SMB Data Breach Fallout
For any organization a data breach is a disruptive experience. Besides the distraction from daily operations, and unwanted publicity, a data breach brings a huge financial burden as well. Most large businesses have the resources to weather the storm, but many small and mid size businesses aren't as fortunate. Most SMBs don't have the capital or technical talent on staff to properly respond to a data security breach. Given that 71% of data breaches target small businesses, I thought it would be beneficial to discuss the fallout of a security breach and the impact it could have to a small business.
Old vs New: A Comparison of Magnetic Stripe and Chip-and-PIN
I was doing some poking around on the internet recently, reading various stories about different network breaches and loss of credit card numbers and I was reminded of the semi-recent Target breach and how they're making a push to switch to chip-and-PIN cards. This made me think it would be a good idea to do a a write up on the differences between chip-and-PIN and traditional magnetic stripe credit cards.
Passwords & Underpants
I don't know how I missed it before, but I stumbled upon a little InfoSec analogy that has been floating around for a while now. It goes a little something like this: "Passwords are like underpants...". They then proceed to list all the things that passwords and underwear have in common.
Q.E.D Is Fast Approaching
We are getting excited around here for the first ever QSA Educational Discussion! This is going to be a great event to hone your PCI compliance skills, get answers to those complex compliance questions and PCI DSS interpretations.
I Have Vulnerabilities On My LAN. So What?!
During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually see or detect many vulnerabilities that are typically not found on the public internet. These vulnerabilities range from a small information disclosure (yawn) to full remote code execution (OH YES!) and of course everything in between. As a good security professional, my recommendations are to fix every single vulnerability found. This would exclude vulns that exist due to a specific business need, such as legacy systems or applications, or other legitimate reasons. When I suggest that we fix all of them, I often receive pushback from IT staff and sometimes even the stakeholders.