Data centers


  • How can a vendor risk assessment help enterprise security?

    Third-party vendors are necessary for organizations, but with them come more security risks. Expert Mike O. Villegas discusses how vendor risk assessments can help.

  • Is mobile payment security regulated enough by PCI DSS?

    PCI DSS is pretty specific about security, but does it do enough for mobile payment security? Expert Mike Chapple explains why he says yes.

  • Exchange email security best practices sanction self-assessments

    Do you have the guts and technology know-how to undertake a self-assessment of your organization's Exchange-related risks? If so, start here.

  • Six areas of importance in the PCI Penetration Testing Guidance

    Complying with PCI penetration testing mandates has always been a challenge for enterprises. Expert Kevin Beaver discusses the recently released PCI SSC pen testing guidance and how it can help enterprises overcome their PCI woes.

  • From SSL and early TLS to TLS 1.2: Creating a PCI DSS 3.1 migration plan

    PCI DSS 3.1 requires enterprises to end their use of SSL and early TLS by June 30, 2016. Expert Michael Cobb offers advice for putting a TLS 1.2 migration plan in place.

  • Manage compliance controls with Adobe Common Controls Framework

    Adobe's Common Controls Framework sets an example for enterprises struggling to manage multiple compliance standards and looking to build their own compliance framework.

  • Fighting crimeware, RAM scraping and other modern mischief

    There's a good possibility that the attacks you see this year will be harder to detect than in years past, particularly as malware generation toolkits make these more advanced techniques easy to incorporate with existing systems.

    In this three-part guide, SearchSecurity contributors examine the latest iterations of malware. First, however, is a chapter on crimeware in general -- that is, malware used to conduct crime. Not surprisingly, that means grabbing sensitive personal information from either point-of-sale terminals or individual end users. The ultimate goal is the same either way: to get at the money. Investigation is essential to understanding and preventing attacks, so we've included some guidance on how a formal investigation should proceed. Later, particular methods used by malware operators are explored in depth -- RAM scraping and advanced evasion techniques.

    This guide provides a valuable rundown of what's coming at you in the months ahead from the world of malware, and helps determine what you must do to keep your enterprise systems and finances secure.

  • Four ways security compliance standards strengthen enterprise security

    Rather than approaching security compliance standards as boxes to be checked, expert Steven Weil provides four ways enterprises can use compliance standards to strengthen security programs.

  • Credit card protection tactics: Technology vs. standards

    In 2014 shoppers spent almost $300 billion online (a number expected to grow in future years). There was a significant number of online fraud attempts, too, and about 78% of those were made through website applications. (In contrast, only 3% were made via mobile applications.)

    This Technical Guide looks at efforts made thus far to crack down on credit card fraud. It starts with a discussion of card-not-present scams, currently a tool of choice for fraudsters, not only because they can shift tactics rapidly among different types of Internet transactions but also because there is no need to steal a card itself (only its attributes), which means customers are typically unaware of the theft until after fraudulent transactions have occurred. It then considers the new breeds of technology placed into networks today that focus on fraud and may give organizations means to not only detect and monitor but also stop fraud. The good news is that these tools for banks and merchants alike begin to protect before a transaction is ever made.

    Finally, Chapter 3 explores whether the Payment Card Industry's Data Security Standard (PCI DSS) effectively and efficiently protects consumer data.

  • What advice does the PCI Special Interest Group have for compliance?

    A new PCI Special Interest Group document gives advice to enterprises on staying PCI DSS compliant after audits. Expert Mike Chapple highlights the key takeaways.

  • How can companies protect against Backoff malware?

    After Backoff malware was discovered in over 1,000 businesses, companies should be asking how to prevent it. Expert Mike Chapple answers.

  • Ranum Q&A: Security metric best practices with IBM's Diana Kelley

    Marcus Ranum chats with IBM's Diana Kelley about security metric programs, risk appetite and the tradeoffs.

  • Can video surveillance improve PCI DSS 3.0 compliance?

    Requirement 9.9 of PCI DSS 3.0 focuses on physical security of point-of-sale systems. Expert Mike Chapple looks at whether or not video surveillance can help in that regard.

  • Mainframe security best practices for compliance with PCI DSS

    Mainframe security is a topic largely overlooked by QSAs assessing PCI DSS compliance, but expert Mike Villegas explains why enterprises can't ignore the key security controls that ensure mainframe compliance.

  • Disaster response and recovery: This is not a drill

    Disaster recovery takes many forms: natural disasters that knock out data centers, data that's lost in transit, nefarious employees who abscond with proprietary company information. And those are all operational hazards, to be sure, but sometimes disaster response and recovery is more than that. Sometimes, DR has life-or-death stakes, with the CIO playing a leading role in sifting through the chaos and keeping employees safe.

    In our first piece in this issue of Modern Infrastructure: CIO Edition, CIO expert Harvey Koeppel recounts his fears, but also his swift response and communication, when terrorism struck his institution. In our second piece, CTO Niel Nickolaisen explains how he matter-of-factly told a new CFO that IT should not, in fact, be the ultimate owner of disaster recovery efforts. In our third piece, Rich Licato, a chief information security executive, provides six steps toward building an enterprise risk management program that identifies both common risks and the countermeasures to take.