Has the era of major revisions to the Payment Card Industry Data Security Standard (PCI DSS) come to an end? Some industry watchers believe that the standard has reached a stage of maturity where only minor tweaks are required and organizations can now expect stability in the world of credit card compliance.
In February, the PCI Security Standards Council (PCI SSC) published a blog interview with Troy Leach, the council’s Chief Technology Officer that announced the upcoming release of PCI DSS 3.2 and discussed the future of the standard. Let’s dig in and take a look at what merchants should expect in PCI DSS 3.2 and how the standard’s release tempo might change in the future.
Read the full story: PCI DSS 3.2: Is this really the end?
Published April 25, 2016 on SearchSecurity.com
Cold hard cash is a strong motivator for many people and the Department of Defense is hoping that hackers are no exception. In March, DoD announced the upcoming launch this spring of a bug bounty program, modeled after those popular in the private sector. The press release announcing the program was short on details and long on patriotic hype, but this first-of-its-kind program in the public sector seeks to take an approach that has already proven successful in private industry.
Whether organizations like it or not, hackers will probe their systems seeking out weaknesses in servers and applications that may be exploited for a variety of reasons. Some of these individuals merely seek the intellectual challenge of identifying vulnerabilities and then leverage their discoveries to gain notoriety within the hacking community. Bug bounty programs seek to redirect these individuals to disclose their discoveries directly to the company, rather than to the general public, typically in exchange for some form of compensation. The goal is to harness the intellectual horsepower and work ethic of hackers and use it in the service of improving security.
Read the full article: Defense Department Puts Bounty on Bugs
Published April 12, 2016 in Certification Magazine
“Apple devices don’t get malware.” Those words have echoed throughout technology organizations and, for years, they were generally true. Times have changed, however, and both Macintosh computers and iOS mobile devices are now the source of frequent security vulnerabilities and find themselves the focus of malware authors and hackers. The rising prevalence of Apple devices in traditionally Windows-centric businesses, government agencies, and other organizations has placed iOS and Mac OS X squarely in the crosshairs of attackers seeking access to sensitive information and resources. Technology professionals seeking to secure their organizations must develop a strategy that considers both Apple and Windows security equally.
The Apple security landscape shifted dramatically during 2015 with several major changes that should cause every technology professional to reconsider previous opinions they held about the security of OS X and iOS devices. Apple products earned the dubious distinction of ranking first in the number of security vulnerabilities included in the well-respected Common Vulnerabilities and Exposures (CVE) database during 2015. An analysis of the database by CVE Details found that the database added 654 Apple vulnerabilities during 2015, compared to 571 vulnerabilities for Microsoft, who earned second place on the list.
Read the full story: Defending Macs and iOS Devices Against Malware
Published April 11, 2016 in StateTech Magazine
Cloud computing is transforming the world of information technology before our eyes. Less than a decade ago, IT teams focused most of their time on building enterprise data centers, managing capacity and building custom applications. Today, times have changed and many organizations are now shifting their focus toward the cloud, moving to a world where automation and integration dominate and enterprises purchase much of their computing as a service from a number of different providers.
This shift toward the cloud doesn’t only change the world of developers and engineers, it also dramatically affects the work of information security professionals. In the world of cloud computing, assessments rise in importance and contract language becomes as significant a security control as the configuration of the enterprise firewall. As security professionals seek to reinvent themselves as cloud security experts, they must gain new knowledge and skills and may wish to pursue professional certifications that help them demonstrate this aptitude to current and potential employers.
Read the full story: Secure Cloud: Earning Your Cloud Security Certification
Published March 28, 2016 in Certification Magazine
In the past few months, deadly terrorist attacks rocked both Paris, France and San Bernardino, California. The technical investigation following both incidents focused on questions related to whether the attackers communicated with each other using strong encryption to avoid eavesdropping by law enforcement and intelligence organizations. These questions sparked a national debate on the use of encryption and government access to private communications. There’s one bottom line question: Is encryption evil?
Politicians and presidential candidates quickly condemned the bombings but also used their soapboxes to condemn encryption technology as a tool of terrorism. In a Democratic debate, Hillary Clinton called for “a Manhattan-like project” focused on encryption. Republican presidential candidate John Kasich said that “we have to solve the encryption problem.” There’s certainly an undertone in the national conversation that encryption is an unwanted technology that facilitates terrorism and that the government must take action to protect Americans from it.
