Author Archives: lexi

How To Conduct PCI Penetration Tests for Security & Compliance

Posted on July 14, 2016 by lexi

If any requirement of the PCI DSS is confusing for organizations, it’s penetration testing.

It’s complicated, time intensive, and must be carried out by highly skilled and experienced personnel if it’s going to be done properly.

But on the other hand, penetration testing is widely understood to be an extremely high-value security process. After all, what better way to keep attackers out than by attacking on your own infrastructure and learning from the results?

We’ve said repeatedly during

Read More...

Posted in Cybersecurity, IT Compliance and Regulatory Change Management

Why Most PCI Training Programs Are Ineffective… And What To Do About It

Posted on July 7, 2016 by lexi

It’s come round again, just like every year.

An automatic email ends up in your inbox, telling you it’s time to complete your annual information security training course.

So you follow the link and wind up in an online portal. You’re told to read through each page thoroughly and confirm your understanding.

Next. Next. Next. Agree. Time to forget about it for another year.

Sound familiar? It should.

This is how the vast majority of organizations treat their information security and PCI

Read More...

Posted in IT Compliance and Regulatory Change Management, Security Awareness Training

How To Manage Your PCI DSS Security Policy… And Why That Isn’t Enough

Posted on June 28, 2016 by lexi

In this series, we’ve already talked several times about the need to go beyond compliance with the PCI DSS.

This is doubly true for policy.

Once everything has been setup and documented, there’s a tendency to treat policy as a box ticking exercise. After all, assuming you have the necessary systems and processes in place, how important can the actual policy document be?

Sadly, as with all security matters, many organizations don’t find out the answer to this question until after something

Read More...

Posted in IT Compliance and Regulatory Change Management, Policy Management

Penetration Testing 101: An Interview with an Information Security Analyst

Posted on June 16, 2016 by lexi

TraceSecurity Information Security Analyst, Tommy Yowell, frequently performs penetration testing for organizations of all sizes across all industries. In a recent interview, he answered seven questions organizations typically have about penetration testing and how it can help prevent data breaches.

 

1.What is penetration testing?

A penetration test evaluates the security of information technology systems in an organization’s network. The main goal of a penetration test is to discover and

Read More...

Posted in Cybersecurity, Information Security, Vulnerability Management

FBI’S Internet Crime Complaint Center Warns of Increased Social Engineering Attacks

Posted on June 3, 2016 by lexi

The FBI’s Internet Crime Complaint Center (IC3) recently warned of increased social engineering attacks in the form of email extortion campaigns and technical support scam calls, also known as vishing. The email extortion attacks are believed to stem from recent data breaches like those of Anthem and the IRS, as massive amounts of personal data were stolen. The extortion emails target data breach victims and threaten to release personal information to social media contacts, family, and friends

Read More...

Posted in Security Awareness Training, Social Engineering

How To Conduct a PCI DSS Risk Assessment (Even if You Have No Idea What You’re Doing)

Posted on May 27, 2016 by lexi

Risk assessment.

Just hearing the words brings dread to the heart of some, while others are left with a profound feeling of boredom and confusion.

It’s hard to blame them. At some stage in their career, most people have experienced a very badly conducted risk assessment, and it’s left them scarred for life. They can’t even think about the subject without bringing back memories of tedium, bureaucracy, and frustration.

But it doesn’t have to be that way.

Risk assessments are vital to your

Read More...

Posted in Information Security

Latest Phishing Scam Alert – Ransomware on the Rise

Posted on May 26, 2016 by lexi

Comodo Threat Research Labs recently posted an alert that a massive campaign of phishing emails have been sent with a spoofed "from" address: auto-shipping@amazon.com. The subject is “Your Amazon.com order has dispatched (#code)" and there is no body text in the email, just a Microsoft Word attachment. 

The Word files contain no copy, just macro codes, and people that receive the email are tricked (social engineered) into downloading the document, which kicks off the macros and start an

Read More...

Posted in Security Awareness Training, Social Engineering

PCI Compliance: What, Who, and How?

Posted on May 12, 2016 by lexi

Admit it, you’re a little confused.

Everybody talks about PCI compliance, and you’re happily nodding along… but do you really know exactly what you’re obligated to do about it?

Put another way, are you sure you’re doing everything you’re supposed to be doing?

Well, fear not. Thankfully it isn’t all that complicated.

Over the next few weeks we’ll be covering the ins and outs of PCI and explaining what you’ll need to do in order to become (and stay) compliant.

 

PCI… What’s the Point?

The

Read More...

Posted in Information Security

Phishing Identified as Top Security Concern in Verizon 2016 Data Breach Report

Posted on May 6, 2016 by lexi

Verizon publishes an annual comprehensive report on security and data breaches. It is excellent ammo to get budget approval for new-school security awareness training. Verizon collaborates with 67 other organizations to create the report. To name a few well-known participants: the U.S. Secret Service, the U.S. Emergency Computer Readiness Team, the Anti-Phishing Working Group, Kaspersky Lab, Cisco Security Services, EMC and many others.

One area that has picked up dramatically over the prior

Read More...

Posted in Cybersecurity, Security Awareness Training, Social Engineering

Enhancing Risk Management: The Case for FFIEC Cybersecurity Assessments and IT Risk Assessments

Posted on April 25, 2016 by lexi

In June 2015 the Federal Financial Institutions Examination Council (FFIEC) released the Cybersecurity Assessment tool to help financial institutions evaluate their overall cyber risk, as well as assess and monitor their cybersecurity preparedness.

While similar to an IT/IS (Information Security) assessment, the FFIEC Cybersecurity Assessment offers a new perspective and an additional opportunity for your financial institution to gain a thorough understanding of how much you have done to

Read More...

Posted in Cybersecurity