. This is a fact (see PCI newsletter #14 [/2011/11/14/pci-30-seconds-newsletter-14-the-world-isnt-perfect]). Returning to the analogy of protection gear used in our last newsletter [/2011/

3 min PCI

PCI 30 seconds newsletter #15 - Nice Look!

In the PCI newsletter #14 [/2011/11/14/pci-30-seconds-newsletter-14-the-world-isnt-perfect] we discussed why bugs aren't fixed in software before release. Once software is released and installed within our environment these weaknesses are on our side. Is it a problem? Examples: Let's take the image of a bridge, a strong and proud bridge. Cars are driving through it the whole day without being aware of the presence of a weakness in its internal structure. In appearance, no threat, no risk.

3 min PCI

PCI 30 seconds newsletter - The World Isn't Perfect

According to the 2011 Verizon Payment Card Industry Compliance Report, requirement 11 - "Regularly test security systems and processes" - is the one least met, so I thought I would dedicate a few newsletters to this subject, starting with the definition and source of vulnerabilities. The term "vulnerabilities" is often used in the PCI DSS standard to mean the following (per the definition given by the Council): Flaws or weaknesses which, if exploited, may result in an intentional or unintentio

1 min PCI

New version of the PCI Compliance Dashboard

The idea behind the PCI Compliance Dashboard is to provide you with one unique document to manage your PCI journey. I want to avoid you having to open multiple PDF documents to get all the information you need. Many of you suggested to add an executive summary part. This is now done! What's new? To this end, the new version of the PCI Compliance Dashboard includes: * * * * An "Executive Summary" showing your progress along your PCI journey. The Executive summary takes into ac

3 min PCI

PCI 30 second newsletter #13 - Compensating Controls: Magic Trick or Mirage?

There are circumstances where companies could face some technical or business impediments preventing them from implementing the requirements as explicitly stated in the standard. Does this mean that these companies could never achieve and maintain compliance? There is a common misconception that organizations must meet the requirements as they are written. This is not the case. The important thing is that the inherent security objectives behind each requirement are met. The PCIco and the Pa