Filed under: Around the Web
Tags: ciso, cyber security, denial of service, gzipping, infosec, minification, session hijacking, signature-based, signatureless, vulnerability, web app security, web application firewall, windows security, windows server 2003
The end of 2015 approaches and we’d like to share some of the most popular links related to infosec.
Filed under: Around the Web, IIS & HTTP
This week on the performance front:
Indications that Twitter is using SPDY. With one of the Internet’s most popular sites on board, who will be next to switch over to the faster protocol?
In the world of information security:
We saw the introduction of the Cybersecurity Bill “SECURE IT Act” (Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act) to the Senate, which doesn’t suggest any additional regulations for info security and would distance the government from protecting the private sector. Others suggest the Department of Homeland Security should be involved. What do you think the government’s role in information security should be?
David Spark writes, “The bad guys are really good at sharing information to break into us. We’re really not that good at sharing information to prevent them from breaking into us.” Should we be sharing incident data?
Filed under: Around the Web
This past week brought us a few good stories on the importance of site performance.
Walmart did a study to determine how page speed affected conversions and sales. There were some interesting outcomes here:
The New York Times published a piece on users’ responses to page speed:
Page load data and tools for testing your site’s speed:
Stories coming from RSA Conference.
Dwayne Melancon, CTO of Tripwire, suggests companies assess their assets and ask, “What is the value of each asset to my business and how does that change over time? How does it look when things are good, OK, and bad?”
News on the IIS front.
And Scott Forsyth reported new information on IIS 8:
Filed under: Around the Web, Web and Application Security
Tags: iis, info security, pci compliance, pci dss, Port80 Software, serverdefender vp, web app firewall
In 2011, 89% of organizations with payment card data loss were not Payment Card Industry Data Security Standard compliant at the time of the security breach. These types of breaches can lead to monetary loss for the customer and for a company; in the case of the former, there is also the possibility of reputation loss – which may be a far worse and lasting negative effect.
The first tip for avoiding costly PCI Compliance violations (in the above piece) is familiarization with the requirements themselves. With the complexity and severity of security breaches always growing, it is crucial to know and understand the security standards required to store, transmit or process payment cardholder data. While the 75 page PCI DSS “Requirements and Security Assessment Procedures” document may be somewhat daunting in its requests and exhaustive calls for implementation, it can be simplified to:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
When you break down these main categories, there are 12 provisions to achieve PCI DSS compliance. Not only are these requisite provisions for PCI Compliance, but they are a great template for security for any type of business.
A while back we posted the following PCI quick tips, which are still applicable:
- Encrypt cardholder data.
- Use products that are approved for the PCI standard.
- Understand the concept of compensating controls.
- Organize PCI compliance as an on-going, cross-functional project, not as a one-time event.
- Understand your cardholder information business process from end to end.
- Take the time to read and understand the PCI Data Security Standard.
- Don’t store unnecessary cardholder data beyond receiving the authorization code.
- Don’t be lulled into thinking that you would not be a target for criminals.
- Don’t try to create your own crypto solutions.
- Don’t assume your vendor is protecting you.
Through all the preparation and planning, let’s not forget that PCI DSS does not make a company immune from attack. It can and does still happen – after all, a determined hacker can bypass any security. This is why PCI DSS compliance, and security as a whole, must be treated as an ongoing process with a time investment in line with how much your company values staying in business.