An interesting post from blog.elementps.com on the difficulties of franschise models and their impact on the paths of responsibility for PCI DSS compliance.

From a branding standpoint, franchisors have a lot to lose if one of their franchisees falls victim to a breach.  Depending on the level of media attention the breach garners, one for a store in downtown Philadelphia has the potential to negatively affect the brand – and, arguably, sales— across the state, regionally or even nationally.

The interesting thing with franchising and PCI DSS is that while franchisees may have individual merchant accounts with the bank (and therefore be responsible for their own reporting) the impact of a breach on the franchisers compliance may come up for question if a breach was to occur, as well as the inevitable brand reputation loss…

I’d be interested to here any feedback from the field on the topic.

Related articles by Zemanta

• PCI DSS Myths 2009: Myths and Reality (slideshare.net)
• ProPay to Host 2010 Data Security Summit (eon.businesswire.com)
• Why Businesses need to be PCI Compliant (wealthyways4you.com)
• Goodbye PCI – Hello Encryption and Data Loss Prevention Products (pindebit.blogspot.com)
• 2010 Compliance Laws (deurainfosec.com)

Here’s an excerpt of the release from Visa…

The marketplace has expressed a growing interest in pursuing data field encryption (also known as end-to-end encryption) of card data. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the “clear.” Importantly, data field encryption renders cardholder data useless to criminals in the event of a merchant data breach.

The full clarification can be downloaded here, and a “softer” version with sum executive summary style information here.

Kudos to Visa for seeking to clear this issue up a bit.

Related articles by Zemanta

• Only 27% of Organizations Use Encryption (it.slashdot.org)
• Gmail Moves To HTTPS By Default (it.slashdot.org)
• Using Encryption Garners Exemption For Data Breach Notification (yro.slashdot.org)

Found a very neat and succinct way of defining the difference between VA and Pentesting.

During a vulnerability assessment an environment is assessed to determine if known vulnerabilities can be identified. Penetration testing goes a step further by attempting to exploit these identified vulnerabilities.

The difference between the two, in terms of identifying a need within an organization, is that vulnerability assessment can be achieved using automated tools, whereas penetration testing generally can not.

Why this is important is that vulnerability assessment and penetration testing are addressed as separate requirements of the PCI DSS… Doing a VA will not address the pentesting requirement, and vice versa.

Related articles by Zemanta

• Metasploit Project Sold To Rapid7 (news.slashdot.org)
• The 20 Coolest Jobs in Information Security (q-ontech.blogspot.com)

I’m continually amazed at how often HIPS is confused with FIM. I guess I shouldn’t be.

Here’s a simple definition:

File Integrity Monitoring (FIM): FIM established a baseline value for the content, presence, and permissions of files on a system (application, binaries, config files, documents – they are ALL FILES). If a change is detected, an alert is raised. Examples of FIM are Samhain, McAfee PCI Pro (formerly Solidcore), Osiris, Tripwire, and nCircle CCM.

Host Intrusion Prevention System (HIPS): HIPS’s are in essence the same as Network Intrusion Detection/Prevention Systems except that they run on hosts. This is useful when you have, for example, point to point IPSec tunneling between your servers which would stop a NIPS/NIDS from detecting anything inside the tunnel (NIPS/NIDS are all but useless is the traffic they are monitoring  is encrypted). Examples are Snort, and just about all of the anti-virus vendors “End point” product now include some sort of HIPS.

This is the REALLY important part if the only reason your are interested is to comply with the PCI DSS:

HIPS will NOT get you compliant with PCI DSS 11.5 Deploy file-integrity monitoring software to alert personnel to
unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Just the same…

FIM will NOT get you compliant with PCI DSS 11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.

Related articles by Zemanta

• Facebook Joins with McAfee to Clean Up Malware on Site (bits.blogs.nytimes.com)
• Security through diversity (cdixon.org)
• Ingenico Unveils Strategy to Provide Secure End-to-End Solutions for Merchants in North America (pindebit.blogspot.com)

I know that this is fairly old news, but the rate of take up of wireless in the enterprise space makes it worthy of attention, and indeed the first real post on this blog.

I guess it was always going to happen. The fruit is hanging far to low with wireless networking for it not to attract a hell of a lot of the wrong type of attention. The saving grace is the fact that TKIP Personal seems to be the only flavor of WPA threatened.

The paper, Practical Attacks against WEP and WPA, is available for download. Giddy up!

Related articles by Zemanta

• WEP = Fail; WPA+TKIP = Fail (q-ontech.blogspot.com)
• One-minute WiFi crack puts further pressure on WPA (arstechnica.com)
• New attack cracks common Wi-Fi encryption in a minute (infoworld.com)
• New attack breaks Wi-Fi security in a minute (vator.tv)
• WPA networks cracked in just under a minute, researchers claim (engadget.com)