Where does PCI Compliance Fail?

Put another way: if everyone keeps saying that being PCI compliant does not mean being secure, where exactly does PCI compliance fail? One major gap is scope. PCI DSS covers cardholder data only; a breach of anything other than credit card numbers is outside it. Breach-notification law, by contrast, covers security breaches of Personally Identifiable Information … Read more

Risk Management Framework

If you had to start over, how would you do it? The NIST (National Institute of Standards and Technology) document at http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf is a good place to start. Special Publication 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems, outlines how to set up a Risk Management Framework, including partnerships with third-party providers, … Read more

Patching Software “Security” Dilemma

We have a dilemma when deciding how and when to patch the software we depend on. Not every vulnerability patch fixes the problem it targets without breaking something else. (Picture from #TheHackerNews.) How do we resolve this while also realizing that the window to patch our software … Read more

PCI Compliance - Security Weak Points

The criminal hacker is out to get you; the auditors want you to have your paperwork in place. What is the real weak point that we need to focus on? http://www.scmagazine.com/compliance-with-requirement-11-in-pci-dss-drops/article/403249/ SC Magazine discussed requirement 11 (regularly test security systems and processes), whose sub-requirement 11.1 covers detecting and identifying all authorized and unauthorized wireless access points. One must validate the wireless access point survey … Read more
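Validating a wireless survey means more than checking that a scan was run: the scan results have to be reconciled against an inventory of the access points the organization actually approved. The script below is an added example, not code from the post or from SC Magazine, showing one way to do that reconciliation. The inventory, the survey lines and the line format (`BSSID SSID SECURITY RSSI`) are constructed for illustration; a real survey tool or wireless IDS emits its own format and would need its own parser.

```python
"""Reconcile a wireless survey against an authorized access-point inventory.

Added illustration of the PCI DSS 11.1 idea (find authorized and
unauthorized wireless access points). All data below is constructed.
"""
from dataclasses import dataclass

# Constructed inventory of approved access points:
# BSSID -> (SSID, expected security mode).
AUTHORIZED_APS = {
    "AA:BB:CC:00:00:01": ("CORP-POS", "WPA2-Enterprise"),
    "AA:BB:CC:00:00:02": ("CORP-POS", "WPA2-Enterprise"),
    "AA:BB:CC:00:00:03": ("CORP-GUEST", "WPA2-PSK"),
}

# Constructed survey output in a hypothetical "BSSID SSID SECURITY RSSI" format.
SAMPLE_SURVEY = """\
AA:BB:CC:00:00:01 CORP-POS WPA2-Enterprise -41
AA:BB:CC:00:00:02 CORP-POS WPA2-Enterprise -55
AA:BB:CC:00:00:03 CORP-GUEST WPA2-PSK -60
DE:AD:BE:EF:00:01 CORP-POS WPA2-PSK -48
12:34:56:78:9A:BC Linksys OPEN -70
AA:BB:CC:00:00:03 CORP-GUEST OPEN -62
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    security: str
    rssi: int


def parse_survey(text):
    """Parse the constructed survey format into Observation records."""
    observations = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole check
        bssid, ssid, security, rssi = parts
        observations.append(Observation(bssid.upper(), ssid, security, int(rssi)))
    return observations


def reconcile(observations, inventory):
    """Classify each observed AP against the inventory.

    evil_twin:     an approved SSID broadcast from a BSSID not in the inventory
    rogue:         any other unknown BSSID in range (maybe a neighbour, still triaged)
    misconfigured: an inventoried BSSID seen with the wrong SSID or security mode
    missing:       inventoried BSSIDs the survey never saw (dead AP or survey gap)
    """
    approved_ssids = {ssid for ssid, _ in inventory.values()}
    findings = {"evil_twin": [], "rogue": [], "misconfigured": [], "missing": []}
    seen = set()
    for obs in observations:
        if obs.bssid in inventory:
            seen.add(obs.bssid)
            expected_ssid, expected_security = inventory[obs.bssid]
            if obs.ssid != expected_ssid or obs.security != expected_security:
                findings["misconfigured"].append(obs)
        elif obs.ssid in approved_ssids:
            findings["evil_twin"].append(obs)
        else:
            findings["rogue"].append(obs)
    findings["missing"] = sorted(set(inventory) - seen)
    return findings


def survey_is_clean(findings):
    """True only when nothing in the survey needs an analyst to look at it."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(parse_survey(SAMPLE_SURVEY), AUTHORIZED_APS)
    for category, items in result.items():
        for item in items:
            print(f"{category:14s} {item}")
    print("clean survey" if survey_is_clean(result) else "survey needs review")
```

The "missing" category is the one auditors tend to overlook: an approved access point that the survey never saw is either switched off or outside the surveyed area, and either way the survey has not validated it.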

Value of a Hacked Website

http://blog.sucuri.net/ has an interesting post about “The Impacts of a Hacked Website”. This is a good line: “We are learning the hard way, what large organizations already learned – being online is a responsibility and will eventually cost you something.” I now know that it was the Yoast Google Analytics plug-in that caused … Read more