Categories ArchivesEnterprise Security

Edit: Merge.io is no longer, however, will keep this up as part of the discussion around vulnerability management. I’ve been known to say that vulnerability detection is easy—it’s vulnerability management that’s hard. There are too many tools available today that can tell you everything that is wrong with your security posture. The real work comes in finding the root cause of the issue, permanently eradicating it from your environment (as in changing configuration servers, patching gold builds, dealing with sleeping physical or virtual instances), and validating to everyone who wants to know that you were successful in doing so. Time and time again, my customers complain about the challenges associated with getting clean vulnerability scans. In fact, that might be ...

Visa released a public update to their Memory-Parsing Malware Warning yesterday bringing forward signatures and IPs from their original alert in April based on recent activity. This very effective technique can present itself leveraging commonly used debugging techniques for software. Essentially, this malware will access a few readily available routines to hook into the memory in a way that allows them to access and export full track data. So all of you folks who told QSAs like me this would never happen in a million years (this was a constant conversation from 2004 to 2009), baZINGA. Now that we have bazinga’d, let’s focus on how to prevent this from happening. Remember that post I did a while back about the ...

Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon! But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry. If you have worked with me in the past, you probably remember ...

It looks like it’s been a busy couple of weeks for the Council! We saw their release of the eCommerce guidelines, which had some good nuggets while missing the key point of understanding the contracting process for scoping. Now we have the release of the Cloud Guidance, the latest SIG to conclude and publish a report. Read this post, then check out StorefrontBacktalk’s post, then go download the document. First, let’s highlight the good stuff. There are some great charts that attempt to give examples on how responsibilities might be allocated depending on your setup. Go through these as a benchmark, but instead of taking their defaults as gospel, validate them with your CSP using Appendix C. They reference the ...