Thursday, March 31, 2016

PCI 3.2 is coming

In preparation for PCI DSS 3.2, let's take a look at the key dates that will help organizations plan for PCI Data Security Standard (PCI DSS) 3.2.

April 2016
  • PCI DSS 3.2 is scheduled for publication at the end of April. Publication will include a summary of changes document and webinar that provides an overview of 3.2 and the timeline and resources for putting it into place.
  • PCI DSS 3.2 supporting documents including Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC) forms, Report on Compliance (ROC) templates, Frequently Asked Questions (FAQ) and Glossary will also be available at the end of the month.
October 2016
  • PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and at this time all assessments will need to use version 3.2.
February 2018
  • The new requirements introduced in PCI DSS 3.2 will be considered best practices until 31 January 2018. Starting 1 February 2018 they are effective as requirements.
Questions, comments, concerns, please let me know by emailing me at: jncsousa@outlook.com


Monday, March 28, 2016

The Rising Cost of CyberSecurity

Since the early 2000s, information security has been mistaken for something you can buy, or something you can do once, to prevent breaches and data compromises. The latest headlines have proven otherwise. The cost of data breaches is expected to reach 2.1 trillion by 2019, with the average cost of each breach exceeding $150 million by 2020.


Costly Attacks

We know from the 2014 Home Depot breach that personal information from up to 60 million consumers was compromised. The cost of the Home Depot breach is still being calculated, but it could reach $3 billion. Unfortunately, this type of attack had been seen before, in the earlier Target attack and the Sony hack, and could have been avoided altogether.

The fallout from the 2013 Target compromise has cost the company $148 million for the breach, $100 million for better security and $86 million to settle with Visa and MasterCard for a total direct cost of $334 million. Indirect costs include the loss of their CEO, a class-action litigation filed against the board of directors for negligence, loss of an unknown number of customers, and making themselves a prime target for a hacker who wants to claim the trophy for breaking past their new defenses.


Is Human Error to Blame?

I have been monitoring and investigating various cyber-attacks since 2010, and I have found that all compromises are the direct result of human failure at every level. Not one data breach has ever been attributed to hardware, operating system, or application failures. In 2013 it took an average of 229 days to discover a breach; only 33 percent of organizations found the breach themselves, and 37 percent found it with help from third parties. Here is my 5-second pitch: ensure you have proper logging in place, and ensure those logs are monitored on a daily basis.
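As an added example (not from the original post), the following Python script performs the kind of daily logging check the paragraph argues for: given a constructed host inventory and a few constructed syslog-style lines, it reports hosts that never logged and hosts whose last entry is older than 24 hours, so a silent log source is noticed the same day rather than months later.

```python
"""Daily log-coverage check: flags hosts that should be logging but are silent.

Added example, not from the original post. The host inventory, the log lines
and the 24-hour freshness window are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed: hosts that are expected to forward logs every day.
EXPECTED_HOSTS = {"pos-01", "pos-02", "db-01", "fw-01"}

# Constructed syslog-style lines: "<ISO timestamp> <host> <message>".
SAMPLE_LOG = """\
2016-03-28T07:55:10 pos-01 sshd[411]: Accepted publickey for svc from 10.0.0.5
2016-03-28T08:02:33 db-01 postgres[88]: connection authorized: user=app
2016-03-26T23:14:02 pos-02 sshd[902]: Failed password for root from 10.0.0.9
2016-03-28T08:10:45 pos-01 sshd[412]: Failed password for admin from 10.0.0.9
not a log line at all
"""

# Constructed: the moment the daily review is run.
REVIEW_TIME = datetime(2016, 3, 28, 9, 0, 0)

def parse_lines(text):
    """Yield (timestamp, host, message) for each well-formed line; skip junk."""
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # malformed timestamp: not a log line we can trust
        yield ts, parts[1], parts[2]

def last_seen_by_host(text):
    """Most recent timestamp observed per host."""
    seen = {}
    for ts, host, _ in parse_lines(text):
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def coverage_report(text, expected, now, max_age=timedelta(hours=24)):
    """Return (silent, stale): expected hosts never seen, and hosts seen but
    whose newest entry is older than max_age. Both lists are sorted."""
    seen = last_seen_by_host(text)
    silent = sorted(h for h in expected if h not in seen)
    stale = sorted(h for h, ts in seen.items()
                   if h in expected and now - ts > max_age)
    return silent, stale

if __name__ == "__main__":
    silent, stale = coverage_report(SAMPLE_LOG, EXPECTED_HOSTS, REVIEW_TIME)
    print("no logs at all:", silent)   # ['fw-01']
    print("silent > 24h:", stale)      # ['pos-02']
```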


Always a Constant Process

What most organizations fail to understand about information security is that defense is a process you must apply diligently, with constant improvement over time. The process is a simple three-step focus: prevention, detection, and response. Every organization should continue to try to prevent attacks and compromises; just realize that history has proven that no matter what you do or spend on prevention, it will eventually fail. When you compare the cost of data breaches to the cost of preventing a compromise, it is easy to understand that consumers and organizations alike will have to find a way to cover or transfer those risks and costs. To do this, more effort and budget must be put into the detection of attacks and data breaches.


In order to determine the best way to cover or transfer cost, you must know exactly what happened. In the response phase of the process, knowing exactly what happened is imperative to making an informed decision. Of course, an informed decision to do nothing can be acceptable. The information gathered during the detection or monitoring phase will be used to handle incidents internally through human resources, to self-insure losses, to deal with authorities, or to know which insurance policy losses can be transferred to. Regulatory compliance, potential litigation, and lost revenue all add unknown cost to your response.


Tuesday, March 22, 2016

Top 10 Network Security Tools


Hacking tools here means the tools or software used to gather information about a network or website. These tools can also be used by hackers. There are many tools for different purposes; the ones listed here are widely used. Make sure you have permission to run these tools against a system; otherwise it is illegal.

1. Nmap (Network Mapper): Nmap is the most widely used tool for exploring networks. It is free and open source, and it makes security auditing much easier. Rapid network scanning is its main task: using IP packets it determines what hosts are present on a network, along with information on the applications (services) they run. Nmap also reports the operating systems in use on the network, and it helps identify firewalls and many other characteristics of a given host.
2. Wireshark: Wireshark is a free, open-source packet analyzer. Network engineers use Wireshark for troubleshooting, network analysis, education, and software and communication protocol development. It was originally named Ethereal, but in May 2006 the project was renamed Wireshark because of a trademark issue.
3. Nessus: Nessus Remote Security Scanner became closed-source software in 2005, but the engine that runs the software is still free of cost. 75,000 organizations worldwide use the Nessus Security Scanner, which has made it the world's most popular scanner. Many have benefited from this software, and it is used extensively in auditing critical enterprise devices.
4. Kismet: For 802.11 wireless LANs, Kismet works as a network detector, packet sniffer, and intrusion detection system. It works with any wireless card that supports raw monitoring mode and can sniff 802.11a, 802.11b, 802.11g, and 802.11n traffic. It is available for Linux, FreeBSD, NetBSD, OpenBSD, and Mac OS X, and a GUI version is available for Microsoft Windows, although on Windows, aside from external drones, only one wireless hardware device is supported as a packet source.
5. LCP: On Windows NT/2000/XP/2003, LCP can be used for user account password auditing and recovery: brute-force session distribution, hash computing, and password recovery. It is a very good free alternative to L0phtCrack.
6. Yersinia: Several Layer 2 protocols have weaknesses, and this network tool is designed to take advantage of them. It presents itself as a solid framework for analyzing and testing deployed networks and systems, though it is not actually a framework. Currently the following network protocols are implemented: IEEE 802.1q, Spanning Tree Protocol (STP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP), Dynamic Trunking Protocol (DTP), and Cisco Discovery Protocol (CDP).
7. Nikto: Nikto is an open-source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers. Its plugins need to be updated regularly, and they can be updated automatically.
8. SuperScan: SuperScan is a very powerful connect-based TCP port scanner, pinger and hostname resolver. It is extremely fast and versatile because of the multithreaded and asynchronous techniques its developers used. For network administrators it is a first and foremost tool. Do not scan systems that are not under your control; it is illegal. Do not use this program against computers on the Internet that you have no right to scan, since you are highly likely to be tracked down and attract the attention of your ISP, possibly resulting in your account being terminated.
9. John the Ripper: John the Ripper is a fast password cracker, currently available for many flavours of Unix, DOS, Win32, BeOS, and OpenVMS. It can be used to find weak passwords on any operating system. Besides the several crypt password hash types most commonly found on various Unix flavours, Kerberos AFS and Windows NT/2000/XP/2003 LM hashes are supported out of the box, plus several more with contributed patches.
10. Cain and Abel: Cain and Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, decoding scrambled passwords, recording VoIP conversations, uncovering cached passwords, recovering wireless network keys, revealing password boxes, and analyzing routing protocols.

Wednesday, March 16, 2016

Microsoft and Adobe Push Critical Updates

Microsoft today pushed out 13 security updates to fix at least 39 separate vulnerabilities in its various Windows operating systems and software. Five of the updates fix flaws that allow hackers or malware to break into vulnerable systems without any help from the user, save for perhaps visiting a hacked Web site.

The bulk of the security holes plugged in this month’s Patch Tuesday reside in either Internet Explorer or in Microsoft’s flagship browser — Edge. As security firm Shavlik notes, Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.

Windows users who get online with a non-Microsoft browser still need to get their patches on: Ten of the updates affect Windows — including three other critical updates from Microsoft. As always, Qualys has a readable post about the rest of the Microsoft patches. If you experience any issues with the Windows patches, please share your experience in the comments below.
As it usually does on Patch Tuesday, Adobe issued security updates for its Reader and Acrobat software. Alas, there appears to be no update for Adobe's Flash Player plugin this Patch Tuesday, as there usually is. However, an Adobe spokesperson has advised through various news channels that the company will be issuing a Flash Player update on Thursday morning.

If you would like to see more detailed information on monthly patches, please leave a comment and I will look at adding it to the blog.

Be safe and, for God's sake, please patch!

Protecting Your Business From Your Remote Employees

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modif...