Skimming the July issue of MSDN magazine, an article titled “When Security Doesn’t Make Sense” by David Platt caught my eye. As someone who relays security advice on a daily basis, I find outside perspectives on security of great interest.
Author Archives: Michael Oglesby
Solving the Verizon DBIR 2011 Cover Challenge … again
April 28th, 2011 | Posted by in Uncategorized | (0 Comments)

For a third year, Verizon Business has embedded a “Cover Challenge” in its annual Data Breach Investigation Report (DBIR). The challenge is an unspecified puzzle hidden within the document. I finished the puzzle in second place after having placed first last year. Congrats to Dan Caselden on his amazingly fast first place win this year.
When are merchants required to use a PA-DSS validated POS (point-of-sale) application?
December 3rd, 2010 | Posted by in Compliance | PCI | (0 Comments)

In True’s experience as a QSA advising merchants on PCI compliance, one point of confusion always seems to surface: when are merchants required to use a Payment Application Data Security Standard (PA-DSS) validated POS application?

First, it is important to understand that the Payment Card Industry Data Security Standard (PCI-DSS) and PA-DSS are completely separate standards. Assessors do not validate or require PA-DSS when validating PCI-DSS. All applicable PCI-DSS controls must always be evaluated regardless of the POS application’s validation status. Using a PA-DSS validated application allows merchants to ensure that the application was designed to meet the PCI security requirements.
Solving the Verizon DBIR 2010 Cover Challenge
August 26th, 2010 | Posted by in Uncategorized | (2 Comments)

For the second year in a row, Verizon Business has encoded a “Cover Challenge” in its annual Data Breach Investigation Report. This year I was the first place winner, submitting the correct solution after 1.5 weeks of puzzling.

Verizon 2010 Data Breach Investigation Report

Knowing about last year’s challenge, I took a quick look at this year’s report and didn’t immediately notice anything puzzle related. A few days later Verizon confirmed on their security blog that there was indeed a cover challenge. Game on.
Getting the most value from your next penetration test
November 24th, 2009 | Posted by in Compliance | Security | (0 Comments)

We here at True Digital Security conduct quite a lot of engagements around penetration testing, or “Pen-Tests”. Usually this testing is driven by compliance requirements like the Payment Card Industry (PCI) DSS or security audit requests from potential new clients. Unfortunately, penetration testing is perhaps the most confusing and misunderstood type of security engagement. Don’t quite know what I mean? Try this little experiment: Google for “Penetration Testing” and try to determine the scope, and more importantly, the goal of a penetration test. Go ahead, I’ll wait… Confused yet? The vast array of methods, styles, and differing goals can be overwhelming. Even security experts themselves don’t agree on what the purpose or goal of a penetration test should be.