LRQA Nettitude Blog

Introduction

CREST, CSA and AISP work together to introduce penetration testing certifications in Singapore

eBay is in the headlines once again this week as the online auction site has reportedly been compromised by a cross-site scripting (XSS) attack, in which users were redirected to a spoof site designed to steal their credentials.  This latest attack follows an announcement from the company back in May urging its users to change their passwords after one of its databases containing encrypted passwords and other customer data had been compromised via a “small number of employee log-in credentials, allowing unauthorised access to eBay’s corporate network”.

Nettitude has added another string to its penetration testing bow today, following confirmation from CREST – the not-for-profit organisation that serves the needs of the technical information security marketplace – that our testing team has successfully achieved full CREST STAR (Simulated Target Attack & Response) status. STAR is arguably one of the most sophisticated approaches for delivering penetration testing. Through combining comprehensive threat data with a “Red Team” style of testing, STAR assessments are designed to deliver some of the strongest levels of assurance available to organisations across the globe.

‘Ssssshh – Do I have to tell anyone that I have lost something important?
Beyond PCI DSS - Protecting more than just card data
The latest version of the PCI Data Security Standard, which was formally released last month (Version 2.0, 28 Oct 2010), provides Merchants, Service Providers, Auditors and Banks with an opportunity to briefly review how far (or not) the Card Payment Industry has come in securing it’s Card Holder Data.
Many IT Managers and Financial Directors still loath the words ‘PCI Compliance’, however, the essential common sense of the 12 requirements are slowly being understood as general good practice for data security.

Version 2.0 offers no seismic shift in the standard or its approach. Clarifications of the existing requirements, a more detailed reporting/testing process and a longer three-year cycle of updates all demonstrate that the standard is bedding into a mature yardstick for data security.

Now is a good time to pause and reflect on why these requirements cause so many organisations so much pain. We should also scratch our heads and ask why it is that we have not done all this before?
Clearly, a big part within our organisations and companies has been played by a culture that has seen security as an optional add-on, or something to be considered when the budget exists, or as is the case with many, a naive understanding that security will be someone else’s problem. The media is full every week of cases of data theft:  Law company websites being compromised, major hotel chains being breached and high street retailers being attacked.

Or what about the reports that Card Details have been sent out in clear text emails in what appears to be an unthinking legitimate process, or the reports of yet another loss of Personally Identifiable Information (PII) on a USB/CD/Laptop/unencrypted email or spreadsheet.

The pillars and concepts of PCI Security are not rocket science. They consist of 12 requirements that any Information Security Manager worth his salt would be able to pull together as sensible, common-sense measures that any organisation that takes security seriously should be doing to some degree or level.