Welcome to Delicate template
Header
Just another WordPress site
Header

When are merchants required to use a PA-DSS validated POS (point-of-sale) application?

December 3rd, 2010 | Posted by Michael Oglesby in Compliance | PCI - (0 Comments)

In True’s experience as a QSA advising merchants with PCI compliance, one point of confusion seems to always surface – when are merchants required to use a Payment Application Data Security Standard (PA-DSS) validated POS application?

First, it is important to understand that the Payment Card Industry Data Security Standard (PCI-DSS) and PA-DSS are completely separate standards. Assessors do not validate or require PA-DSS when validating PCI-DSS.  All applicable PCI-DSS controls must always be evaluated regardless of the POS validation status. Utilizing a PA-DSS application allows merchants to ensure that the application was designed to meet the PCI security requirements.Read more

Michael Oglesby

Michael Oglesby

The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience. He oversees a team of analysts in conducting SAST- and DAST-based services. Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015. He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.

More Posts - Twitter

,

Getting the most value from your next penetration test

November 24th, 2009 | Posted by Michael Oglesby in Compliance | Security - (0 Comments)

We here at True Digital Security conduct quite a lot of engagements around penetration testing, or “Pen-Tests”. Usually this testing is driven by compliance requirements like the Payment Card Industry (PCI) DSS or security audit requests from potential new clients. Unfortunately, penetration testing is perhaps the most confusing and misunderstood type of security engagement. Don’t quite know what I mean?  Try this little experiment: Google for “Penetration Testing” and try to determine the scope, and more importantly, the goal of a penetration test. Go ahead, I’ll wait ….  Confused yet? The vast array of methods, styles, and differing  goals can be overwhelming. Even security experts themselves don’t agree on what the purpose or goal of a penetration test should be.Read more

Michael Oglesby

Michael Oglesby

The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience. He oversees a team of analysts in conducting SAST- and DAST-based services. Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015. He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.

More Posts - Twitter

, ,

Microsoft’s banned function calls

May 21st, 2009 | Posted by Brett Edgar in Compliance | SDLC - (0 Comments)

After reading Michael’s earlier post about SDL, I started digging a bit deeper into Microsoft’s SDL documentation and came across this pretty cool page.  I wonder if anyone has a similar page for Unix-like OSes?

Brett Edgar

Brett Edgar

Brett is a Founder and the Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.

More Posts - Twitter

, ,

Avoid Becoming a Data Loss Victim

May 4th, 2009 | Posted by Nathaniel James in Compliance | Security - (0 Comments)

With the current US economy downturn, cyber crime is increasing at an alarming rate. Let’s face it – data loss can quickly become a public relations nightmare for any business. Solid Core conducted a survey [solidcore.com] of 201 IT and compliance professionals and found that more than half of the respondents admitted their organization either experienced or did not know if they had experienced a compliance control deficiency in the last year.

The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, released the 2008 Annual Report on the number of Internet crime complaints received. This report [ic3.gov] was made available on March 31, 2009.

The 2008 Annual Report states that complaints of online crime hit a record high in 2008. The Internet Crime Complaint Center received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss totaled roughly around $931 dollars.

Now more than ever, it’s extremely critical for everyone to do their part and be vigilant when it comes to network and enterprise security. Still, with the recent gains in the stock market, I’m hopeful this trend will become more positive.

Nathaniel James

More Posts - Website

, , ,

Acquiring target… NOW!

May 1st, 2009 | Posted by Dominic Schulte in Compliance - (0 Comments)

Walt Conway has some interesting commentary [treasuryinstitute.org] on the recently released Verizon data breach report [verizonbusiness.com].

All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them stress the importance of security policies, procedures, and communication to their employees.

While our generic email campaigns typically fool a few of the overly curious or too-quick-to-click crowd, the more informed (targeted) phishing campaigns are overwhelming effective to the point that we often need to reassure our clients that the world is not ending.  Unfortunately, this report highlights the fact that targeted attacks are not just elements of security company sales talk.

Dominic Schulte

Dominic Schulte

Dominic Schulte currently serves as the Managing Director of Security Services & Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.

More Posts

, , ,