Survey Says...PCI Works
I had a chance to listen to a webinar yesterday and thought I would share my thoughts on it. It was based on a new study that just came out. The study was conducted by the Merchant Acquirer's Committee...
PCI Self-Assessment Questionnaire Explained
For the majority of merchants (levels 2 - 4) PCI compliance can be reported through the PCI SSC Self-Assessment Questionnaires (SAQ). Essentially the SAQ is a pared down list of requirements from the...
Self-Assessment Questionnaire A Explained
Self-Assessment Questionnaire A is the most basic of all the PCI validation types. It was developed to address the needs of merchants who don't personally process any card data electronically. The...
Self-Assessment Questionnaire B Explained
Self-Assessment Questionnaire B is probably the most popular of all the SAQ types provided by the PCI SSC. SAQ B applies to the majority of small business retail stores. SAQ B applies to the most basic...
Self-Assessment Questionnaire C-VT Explained
With the newest version of the PCI DSS came a new SAQ type - SAQ C-VT. This particular SAQ form is geared toward a special branch of merchant. Even though SAQ C-VT qualifying merchants use the Internet...
Web Application Session Auditing
Web application session handling is one of the most difficult things to do right. As we move more and more towards standard web frameworks (django, rails, etc.) to handle the basic functionality of a...
Data Breach Statistics
While doing a little research, I came across some interesting statistics about data breaches. I just wanted to share them along with some of my thoughts. 71% of security breaches target small...
Web Application Session Auditing Part 3: Exploitation
The idea here is to determine your goals. Typically in our web app assessment engagements, our primary goal is to identify all the weaknesses in the application. While this isn't necessarily the goal...
Web Application Session Auditing Part 2: Recon
One of the best things you can do is take time to understand how the authentication system works on your target site. How is the session stored? In a cookie? In the URL? What happens when you fuzz or...
Web Application Session Auditing Part 1: Intro
Web application session handling is one of the most difficult things to do right. As we move more and more towards standard web frameworks (django, rails, etc.) to handle the basic functionality of a...
Cyber Attacks & Emergency Preparedness
Today I came across an article published on Digital Transactions. The overall focus of the article was about how small, level 4, merchants are still lagging behind when it comes to PCI compliance...
Everyday Cybercrime and What You Can Do
I'm a big fan of TED Talks. I came across one that was very interesting and relevant to security. James Lyne, a cybersecurity specialist with Sophos, discussed the basics of everyday cybercrime and the...
Heartbleed: 0-day Vulnerability in OpenSSL
A widespread and impactful 0-day vulnerability has been identified in current versions of OpenSSL that is utilized in most Linux and Unix based web servers that serve pages over SSL/TLS encryption. What...
Death of Antivirus & Indicators of Compromise
This week there have been articles popping up all over the Internet with quotes from a Symantec executive stating that antivirus software is DEAD. The articles state that antivirus solutions are only...
QSA Educational Discussion | Q.E.D.
We are having the first ever QSA Educational Discussion Group (Q.E.D.) next month. If you are in the Phoenix metro area, please join us. This group has a very simple objective - get members of the...
My Software Is End-of-Support, Who Cares?
With the ultimate demise of Windows XP come questions of what it really means that software is "unsupported." I get this question a lot when a client reads through a penetration test report for their...
PCI Policy Documentation
Without fail, the first time an organization goes through the PCI gap assessment, remediation, and assessment cycle, they always underestimate the amount of specificity required by the PCI DSS. Smaller...
Heartbleed Hanging On
More than a month has passed since the disclosure of the Heartbleed vulnerability and it is still making the rounds in the news. Even though it presents a serious security issue to Internet communication...
Microsoft My Bulletins & PCI Compliance
Microsoft just released a new tool for their Security TechCenter. It's a pretty straightforward service called My Bulletins. Basically it provides a customized dashboard to present Microsoft security...
I Have Vulnerabilities On My LAN. So What?!
During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually see or detect many vulnerabilities that are...
Q.E.D. Is Fast Approaching
We are getting excited around here for the first ever QSA Educational Discussion! This is going to be a great event to hone your PCI compliance skills, get answers to those complex compliance questions...
Passwords & Underpants
I don't know how I missed it before, but I stumbled upon a little InfoSec analogy that has been floating around for a while now. It goes a little something like this: "Passwords are like...
Old vs New: A Comparison of Magnetic Stripe and Chip-and-PIN
I was doing some poking around on the Internet recently, reading various stories about different network breaches and loss of credit card numbers, and I was reminded of the semi-recent Target breach and...
SMB Data Breach Fallout
For any organization a data breach is a disruptive experience. Besides the distraction from daily operations and unwanted publicity, a data breach brings a huge financial burden as well. Most large...
33 Stores Affected in PF Chang's Data Breach
PF Chang's Restaurant has released more information about their recent data security breach. They haven't released very many specific details about how the breach was carried out or how many records...
Weekly Wrap Up | Aug 29, 2014
This week has been a pretty eventful one in the world of information security. There have been quite a few news stories worth checking out. I thought I would post a summary of this week's news stories,...
