Blog Posts Tagged with "PCI DSS"

Fc152e73692bc3c934d248f639d9e963

Understanding the Intent of PCI Requirement 11.2

February 09, 2011 Added by:PCI Guru

Requirement 11.2 requires that vulnerability scanning is performed at least quarterly. Given the 30 day patching rule and the fact that scanning must be performed after all “significant” changes, an organization really needs to conduct monthly scanning at a minimum to stay compliant...

Comments  (2)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 13

February 04, 2011 Added by:Anton Chuvakin

How do you create a logbook that proves that you are reviewing logs and following up with exception analysis, as prescribed by PCI DSS Requirement 10? The logbook is used to document everything related to analyzing and investigating the exceptions flagged during daily review...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

Understanding the Intent of PCI Requirement 6.1

February 02, 2011 Added by:PCI Guru

Unlike the insurance industry which has done a very good job of educating management on its value, the security industry has done a very poor job educating management on the value of security and what really needs to be done to secure the organization...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 12

January 28, 2011 Added by:Anton Chuvakin

We have several major pieces that we need to prove for PCI DSS compliance validation. Here is the master-list of all compliance proof we will assemble. Unlike other sections, here we will cover proof of logging and not just proof of log review since the latter is so dependent on the former...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

More On The Cloud And PCI Compliance

January 28, 2011 Added by:PCI Guru

PCI DSS can be applied to “the cloud” in its existing form. Then where is the problem? The first problem with “the cloud” is in defining “the cloud.” If you were to ask every vendor of cloud computing to define “the cloud,” I will guarantee you will get a unique answer from each vendor asked...

Comments  (1)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 11

January 23, 2011 Added by:Anton Chuvakin

The main idea of this procedure it to identify and then interview the correct people who might have knowledge about the events taking place on the application then to identify its impact and the required actions, if any...

Comments  (0)

959779642e6e758563e80b5d83150a9f

Credit Card Security in the Cloud

January 21, 2011 Added by:Danny Lieberman

Obviously, the standard was written by system administrators and not programmers because the notion of inter-process communications is ignored. Once we are running online transaction applications in the cloud, the notion of public networks becomes an antiquated given...

Comments  (1)

Fc152e73692bc3c934d248f639d9e963

Network Segmentation – One Last Discussion

January 21, 2011 Added by:PCI Guru

Just because you implement all of these recommendations does not make you invincible. All these recommendations do is just make the likelihood of an incident and the potential damage resulting from an incident lower than if you had little or no controls in place...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

RTFM: Take the Time to Read the Documentation

January 18, 2011 Added by:PCI Guru

The PCI SSC’s Web site contains all of the documentation you need to interpret the PCI standards, yet it seems the only document that people download and read is the PCI DSS. If people would just read the rest of the documentation that is available, we would all be better off...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 10

January 17, 2011 Added by:Anton Chuvakin

A message not fitting the profile is flagged “an exception.” It is important to note that an exception is not the same as a security incident, but it might be an early indication that one is taking place. At this stage we have a log message that is outside of routine/normal operation...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 9

January 14, 2011 Added by:Anton Chuvakin

The first method considers log types not observed before and can be done manually as well as with tools. Despite its simplicity, it is extremely effective with many types of logs: simply noticing that a new log message type is produced is typically very insightful for security, compliance and operations...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

The Harsh Reality Of Security

January 09, 2011 Added by:PCI Guru

Chris Skinner asks the question, “Why does the card securities council not care about card security?” What concerns me is the title of the article as it again implies that the PCI standards do nothing to secure cardholder data. I thought I would take a shot at answering this question...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 8

January 09, 2011 Added by:Anton Chuvakin

To build a baseline without using a log management tool has to be done when logs are not compatible with an available tool or the available tool has poor understanding of log data (text indexing tool). To do it, perform the following...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

PCI SSC Backs Off Certifying Mobile Payment Apps

January 05, 2011 Added by:PCI Guru

A mobile payment refers to the use of a wireless device as a cash register. This is one of the reasons why the PCI SSC has pulled back on certifying mobile payment applications. The definition is becoming too broad and confusing thus creating too many issues to cover in a quick time...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 7

January 04, 2011 Added by:Anton Chuvakin

An additional step should be performed while creating a baseline: even though we assume that no compromise of card data has taken place, there is a chance that some of the log messages recorded over the 90 day period triggered some kind of action or remediation...

Comments  (0)

Ebb72d4bfba370aecb29bc7519c9dac2

Complete PCI DSS Log Review Procedures Part 6

January 02, 2011 Added by:Anton Chuvakin

In addition to this “event type”, it makes sense to perform a quick assessment of the overlap log entry volume for the past day (past 24 hr period). Significant differences in log volume should also be investigated using the procedures define below...

Comments  (0)

Page « < 7 - 8 - 9 - 10 - 11 > »