LRQA Nettitude Blog

Many people are aware of how Cross Site Request Forgery can be used to turn a victim’s browser against a vulnerable application, however vulnerabilities also exist that can turn an application server itself against the infrastructure that it is connected to.

Here at Nettitude, we have been delivering penetration tests for clients for more than a decade.  Over the last 10 years, we have seen the industry mature. Many organisations understand what penetration testing is, and as a consequence, it has become an integral part of many organisations' information security programs. However, more often than not, organisations ask us to focus on the technical aspects of a penetration test and ignore the social aspects. In many instances, we are told that ‘management’ doesn’t want to look at social engineering, and as a consequence, can we provide services that focus on the technology only?

A new year started and why change good habits - or maybe this is a New Year’s resolution? I’m just back from the second New York Metro ISSA Chapter meeting of 2012. Here is my quick wrap-up.

‘Ssssshh – Do I have to tell anyone that I have lost something important?
Beyond PCI DSS - Protecting more than just card data
The latest version of the PCI Data Security Standard, which was formally released last month (Version 2.0, 28 Oct 2010), provides Merchants, Service Providers, Auditors and Banks with an opportunity to briefly review how far (or not) the Card Payment Industry has come in securing it’s Card Holder Data.
Many IT Managers and Financial Directors still loath the words ‘PCI Compliance’, however, the essential common sense of the 12 requirements are slowly being understood as general good practice for data security.

Version 2.0 offers no seismic shift in the standard or its approach. Clarifications of the existing requirements, a more detailed reporting/testing process and a longer three-year cycle of updates all demonstrate that the standard is bedding into a mature yardstick for data security.

Now is a good time to pause and reflect on why these requirements cause so many organisations so much pain. We should also scratch our heads and ask why it is that we have not done all this before?
Clearly, a big part within our organisations and companies has been played by a culture that has seen security as an optional add-on, or something to be considered when the budget exists, or as is the case with many, a naive understanding that security will be someone else’s problem. The media is full every week of cases of data theft:  Law company websites being compromised, major hotel chains being breached and high street retailers being attacked.

Or what about the reports that Card Details have been sent out in clear text emails in what appears to be an unthinking legitimate process, or the reports of yet another loss of Personally Identifiable Information (PII) on a USB/CD/Laptop/unencrypted email or spreadsheet.

The pillars and concepts of PCI Security are not rocket science. They consist of 12 requirements that any Information Security Manager worth his salt would be able to pull together as sensible, common-sense measures that any organisation that takes security seriously should be doing to some degree or level.