Insights for Reasonable Cyber Security and Compliance
What’s happening in the world of cybersecurity? How do you define 'reasonable' security controls? Which cyber threats can be prevented? What steps should you take to make your systems safer? Read our blog posts to gain new insights into cybersecurity news, security awareness, the latest threats and risks, penetration testing, compliance, regulations and so much more.
EMV (Europay, MasterCard, Visa): THE COMING SHIFT IN LIABILITY
Author: Todd Becker, PCI QSA, ISO 27001 Auditor
‘Chip and PIN’, or EMV (“Europay, MasterCard, Visa”), is an open-standard set of specifications for smart card payments and acceptance devices and is a popular topic these days with HALOCK’s PCI clients. EMV is not a PCI requirement. However, there is a ‘liability shift’ in October 2015 that impacts brick and mortar merchants that accept credit cards (i.e. all of them). With this in mind, it is important to understand that EMV and PCI are complementary in their relationship, rather than being interwoven. We will explain below.
HOW TO CREATE A REALLY STRONG PASSWORD: A PEN TESTER’S PERSPECTIVE
Attackers have figured out how to crack even what you and I think are the toughest passwords. HALOCK pen testers almost always find passwords to be a weak spot in every investigation. With so much at stake, it’s a wonder why password safety still isn’t being taken seriously.
How To Find The Right QSA
If you are a Level 1 or Level 2 merchant, complying with the Payment Card Industry Data Security Standard (PCI DSS) continues to get more complicated. The stakes have never been higher for large organizations that process payments. With major data breaches such as Target, Home Depot, JP Morgan Chase and countless others constantly in the headlines, organizations are relying more and more on QSAs to help them navigate the Standard and get into compliance. Additionally, with risk management taking a larger focus, organizations are looking for QSAs with the right credentials, ones that don’t simply take an audit checklist approach to PCI but use critical thinking to delve deeper into the organization and uncover hidden risks.
PCI DSS 3.1 RELEASED
Author: Viviana Wesley, PCI QSA
The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released today outlining a number of important changes.
HOW TO PROTECT YOURSELF FROM SOCIAL ENGINEERS IN SOCIAL MEDIA
The use of social media like Twitter, Facebook, Instagram, Tumblr, Google Plus, LinkedIn and others has been steadily growing. It is used not only by individuals connecting with their “tweeps,” but also by businesses connecting with their customers, and even by politicians connecting with their constituents. Social media platforms have become a forum for sharing all manner of expression on all subjects.
PCI DSS v3.1 Coming – SSL No Longer Considered Strong Cryptography
Author: Viviana Wesley, PCI QSA
In a recent bulletin the Payment Card Industry Security Standards Council (PCI SSC) stated that updates to the Data Security Standard (DSS) version 3.0 will be forthcoming, and very soon. The change is related to vulnerabilities seen in Secure Sockets Layer (SSL) cryptography.
ENDPOINT DETECTION AND RESPONSE: FIRE FOR EFFECT
The modern digital landscape is a battleground rife with adversaries ready and willing to go to great lengths to steal your data. Clever independent attackers and state-sponsored actors alike are deploying increasingly effective versions of cyber attacks intended to intrude, infect, steal, evade, disrupt and destroy everything they touch. To defend themselves, many businesses are investing in a variety of technologies and techniques to mitigate these threats. Blocking, containing, obfuscating, authenticating, verifying, and filtering are all important control elements of network security.
DON’T BE A SUCKER ON VALENTINE’S DAY
Valentine’s Day is February 14. Traditionally it’s the one day of the year when people express their love for each other by sending flowers, candies and love notes. But we’re not here to talk about love and candy and flowers… we’re here to talk about how hackers use holidays like this to compromise your security.
Hackers and other thieves are looking to prey on those they perceive are weak – the lonely hearts. They set up elaborate fake social media profiles, with attractive photos using stock photography to swoon and lure their victims into thinking that they are a sincere love interest. The bad guys can get you talking and learn all sorts of things about you without you ever speaking a word or meeting face-to-face. All with the purpose of exploiting the information you have.
So the next time you get that friend request on Facebook or connection request on LinkedIn, you might think twice about accepting it unless you actually know the person. Don’t be a sucker this Valentine’s Day – or any day. Hackers are counting on it.
Download our “Don’t Be a Sucker” Security Awareness Poster at halock.com and let your co-workers know too!
PREPARING FOR YOUR DATA BREACH
Author: Chris Cronin, ISO 27001 Auditor
Most InfoSec professionals don’t want to think about becoming the next victim of a major data breach to make the headlines. And yet each new major data breach is a time when Executive Management and security teams reflect on their own insecurities. The latest breach is being reported as the largest data breach of health information or protected health information (PHI) in U.S. history, with 80 million records stolen. The high-profile breaches of Sony, Target and Home Depot brand themselves in consumers’ minds as Americans deal with the direct and indirect effects. And now we have a large healthcare insurance provider running its incident response cycle.
PCI v3.0 Transition Year Ends…With One More Deadline Looming
Author: Terry Kurzynski, ISO 27001 Auditor, CISSP, CISA, PCI QSA
As we rang in the New Year, the transition year for PCI v3.0 compliance came to a close. All businesses are now required to be compliant with version three of the PCI Data Security Standard (DSS). But did you know that a handful of the requirements are still considered best practice until they become full requirements on July 1, 2015? The following is a quick summary of those four requirements; you still have a few more months to fully implement them: