Posted on July 14, 2016 by lexi
If any requirement of the PCI DSS is confusing for organizations, it’s penetration testing.
It’s complicated, time intensive, and must be carried out by highly skilled and experienced personnel if it’s going to be done properly.
But on the other hand, penetration testing is widely understood to be an extremely high-value security process. After all, what better way to keep attackers out than by attacking on your own infrastructure and learning from the results?
We’ve said repeatedly during
Posted on July 7, 2016 by lexi
It’s come round again, just like every year.
An automatic email ends up in your inbox, telling you it’s time to complete your annual information security training course.
So you follow the link and wind up in an online portal. You’re told to read through each page thoroughly and confirm your understanding.
Next. Next. Next. Agree. Time to forget about it for another year.
Sound familiar? It should.
This is how the vast majority of organizations treat their information security and PCI
Posted on June 28, 2016 by lexi
In this series, we’ve already talked several times about the need to go beyond compliance with the PCI DSS.
This is doubly true for policy.
Once everything has been setup and documented, there’s a tendency to treat policy as a box ticking exercise. After all, assuming you have the necessary systems and processes in place, how important can the actual policy document be?
Sadly, as with all security matters, many organizations don’t find out the answer to this question until after something
Posted on June 16, 2016 by lexi
TraceSecurity Information Security Analyst, Tommy Yowell, frequently performs penetration testing for organizations of all sizes across all industries. In a recent interview, he answered seven questions organizations typically have about penetration testing and how it can help prevent data breaches.
1.What is penetration testing?
A penetration test evaluates the security of information technology systems in an organization’s network. The main goal of a penetration test is to discover and
Posted on June 3, 2016 by lexi
The FBI’s Internet Crime Complaint Center (IC3) recently warned of increased social engineering attacks in the form of email extortion campaigns and technical support scam calls, also known as vishing. The email extortion attacks are believed to stem from recent data breaches like those of Anthem and the IRS, as massive amounts of personal data were stolen. The extortion emails target data breach victims and threaten to release personal information to social media contacts, family, and friends
Posted on May 27, 2016 by lexi
Just hearing the words brings dread to the heart of some, while others are left with a profound feeling of boredom and confusion.
It’s hard to blame them. At some stage in their career, most people have experienced a very badly conducted risk assessment, and it’s left them scarred for life. They can’t even think about the subject without bringing back memories of tedium, bureaucracy, and frustration.
But it doesn’t have to be that way.
Risk assessments are vital to your
Posted in Information Security
Posted on May 26, 2016 by lexi
Comodo Threat Research Labs recently posted an alert that a massive campaign of phishing emails have been sent with a spoofed "from" address: email@example.com. The subject is “Your Amazon.com order has dispatched (#code)" and there is no body text in the email, just a Microsoft Word attachment.
The Word files contain no copy, just macro codes, and people that receive the email are tricked (social engineered) into downloading the document, which kicks off the macros and start an
Posted on May 12, 2016 by lexi
Admit it, you’re a little confused.
Everybody talks about PCI compliance, and you’re happily nodding along… but do you really know exactly what you’re obligated to do about it?
Put another way, are you sure you’re doing everything you’re supposed to be doing?
Well, fear not. Thankfully it isn’t all that complicated.
Over the next few weeks we’ll be covering the ins and outs of PCI and explaining what you’ll need to do in order to become (and stay) compliant.
PCI… What’s the Point?
Posted in Information Security
Posted on May 6, 2016 by lexi
Verizon publishes an annual comprehensive report on security and data breaches. It is excellent ammo to get budget approval for new-school security awareness training. Verizon collaborates with 67 other organizations to create the report. To name a few well-known participants: the U.S. Secret Service, the U.S. Emergency Computer Readiness Team, the Anti-Phishing Working Group, Kaspersky Lab, Cisco Security Services, EMC and many others.
One area that has picked up dramatically over the prior
Posted on April 25, 2016 by lexi
In June 2015 the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment tool to help financial institutions evaluate their overall cyber risk, as well as assess and monitor their cybersecurity preparedness.
While similar to an IT/IS (Information Security) assessment, the FFIEC Cybersecurity Assessment offers a new perspective and an additional opportunity for your financial institution to gain a thorough understanding of how much you have done to
Posted in Cybersecurity