Bus Factor
Many of you may be familiar with bus factor, lottery, truck factor, and/or bus/truck number. For those that aren't though, I wanted to take a small moment to explain it. The concept is quite simple....
Weekly Wrap Up | Sept 5, 2014
This week's wrap up will provide key details of a possible The Home Depot breach and an update to the Chase Bank data breach. The Home Depot - Key Details: No official confirmation of a data breach; the...
Weekly Wrap Up | Sept 12, 2014
This week's wrap up will provide key details of The Home Depot data breach, information on the Cyber Protection Brigade, and key details of the report discussing the vetting of cyber contractors. The...
The Rising Cyber Threat to Small Business | Lunch & Learn
Aeris Secure and the Arizona Restaurant Association are hosting a free lunch and learn on cyber security and the threat it poses to your business. We will discuss what you can do to prepare for, and...
Shellshock! Bash Vulnerability.
This past Wednesday, September 24th, a vulnerability in bash was announced and I wanted to give a quick summary or run-down of the situation and how it may affect some of us. The vulnerability allows...
Weekly Wrap Up | Oct 3, 2014
This week's wrap up summarizes the Jimmy John's data breach and the breach at Japan Airlines. Jimmy John's Data Breach - Officially acknowledged by Jimmy John's; 216 stores affected; 108 other independent...
Weekly Wrap Up | Oct 10, 2014
This week's wrap up includes information on failing incident response, an update on the Chase Bank data breach, the Jimmy John's data breach, and the Goodwill data breach. Schneier Says Incident Response...
Wi-Fi for SMB - Things to Consider
I came across a good little article earlier in the week about setting up guest Wi-Fi, and I think it should really hit home with many small business owners. Simply throwing up a wireless access point...
Dairy Queen Data Breach Impacts Arizona Business Owners
After a few weeks of speculation, Dairy Queen has confirmed that nearly 400 locations were compromised in a recent data security breach. Among the 400 locations affected, 9 were local Arizona...
Vulnerability Scanning from AWS
At Aeris Secure, we really enjoy Amazon's infrastructure, AWS. Like most organizations, we went from having a sense of pride in our nice physical servers to eventually resenting the trips to the...
PCI Task Calendar
PCI compliance consists of over 200 individual requirements. Many of the requirements in the PCI DSS must be maintained throughout the year and conducted on a recurring basis. To help your...
IT Risk Assessment
To prevent any risk of a security breach, it is always a good idea to conduct a periodic risk assessment. A risk assessment will help identify the areas where your company is most susceptible to an...
PCI Terminology
Understanding a compliance standard requires understanding all of its terminology and jargon. We've compiled our own glossary of terms for the PCI DSS to provide additional clarity beyond the Official...
PCI Frequently Asked Questions (FAQ)
The Payment Card Industry Security Standards Council (PCI SSC) is the regulating body established by the credit card brands to institute and enforce procedures which enhance the security of credit card...
Navigating PCI Compliance with A.C.E.
Many parts of the PCI Data Security Standard are technical in nature, and some may even be hard to understand without a certain level of computer experience. We are here to relieve stress and pain and...
Announcement: New Seattle, WA Office
Aeris Secure is expanding once again. We are now offering our comprehensive PCI/EI3PA compliance and auditing services in the Seattle, Washington area. The new office will service Seattle, Tacoma,...
Mastercard Requires QSA or ISA for Level 2 Merchants
The standard for handling credit card data is set by the PCI (Payment Card Industry) SSC (Security Standards Council). However, each card brand, Visa, Mastercard, AmEx, Discover and JCB, manages its...
Attention: Service Providers - Clients want to know how you protect their data
It would be careless to do business with someone before doing your homework. You need to make sure you understand exactly what you are getting into and that the other party is open, honest and acting...
Announcement: New Dallas/Fort Worth Office
Aeris Secure is pleased to announce a new office in the Dallas/Fort Worth, Texas area. This new location will help Aeris Secure better serve PCI QSA clients in the DFW area as well as the greater...
Texas Health Provider Suffers Ransomware Attack
Urology Austin, a healthcare provider with 13 locations in central Texas, was the target of a cyber attack on January 22, 2017. It appears that the attackers were able to encrypt data on the company...
Forbes Interview: How Can Small Businesses Protect Themselves from a Cyber Attack
A while back I was contacted by Karsten Strauss, a journalist with Forbes.com. He was looking for information for an article he was working on. The topic was how can small businesses protect themselves...
TOSS C3 Interview: Cyber Security and Compliance for SMBs
I was recently interviewed by TOSS C3 as part of their Expert Interview Series. We discussed the importance of cyber security and PCI compliance for small businesses. I cover everything from changes...
Challenges of PCI-Compliant Multi-Factor Authentication
In the era of ever-evolving cybersecurity threats, Multi-Factor Authentication (MFA) has emerged as a hallmark of robust user authentication. While the premise of MFA is straightforward, implementation...