Compass IT Compliance Blog

PCI Compliance - PCI DSS 3.2 By the Numbers

PCI DSS 3.2 is coming, and that means changes for Merchants and Service Providers and for the steps they take to mitigate their risk of a breach involving credit and debit cards. While change is inevitable, it can still be difficult, especially when you are talking about all of the different parts related to PCI Compliance and Information Security. The good news is that the PCI Data Security Standard (DSS), according to the PCI Security Standards Council (SSC), is now considered a mature standard and, therefore, will only see incremental changes moving forward. But what are incremental changes? While they may not fall into the category of major shifts, incremental changes can still have a significant impact on an organization. For that reason, we are going to dig into PCI DSS 3.2 by the numbers.

The SANS Top 20, A Vulnerability Assessment, and Penetration Testing

The SANS Top 20 Critical Security Controls outline the 20 most critical controls that an organization should implement to reduce its overall risk of suffering a data breach. These controls were originally developed in 2008 by the NSA at the request of the Office of the Secretary of Defense. Since that time, the controls have undergone several revisions with input from leaders in the US Government, international governments, and private organizations from around the world. These controls are widely considered essential, and some estimates have shown that by implementing them, organizations are able to mitigate their risk by 94%. While all the controls are important, there are two specific CSCs that are often confused, misused, and not implemented correctly. These CSCs would be:

IT Risk Assessments and the SANS Top 20

The Best Cyber Monday Gift: A Security Risk Assessment

Cyber Monday is in the books for 2015, and it is expected to be another record year for online spending. Analysts estimate that individuals spent around $2.4 billion online this past Cyber Monday, an 18% - 20% increase over last year. While there were some deals to be found online, there is certainly a level of risk that comes with online shopping. When you combine this inherent risk with the fact that 95% of individuals planned to do some online shopping from work, your company might be opening itself up to a cyber-attack without even knowing it.

US-CERT recently issued an alert stating that holiday phishing scams and malware attacks are on the rise this year and we are just entering the busiest part of the holiday shopping season. Some of these attacks might look like the following:

The Difference Between Vulnerability Scanning and Penetration Testing

Have you ever been in a situation where someone was talking about a specific topic and you thought they were referring to something completely different? Yeah, me neither! One of the challenges that we come across in IT Security Services is the frequent confusion and interchanging of terms that people think mean the same thing but in reality are very different. A great example of this is Vulnerability Scanning and Penetration Testing. These two concepts are often misused and swapped for one another, creating some degree of confusion, lack of understanding, and disconnect within the conversation. The problem becomes that neither party knows what the other is talking about, or one assumes the other is referring to one service when in reality they mean a different one. So what are the differences between these two often-confused services that perform different functions? Here is a small list to help clarify some of the confusion out there: