
Threatpost blog post about the Exchange Server patch rollback (uninstall): http://threatpost.com/microsoft-recalls-patch-tuesday-exchange-update/109844


The Tip of the Day is about PCI compliance: a security policy must be created.

Some parts of the PCI DSS 3.0 standard are not very specific (since there are many different types of environments).

Why does one hire an independent CPA to check the financial books?


Unfortunately, even where employees are trustworthy and capable, it makes sense to periodically review their work.

Even the PCI Security Standards Council lists the following as "Testing Procedures":

6.1.b Interview responsible personnel and observe processes to verify that:
 New security vulnerabilities are identified.
 A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
 Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.
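The 6.1 testing procedure above checks that new vulnerabilities are picked up from outside sources and that each one gets a risk ranking with the "high" and "critical" ones called out. The script below is an added example (it is not from the PCI DSS document, the Council, or Fixvirus) of what such a ranking step looks like when written down instead of done by hand. It assumes the organisation has chosen CVSS v3 base-score bands as its ranking method (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9), which PCI DSS permits but does not require, and it cross-references each advisory against a component inventory. The advisory identifiers, sources, scores and inventory entries are all constructed for the example.

```python
"""Risk-rank incoming vulnerability advisories for a PCI DSS 6.1-style review.

Added example, not PCI DSS or vendor code. Advisory records and the component
inventory are constructed; the CVSS v3 qualitative bands are the real FIRST
definitions and stand in for the organisation's chosen ranking method.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vuln_id: str        # identifier as published by the source (constructed here)
    source: str         # reputable outside source the advisory came from
    cvss_base: float    # CVSS v3 base score reported by that source
    components: tuple   # system components the advisory applies to


# Inventory of in-scope system components (PCI DSS 3.0 asks for one). Constructed.
CDE_INVENTORY = {"pos-terminal", "payment-gateway", "db-server"}

# Constructed sample feed; none of these identifiers refer to real advisories.
SAMPLE_FEED = [
    Advisory("ADV-2014-0001", "vendor bulletin", 9.8, ("payment-gateway",)),
    Advisory("ADV-2014-0002", "NVD", 7.5, ("workstation",)),          # high, out of scope
    Advisory("ADV-2014-0003", "NVD", 5.3, ("db-server",)),            # medium, in scope
    Advisory("ADV-2014-0004", "vendor bulletin", 8.1, ("pos-terminal", "db-server")),
]


def rank(score):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage(advisories, inventory=CDE_INVENTORY):
    """Rank every advisory and note which in-scope components it touches.

    Returns one record per advisory, highest score first, so the review
    meeting (or the auditor) sees the same ordered list every time.
    """
    records = []
    for adv in advisories:
        severity = rank(adv.cvss_base)
        in_scope = sorted(set(adv.components) & inventory)
        records.append({
            "id": adv.vuln_id,
            "source": adv.source,
            "score": adv.cvss_base,
            "severity": severity,
            "in_scope": in_scope,
            # "high" and "critical" on an in-scope component must be remediated;
            # everything else is still tracked, just not at this priority.
            "must_remediate": severity in ("critical", "high") and bool(in_scope),
        })
    return sorted(records, key=lambda r: r["score"], reverse=True)


def priority_ids(advisories, inventory=CDE_INVENTORY):
    """Identifiers that the 6.1 review must show as remediated or scheduled."""
    return [r["id"] for r in triage(advisories, inventory) if r["must_remediate"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_FEED):
        flag = "REMEDIATE" if r["must_remediate"] else "track"
        print(f"{r['id']} {r['score']:>4} {r['severity']:<8} {flag:<9} {r['in_scope']}")
```

Keeping the feed, the inventory and the ranking rule as data that the script reads, rather than as a judgement someone makes in their head, is what makes "observe processes" possible for the independent reviewer: the same input should produce the same ordered list whoever runs it.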

Are you really performing this function with internal personnel? Can you ensure it is done accurately and efficiently over the long term?

For an independent review to occur, by definition it must be "independent".

That is why we have developed a basic Alpha Security scan to give information to the IT department and management so they can run more efficiently and with higher security.

DARKReading has the highlights of the changes in v3.0 compared with v2.0.

SearchSecurity also has a synopsis, with the 5 most important changes:

1. Pentesting (Penetration testing)

2. Inventory of system components

3. Vendor relationships

4. Antimalware

5. Physical access

All of the changes make sense in light of the Target breach, which we will review in more detail in a separate post. The most important are the pentesting and the segmentation of your networks from your vendors. It is likely that one of Target's vendors caused the breach, or at least helped the exfiltration of the credit card data.

Here is a snapshot from the actual v3.0 PCI DSS doc:

[image: PCI best practices snapshot]

Have you checked wifi signals as to their effectiveness?

Is your wifi router / access point using good encryption technology?

Wardriving: Peter Shipley coined the term "wardriving" for the practice of deliberately searching a local area for wifi network signals.

You do know that some wifi encryption (WEP) is easier to hack and break into than others (WPA2)?

There are also other ways that people attack you and your information and resources.

Hackers use fake wifi access points to steal people's logins. Be careful where you accept a wifi connection, as unencrypted wifi can be very dangerous; at least assume that all your network traffic can be captured and analyzed. I.e. do not enter user IDs and passwords over unencrypted wifi connections.


We can help you test and audit your wifi, including for PCI auditing purposes (this has to be done quarterly).

PCISecurityStandards.org has a website with its response to the Target data breach:

"As part of this security effort, the Council maintains that adherence to and maintenance of the Payment Card Industry Data Security Standard (PCI DSS) is the best defense against data breaches."

What is this "adherence to the PCI DSS"?

To look at the actual requirements and procedures you have to agree to their terms and conditions.

The standard says to maintain a vulnerability management program.

Among other items:

NIST SP 800-115 is cited as the sample standard for penetration testing methodologies.

Examine security policies and procedures.

"Verify responsibility" is sprinkled in multiple times in the PCI DSS standard. Each person or team with responsibilities should be clearly aware of their responsibilities.


I know a "Guidance" that would make PCI DSS even stronger: use an independent reviewer (a second pair of eyes) such as Fixvirus.com.

Dark Reading has an interesting article about how Target was compliant with PCI (Payment Card Industry) standards and it was not enough.

The Point of Sale terminals were infected with malware specific to Point of Sale terminals, which stole the CC# and the 3-digit CV code as well. So it was designed to steal the complete magnetic strip information.

Many parties may be to blame in this, but what can you do in the meantime?

Test your systems: check for malware in an automated manner. If there are unknown pieces of software or open ports on your computers, then that requires more investigation and cleaning of the systems.
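"Unknown software or open ports" only means something if you know what the known set is. The script below is an added example (not Fixvirus's scan, and not from any article linked on this page) of the automated comparison the paragraph describes: it parses listening sockets from `ss -ltn`-style output, compares them against a per-role baseline of approved ports and bind addresses, and lists installed packages that are not on the approved list. The command output, the baseline and the package names are all constructed for the example; on a real host you would feed it the output of the real command and a baseline agreed with the system owner.

```python
"""Compare a host's listeners and software against an approved baseline.

Added example, not Fixvirus or PCI Council code. All sample data below is
constructed: the `ss` output was not captured from a real machine and the
package names do not refer to real software.
"""

# Constructed sample of `ss -ltn` output (header line followed by listeners).
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       5       0.0.0.0:4444         0.0.0.0:*
"""

# Approved listeners for this host role, constructed. Key is the port; the
# value is the set of bind addresses allowed for it ("*" means any address).
BASELINE_LISTENERS = {
    22: {"*"},            # remote administration
    80: {"*"},            # web front end
    3306: {"127.0.0.1"},  # database must only listen on loopback
}

# Approved software for this host role, constructed package names.
APPROVED_SOFTWARE = {"openssh-server", "nginx", "mysql-server"}

# Constructed list of what the package manager reports as installed.
SAMPLE_INSTALLED = ["openssh-server", "nginx", "mysql-server", "pos-dumper"]


def parse_listeners(ss_output):
    """Extract (bind_address, port) pairs from `ss -ltn`-style output."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)  # rsplit: IPv6 addresses contain ':'
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def unexpected_listeners(listeners, baseline=BASELINE_LISTENERS):
    """Listeners that are not in the baseline, or bound more widely than allowed."""
    findings = []
    for addr, port in listeners:
        allowed = baseline.get(port)
        if allowed is None:
            findings.append((addr, port, "port not in baseline"))
        elif "*" not in allowed and addr not in allowed:
            findings.append((addr, port, f"bound to {addr}, baseline allows {sorted(allowed)}"))
    return findings


def unexpected_software(installed, approved=APPROVED_SOFTWARE):
    """Installed packages that nobody approved for this host role."""
    return sorted(set(installed) - approved)


def audit(ss_output=SAMPLE_SS_OUTPUT, installed=SAMPLE_INSTALLED):
    """Run both checks; an empty result means the host matches its baseline."""
    return {
        "listeners": unexpected_listeners(parse_listeners(ss_output)),
        "software": unexpected_software(installed),
    }


if __name__ == "__main__":
    result = audit()
    for addr, port, why in result["listeners"]:
        print(f"LISTENER  {addr}:{port}  {why}")
    for pkg in result["software"]:
        print(f"SOFTWARE  {pkg}  not on approved list")
```

Two findings come out of the constructed data: a port with no baseline entry at all, and a database port that the baseline allows only on loopback but which is bound to every interface. Both are exactly the "requires more investigation" cases the paragraph talks about, and the second one is easy to miss when a person eyeballs the list, because the port number itself is expected.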


Use our Alpha-A, Sigma-Σ, and Omega-Ω services.  (A – Σ – Ω)