Heartbleed Hanging On
More than a month has past since the disclosure of the Heartbleed vulnerability and it is still making the rounds in the news. Even though it presents a serious security issue to Internet communication there are still a good number of servers and services that haven't been fixed. There is also evidence that a good portion of remediation efforts have fallen short and are insufficient to protect against and resolve the issues created by Heartbleed.
PCI Policy Documentation
Without fail, the first time an organization goes through the PCI gap assessment, remediation, and assessment cycle, they always underestimate the amount of specificity required by the PCI DSS. Smaller companies will spend a significant amount of time drafting and adopting new policies within their organization, while larger companies will spend their time trying to find which existing policies satisfy which requirements, making adjustments as necessary.
My Software is End-of-support, Who Cares?
With the ultimate demise of Windows XP comes questions of what it really means that software is "unsupported?" I get this question a lot when a client reads through a penetration test report for their environment and wants to know why they can't use an out-of-date version of XYZ webserver software or Windows XP (which, by the way, was supported for just shy of twelve years).
QSA Educational Discussion | Q.E.D.
We are having the first ever QSA Educational Discussion Group (Q.E.D.) next month. If you are in the Phoenix metro area, please join us.
Death of Antivirus & Indicators of Compromise
This week there have been articles popping up all over the Internet with quotes from a Symantec executive stating that antivirus software is DEAD. The articles state that antivirus solutions are only catching about 45% of cyber attacks. Both the Wall Steret Journal and Brian Krebs (Krebs on Security) posted great articles on the topic and the current state of antivirus solutions.