Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. If you don’t have vulnerability management tools, or if your VM program is ad hoc, there’s no...

Compliance with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) is a must for organizations that handle, process, transmit and store payment card data. But compliance isn’t always easy to establish or maintain. Indeed, there are certain challenges along the way that can make organizations’ compliance with PCI DSS 3.2 superficial and short-lived. To beat those challenges...

The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS). On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations' use of the Standard and when they would need to upgrade their use of common cryptographic protocols. PCI SSC Chief Technology Officer Troy Leach...

The latest revision to PCI DSS, PCI 3.2, provides specific security guidance on the handling, processing, transmitting and storing of credit card data. PCI 3.2 presents an opportunity for retail, healthcare, finance and hospitality organizations to minimize the theft, exposure and leakage of their customer’s personal and financial credit information by strengthening weakened security controls. For...

Much attention and excitement within the security world has recently been focused on the lucrative surge in crypto-mining malware and hacks involving or targeting cryptocurrency implementations themselves. Yet the volume of ‘real world’ transactions for tangible goods and services currently paid for with cryptocurrency is still relatively niche in comparison to those that are being paid for every...

Two significant ransomware attacks occurred in the first half of 2017. The first outbreak took place on May 12, 2017, when WannaCry leveraged a known Windows exploit to infect hundreds of thousands of vulnerable computers around the world, including 34 percent of UK National Health Service (NHS) trusts . Less than two months later, NotPetya abused that same Microsoft vulnerability to strike banks...

To distinguish the size of merchant companies and appropriately determine the level of testing required, the founding credit card companies created four different brackets ranging from Tier 1 to 4. Each tier is based on the number of transactions processed per year by the merchant and also dictates the testing a merchant must undertake. While transactions are the primary determiner, a merchant can...

The retail industry saw more than its fair share of data breaches in 2017, with security incidents impacting at American supermarket chain Whole Foods Market and clothing companies Brooks Brothers , The Buckle , and Forever 21 , to name a few. At least some of those events likely resulted from retailers' poor data breach preparation. Consider the fact that just 28 percent of IT security...

Enterprise networks regularly see change in their devices, software installations and file content. These modifications can create risk for the organization. Fortunately, companies can mitigate this risk by implementing foundational security controls. For example, enterprises can monitor their important files for change using file integrity monitoring (FIM). This security measure enables IT...

The Payment Card Industry Data Security Standard (PCI DSS) was introduced to provide a minimum degree of security when it comes to handling customer card information. While the Standard has been around for over a decade, penetration testing has only recently been officially incorporated into the process. There’s a lot to cover in a PCI DSS engagement, and some aspects may fly under the radar as a...

Nearly half of organizations that store, process or transmit card data are still failing to maintain PCI DSS compliance from year to year, reveal new statistics. According to the 2017 Verizon Payment Security Report , the number of enterprises becoming fully compliant is on an upward trend—growing almost five-fold since 2012. Last year, 55.4 percent of organizations interviewed, including those in...

Since 2004, merchant companies that handle branded credit cards have worked to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS). These regulations, which consist of six fundamental control objectives and 12 core requirements , aim to protect payment card data for customers. They also help card issuers and banks limit their liability in the event a merchant...

Looking at the cyberthreat landscape, millions of new devices come online every day . But there’s a shortage of qualified cybersecurity workers to protect those devices once they come online. Additionally, in almost every case, it takes minutes or less to compromise them . Simply running more vulnerability scans to collect more data and generating more alerts isn’t the answer, with more than half...

To protect against evolving digital threats, more and more organizations are employing endpoint detection and response (EDR) systems on their computer networks. EDR consists of six crucial security controls. The first two, endpoint discovery and software discovery , facilitate the process of inventorying each device that is connected to the network and documenting all software applications running...

There is never a dull moment for compliance and security. Case in point, amidst a brewing storm of regulation, version 3.2 of the Payment Card Industry Data Security Standards (PCI DSS) announced in late spring articulates good data security intent along with controversy. PCI has been around since 2006, and aims to protect payment data for consumers and card issuers. A worthy cause, no question...

The recent announcement from the Payment Card Industry Security Standards Council (PCI SSC) that it will be moving the PCI 3.1 deadline to June 2018 – giving an extra 24 months – caught my attention and reminded me of the ongoing dance between compliance and security. From a compliance and operational standpoint, the new deadline gives organizations more time to identify, remove and replace the...

Tripwire studied confidence vs. knowledge of financial services IT security pros on seven key security controls necessary to detect a data breach. For many controls IT pros believed they had the information necessary to detect a breach quickly but provided contradictory information about the specific data.

This is the conclusion to a three-part series of building a successful vulnerability management program. The first installment focused on Stage One , the vulnerability scanning progress. Without a foundation of people and process, the remaining stages are prone to failure. The second installment focused on Stage Two and Three , using a vulnerability scanning technology to discover and inventory...

Recently, I introduced a three-part series on how to build a successful vulnerability management program. The first installment examined Stage 1 , the vulnerability scanning process. My next article investigates Stages 2 (asset discovery and inventory) and 3 (vulnerability detection), which occur primarily using the organization’s technology of choice for vulnerability scanning. In this case, the...