Read the full story: Encryption is Not Evil
Published January 2016 in Certification Magazine
Organizations around the world have extremely complex technology environments that depend upon many different components to function properly. Operating systems, hardware devices and applications all play a role in shaping our technology environments and each of these components relies upon current security patches to remain protected against the many threats found on the Internet. The vendors supplying these products continue to supply patches for older versions of their product still in use at customer sites but, unfortunately for IT teams, all good things must come to an end. Vendors are only willing to support a limited number of older versions because of the costs involved of maintaining legacy software and hardware. When a vendor decides to end support for a product organizations using it face difficult end-of-life decisions.
From a security perspective, using current software versions is a critical control. Many of the issues corrected by vendor patches are major security vulnerabilities that leave an organization open to attack. When a vendor ends support for a product, any new vulnerabilities discovered will remain unpatchable, leaving the organization susceptible to attack: clearly an undesirable situation! Adding to the gravity of the situation, hackers often develop and use automated scanning tools that scour the Internet searching out systems containing vulnerabilities. Leaving an unpatched, out-of-support device connected to the Internet presents a dangerous security risk but it happens every day!
Read the full story: IT and End of Life Issues
Published February 22, 2016 in Certification Magazine
In 2014, officials at the Internal Revenue Service received a Congressional subpoena demanding that the agency turn over all email messages sent or received by IRS official Lois Lerner as part of a Congressional investigation. Information security professionals suddenly found themselves in the public spotlight when the IRS claimed that they were unable to produce Lerner’s emails because her hard drive had crashed and the backup tapes had been accidentally erased. This began a months-long saga as data integrity issues took center stage in the media and the public focused on the ability of federal agencies to maintain the integrity of official government records.
There’s no doubt that federal agency information technology professionals have a special obligation to preserve the integrity of agency information. From tax records to legislative history, federal agencies preserve and protect the critical information that comprises our nation’s history and ensures its continued efficient operation. The duty to preserve federal records is a sacred trust between the American people and the nation’s government and IT professionals bear significant responsibility for maintaining this trust. Fortunately, there are several technology tools available to assist in this important task.
Read the full story: Preserving Data Integrity
Published February 18, 2016 in FedTech Magazine
The proposed General Data Protection Regulation (GDPR) recently passed a key legislative hurdle in the European Union and enterprise compliance teams are watching carefully as the regulation nears expected adoption in early 2016. Once passed, organizations doing business in the EU will have a two year grace period to become compliant with the regulation before facing steep fines for non-compliance.
Under the GDPR, the EU seeks to implement a single set of data privacy rules that apply across all EU member states. It expands many of the provisions of the 1995 EU Data Protection Directive and applies to organizations who previously fell outside the scope of EU regulation due to their geographic location. The GDPR includes notice and consent provisions similar to those found in the 1995 regulation with some enhancements, including disclosure of the retention time for personal information and parental consent requirements for children under the age of 13.
Read the full article: Minimizing Compliance Costs with GDPR on the Horizon
Published February 16, 2016 on SearchSecurity.com
“I’ll just synchronize these firewall settings and bypass the encryption and we’ll be inside the system in a few seconds.” Words like these cause cybersecurity professionals (and others in IT) to cringe, but they occur all the time on television and in movies. It seems that whenever the subject turns to hacking or computer security, the cyberwizards of Hollywood are able to achieve their goals with a few simple clicks of the mouse. These far-fetched scenarios make real security experts shake their heads and wonder whether the producers even bothered to consult an actual security expert before writing their script.
Clearly, the entertainment industry needs to dress up the work of security professionals before trying to portray it on the big screen. After all, nobody wants to watch a network engineer carefully crafting firewall rules, or a cryptanalyst running a brute force attack against an encrypted file for days at a time. That said, don’t you wish that, just once in a while, they’d take the time needed to get the basic facts correct, and introduce a slightly more realistic view of hacking and cybersecurity? Let’s take a look at some of the most common mistaken portrayals of cybersecurity in the media.
Read the full story: Hollywood vs. Reality: Cybersecurity Fact Check
Published 1/18/2016 in Certification Magazine
The Trans-Pacific Partnership agreement has come under fire from a wide variety of opponents, including Internet activists and online privacy advocates who feel the agreement could jeopardize cybersecurity. Opponents of the agreement claim the proposed ban on source code audits, if approved as an international regulation, could hamper security efforts on a number of levels.
The Trans-Pacific Partnership agreement language was negotiated in secret by trade representatives from 12 Pacific Rim nations, including the United States, and with the notable exclusion of China. The public didn’t see the text of the agreement until the negotiating nations released it in November. Trying to read the full Trans-Pacific Partnership agreement is a formidable task, as it weighs in at 30 chapters. Let’s take a look at a few of the key provisions that affect cybersecurity and intellectual property rights.
Read the full story: The Trans-Pacific Partnership and Cybersecurity
Published January 13, 2016 on SearchSecurity.com
Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.