Following the Sony breach, President Obama is preparing legislation and security initiatives intended to help strengthen the security of the US and companies that operate here. While it is good to see this issue brought to national attention, it’s hard to see how these proposals will actually lead to a stronger security posture for a few major reasons.
Released today, the movie Blackhat centers on several cyber-attacks perpetrated against a Chinese nuclear facility and the stock market, and the hunt for the perpetrator of the attacks by Chinese and American law enforcement agencies. As with many movies centering on hackers and cyber security, expectations for accuracy were fairly low among experts in the field. We at SecureState decided to watch the movie and note any of the ridiculous inaccuracies here. Be forewarned, there are some minor spoilers ahead.
As we head into the New Year, QSAs and organizations alike begin preparing for their annual Report on Compliance (RoC). A year ago, the PCI Council announced that version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) would come into effect beginning January 1, 2015. The council updated the standard to provide greater clarification and additional guidance on the PCI 2.0 requirements, with the intent of moving the DSS closer to industry expectations. Although the changes from PCI 2.0 to 3.0 were not dramatic, it takes time to fully understand the council's intent. The following is an overview of the changes from PCI 2.0 to 3.0 and suggestions for upcoming RoCs in 2015.
As your organization begins to lay the groundwork for their 2015 PCI 3.0 Audits, take a look at the following services to better prepare:
While PCI DSS has required penetration testing for quite some time, the soon-to-be-mandatory PCI 3.0 has made a few changes to how penetration testing should be done, and where/when it is needed.
Changes and Enhancements to 11.3
11.3, the overall rule that covers the need for penetration testing, has been changed to specify how the tests are performed. In particular, the 3.0 version adds guidelines for creating a methodology for the tests, which QSAs are now required to evaluate as part of a PCI audit.
Below are 5 tips from SecureState QSAs to prepare for your organization’s upcoming audit:
"TOR is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet," according to TORProject.org. TOR is a type of Darknet, a private network in which connections are only established between trusted peers. It was originally an extension of ARPANET, the government project which led to the current Internet, and was developed by the United States Navy. TOR is the largest publicly available Darknet; these networks are used to reach anonymous services and let individuals access content in a discreet manner, all in order to obscure the identity of the user and their associated Internet activity from any type of oversight. It is estimated that over a million users currently use TOR networks around the world. In the end, these types of Darknets create an unseen network bundled within the Internet we all use every day.
As you have probably heard, Sony Pictures Entertainment was recently the target of a major compromise, which involved the copying of vast amounts of data, including the personal details of employees, internal emails, and several unreleased movies. Reporting on this attack has largely focused on determining the potential source (with much speculation regarding North Korea), and only recently has it been uncovered that a portion of the attack originated in Thailand, specifically from a hotel and a college in Bangkok.
To our Colleagues in the Security Community,
As we prepare for the New Year, we have the opportunity to reflect on 2014. This past year brought news of the recovering US economy. Job growth was steady and businesses began to finally see the end of the recession. With many companies posting record profits, the stock markets are hitting new record highs. In general, feelings have shifted from the desperation of the recession to optimism for the future. In 2015, my hope is that this trend continues. Jobs should continue to grow, if not increase even more quickly. Companies should continue to see increases in sales and profits, fueling the stock markets to reach for even higher numbers.
Recently, security news has been focused on a particular new form of malware known as Regin. While the developer of this software remains officially unclear, most experts believe that Regin must have been developed by a group with large amounts of both time and money, which points to it being state-developed or at the very least state-sponsored. Given the various identified targets of the malware, as well as some other details about the software, the most likely developers are the US and UK governments. This malware is even mentioned specifically in some of the leaked Snowden documents as being used in 2012 by the GCHQ (the UK equivalent to the US’s NSA).