In case you missed it, the PCI Security Standards Council (SSC) published the initial release of the much anticipated Point-to-Point Encryption Solution (P2PE) Requirements document last month. Many of you are probably asking, “Why do I care?” – a good question in a day and age with so much information and noise. If you’ll allow me, I’d like to answer two better questions! But first, to answer that one: this document is significant because it is at the heart of the fiery topic of PCI scope.
Author Archives: Dominic Schulte
Security is expensive. We all know that. I see the battles my clients continually face – particularly the small and medium-sized businesses (SMBs) – as they try to spread their limited security dollars across dedicated salaries (for the fortunate ones), toolsets, appliances, training, and consulting (maybe we don’t need to include the last one…). The underlying belief from which many SMBs seem to take some comfort: “I’m the small guy. Surely I won’t be targeted when there are banks and multinational retailers to be hacked.” Mr. Angelastri says as much in this Wall Street Journal article.
…and there’s this [jeremiahgrossman.blogspot.com]. The Internets can be a little scary.
If you’re searching for ways to get buy-in or resources for SDLC, vulnerability management, or security testing improvements, this example should help.
All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting. We are frequently engaged to perform social engineering exercises for our clients, primarily to help them stress the importance of security policies, procedures, and communication to their employees.
While our generic email campaigns typically fool a few of the overly curious or too-quick-to-click crowd, the more informed (targeted) phishing campaigns are overwhelmingly effective, to the point that we often need to reassure our clients that the world is not ending. Unfortunately, this report highlights the fact that targeted attacks are not just elements of security company sales talk.
With yesterday’s introduction [reuters.com] of Google Health, we can now add personal health records and related information to the types of data Google is storing. This service includes connections to pharmacies, like Walgreen Co. and CVS Caremark, and other health groups. It will “allow patients to schedule appointments, refill prescriptions, receive diagnostic results online, and instantly add their doctors’ email addresses to a list of contacts.”