QSA Partner. Continuation from Part 1…
Back to the joys of selecting a QSA partner! I know when I contact them they are all going to want to know a lot of details about my business, including technical configurations. This is because a PCI audit, like many other audit frameworks, needs to verify the policy and configuration details of just about every component of your business and networks to properly scope the amount of work for your environment. This ranges from the standard server image hardening process to firewalls, antivirus, change management, software development, physical access, visitors, vendors, policies, etc.
By December 31, 2017, organizations that process, store, or transmit Controlled Unclassified Information (CUI) need to comply with NIST Special Publication 800-171. The question organizations need to consider is what it means for their SaaS applications. How do you do it in the “bring your own cloud” (BYOC) world we live in? I am going to walk you through the critical things you need to think about for SaaS applications as you go through this.
It’s that time again. Yes, time to find this year’s auditor. You’d think that after 10 years of contacting, meeting with, planning and doing in-depth Level 1 audits for multiple customers per year, for ZZ Servers, a managed private cloud provider for PCI and HIPAA businesses, finding a Qualified Security Assessor (QSA) to work with would be easy. Maybe it would be especially easy because, before ZZ, I was a PCI QSA doing the Level 1 audits, code reviews, and penetration tests myself!
Coming from several large corporations that needed to attest to PCI DSS compliance annually, as well as being a QSA in a few former lives, I’ve seen my fair share of the post-audit slump. You know what I’m talking about; it’s the, “Wow! We completed our audit! Let’s take the next 11 months off to focus on other business needs and we’ll ramp back up during month 11.” Sure, you may not word it exactly like that; but more often than not, that’s exactly what happens.
There are a couple of major problems with “taking a break” after an audit. Firstly, in the case of PCI DSS, there are daily requirements to meet, log review being the frontrunner. On more than one occasion I’ve assessed a company several years in a row, and usually between the first and second year the company has had trouble proving they do daily log review, especially if they’re not really setting up alerts around it. The more humorous ones are the SIEM/SOC folks who have a daily digest sent to a folder in their mailbox. I’ll show up in year two and find 300-something unread emails.
Since the first Red Lion Puerto Rico post, lots of things have happened!
Janice Paulson, my wife, and I attend quite a few hacker conventions every year. We run BSidesDE, are semi-officially listed on the organizer’s council for BSidesDC, attend BSidesLV and Defcon, work Derbycon and Shmoocon, and probably go to another 2-3 conferences a year, besides these.
And at Derbycon, in Louisville, KY, I met up with some friends of mine. Ok, about 2500 friends of mine. Derbycon is a hacker conference run by Dave Kennedy, Erin Kennedy, Martin Bos, and others. TrustedSec employees and friends put a lot of effort into the conference. Part of that conference is a 2-day training period, where high-quality paid training is delivered. One of the trainers, Carlos Perez, is a master of post-exploitation, and his training is highly valued. Jose L. Quinones Borrero, the primary organizer of BSidesPR in Puerto Rico, was also at Derbycon.
Carlos and Jose are both Puerto Rican natives and fantastic guys. Both of their wives told them to come to the conference, and to have a good time. They’ve weathered hurricanes before, and it wouldn’t be too bad. They were wrong.
Authored by: Joshua Marpet – COO, Red Lion & Janice Paulson – Data Scientist, Red Lion
Red Lion has no intimate knowledge of why or how the Equifax breach occurred. Red Lion was not involved in the security planning, implementation, or strategy for Equifax, nor have we been consulted for the incident response, crisis communications, or any aspect of Equifax’s security, compliance, security testing, etc.
Equifax holds information about the bulk of all Americans who participate in common banking and credit transactions. They gather this information from your credit applications such as mortgage paperwork, car loans, and credit cards. They buy information about your address, family members, and other personal information from various sources, and re-sell it, along with their assessment of your creditworthiness, to banks and other lending institutions.
You consent to this every time you participate in the banking or credit lending system.
“WannaCrypt (a.k.a. WannaCry) is the name of a malware used in the May 2017 global ransomware attack targeting Microsoft Windows operating systems via known vulnerabilities leaked by The Shadow Brokers.
Through extensive research, it was found that the malware sends an HTTP request to a seemingly random domain name in the early stages of its execution. If the HTTP call fails, the malware encrypts the user’s files, requests ransom, and will spread to other vulnerable machines. If the HTTP call is successful, the malware exits, halting the encryption of files and its own spread.”
OWASP is changing their Top 10! Ok, so this really isn’t as serious as I thought, but, wait, what is that? IT IS! Whether IPv4 or IPv6, common vulnerabilities can be found all over the place. OWASP is finally updating their Top 10. So let’s look at some of the finer points.
Recently, the Red Lion team paid a visit to ITPro.tv studios in Gainesville, FL using a “party bus” set up by the company’s leaders Tim Broom and Don Pezet. Once there, the entire staff greeted us.
ITPro’s journey didn’t start out as flashy as they are today. To get to their current setup, they transitioned from a closet, then a warehouse, and finally to their current 10,000 sq ft facility. The first thing they did after moving in was to tear up the ground and re-lay the subfloor. They also laid pipes from the control center to each of the 5 “pods”/studios. This allows extra cabling to be run to and from the control center as needed. Then, they equipped each pod with soundproofing foam squares, overhead scaffolding, lighting, and cameras. The best part is that the control center can control all pods at the same time. And all sets are built for maximum flexibility to fit the needs of their presenters.
This configuration is “typical” for most production studios. However, keeping the offices on the production floor allows for massive flexibility and a “Wow this is cool!” factor that is off the charts.
ITPro serves the needs of the information security community in many forms. From being the Sherpas of solid technical content to enabling the career-changing transformation of all people who want to better themselves, ITPro is the place to start. Their price as of the time of writing is $570 for the year or $57 per month with no annual commitment! This pales in comparison to SANS Training at ~$5000/course. That being said, this is not a replacement for the boot camp style of training that most look forward to (and others dread). This can be an economical option for tight budget constraints, or for someone with an individual desire to learn.
ITPro’s offerings can be found in their course catalog. They have a free trial that will allow you to sign up and start viewing content. Sign up today and start changing your career.
As a Red Lion regular you get 30% off your subscription to ITPro.tv when you use the discount code: RedLion.