Wednesday, March 26, 2014

I thought you might find this interesting:

Trustwave is facing a lawsuit in relation to (and along with) Target because they allegedly failed to identify critical vulnerabilities that were leveraged by hackers during the Target breach (link provided below).  This is just another clear-cut example of why it's so important to put your energy into selecting a genuine penetration testing vendor.


http://www.cnet.com/news/security-firm-trustwave-sued-in-connection-with-target-breach-report/

My two cents. I have used Trustwave for PCI services for 5 years now. They are the largest QSA organization out there and do complete the most assessments. This does not make them the best. The consultants who come onsite have little to no knowledge of systems or how an organization operates. I think there needs to be a more comprehensive testing program for both companies and individual QSAs to ensure companies are properly being audited.

Send me your thoughts at jncsousa@outlook.com

Friday, March 21, 2014

YOUR BIGGEST THREATS ARE COMING FROM INSIDE

While rogue employees, such as the infamous Edward Snowden, can be a corporation's greatest fear, the reality is that your employees are probably, unknowingly, your greatest threat. More than 60 percent of security events are the result of an inside attack.

Of that group, about 80 percent are from insiders unintentionally compromising your company's security. They don't mean to; it's just that the nature of their job gives them direct access to highly sensitive data, and they may not be taking their own security as seriously as you are taking corporate security.

It's frightening how careless many users are about corporate security. For example, 40% of all users who have access to a corporate infrastructure use the same login credentials on other non-corporate sites such as Facebook, Twitter, and LinkedIn, said Schoenberg. That's just one very common example. Another is someone with authorized, but unapproved, access. It could be an employee who is authorized to have access to the network from 9am to 5pm, but then you see a single access at 2am. What exactly happened there is not clear, but it definitely would require further investigation.

To combat the unintentional insider threat, all organizations should conduct an audit of their internal team. Where could people be making the biggest impact? A smaller organization can begin with a manual audit process, while a larger organization will want to use an audit log management tool.
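The 2am login above is the kind of "authorized but unapproved" access an audit of access logs should surface. The following is an added example, not code from the original post: it parses a handful of constructed authentication log lines (the key=value format, host names, user names and the Monday-to-Friday 09:00-17:00 window are all assumptions made for the example) and returns every event that falls outside the user's approved window, so an analyst has a short list to investigate rather than a full log to read.

```python
"""Flag events that fall outside a user's approved access window.

Added example for this post; not code from the original. The log format,
accounts, hosts and the 09:00-17:00 Mon-Fri policy are constructed assumptions.
"""
import re
from datetime import datetime, time

# Constructed sample log in an assumed syslog-like key=value format.
# 2014-03-19 is a Wednesday, 2014-03-20 a Thursday, 2014-03-22 a Saturday.
SAMPLE_LOG = """\
2014-03-19T09:12:03 host=fs01 user=jdoe src=10.1.4.22 event=login result=success
2014-03-19T13:45:10 host=fs01 user=asmith src=10.1.4.31 event=login result=success
2014-03-20T02:07:51 host=fs01 user=jdoe src=203.0.113.9 event=login result=success
2014-03-20T02:09:15 host=fs01 user=jdoe src=203.0.113.9 event=file_read path=/finance/payroll.xlsx
2014-03-20T16:59:00 host=db01 user=asmith src=10.1.4.31 event=login result=failure
2014-03-22T10:30:00 host=fs01 user=asmith src=10.1.4.31 event=login result=success
"""

# Approved window per account: (start, end, allowed weekdays). Assumed policy;
# weekday() numbers Monday as 0, so {0..4} is Monday to Friday.
DEFAULT_WINDOW = (time(9, 0), time(17, 0), {0, 1, 2, 3, 4})
APPROVED_HOURS = {
    "jdoe": DEFAULT_WINDOW,
    "asmith": DEFAULT_WINDOW,
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
    return fields


def outside_window(ts, window):
    """True if the timestamp is on a disallowed day or outside [start, end)."""
    start, end, weekdays = window
    if ts.weekday() not in weekdays:
        return True
    return not (start <= ts.time() < end)


def find_off_hours_events(log_text, policy=APPROVED_HOURS):
    """Return (timestamp, user, src, event) for each event outside its user's window.

    Accounts with no approved window at all are flagged too: an unknown account
    touching the network is at least as interesting as a known one at 2am.
    """
    flagged = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user = ev.get("user")
        window = policy.get(user)
        if window is None or outside_window(ev["ts"], window):
            flagged.append((ev["ts"], user, ev.get("src"), ev.get("event")))
    return flagged


if __name__ == "__main__":
    for ts, user, src, event in find_off_hours_events(SAMPLE_LOG):
        print(f"{ts.isoformat()} user={user} src={src} event={event}")
```

On the sample above this flags the two 2am events for jdoe (a login from an address outside the office range followed by a read of a payroll file) and asmith's Saturday login, while the 16:59 failure stays inside the window. The same function runs unchanged over a real export once the parser is adjusted to the actual log format, and the per-account policy table is where a larger organization would load what its log management tool already knows about shift patterns.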

Thursday, March 6, 2014

The end of Windows XP

Windows XP has proven to be one of the most popular operating systems in computing history; at one point it was used on most of the computers around the world. However, Windows XP is old, and all support for it from Microsoft will be ending in April of this year. This means Microsoft will no longer release any end-user updates or security patches. With approximately 25% of the world's desktop computers still running Windows XP (only Windows 7 is more popular), millions of people will be at greater risk once this happens. Keep in mind, home users are not the only ones who will be impacted, as XP is still widely used in offices, industrial control systems, ATMs, medical systems, point-of-sale terminals, and other devices. Below we describe what the risks are once Windows XP is no longer supported and steps you can take to protect your

You may not know it, but your computer's operating system has a limited lifespan. The vendor who created the operating system provides updates and patches that add new features, improve stability and performance, and keep your system secure. The problem is that eventually the vendor will no longer support your operating system; at some point they have to focus their resources on their latest technologies. This means that once an operating system is no longer supported, the vendor will no longer release patches or updates even when they know your computer is vulnerable and cyber criminals can hack into it. This is what is going to happen with Windows XP after April.

To protect yourself, if you can afford it, I highly recommend you purchase a new computer. Many computers running Windows XP cannot support today's newer operating systems. If you cannot afford a new computer, then ensure you have the latest anti-virus software and see if upgrading the operating system is an option on your hardware.

12 years is a long time to hold onto an operating system. Good bye XP. Hello 21st century computing.

Have a safe day

Monday, March 3, 2014

Security Tips - Social Media


These days nearly everyone uses at least one social networking site. Social networking sites potentially expose users to a myriad of security risks including social engineering and malicious code attacks.
So what can you do to try to protect yourself? Here are some tips from the United States Computer Emergency Readiness Team (US-CERT):

Limit the amount of personal information you post - Do not post information that would make you vulnerable, such as your address or information about your schedule or routine. If your connections post information about you, make sure the combined information is not more than you would be comfortable with strangers knowing. Also be considerate when posting information, including photos, about your connections.
Remember that the internet is a public resource - Only post information you are comfortable with anyone seeing. This includes information and photos in your profile and in blogs and other forums. Also, once you post information online, you can't retract it. Even if you remove the information from a site, saved or cached versions may still exist on other people's machines.
Be wary of strangers - The internet makes it easy for people to misrepresent their identities and motives. Consider limiting the people who are allowed to contact you on these sites. If you interact with people you do not know, be cautious about the amount of information you reveal or agreeing to meet them in person.
Be skeptical - Don't believe everything you read online. People may post false or misleading information about various topics, including their own identities. This is not necessarily done with malicious intent; it could be unintentional, an exaggeration, or a joke. Take appropriate precautions, though, and try to verify the authenticity of any information before taking any action.
Evaluate your settings - Take advantage of a site's privacy settings. The default settings for some sites may allow anyone to see your profile. You can customize your settings to restrict access to only certain people. However, there is risk that even this private information could be exposed, so don't post anything that you wouldn't want the public to see. Also, be cautious when deciding which applications to enable, and check your settings to see what information the applications will be able to access.
Use strong passwords - Protect your account with passwords that cannot easily be guessed. If your password is compromised, someone else may be able to access your account and pretend to be you.
Check privacy policies - Some sites may share information such as email addresses or user preferences with other companies. This may lead to an increase in spam. Also, try to locate the policy for handling referrals to make sure that you do not unintentionally sign your friends up for spam. Some sites will continue to send email messages to anyone you refer until they join.
Use and maintain anti-virus software - Anti-virus software recognizes most known viruses and protects your computer against them, so you may be able to detect and remove the virus before it can do any damage. Because attackers are continually writing new viruses, it is important to keep your definitions up to date.


Introduction – Social Networking and Security Risks
With any new tool or application, it is always important to keep a close watch on its security implications. Facebook comes with its own set of security concerns which can put your information systems and/or personal data at risk. This article will look at some of these risks and identify possible solutions to help protect you, your personal information and your company data.

Facebook - Three of the most popular features of Facebook are the ability to add Friends, update your status and run applications such as games and quizzes. A "Friend" is anyone on the Facebook network whom you allow to see various levels of personal information, such as job, birth date, photos, group membership, comments and list of other Friends. You can even play online games and keep others updated on your daily life. Friends can also see Friends of Friends, meaning individuals whom you have never officially befriended and may never have met may have visibility into your personal information and whereabouts.

Updates - At the top of the user’s Facebook profile is the Update field, which allows the user to post a sentence or paragraph regarding any topic at any time. Here are some examples of updates that my Facebook friends have recently posted. These are very typical:
»» “Just received a job offer. Hooray!”
»» “I’m tired of all the rain.”
»» “Looking forward to the family vacation next week at Disney World.”

Although these might seem relatively harmless, the third bullet point could raise some concern. You have just told all your friends, as well as all their friends, that you will be away from home for a full week. This is comparable to putting a sign on the main road that shouts "Empty House" for passers-by to see. Even if you have a burglar alarm or neighbors keeping an occasional eye on the home, you still don't want to create the temptation for strangers (Friends of Friends) to consider helping themselves to that wonderful new 52" flat screen TV you just purchased.
