Being a responsible corporate citizen and member of the local community is at the core of Control Gap’s daily operations. We believe in making work a rewarding experience by incorporating fun team events within our corporate culture, and supporting cause-related and local organizations.

Blog

The 3 Approaches to Penetration Testing for PCI DSS

April 11, 2018

Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you seeking compliance understand what is expected and point you in the right direction. Specifically, we will look at what penetration testing is, how penetration tests are performed, the different types of penetration tests, and what you need to get out of penetration testing to be successful.

What Is Penetration Testing?

Security vulnerabilities are usually hidden, non-obvious, and easily overlooked by most people. Security testing brings these problems to light and should put them in perspective. PCI DSS mandates objectives for several types of security tests, including rogue wireless detection (PCI DSS 11.0), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are basically technical surveying techniques. Penetration testing goes beyond this and can often include human factors as well. Penetration testing draws on a broad set of tools and skills that can satisfy a wide range of security objectives, but for this article we will focus just on PCI. Penetration testing is a process used by organizations to understand the impact of security vulnerabilities. In contrast to vulnerability scanning, a penetration test is not just a simple enumeration of identified and potential vulnerabilities reported with metrics and identifiers such as CVSS scores and CVE numbers. While penetration tests often include vulnerability scans, they attempt to answer deeper questions about vulnerabilities: How can they be exploited by attackers? How far can attackers go? What can attackers do? And what are the implications for the organization? Penetration testers usually actively attempt to exploit systems, but can use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it should provide an objective method to confirm vulnerabilities, to demonstrate how they can be chained and leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then use the results of these tests to make improvements and mitigate risks.
By analogy, security testing lets you see not only that your doors and windows are locked, but how good those locks are, and whether your kids will let strangers into your house.

The Process

Penetration tests should be performed with a well-thought-out plan and objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to gather information on systems, processes, and people. This can be performed actively and/or passively and draws on DNS interrogation, network surveys, web presence, and more. From there, vulnerabilities are identified using methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include weak user credentials, insecure default configurations, and software, protocol, and application vulnerabilities. Human-focused activities such as phishing and social engineering may also be attempted. Once vulnerabilities have been discovered, exploitation is attempted: the tester uses manual and automated techniques to exploit the identified vulnerabilities. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced by the testing. Finally, the tester delivers a detailed report of findings. There are three main strategies used to approach penetration testing:

White-Box Testing

The tester is provided full disclosure of the environment prior to commencement.

Advantages:

  • Can effectively simulate attacks by insiders and by organizations that are highly motivated or well funded and employ sophisticated methods
  • Time- and cost-effective way to address the in-depth surveillance and research used by this type of attacker

Disadvantages:

  • Security teams may be aware of the testing, thus a realistic assessment of detective controls or incident response may not be achieved

Grey-Box Testing

The tester is provided partial disclosure prior to commencement.

Advantages:

  • Helps balance the advantages and disadvantages of white and black box methods
  • Can provide very convincing demonstrations of vulnerabilities

Disadvantages:

  • Difficulties can be experienced when determining the exact level of knowledge to provide
  • Reporting can be a challenge if your audience (e.g. management) believes too much was shared

Black-Box Testing

The tester is provided minimal knowledge of the environment prior to attack.

Advantages:

  • Effectively simulates common attack scenarios and attacks of opportunity
  • Allows entities to test their detection and response methods

Disadvantages:

  • Lower threshold for attacker skill/effort may mean some findings and attack vectors are missed

Penetration Testing and PCI Compliance

Penetration tests can be time-consuming and require specialized resources; however, they play an important role in the ongoing maintenance of a strong information security program. It is critical that the objectives of penetration tests are well defined and understood so that an organization gets the most value from these exercises. The objectives not only cover the scope and methods employed, but also guide how results are reported. For example, a penetration test for PCI DSS will be less concerned with denial-of-service vulnerabilities than a penetration test intended to validate operational resilience. PCI DSS requires entities to complete penetration and segmentation tests as follows:
  • Following a methodology based on an industry accepted approach
  • Penetration tests annually and after any significant change
  • Coverage of the entire cardholder data environment perimeter and critical systems
  • Both network and application layer testing
  • Segmentation tests semi-annually and after any significant change
  • Review of threats and vulnerabilities over the previous 12 months
  • Retention of records of testing and remediation

Segmentation Tests

Segmentation tests represent a fourth strategy that differs from the penetration test methods discussed above. Segmentation tests validate the effectiveness of the isolation between networks and components. Compared with penetration tests, segmentation tests are not as intensive and are usually less expensive. Within PCI, proof of effective segmentation mechanisms is necessary for organizations seeking to simplify and reduce their scope.
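As an added illustration (not code from the original article or from Control Gap), the following Python script shows the kind of check a segmentation test automates: a test plan lists network paths between out-of-scope segments and the cardholder data environment, each marked as "must be blocked" or "allowed", and every path is probed with a plain TCP connect and compared against the plan. Any expected-blocked path that answers is a segmentation finding. The path descriptions, hosts and ports are constructed sample data, and the demo runs against loopback sockets so it works offline; against a real environment the plan would list the actual CDE addresses and the probes would be run from each out-of-scope segment.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SegmentationPath:
    """One path in the segmentation test plan (constructed sample data)."""
    description: str      # e.g. "corporate LAN -> CDE database"
    host: str
    port: int
    expect_blocked: bool  # True when the path must be isolated from the CDE


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Attempt a plain TCP connect; True only if the handshake completed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(paths: List[SegmentationPath],
                       probe: Callable[[str, int], bool] = tcp_reachable) -> List[Dict]:
    """Probe every path in the plan and compare the result with the expectation.

    A path passes when an expected-blocked path is unreachable, or an
    expected-allowed path is reachable. Anything else is a finding.
    """
    findings = []
    for p in paths:
        reachable = probe(p.host, p.port)
        passed = (not reachable) if p.expect_blocked else reachable
        findings.append({"path": p.description, "host": p.host, "port": p.port,
                         "expected_blocked": p.expect_blocked,
                         "reachable": reachable, "passed": passed})
    return findings


def segmentation_effective(findings: List[Dict]) -> bool:
    """Segmentation is only effective when every path behaves as planned."""
    return all(f["passed"] for f in findings)


def demo() -> List[Dict]:
    """Offline demonstration: two loopback ports stand in for CDE services.

    One port has a listener (a service that an out-of-scope segment can reach,
    i.e. a segmentation failure); the other is closed (a correctly firewalled
    service, where the connect is refused).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port released, so connects to it are refused

    # Constructed test plan; descriptions name hypothetical segments.
    plan = [
        SegmentationPath("jump host -> CDE admin port (allowed)", "127.0.0.1", open_port, False),
        SegmentationPath("corporate LAN -> CDE database (must be blocked)", "127.0.0.1", open_port, True),
        SegmentationPath("guest Wi-Fi -> CDE web tier (must be blocked)", "127.0.0.1", closed_port, True),
    ]
    try:
        return check_segmentation(plan)
    finally:
        listener.close()


if __name__ == "__main__":
    results = demo()
    for f in results:
        status = "PASS" if f["passed"] else "FAIL"
        print(f"{status}  {f['path']}  reachable={f['reachable']}")
    print("segmentation effective:", segmentation_effective(results))
```

The second plan entry deliberately points an expected-blocked path at the listening port, so the demo reports one FAIL and an overall verdict of "not effective"; that is the outcome a segmentation test exists to surface, and each such finding maps to a firewall or ACL rule that needs to be fixed and re-tested before the path can be treated as out of scope.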

Learn More

For more information on penetration testing, see the post linked from this article: https://controlgap.com/blog/connected-to-pci/

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you? We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.

Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!

March 20, 2018

We've been following security and breaches for a long time, and they have been getting unquestionably worse. While mega credit-card breaches seem to have fallen off lately, other industries such as healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber war. In light of recent events, that opinion now looks optimistic.

What Could Eclipse Equifax?

The big news that emerged over the weekend and on Monday, March 19th is a breach or theft of data from Facebook by Strategic Communications Laboratories and Cambridge Analytica. It is not so much the scale of the breach, since Equifax's is currently about 3 times larger; it is the very nature and exploitation of the breach/theft. If the reporting on this is accurate, it is far more disturbing than the neglect and apparent incompetence that led to the Equifax breach. The reporting not only hints at neglect and disinterest but carries strong suggestions of criminal activity. Currently, Facebook is aggressively investigating the incident and Cambridge has denied these claims. What is certain at this point is that both Facebook and Cambridge need to do some serious explaining. It's not just that Cambridge took the data, but also that Facebook appears to have known and been less than forthcoming about what it knew. There will be multiple inquiries and investigations in many countries. There will also be lawsuits and possibly criminal trials, as well as calls to put limits on tech companies or possibly break them up. Lastly, even if Facebook naively trusted a researcher who lied and cheated, there will be demands for changes. Another thing that is certain is that Cambridge Analytica's role in the Brexit vote will raise questions in the UK. Its association with the Trump campaign in the 2016 US elections and its connections to political figures like Steve Bannon, a one-time VP with Cambridge, and Donald Trump will further intrigue and add fuel to the already fragmented US political scene. Reporting indicates the Mueller investigation will also be looking into Cambridge. Finally, investigative journalists in the UK went undercover and have video of Cambridge executives talking about setting up opponents to look like they're corrupt or involved with prostitutes and leaking the videos on the Internet.
Cambridge is denying it, claiming it was a setup and that they were lured into a "hypothetical discussion." Taken together, and if accurate, Cambridge may have gone far beyond just targeting election ads. They may have actively manipulated and deceived the public. They may be the real "fake news." Based on what has been reported to date, if accurate, we'd be surprised if Cambridge Analytica can survive as a company. Facebook too may be wounded, even if it is too large to be killed. Even if the US doesn't take action against Facebook, other jurisdictions can. Several states with breach disclosure laws may act, and the EU already has a tense relationship with Facebook. One thing that is certain is that there is a lot more to this story, and we will be hearing about it for a long time to come. What follows is a summary of news articles which should get you started. Keeping up with this will surely challenge everyone, given the rate at which new articles keep appearing.

What Has Been Reported?

Cambridge Analytica, Strategic Communications Laboratories, and SCL Elections (all related) used a personality app to profile approximately 270K Facebook users. Using a further "loophole", they were able to gather information on another 50M users without asking for any consent; that data was in turn used to generate over 30M psychographic profiles. The company has been denying this for years. Facebook denies this was a breach, confirms that Cambridge stole its data, and has shut out the whistle-blower, Strategic Communication Laboratories, and Cambridge Analytica.

Some background

Not to be confused with ...

PCI DSS May Require Pulling Up Your SOX (or ISO)

February 22, 2018

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a SOX audit will make passing a PCI audit relatively easy. While it's true that it can make passing PCI easier, there can often be significant and expensive gaps between complying with the two frameworks.

SOX and PCI Have Different Programs, Objectives and Methods

Perhaps it's human nature to confuse these very different programs. That certainly seems to be what we've seen in the industry. Without question, SOX and PCI both require strenuous effort to achieve compliance and complete audits; however, we find that the gaps between them can be significant, which is often unexpected and surprising. Understanding why requires a slightly deeper look, as there are several reasons why SOX and PCI don't align:
  • The most significant reason is that while both standards focus on protecting information and both deal with best practices, their fundamental objectives are quite different. Both are reactions to control failures that began more than a decade ago: SOX to Enron et al., and PCI to Egghead, CardSystems, TJX, Heartland, Target, Home Depot, and many others. SOX is really all about accuracy and integrity for the purpose of supporting audited financial statements. PCI is about preventing payment card account data breaches. Consequently, SOX is concerned with who changed what, whereas PCI is ultimately more concerned with who saw cardholder data.
  • PCI is far more prescriptive and detailed than SOX. Management and auditors have more flexibility in their choice and tuning of best practices adopted in a SOX world. SOX controls often come up short when viewed through a PCI lens.
  • PCI scope and applicability are often broader than under SOX. PCI scope extends across the entirety of unbounded networks and connected systems. As such it tends to consume entire corporate networks and all connected systems. While there is no requirement for internal segregation of systems under PCI, in many cases achieving full compliance without segregation is impossible in practice. SOX simply allows more flexibility and selectivity than PCI.
  • SOX controls are based upon well-established criteria for determining materiality. PCI has no similar built-in concept. The underlying regulations are written without regard to transaction/account volumes or risk. While the application of PCI under the payment brand regulations does include concepts of risk based on transaction/account volumes and payment channels, the lack of a materiality concept can be challenging in low risk situations.
Similarly, PCI and ISO/IEC 27001 also don't completely align and many gaps can arise if the ISO Information Security Management System (ISMS) doesn't specifically consider PCI DSS control requirements.

13 Years On and PCI DSS Is Still A Challenge

With PCI DSS entering its 13th year, a fair question to ask is "why are organizations still finding PCI challenging?" One reason is that PCI DSS validation isn't one size fits all:
  • The only organizations fully assessed (i.e. completing a Report on Compliance) under PCI DSS are the largest merchants and service providers (by transaction/account volumes), those unfortunate enough to have suffered a data breach, and any that voluntarily assess.
  • Smaller organizations are expected to be fully compliant but are measured using a lighter weight validation process (i.e. a Self-Assessment Questionnaire) that leaves out much of the detail and rigor of a full assessment.
  • Issuers of credit cards, often large banks, are also expected to be fully compliant but have been so far exempt from the mandatory formal annual validation required of those accepting credit cards.
The main reason, though, is that business and technology changes within the organization are a significant contributing factor to the ongoing challenge. These almost always result in a PCI DSS scope change:
  • Business changes such as mergers, acquisitions, and new lines of business can introduce non-compliant elements.
  • Business changes that exploit new technologies (e.g. mobile applications, pay at the door) that will need to be compliant.
  • Business growth can lead to increased account/transaction volumes that can cross the threshold requiring a full assessment.
  • Previously unidentified cardholder data processes and flows such as Shadow IT going through their first assessment.
  • Technology changes (e.g. telephony) within the business can dramatically impact an organization's compliance footprint.
  • Contractual and other business requirements from customers (where the business is a service provider).
  • Inadequate due diligence on validating a solution, a service provider or other third party.
  • Businesses also need to be prepared for future mandated DSS requirements which are added to address new threats and feedback from breaches.
We believe we've covered the major reasons above; however, other factors such as staff changes, training, and even assessor changes can also create their own challenges. We hope that this provides some insight into why many organizations, including some large players, are still struggling with PCI DSS to this day. We also hope that you will find our Learn More resources valuable.

Learn More

__________________________________________________________________________________________________________________ Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant. [post_title] => PCI DSS May Require Pulling Up Your SOX (or ISO) [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => sox-vs-pci-compliance [to_ping] => [pinged] => https://controlgap.com/blog/connected-to-pci/ https://controlgap.com/blog/call-centers-pci-compliance/ https://controlgap.com/blog/pci-compliance-footprints/ [post_modified] => 2018-05-02 02:33:57 [post_modified_gmt] => 2018-05-02 02:33:57 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1621 [menu_order] => 38 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 3 [current_post] => -1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 1420 [post_author] => 7 [post_date] => 2018-04-11 11:25:21 [post_date_gmt] => 2018-04-11 11:25:21 [post_content] => Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and to guide you in the right direction. Specifically, we will look at what penetration testing is, how to perform penetration tests, the different types of penetration tests, and what you need to get out of penetration testing to be successful.

What Is Penetration Testing?

Security vulnerabilities are usually hidden, non-obvious, and easily overlooked by most people. Security testing brings these problems to light and should put them in perspective.  PCI DSS mandates objectives for several types of security tests including rogue wireless detection (PCI DSS 11.0), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are basically technical surveying techniques. Penetration testing goes beyond this and can often include human factors as well. Penetration testing often utilizes a broad set of tools and skills that can be used to satisfy a wide range of security objectives but for this article we will focus just on PCI. Penetration testing is a process used by organizations to understand the impact of security vulnerabilities. In contrast to a vulnerability scanning, penetration tests aren't just a simple numeration of identified vulnerabilities and potential vulnerabilities reported with metrics and identifiers like (CVSS, and CVE).  While penetration tests often include vulnerability scans, they attempt to answer deeper questions about vulnerabilities, such as: How they can be exploited by attackers? How far attackers can go? What can attackers do? And, what are the implications to the organization? Penetration testers usually actively attempt to exploit systems but can use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it should provide an objective method to confirm vulnerabilities, to demonstrate how they can be linked, how they can be leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then leverage the results of these tests to achieve improvements and mitigate risks. 
By analogy, security testing allows you to see not only that your doors and windows are locked; but how good those locks are, and if your kids will let strangers into your house.

The Process

Penetration tests should be performed with a well thought out plan and objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to determine information on systems,  processes, and people. This can be performed actively and/or passively and uses information from DNS interrogation, network surveys, web presence, and more. From here, vulnerabilities are identified using various methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include the discovery of weak user credentials, default-insecure configurations, software, protocol, and application vulnerabilities. Human focused activities such as Phishing and Social Engineering may also be attempted. Once vulnerabilities have been discovered, exploitation is attempted. The attacker will use manual and automated techniques to attempt to exploit identified vulnerabilities. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced by the tests. Finally, the tester will deliver a detailed report of findings. There are three main strategies used to approach penetration testing:

White-Box Testing

The tester is provided full disclosure of the environment prior to commencement.

Advantages:

  • Can effectively simulate attacks by insiders and organizations that are highly motivated or well funded and employ sophisticated methods
  • Time and cost effective way to address the in depth surveillance and research used by this type of attack

Disadvantages:

  • Security teams may be aware of the testing, thus a realistic assessment of detective controls or incident response may not be achieved

Grey-Box Testing

The tester is provided partial disclosure prior to commencement.

Advantages:

  • Helps balance the advantages and disadvantages of white and black box methods
  • Can provide very convincing demonstrations of vulnerabilities

Disadvantages:

  • Difficulties can be experienced when determining the exact level of knowledge to provide
  • Reporting can be a challenge if your audience (e.g. management) believes too much was shared

Black-Box Testing

The tester is provided minimal knowledge of the environment prior to attack.

Advantages:

  • Effectively simulates common attack scenarios and attacks of opportunity
  • Allows entities to test their detection and response methods

Disadvantages:

  • Lower threshold for attacker skill/effort may mean some findings and attack vectors are missed

Penetration Testing and PCI Compliance

Penetration tests can be time consuming and require specialized resources, however, they play an important role in the ongoing maintenance of a strong information security program. It is critical to ensure the objectives of penetration tests are well defined and understood to ensure an organization gets the most value from these exercises. The objectives will not only cover the scope and methods employed, but will guide how results are reported.  For example, a penetration test for PCI DSS will be less concerned with denial of service vulnerabilities than a penetration test to validate operational resilience. PCI DSS requires entities to complete penetration and segmentation tests as follows:
  • Following a methodology based on an industry accepted approach
  • Penetration tests annually and after any significant change
  • Coverage of the entire cardholder data environment perimeter and critical systems
  • Both network and application layer testing
  • Segmentation tests semi-annually  and after any significant change
  • Review of threats and vulnerabilities over the previous 12 months
  • Retention of records of testing and remediation

Segmentation Tests

Segmentation tests represent a forth strategy that differs from the penetration test methods previously discussed. Segmentation tests validate effectiveness of isolation of networks and components. In comparison to penetration tests, segmentation tests are not as intensive and are usually less expensive. Within PCI, proof of effective segmentation mechanisms is necessary for organizations seeking to simplify and reduce their scope.

Learn More

For more information on penetration testing, see: _______________________________________________________________ Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant. [post_title] => The 3 Approaches to Penetration Testing for PCI DSS [post_excerpt] => [post_status] => publish [comment_status] => open [ping_status] => open [post_password] => [post_name] => penetration-testing [to_ping] => [pinged] => https://controlgap.com/blog/connected-to-pci/ [post_modified] => 2018-04-24 19:57:39 [post_modified_gmt] => 2018-04-24 19:57:39 [post_content_filtered] => [post_parent] => 0 [guid] => http://controlgap.com/?p=1420 [menu_order] => 28 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 45 [max_num_pages] => 15 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => 1 [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => 1 [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 0573d79d0a353cbc766661db59ba41a2 [query_vars_changed:WP_Query:private] => 1 [thumbnails_cached] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )
WP_Query Object ( [query] => Array ( [post_type] => post [post_status] => publish [cat] => 14, 134, 1 [orderby] => date [order] => desc [posts_per_page] => 3 [paged] => 1 [ignore_sticky_posts] => 1 ) [query_vars] => Array ( [post_type] => post [post_status] => publish [cat] => 14 [orderby] => date [order] => DESC [posts_per_page] => 3 [paged] => 1 [ignore_sticky_posts] => 1 [error] => [m] => [p] => 0 [post_parent] => [subpost] => [subpost_id] => [attachment] => [attachment_id] => 0 [name] => [static] => [pagename] => [page_id] => 0 [second] => [minute] => [hour] => [day] => 0 [monthnum] => 0 [year] => 0 [w] => 0 [category_name] => charity [tag] => [tag_id] => [author] => [author_name] => [feed] => [tb] => [meta_key] => [meta_value] => [preview] => [s] => [sentence] => [title] => [fields] => [menu_order] => [embed] => [category__in] => Array ( ) [category__not_in] => Array ( ) [category__and] => Array ( ) [post__in] => Array ( ) [post__not_in] => Array ( ) [post_name__in] => Array ( ) [tag__in] => Array ( ) [tag__not_in] => Array ( ) [tag__and] => Array ( ) [tag_slug__in] => Array ( ) [tag_slug__and] => Array ( ) [post_parent__in] => Array ( ) [post_parent__not_in] => Array ( ) [author__in] => Array ( ) [author__not_in] => Array ( ) [update_post_term_cache] => 1 [suppress_filters] => [cache_results] => [lazy_load_term_meta] => 1 [update_post_meta_cache] => 1 [nopaging] => [comments_per_page] => 50 [no_found_rows] => ) [tax_query] => WP_Tax_Query Object ( [queries] => Array ( [0] => Array ( [taxonomy] => category [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id [operator] => IN [include_children] => 1 ) ) [relation] => AND [table_aliases:protected] => Array ( [0] => wpcm_term_relationships ) [queried_terms] => Array ( [category] => Array ( [terms] => Array ( [0] => 14 [1] => 134 [2] => 1 ) [field] => term_id ) ) [primary_table] => wpcm_posts [primary_id_column] => ID ) [meta_query] => WP_Meta_Query Object ( [queries] => Array ( ) [relation] => 
The 3 Approaches to Penetration Testing for PCI DSS

April 11 2018

Understanding PCI DSS requirements in depth can often be confusing and frustrating. The requirements covering penetration testing, PCI DSS 11.3, are a case in point. This article will help those of you who are seeking compliance to know what is expected and to guide you in the right direction. Specifically, we will look at what penetration testing is, how to perform penetration tests, the different types of penetration tests, and what you need to get out of penetration testing to be successful.

What Is Penetration Testing?

Security vulnerabilities are usually hidden, non-obvious, and easily overlooked by most people. Security testing brings these problems to light and should put them in perspective. PCI DSS mandates objectives for several types of security tests, including rogue wireless detection (PCI DSS 11.0), vulnerability scanning (PCI DSS 11.2), and penetration testing (PCI DSS 11.3). Rogue wireless detection and vulnerability scanning are basically technical surveying techniques. Penetration testing goes beyond this and can often include human factors as well. Penetration testing utilizes a broad set of tools and skills that can be used to satisfy a wide range of security objectives, but for this article we will focus just on PCI.

Penetration testing is a process used by organizations to understand the impact of security vulnerabilities. In contrast to vulnerability scanning, penetration tests aren't just a simple enumeration of identified and potential vulnerabilities reported with metrics and identifiers such as CVSS scores and CVE numbers. While penetration tests often include vulnerability scans, they attempt to answer deeper questions about vulnerabilities: how can attackers exploit them, how far can attackers go, what can attackers do, and what are the implications for the organization? Penetration testers usually actively attempt to exploit systems, but can use other techniques to go beyond vulnerability enumeration. The key to penetration testing is that it should provide an objective method to confirm vulnerabilities, to demonstrate how they can be linked and leveraged to attain greater network and system control, and to confirm the harm that can arise from a successful attack. Organizations can then leverage the results of these tests to achieve improvements and mitigate risks.

By analogy, security testing lets you see not only that your doors and windows are locked, but how good those locks are, and whether your kids will let strangers into your house.

The Process

Penetration tests should be performed with a well-thought-out plan and objectives. Once the strategies and methods to be used are decided, the assessment usually begins with reconnaissance to gather information about systems, processes, and people. This can be performed actively and/or passively and draws on DNS interrogation, network surveys, web presence, and more. From there, vulnerabilities are identified using methods such as vulnerability scanners, OS fingerprinting, banner grabbing, and service enumeration. Frequently used attack vectors include weak user credentials, insecure default configurations, and software, protocol, and application vulnerabilities. Human-focused activities such as phishing and social engineering may also be attempted.

Once vulnerabilities have been discovered, exploitation is attempted. The tester uses manual and automated techniques to attempt to exploit the identified vulnerabilities. If access is obtained, a diligent penetration tester will attempt to escalate privileges and maintain access. Tests should include a cleanup step to remove or nullify any modifications introduced during testing. Finally, the tester delivers a detailed report of findings.

There are three main strategies used to approach penetration testing:

White-Box Testing

The tester is provided full disclosure of the environment prior to commencement.

Advantages:

  • Can effectively simulate attacks by insiders and by organizations that are highly motivated or well funded and employ sophisticated methods
  • A time- and cost-effective way to address the in-depth surveillance and research used by this type of attack

Disadvantages:

  • Security teams may be aware of the testing, so a realistic assessment of detective controls or incident response may not be achieved

Grey-Box Testing

The tester is provided partial disclosure prior to commencement.

Advantages:

  • Helps balance the advantages and disadvantages of the white-box and black-box methods
  • Can provide very convincing demonstrations of vulnerabilities

Disadvantages:

  • Difficulties can be experienced when determining the exact level of knowledge to provide
  • Reporting can be a challenge if your audience (e.g. management) believes too much was shared

Black-Box Testing

The tester is provided minimal knowledge of the environment prior to attack.

Advantages:

  • Effectively simulates common attack scenarios and attacks of opportunity
  • Allows entities to test their detection and response methods

Disadvantages:

  • A lower threshold for attacker skill/effort may mean some findings and attack vectors are missed

Penetration Testing and PCI Compliance

Penetration tests can be time-consuming and require specialized resources; however, they play an important role in the ongoing maintenance of a strong information security program. It is critical that the objectives of penetration tests are well defined and understood so that an organization gets the most value from these exercises. The objectives not only cover the scope and methods employed but also guide how results are reported. For example, a penetration test for PCI DSS will be less concerned with denial-of-service vulnerabilities than a penetration test to validate operational resilience. PCI DSS requires entities to complete penetration and segmentation tests as follows:
  • Following a methodology based on an industry-accepted approach
  • Penetration tests annually and after any significant change
  • Coverage of the entire cardholder data environment perimeter and critical systems
  • Both network and application layer testing
  • Segmentation tests semi-annually and after any significant change
  • Review of threats and vulnerabilities over the previous 12 months
  • Retention of records of testing and remediation
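As an added illustration (not code from the original post or from Control Gap), the cadence items in the list above can be expressed as a small checker run over a testing record: the latest test of each type must fall inside its interval, and every significant change must be followed by a test. The 365-day and 182-day intervals, the record layout, and the sample dates are all assumptions. One caveat for practitioners: under PCI DSS v3.2 the six-month segmentation cadence (requirement 11.3.4.1) applies to service providers, so a merchant would adjust that interval.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cadences as the post lists them: penetration tests annually and after any
# significant change, segmentation tests semi-annually and after any significant
# change. The day counts are assumptions; adjust them to your assessor's reading.
PENTEST_INTERVAL = timedelta(days=365)
SEGTEST_INTERVAL = timedelta(days=182)


@dataclass
class TestingRecord:
    """Dates kept as evidence (the 'retention of records' item in the list)."""
    pen_tests: list            # completion dates of penetration tests
    seg_tests: list            # completion dates of segmentation tests
    significant_changes: list  # dates of significant changes to the environment


def _cadence_findings(kind, tests, changes, interval, as_of):
    """Findings for one test type: a stale latest test, or a change with no test after it."""
    findings = []
    tests = sorted(tests)
    if not tests:
        return [f"{kind}: no test on record"]
    latest = tests[-1]
    if as_of - latest > interval:
        findings.append(f"{kind}: last test {latest} is more than {interval.days} days old as of {as_of}")
    for change in sorted(changes):
        if change > as_of:
            continue  # a future change is not yet a finding
        if not any(t >= change for t in tests):
            findings.append(f"{kind}: no test since significant change on {change}")
    return findings


def check_cadence(record, as_of):
    """Return a list of findings; an empty list means the record meets both cadences."""
    return (_cadence_findings("penetration test", record.pen_tests,
                              record.significant_changes, PENTEST_INTERVAL, as_of)
            + _cadence_findings("segmentation test", record.seg_tests,
                                record.significant_changes, SEGTEST_INTERVAL, as_of))


# Constructed sample records (hypothetical dates, not real client data).
AS_OF = date(2018, 4, 11)
SAMPLE_OVERDUE = TestingRecord(
    pen_tests=[date(2017, 4, 1)],
    seg_tests=[date(2017, 4, 1), date(2017, 10, 15)],
    significant_changes=[date(2017, 9, 1), date(2018, 3, 1)],
)
SAMPLE_COMPLIANT = TestingRecord(
    pen_tests=[date(2017, 12, 1)],
    seg_tests=[date(2018, 1, 10)],
    significant_changes=[date(2017, 11, 1)],
)

if __name__ == "__main__":
    for name, rec in (("overdue", SAMPLE_OVERDUE), ("compliant", SAMPLE_COMPLIANT)):
        print(name, check_cadence(rec, AS_OF) or ["no findings"])
```

Running it against the overdue sample reports four findings: the penetration test is older than a year, neither significant change was followed by a penetration test, and the March 2018 change was not followed by a segmentation test. The compliant sample reports none.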

Segmentation Tests

Segmentation tests represent a fourth strategy that differs from the penetration test methods previously discussed. Segmentation tests validate the effectiveness of the isolation of networks and components. In comparison to penetration tests, segmentation tests are not as intensive and are usually less expensive. Within PCI, proof of effective segmentation mechanisms is necessary for organizations seeking to simplify and reduce their scope.
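One defensive check that naturally precedes a segmentation test, added here as an example rather than anything from the original post or from Control Gap: review the firewall ruleset that is supposed to isolate the cardholder data environment (CDE) and flag every out-of-scope source that a rule would let through. The Rule class, the first-match/default-deny semantics, and the sample networks, hosts, and ports are constructed assumptions; the segmentation test itself still has to confirm the result empirically from each out-of-scope segment, since the live device may not behave as its exported rules suggest.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule (constructed format; a real ruleset needs its own parser)."""
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    ports: Optional[frozenset]  # TCP ports, or None for any port

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in ipaddress.ip_network(self.src)
                and dst_ip in ipaddress.ip_network(self.dst)
                and (self.ports is None or port in self.ports))


def is_permitted(rules, src_ip, dst_ip, port):
    """First-match evaluation with an implicit default deny (assumed semantics)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action == "allow"
    return False


def segmentation_gaps(rules, out_of_scope_hosts, cde_hosts, ports):
    """Every (src, dst, port) an out-of-scope host could reach inside the CDE.

    An empty result means the ruleset isolates the CDE for the probed ports; the
    segmentation test then confirms that empirically from each out-of-scope segment.
    """
    gaps = []
    for src in out_of_scope_hosts:
        for dst in cde_hosts:
            for port in ports:
                if is_permitted(rules, ipaddress.ip_address(src),
                                ipaddress.ip_address(dst), port):
                    gaps.append((src, dst, port))
    return gaps


# Constructed sample: 10.10.0.0/16 is the CDE; 10.20.5.0/24 is an in-scope
# management segment; 10.20.7.0/24 (corporate LAN) and 10.30.0.0/16 (guest)
# are meant to be out of scope.
RULES = [
    Rule("allow", "10.20.5.0/24", "10.10.1.0/24", frozenset({443})),  # intended admin path
    Rule("allow", "10.30.0.0/16", "10.10.0.0/16", None),              # forgotten legacy rule
    Rule("deny", "0.0.0.0/0", "10.10.0.0/16", None),                  # catch-all into the CDE
]
OUT_OF_SCOPE_HOSTS = ["10.20.7.10", "10.30.2.20"]
CDE_HOSTS = ["10.10.1.5", "10.10.2.9"]
PROBE_PORTS = [22, 443, 3389]

if __name__ == "__main__":
    for gap in segmentation_gaps(RULES, OUT_OF_SCOPE_HOSTS, CDE_HOSTS, PROBE_PORTS):
        print("segmentation gap:", gap)
```

With the sample ruleset the corporate LAN host is blocked by the catch-all deny, but the legacy rule lets the guest-network host reach both CDE hosts on every probed port; removing that one rule leaves no gaps. This is the kind of finding that shrinks the scope argument made in the paragraph above, so it is worth catching before the assessor's test does.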

Learn More

For more information on penetration testing, see:

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.

Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!

March 20 2018

We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber-war. In light of recent events, that opinion now looks optimistic.

What Could Eclipse Equifax?

The big news that emerged over the weekend and on Monday, March 19th, is a breach or theft of data from Facebook by Strategic Communications Laboratories and Cambridge Analytica. It's not so much the scale of the breach, as Equifax's is currently about 3 times larger; it is the very nature and exploitation of the breach/theft. If the reporting on this is accurate, this is far more disturbing than the neglect and apparent incompetence that led to the Equifax breach. The reporting not only hints at neglect and disinterest but carries strong suggestions of criminal activity. Currently, Facebook is aggressively investigating the incident and Cambridge has denied these claims. What is certain at this point is that both Facebook and Cambridge need to do some serious explaining. It's not just that Cambridge took the data but also that Facebook appears to have known and been less than forthcoming about what they knew.

There will be multiple inquiries and investigations in many countries. There will also be lawsuits and possibly criminal trials, as well as calls to put limits on tech companies or possibly break them up. Lastly, even if Facebook naively trusted a researcher who lied and cheated, there will be demands for changes. Another thing that is certain is that Cambridge Analytica's role in the Brexit vote will raise questions in the UK. Their association with the Trump campaign in the 2016 US elections and connections to political figures like Steve Bannon, a one-time VP with Cambridge, and Donald Trump will further intrigue and add fuel to the already fragmented US political scene. Reporting indicates the Mueller investigation will also be looking into Cambridge. Finally, investigative journalists in the UK went undercover and have video of Cambridge executives talking about setting up opponents to look like they're corrupt or involved with prostitutes and leaking the videos on the Internet. Cambridge is denying it, claiming it was a setup and that they were lured into a "hypothetical discussion."

Taken together, and if accurate, Cambridge may have gone far beyond just targeting election ads. They may have actively manipulated and deceived the public. They may possibly be real "fake news." Based on what has been reported to date, if accurate, we'd be surprised if Cambridge Analytica can survive as a company. Facebook too may be wounded, even if it is too large to be killed. Even if the US doesn't take action against Facebook, other jurisdictions can. Several states with breach disclosure laws may act, and the EU already has a tense relationship with Facebook. One thing that is certain is that there is a lot more to this story and we will be hearing about it for a long time to come. What follows is a summary of news articles which should get you started. Keeping up with this will surely challenge everyone given the rate at which new articles keep appearing.

What Has Been Reported?

Cambridge Analytica, Strategic Communications Laboratories, and SCL Elections (all related) used a personality app to profile approximately 270K Facebook users. Using a further "loophole", they were able to gather information on another 50M users without asking for any consent; these were in turn used to generate over 30M psychographic profiles. The company has, furthermore, been denying this for years. Facebook denies this was a breach, confirms that Cambridge stole its data, and shuts out the whistle-blower, Strategic Communication Laboratories, and Cambridge Analytica.

Some background

Not to be confused with ...

PCI DSS May Require Pulling Up Your SOX (or ISO)

February 22 2018

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a SOX audit will make passing a PCI audit relatively easy. While it's true that it can make passing PCI easier, there can often be significant and expensive gaps between complying with the two frameworks.

SOX and PCI Have Different Programs, Objectives and Methods

Perhaps it's human nature to confuse these very different programs; that certainly seems to be what we've seen in the industry. Without question, SOX and PCI both require strenuous effort to achieve compliance and complete audits; however, we find that the gaps between them can be significant, which is often unexpected and surprising. Understanding why requires a slightly deeper look, as there are several reasons why SOX and PCI don't align:
  • The most significant reason is that while both standards focus on protecting information and both deal with best practices, their fundamental objectives are quite different. Both are reactions to control failures that began more than a decade ago: SOX to Enron et al., and PCI to Egghead, CardSystems, TJX, Heartland, Target, Home Depot, and many others. SOX is really all about accuracy and integrity for the purpose of supporting audited financial statements. PCI is about preventing payment card account data breaches. Consequently, SOX is concerned with who changed what, whereas PCI is ultimately more concerned with who saw cardholder data.
  • PCI is far more prescriptive and detailed than SOX. Management and auditors have more flexibility in their choice and tuning of the best practices adopted in a SOX world. SOX controls often come up short when viewed through a PCI lens.
  • PCI scope and applicability are often broader than under SOX. PCI scope extends across the entirety of unbounded networks and connected systems. As such, it tends to consume entire corporate networks and all connected systems. While there is no requirement for internal segregation of systems under PCI, in many cases achieving full compliance without segregation is impossible in practice. SOX simply allows more flexibility and selectivity than PCI.
  • SOX controls are based upon well-established criteria for determining materiality. PCI has no similar built-in concept. The underlying regulations are written without regard to transaction/account volumes or risk. While the application of PCI under the payment brand regulations does include concepts of risk based on transaction/account volumes and payment channels, the lack of a materiality concept can be challenging in low-risk situations.
Similarly, PCI and ISO/IEC 27001 also don't completely align, and many gaps can arise if the ISO Information Security Management System (ISMS) doesn't specifically consider PCI DSS control requirements.

13 Years On and PCI DSS Is Still A Challenge

With PCI DSS entering its 13th year, a fair question to ask would be "why are organizations still finding PCI challenging?" One reason is that PCI DSS validation isn't one size fits all:
  • The only organizations fully assessed (i.e. completing a Report on Compliance) under PCI DSS are the largest merchants and service providers (by transaction/account volumes), those unfortunate enough to have suffered a data breach, and any that voluntarily assess.
  • Smaller organizations are expected to be fully compliant but are measured using a lighter-weight validation process (i.e. a Self-Assessment Questionnaire) that leaves out much of the detail and rigor of a full assessment.
  • Issuers of credit cards, often large banks, are also expected to be fully compliant but have so far been exempt from the mandatory formal annual validation required of those accepting credit cards.
The other main reason is that business and technology changes within the organization are a significant factor contributing to the ongoing challenge. These almost always result in a PCI DSS scope change:
  • Business changes such as mergers, acquisitions, and new lines of business can introduce non-compliant elements.
  • Business changes that exploit new technologies (e.g. mobile applications, pay at the door) will need to be compliant.
  • Business growth can lead to increased account/transaction volumes that cross the threshold requiring a full assessment.
  • Previously unidentified cardholder data processes and flows, such as shadow IT, going through their first assessment.
  • Technology changes (e.g. telephony) within the business can dramatically impact an organization's compliance footprint.
  • Contractual and other business requirements from customers (where the business is a service provider).
  • Inadequate due diligence when validating a solution, a service provider, or another third party.
  • Businesses also need to be prepared for future mandated DSS requirements, which are added to address new threats and feedback from breaches.
We believe we've covered the major reasons above; however, other factors such as staff changes, training, and even assessor changes can also create their own challenges. We hope that this provides some insight into why many organizations, and some large players, are still struggling with PCI DSS to this day. We also hope that you will find our Learn More resources valuable.

Learn More

Becoming PCI Compliant can be difficult, so why not let Control Gap guide you. We are the largest dedicated PCI compliance company in Canada. Contact us today and learn more about how we can help you: Get PCI Compliant. Stay PCI Compliant.
