PCI DSS

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 14

February 18, 2011 Added by:Anton Chuvakin

The logbook establishes the follow-up required in item 10.6.a of PCI DSS validation procedures, which states “Obtain and examine security policies and procedures to verify that they include procedures to review security logs at least daily and that follow-up to exceptions is required"...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

Understanding the Intent of PCI Requirement 11.2

February 09, 2011 Added by:PCI Guru

Requirement 11.2 requires that vulnerability scanning is performed at least quarterly. Given the 30 day patching rule and the fact that scanning must be performed after all “significant” changes, an organization really needs to conduct monthly scanning at a minimum to stay compliant...

Comments  (2)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 13

February 04, 2011 Added by:Anton Chuvakin

How do you create a logbook that proves that you are reviewing logs and following up with exception analysis, as prescribed by PCI DSS Requirement 10? The logbook is used to document everything related to analyzing and investigating the exceptions flagged during daily review...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

Understanding the Intent of PCI Requirement 6.1

February 02, 2011 Added by:PCI Guru

Unlike the insurance industry which has done a very good job of educating management on its value, the security industry has done a very poor job educating management on the value of security and what really needs to be done to secure the organization...

Comments  (0)

37d5f81e2277051bc17116221040d51c

How Much Longer Does the Magstripe Have?

January 29, 2011 Added by:Robert Siciliano

Every U.S.-based credit card has a magnetic stripe on the back. This stripe can be read and rewritten like a burnable CD. The simplicity of the magstripe’s design, coupled with the availability of card reading and writing technology, results in billions of dollars in theft and fraud...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 12

January 28, 2011 Added by:Anton Chuvakin

We have several major pieces that we need to prove for PCI DSS compliance validation. Here is the master-list of all compliance proof we will assemble. Unlike other sections, here we will cover proof of logging and not just proof of log review since the latter is so dependent on the former...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

More On The Cloud And PCI Compliance

January 28, 2011 Added by:PCI Guru

PCI DSS can be applied to “the cloud” in its existing form. Then where is the problem? The first problem with “the cloud” is in defining “the cloud.” If you were to ask every vendor of cloud computing to define “the cloud,” I will guarantee you will get a unique answer from each vendor asked...

Comments  (1)

Fc152e73692bc3c934d248f639d9e963

Why Stuxnet Matters To PCI Compliance

January 25, 2011 Added by:PCI Guru

Stuxnet was not as nasty to devices that were not centrifuges, but it still caused problems. Imagine if an entity wrote an attack for a common device or protocol hoping to actually target another entity. Do you think your organization could become “collateral damage”? I would say it is highly likely...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 11

January 23, 2011 Added by:Anton Chuvakin

The main idea of this procedure it to identify and then interview the correct people who might have knowledge about the events taking place on the application then to identify its impact and the required actions, if any...

Comments  (0)

959779642e6e758563e80b5d83150a9f

Credit Card Security in the Cloud

January 21, 2011 Added by:Danny Lieberman

Obviously, the standard was written by system administrators and not programmers because the notion of inter-process communications is ignored. Once we are running online transaction applications in the cloud, the notion of public networks becomes an antiquated given...

Comments  (1)

Fc152e73692bc3c934d248f639d9e963

Network Segmentation – One Last Discussion

January 21, 2011 Added by:PCI Guru

Just because you implement all of these recommendations does not make you invincible. All these recommendations do is just make the likelihood of an incident and the potential damage resulting from an incident lower than if you had little or no controls in place...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

RTFM: Take the Time to Read the Documentation

January 18, 2011 Added by:PCI Guru

The PCI SSC’s Web site contains all of the documentation you need to interpret the PCI standards, yet it seems the only document that people download and read is the PCI DSS. If people would just read the rest of the documentation that is available, we would all be better off...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 10

January 17, 2011 Added by:Anton Chuvakin

A message not fitting the profile is flagged “an exception.” It is important to note that an exception is not the same as a security incident, but it might be an early indication that one is taking place. At this stage we have a log message that is outside of routine/normal operation...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 9

January 14, 2011 Added by:Anton Chuvakin

The first method considers log types not observed before and can be done manually as well as with tools. Despite its simplicity, it is extremely effective with many types of logs: simply noticing that a new log message type is produced is typically very insightful for security, compliance and operations...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

The Harsh Reality Of Security

January 09, 2011 Added by:PCI Guru

Chris Skinner asks the question, “Why does the card securities council not care about card security?” What concerns me is the title of the article as it again implies that the PCI standards do nothing to secure cardholder data. I thought I would take a shot at answering this question...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 8

January 09, 2011 Added by:Anton Chuvakin

To build a baseline without using a log management tool has to be done when logs are not compatible with an available tool or the available tool has poor understanding of log data (text indexing tool). To do it, perform the following...

Comments  (0)

Page « < 8 - 9 - 10 - 11 - 12 > »