I Have Vulnerabilities On My LAN. So What?!
During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually see or detect many vulnerabilities that are typically not found on the public internet. These vulnerabilities range from a small information disclosure (yawn) to full remote code execution (OH YES!) and of course everything in between. As a good security professional, my recommendations are to fix every single vulnerability found. This would exclude vulns that exist due to a specific business need, such as legacy systems or applications, or other legitimate reasons. When I suggest that we fix all of them, I often receive pushback from IT staff and sometimes even the stakeholders.
Microsoft My Bulletins & PCI Compliance
Microsoft just released a new tool for their Security TechCenter. Its a pretty straight-forward service called My Bulletins [^1]. Basically it provides a customized dashboard to present Microsoft security bulletins. The nice thing is that you can customize the dashboard to only receive notices for those Microsoft products you use and care about.
PCI Policy Documentation
Without fail, the first time an organization goes through the PCI gap assessment, remediation, and assessment cycle, they always underestimate the amount of specificity required by the PCI DSS. Smaller companies will spend a significant amount of time drafting and adopting new policies within their organization, while larger companies will spend their time trying to find which existing policies satisfy which requirements, making adjustments as necessary.
My Software is End-of-support, Who Cares?
With the ultimate demise of Windows XP comes questions of what it really means that software is "unsupported?" I get this question a lot when a client reads through a penetration test report for their environment and wants to know why they can't use an out-of-date version of XYZ webserver software or Windows XP (which, by the way, was supported for just shy of twelve years).
QSA Educational Discussion | Q.E.D.
We are having the first ever QSA Educational Discussion Group (Q.E.D.) next month. If you are in the Phoenix metro area, please join us.