
DARKReading has the highlights of the changes in PCI DSS v3.0 compared with v2.0.

SearchSecurity also has a synopsis with the five most important changes:

1. Penetration testing (pentesting)

2. Inventory of system components

3. Vendor relationships

4. Anti-malware

5. Physical access

All of these changes make sense in light of the Target breach, which we will review in more detail in a separate post. The most important are the penetration testing requirement and the segmentation of your network from your vendors' access. It is likely that one of Target's vendors was the entry point for the breach, or at least that the vendor's access helped the attackers exfiltrate the credit card data.

Here is a snapshot from the actual PCI DSS v3.0 document:

(image: pcibestpractices)

RealClearTechnology has an interesting article.

(The headings below are my synthesis of the article.)

It is based on the Cisco projections (linked in the article).

#1 issue: there will be 4 billion Internet users, and 52% of them (2.1 billion) will be in Asia.

(image: internetuserprojections, from the Cisco site)

This means that there will be more security issues, as there

Since we advocate testing your IT services and devices, what happens when your organization runs its services in the cloud?

Take Amazon EC2, for example. AWS publishes a compliance page, and it is worth keeping in mind.

As Amazon Web Services (AWS) puts it, security in the cloud is a shared responsibility.

Rackspace has a security page (Rackspace Security), and Rackspace also describes security as a shared responsibility.

In practice the provider attests to the physical facilities, the hardware and the virtualization layer, while the guest operating system, your application and the cardholder data it handles remain in your scope. Different cloud providers have specific missions and offer different infrastructure services, so the dividing line is not the same everywhere.

(image: Serversincage)

Let's say you need PCI compliance for your website, and that website is hosted at a cloud provider.

A search of Rackspace's site turns up rootkit scanning among other security topics.

As a security professional, one cannot simply scan or run penetration tests against any computer on the Internet; we must have written approval before scanning a system.

Why? Consider this Internet Storm Center example:

"However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable.  This affects Proliants from G1 all the way up to G6, as well as many of the HP Bladesystems."

So a Heartbleed scan that reaches the iLO cards in HP ProLiant hardware is a problem.

An iLO card provides out-of-band remote management of the server:

"Before using an ILO card you must plug an Ethernet cable in to the server's ILO Ethernet jack. Once the ILO card is connected to the Internet, you must set up an ILO user account and IP network address in the server's BIOS menu"

This remote capability has a drawback: the iLO firmware's SSL implementation is fragile enough that a Heartbleed probe crashes it, taking the server with it, and recovery requires a hard reset (someone has to press the power button). For a cloud provider that side effect is a disaster. A reboot of a hypervisor host takes its guests down for 10-30 minutes or more, and longer still if a technician has to reset the machine by hand.

Every tester, Certified Ethical Hacker or otherwise, must be aware of the problems that can arise.

We must test for compliance and uncover vulnerabilities, but it must be done in a way that does not affect services if at all possible: written authorization, an agreed scope, and an exclusion list for fragile management interfaces such as iLO.
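One way to put that into practice, as an added example that is not part of the original post: a small Python scope gate that refuses any target outside the ranges the client authorized in writing, carves out the management interfaces (the iLO addresses) before anything is sent, and only then builds the nmap command for the ssl-heartbleed NSE script. The address ranges are constructed sample data and the do-not-scan subnet is an assumption; the nmap flags (`-Pn`, `-p`, `--script ssl-heartbleed`, `--exclude`) are real nmap options.

```python
"""Scope gate for a Heartbleed scan (added example, not the post's own code).

Every target must sit inside a range the client authorised in writing, and
management interfaces known to hang when probed (e.g. iLO on older ProLiants)
are carved out before a single packet is sent. The ranges below are
constructed sample data; the do-not-scan subnet is an assumption."""
import ipaddress

# Ranges copied from the (hypothetical) signed authorisation letter.
AUTHORISED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
# Out-of-band management addresses (iLO / BMC) that must never be probed.
DO_NOT_SCAN = ["203.0.113.240/28"]


def plan_scan(targets, authorised=AUTHORISED_RANGES, excluded=DO_NOT_SCAN):
    """Split target addresses into those we may scan and those we must not.

    Returns (allowed, rejected): a list of vetted addresses and a dict that
    maps each rejected target to the reason, so the report shows why a host
    was skipped. Exclusion wins over authorisation: an iLO address inside an
    authorised range is still refused."""
    auth_nets = [ipaddress.ip_network(n) for n in authorised]
    excl_nets = [ipaddress.ip_network(n) for n in excluded]
    allowed, rejected = [], {}
    for target in targets:
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            # Hostnames are refused: resolve them first so the IP is checked.
            rejected[target] = "not an IP address"
            continue
        if any(ip in net for net in excl_nets):
            rejected[target] = "on the do-not-scan list (management interface)"
        elif not any(ip in net for net in auth_nets):
            rejected[target] = "outside written authorisation"
        else:
            allowed.append(str(ip))
    return allowed, rejected


def nmap_command(allowed, excluded=DO_NOT_SCAN):
    """Build the nmap argv that runs only the ssl-heartbleed NSE script on
    port 443 against the vetted hosts. The exclusion list is handed to nmap
    as well (--exclude), so a typo in the target list cannot reach an iLO."""
    if not allowed:
        raise ValueError("nothing left to scan after the scope check")
    return ["nmap", "-Pn", "-p", "443", "--script", "ssl-heartbleed",
            "--exclude", ",".join(excluded), *allowed]


if __name__ == "__main__":
    # Constructed target list: two web hosts, one iLO inside the authorised
    # range, one host outside scope, and one unresolved hostname.
    allowed, rejected = plan_scan(
        ["203.0.113.10", "203.0.113.250", "192.0.2.5", "198.51.100.20", "www"])
    for host, why in rejected.items():
        print(f"skip {host}: {why}")
    print(" ".join(nmap_command(allowed)))
```

The two-layer design is deliberate: the Python check produces an auditable list of what was skipped and why, and the `--exclude` argument makes nmap itself refuse the management subnet even if a vetted list is later edited by hand.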