3 min
PCI
How PCI Compliance Helps Keep Your App’s Credit Card Data Safe
In this blog, we break down why you and your organization should be committed to the Payment Card Industry Data Security Standard (PCI DSS, or PCI).
3 min
InsightIDR
Utilize File Integrity Monitoring to Address Critical Compliance Needs
To help organizations address their compliance auditing needs, we are excited to introduce file integrity monitoring (FIM) for InsightIDR.
2 min
Compliance
The British Airways Breach: PCI is Not Enough
Magecart's techniques are sophisticated and worth understanding in detail, especially because they point out a major gap that occurs even with perfect PCI compliance.
4 min
InsightIDR
PCI DSS Dashboards in InsightIDR: New Pre-Built Cards
No matter how much you mature your security program
[https://www.rapid7.com/fundamentals/security-program-basics/] and reduce the
risk of a breach, your life includes the need to report across the company, and
periodically, to auditors. We want to make that part as easy as possible.
We built InsightIDR [https://www.rapid7.com/products/insightidr/] as a SaaS SIEM
[https://www.rapid7.com/solutions/siem/] on top of our proven User Behavior
Analytics (UBA) [https://www.rapid7.com/solutions/user-beh
2 min
Nexpose
Maximizing PCI Compliance with Nexpose and Coalfire
In 2007 Coalfire selected Rapid7 Nexpose as the engine around which to build
their PCI Approved Scanning Vendor (ASV) offering. PCI was just a few years old
and merchants were struggling to achieve and document full compliance with the
highly prescriptive Data Security Standard. Our goal was to find that classic
sports car blend of style and power: a vulnerability assessment solution that
was as streamlined and easy to use as possible, but robust enough to
significantly improve the customer's security.
3 min
User Behavior Analytics
[Q&A] User Behavior Analytics as Easy as ABC Webcast
Earlier this week, we had a great webcast all about User Behavior Analytics
[https://www.rapid7.com/solutions/user-behavior-analytics.jsp?cs=blog] (UBA). If
you'd like to learn why organizations are benefiting from UBA, including how it
works, top use cases, and pitfalls to avoid, along with a demo of Rapid7
InsightIDR, check out on-demand: User Behavior Analytics: As Easy as ABC
[https://information.rapid7.com/uba-as-easy-as-abc.html] or the UBA Buyer's Tool Kit
[https://information.rapid7.com/
5 min
PCI
Seven Ways InsightIDR Helps Maintain PCI Compliance
If your company processes credit card transactions, you must be compliant with
the Payment Card Industry Data Security Standard, or PCI DSS
[https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf]. Any
entity that stores, processes, or transmits cardholder data must abide by these
requirements, which provide best practices for securing your cardholder data
environment (CDE) [https://www.rapid7.com/solutions/compliance/pci-dss/].
Rapid7 InsightVM [https://www.rapid7.com/products/i
2 min
Compliance
Top 3 Takeaways from the "PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data" Webcast
In this week's webcast, Jane Man [/author/jane-man] and Guillaume Ross
[/author/guillaume-ross] revisited the latest PCI DSS 3.0 requirements. Security
professionals need to be diligent to remain compliant and secure. Jane and
Guillaume discussed some key results from the Verizon 2015 PCI Compliance
Report, tips and tricks for complying with requirements 7, 8, and 10, and
touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways
from the “PCI DSS 3.0 Update: How to Restrict
2 min
PCI
Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast
Penetration Testing is a complex process that requires attention to detail,
multi-tasking, extensive knowledge of different attack vectors, available
vulnerabilities and exploits, and patience. Recently erayymz
[https://twitter.com/erayymz], Senior Product Manager at Rapid7, spoke with pen
testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin
Heywood, Manager of Security Assurance at ATB Financial. They discussed how to
take advantage of automation with Metasploit Pro to sim
3 min
PCI
PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance
A big thanks to Andy Barratt [https://www.linkedin.com/in/andrewbarratt] -
Managing Director, Europe and QSA, Coalfire for his contribution to this
newsletter.
“Any darn fool can make something complex; it takes a genius to make something
simple.”― Peter Seeger
If you are the glorious knight responsible for getting your company up to
mandatory compliance levels (and keeping it there), you may well feel daunted
by this enormous and tedious undertaking. This is especially true
fo
2 min
PCI
ControlsInsight: Server Controls - Single Critical role
NIST CM-7, Australian DSD Mitigation #24, SANS critical control 11-6 and PCI-DSS
2.2.1 all call for servers deployed in a production environment to serve only
one primary function.
For example, if we add another critical role such as file services to a web
server, we increase that server's attack surface. Web servers deployed in a
production environment are generally exposed to the public internet and are
therefore more susceptible to attack. They require high maintenance with respect to installing
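The one-primary-function rule above is easy to state and easy to drift from as a server accretes services. What follows is an added example, not code from the original post or from ControlsInsight: a Python check that reads the listening TCP sockets a host reports (in the column layout `ss -ltnp` prints), maps well-known ports to a coarse server role, and fails when the host serves more than one role. The port-to-role table, the choice to ignore SSH and loopback-only listeners, and the sample socket listing are all assumptions constructed for illustration.

```python
"""Flag a production server that serves more than one primary function.

Added example, not code from the original post: it classifies listening TCP
sockets (in the column layout printed by `ss -ltnp`) into coarse server roles
and reports when more than one role is present, the condition PCI DSS 2.2.1
and the other controls cited above say to avoid. The port-to-role table and
the sample socket listing are assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed mapping of well-known listening ports to a primary server function.
PORT_ROLES = {
    80: "web", 443: "web", 8080: "web",
    21: "file", 139: "file", 445: "file", 2049: "file",
    1433: "database", 1521: "database", 3306: "database", 5432: "database",
    25: "mail", 143: "mail", 587: "mail", 993: "mail",
    53: "dns",
    389: "directory", 636: "directory",
}

# Management plumbing rather than a server role: an sshd on a web server does
# not make it a "remote access server".
IGNORED_PORTS = {22}

# Local Address:Port column of `ss -ltnp`: "0.0.0.0:443", "[::]:80", "*:80".
_LOCAL_ADDR = re.compile(
    r"^(?P<addr>\*|[\d.]+|\[[0-9a-fA-F:]*\])(?:%\S+)?:(?P<port>\d+)$")


def parse_ss_listening(text):
    """Return (address, port) tuples for every LISTEN line in ss output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        m = _LOCAL_ADDR.match(fields[3])
        if m:
            sockets.append((m.group("addr"), int(m.group("port"))))
    return sockets


def classify_roles(sockets, loopback_only_is_role=False):
    """Map listening sockets to {role: set(ports)}.

    A service bound only to loopback (127.0.0.1 / [::1]) is not reachable by
    clients, so by default it does not count as a role the server provides.
    """
    roles = defaultdict(set)
    for addr, port in sockets:
        if port in IGNORED_PORTS or port not in PORT_ROLES:
            continue
        if addr in ("127.0.0.1", "[::1]") and not loopback_only_is_role:
            continue
        roles[PORT_ROLES[port]].add(port)
    return dict(roles)


def check_single_role(ss_output):
    """Return (ok, roles); ok is False when more than one role is served."""
    roles = classify_roles(parse_ss_listening(ss_output))
    return len(roles) <= 1, roles


# Constructed sample: a web server that has also grown an SMB file service and
# a local-only MySQL instance.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1201,fd=7))
LISTEN 0      50           0.0.0.0:445       0.0.0.0:*     users:(("smbd",pid=1410,fd=4))
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=990,fd=21))
"""

if __name__ == "__main__":
    ok, roles = check_single_role(SAMPLE_SS_OUTPUT)
    for role, ports in sorted(roles.items()):
        print(f"{role}: ports {sorted(ports)}")
    print("PASS" if ok else "FAIL: more than one primary function on this server")
```

On a live host, pipe the output of `ss -ltnp` into `check_single_role`. The table needs extending for application-specific ports, and a PASS only says the listener inventory looks single-purpose; it says nothing about whether that one role is hardened.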
3 min
PCI
Cyber Security Awareness Month: Data Custodianship
By now, you know that October is Cyber Security Awareness Month in the US
[http://www.staysafeonline.org/ncsam/] and across the European Union
[http://www.enisa.europa.eu/activities/stakeholder-relations/nis-brokerage-1/european-cyber-security-month-advocacy-campaign].
We know many SecurityStreet readers work in information security and are
already “aware” - so this year we're equipping you for executive tier cyber
security discussions. We kicked this off last week with a piece on why security
3 min
PCI
PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!
This newsletter clarifies what is expected to comply with PCI DSS 11.3:
Penetration testing.
Why is a pen test needed?
In the same way that a wellness check supports a doctor's diagnosis by determining
what is wrong or not working as expected (a.k.a. an analysis) and establishes the
appropriate treatment (a.k.a. a remediation plan), penetration testing aims to:
* Confirm a diagnosis by determining whether identified vulnerabilities are
genuine and how severe they are
* Validate that defense m
2 min
PCI
Top 4 Takeaways from "Mind the Gap: 5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis" Webcast
PCI is never far from mind these days as the January 1, 2015 deadline for most
organizations to comply with PCI DSS 3.0 approaches quickly. In light of this
deadline, ncrampton [https://community.rapid7.com/people/ncrampton]
and ospannero [https://community.rapid7.com/people/ospannero] hosted a webcast
earlier this week on "5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis
[https://information.rapid7.com/5-steps-to-perform-pci-gap-analysis-webcast.html?CS=blog]
", so that org
4 min
PCI
PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the "Keys to the kingdom" problem
What's a privileged account?
The term "privileged account", also known as "high privileged account" or "super
user", refers to any type of account that holds special or extra permissions
within enterprise systems.
They are generally categorized as:
* IT administrative accounts used to install or configure, e.g. UNIX root,
Windows Administrator accounts or accounts associated with database ownership
and network components.
* Identity and access management accounts used to manage use
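Before privileged accounts can be contained they have to be found, and on a UNIX host that means more than grepping for root. As an added example, not from the original newsletter, the Python below inventories privileged accounts of the first category above from /etc/passwd, /etc/group and sudoers content: UID 0 accounts, members of administrative groups (including users whose primary group is one), and accounts granted commands by a sudoers rule either directly or through a %group. The administrative group list and the sample file contents are constructed assumptions; the sudoers parser reads direct rules only and skips aliases and include directives.

```python
"""Inventory the privileged accounts on a UNIX host.

Added example, not code from the original newsletter: it reads /etc/passwd,
/etc/group and sudoers content and reports every account that is privileged
because it has UID 0, belongs to an administrative group, or is granted
commands by a sudoers rule (directly or through a %group). The admin group
list and the sample file contents are constructed assumptions.
"""
import re

# Assumed: groups whose members can become root or read everything.
ADMIN_GROUPS = {"root", "wheel", "sudo", "admin", "adm"}

# A direct sudoers rule: "<user or %group> <hosts> = [(<runas>)] [TAG:] <cmds>".
_SUDO_RULE = re.compile(r"^(?P<who>%?[A-Za-z0-9_.\-]+)\s+\S+\s*=\s*(?P<spec>.+)$")

def _records(text, min_fields):
    """Yield colon-separated records, skipping blank and comment lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split(":")
            if len(parts) >= min_fields:
                yield parts

def parse_passwd(text):
    """Return {user: (uid, gid, shell)} from /etc/passwd content."""
    return {p[0]: (int(p[2]), int(p[3]), p[6]) for p in _records(text, 7)}

def parse_group(text):
    """Return {group: (gid, set(members))} from /etc/group content."""
    return {p[0]: (int(p[2]), {m for m in p[3].split(",") if m})
            for p in _records(text, 4)}

def parse_sudoers(text):
    """Return {who: [command spec, ...]} where who is 'user' or '%group'.
    Defaults, aliases and include directives are skipped (direct rules only)."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                            "Host_Alias", "Runas_Alias", "@")):
            continue
        m = _SUDO_RULE.match(line)
        if m:
            rules.setdefault(m.group("who"), []).append(m.group("spec"))
    return rules

def privileged_accounts(passwd_text, group_text, sudoers_text):
    """Return {user: sorted reasons} for every account that is privileged."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    reasons = {}
    def add(user, why):
        reasons.setdefault(user, set()).add(why)
    def in_group(name):
        # Listed members plus users whose primary GID is this group.
        gid, members = groups.get(name, (None, set()))
        return members | {u for u, (_, g, _) in users.items() if g == gid}
    for user, (uid, _, _) in users.items():
        if uid == 0:
            add(user, "uid 0")
    for name in ADMIN_GROUPS & set(groups):
        for user in in_group(name):
            add(user, f"member of {name}")
    for who in parse_sudoers(sudoers_text):
        if who.startswith("%"):
            for user in in_group(who[1:]):
                add(user, f"sudo via {who}")
        else:
            add(who, "sudo rule")
    return {u: sorted(r) for u, r in reasons.items()}

# Constructed sample data (assumptions, not taken from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
deploy:x:1002:1002:Deploy:/srv/app:/bin/sh
postgres:x:115:120:PostgreSQL:/var/lib/postgresql:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
postgres:x:120:
"""
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
@includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    inventory = privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS)
    for user, why in sorted(inventory.items()):
        print(f"{user}: {', '.join(why)}")
```

The second UID 0 account (`toor`) and the service account with a narrow NOPASSWD rule (`deploy`) are the kind of entries that a list of "administrators" compiled from memory misses; both still hold keys to the kingdom and belong in the inventory that the newsletter's containment steps apply to.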