Blog

Blog

Why Continuous Scans Are Important to Vulnerability Management

To protect against evolving digital threats, more and more organizations are employing endpoint detection and response (EDR) systems on their computer networks. EDR consists of six crucial security controls. The first two, endpoint discovery and software discovery, facilitate the process of inventorying each device that is connected to the network...
Blog

PCI 3.2 and The Regulation Storm

There is never a dull moment for compliance and security. Case in point, amidst a brewing storm of regulation, version 3.2 of the Payment Card Industry Data Security Standards (PCI DSS) announced in late spring articulates good data security intent along with controversy. PCI has been around since 2006, and aims to protect payment data for consumers...
Blog

Delaying PCI 3.1: Time to Dance the Compliance and Security Waltz

The recent announcement from the Payment Card Industry Security Standards Council (PCI SSC) that it will be moving the PCI 3.1 deadline to June 2018 – giving an extra 24 months – caught my attention and reminded me of the ongoing dance between compliance and security. From a compliance and operational standpoint, the new deadline gives organizations...
Blog

Are Financial Services IT Pros Overconfident in Data Breach Detection Skills?

Tripwire studied confidence vs. knowledge of financial services IT security pros on seven key security controls necessary to detect a data breach. For many controls IT pros believed they had the information necessary to detect a breach quickly but provided contradictory information about the specific data. ...
Blog

Vulnerability Management Program Best Practices – Part 3

This is the conclusion to a three-part series of building a successful vulnerability management program. The first installment focused on Stage One, the vulnerability scanning progress. Without a foundation of people and process, the remaining stages are prone to failure. The second installment focused on Stage Two and Three, using a vulnerability...
Blog

Vulnerability Management Program Best Practices – Part 2

Recently, I introduced a three-part series on how to build a successful vulnerability management program. The first installment examined Stage 1, the vulnerability scanning process. My next article investigates Stages 2 (asset discovery and inventory) and 3 (vulnerability detection), which occur primarily using the organization’s technology of...
Blog

Vulnerability Management Program Best Practices – Part 1

An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals that address the information needs of all stakeholders, its output is tied back to the goals of the enterprise, and there is a reduction in the overall risk of the organization. Such vulnerability management technology...
Blog

Keeping Up with PCI DSS 3.1

Earlier this year, the PCI Security Standards Council officially released PCI DSS 3.1 only months after its predecessor (version 3.0) came into effect. With a typical three-year period between standard revisions, the out-of-band update caught many off guard, especially organizations still in the process of complying with the changes from the...
Blog

80% of Retailers Failed Interim PCI Compliance Assessments

Despite retailers’ continuous improvement in compliance with the Payment Card Industry (PCI) security standards, four out of five companies are still failing at interim assessments, according to Verizon’s latest report. The report highlights that the overall state of compliance grew significantly in 2014, with 20 percent of organizations...
Blog

Apple To Add New Security Alerts Following iCloud Hack

In response to the recent debacle that exposed multiple celebrities by hackers breaking into their personal Apple accounts and leaking private images on the web, Apple has stated it plans to launch additional security alerts warning users of possible intrusion.
Blog

Vulnerability Management: Just Turn It Off! Part III

Four unnecessary risks that often appear in even the most secure networks, and step-by-step instructions on how to immediately address these considerable risks that can be hurting the security of our environment.
Blog

Vulnerability Management: Just Turn It Off! Part II

Our last post in the “Turn It Off!” blog series discussed some of the most common and yet unnecessary features that can make your environment more vulnerable, including JBoss JMX consoles, server banners and the Apache HTExploit. These risks are often encountered by our Vulnerability and Exposure Research Team (VERT), even on well-defended networks and many of which have been around for quite...
Blog

NETGEAR Wireless Router Configuration Guide

This guide assumes that the reader has a NETGEAR branded wireless router and knows it’s address on the network. If you have forgotten the administrative password for your device, it may be necessary to perform a factory reset as outlined in this NETGEAR knowledge base article and then to login with the default password. Please note that while...
Blog

Friends Don’t Let Friends Mix XSS and CSRF

In preparation for my upcoming talk at BSides SF about finding vulnerabilities, I would like to share today some insights regarding two common types of vulnerabilities which leverage web browser in two unique ways. The goal of these vulnerabilities is quite different however. One is used to run untrusted code while the other is used to hijack authentication. The combined effect of these issues...
Blog

Why the Security Stack Has Ten Layers, Not Seven

The next item to tackle is the overall security architecture – and this includes several things. But let me first state the disclaimer that of course it is imperative that the correct governance and policies are in place and that technology can’t replace those things. But, it is also clear that however sophisticated, no paper document or process design will block an attack in the meantime until...