Is it me, or does it seem like many of today’s security breaches are (eventually) the result of organizations not taking the necessary precautions to protect their data from cyber fraud? With the attacks on the Sony PlayStation Network and marketing giant, Epsilon, April saw its share of high-profiled data breaches. But many of the intelligence reports that follow such incidents seem to indicate that had the organization taken proactive security measures to protect their enterprises, they may have mitigated risks that allowed their data to be compromised. All this leads to one important question: Are we doing enough to protect our networks? Here were some of the top security stories from April 2011: Continue reading this post…
Top Endpoint Security Stories for December 2010 — In a year that forever changed the threat landscape, experts predict more of the same in 2011
December is typically the time when industry experts reflect on the past year and provide their take on what we might expect in the year to come. While the IT security industry saw its share of game-changing incidents in 2010, unfortunately, many agree the same security trends we’ve seen over the past year will continue into 2011. December also saw security professionals looking to adopt new solutions to stop more targeted malware exploits and meet their regulatory compliance goals. Here are some of the top endpoint security stories for December 2010. Continue reading this post…
PCI Council Moves to Accept Application Whitelisting to Address Malware in Requirement 5
In a major step forward for application whitelisting as an important control to meet compliance guidelines, the PCI Security Standards Council has put out the following guideline adjustment regarding the addressing malware.
“The Council is looking for equivalent controls that address malware and all types of threats referenced in Requirement 5, which are often found in traditional anti-virus solutions. If another type of solution (application whitelisting, for example) addresses the identical threats with a different methodology than a signature-based approach, it may still be acceptable to meet the requirement.” Continue reading this post…
Interesting post on retailers views of PCI – only 30% take PCI security seriously
I came across an interesting post on the darkREADING website yesterday titled PCI More Of A ‘Check-Box’ Than Security For Most Retailers. Particularly interesting was the following excerpt:
Nearly 80 percent of retailers and organizations that handle credit card transactions have been hit with a data breach, but more than 70 percent still don’t consider security strategic to their operations, according to a new report released today.
This apparent incongruity has more to do with organizations accepting a certain level of risk with doing business on the Internet, says Brian Contos, chief security strategist at Imperva, which commissioned the 2009 PCI DSS Compliance Survey conducted by the Ponemon Institute.
“Roughly 30 percent take [PCI security] seriously,” Contos says. “And the others see it as a check box.”
Despite the fact that 80 percent of retailers have experienced a data breach, only 70 percent consider security strategic to their operations and only 30 percent take PCI security seriously. The question is, is this an indictment of the retailers or the PCI standards themselves? Continue reading this post…
Time For an Update of PCI Antivirus Requirements: Take a lesson from NERC CIP
PCI requirements have come under scrutiny lately. A number of high profile security incidents resulting in the exposure of hundreds of thousands of credit cards have, fairly or unfairly, brought attention to the companies who suffered these attacks and yet were PCI compliant at the time. The highest profile incident was that of Network Solutions where over a half a million credit cards were compromised.
The culprit? Unauthorized code on their servers resulted in the exposure of the credit card data. Despite the protections employed to protect the card data on servers, they were done in by simple malware on a system in their infrastructure.