Featured Article

Posted on by Steve Levinson

Visa recently issued a Security Alert to merchants, acquirers, and point of sale (POS) integrators discussing the most recent attack vector used (successfully) by miscreants to gain access to critical systems – in this case, POS systems. This posting is not only to provide a high level synopsis of that notification, but also to provide general advice to help prevent this type of attack, and to assist you in providing ongoing user awareness training so that your company’s employees can …

More Articles

Posted on by Steve Levinson

My team and I have delivered or participated in several hundred, if not more, PCI assessments over the past ten years. I find that the PCI DSS has matured nicely as the PCI Council has done a great job of toeing the fine line between creating a standard that is both relevant and reasonable. The standard continues to evolve to address the latest threats and issues, and overall is one of the most detailed, prescriptive, and well-defined security frameworks in …

Posted on by Steve Levinson

It seems hardly a few weeks pass by without yet another breach being announced. And it’s not just the big companies – smaller ones are targets as well. Attackers have become increasingly sophisticated in their methodologies while maintaining a high level of determination and perseverance to walk away with the trophy (compromised data) time after time. One common factor in almost all of these attacks has been the attackers’ ability to capture administrative credentials – once this has taken place, …

Posted on by Steve Levinson

For the longest time, when people discussed “Social Engineering” in the IT security arena, it was equated to schmoozing your way past the guard, or calling the Helpdesk to get a password. Social Engineers like Kevin Mitnick have been amazingly successful in working these angles to get inside hundreds, if not more, of applications and systems. But that was so 20th century – it didn’t scale well. As our connectivity to Everything Internet has become ubiquitous, there’s been a dramatic …

Posted on by Steve Levinson

This blog post is a culmination of dozens – no, hundreds – of discussions with clients, partners, and above all else, my awesome colleagues about the magic behind successful consulting. While some of these topics apply primarily to the art of security consulting, many of them transcend industry boundaries and apply to life in general. They are not presented in any particular order as some musings will resonate differently with each reader. There’s no sheet music. The beauty of the consulting …

Posted on by Steve Levinson

I’ve had dozens of discussions with our clients over the past decade to help them determine if they are doing a reasonable job in evaluating risk in their PCI environment (note – you can replace “PCI” with “any data/critical assets that you care about”). Over the course of participating in hundreds of PCI assessments, we have noticed that many companies’ risk assessment processes have been maturing nicely. Many moons ago, it was rather common for clients to ask, tongue in …

Posted on by Steve Levinson

In the Internet we Trust. At least we used to. Given today’s announcement that the “Heartbleed” bug exposes vulnerabilities in the mechanisms that we’ve relied upon for protecting sensitive information on the web (think passwords, credit card numbers, ANYTHING that is entered on a website), it is cause for immediate concern. In layman’s terms, this vulnerability allows an attacker to parse (capture) the memory of web servers running particular versions of OpenSSL, a cryptographic software library, potentially exposing …

Posted on by Steve Levinson

As most folks know, Microsoft’s flagship operating system, Windows XP, is going end-of-life as of April 8. Given the fact that about one out of every three computers runs this OS, there may be some strong ramifications for those who opt for the “do nothing” alternative. If you are running this operating system, you may not be vulnerable the day that it goes end-of-life, but as soon as there is a known vulnerability and if you HAVEN’T done anything to …

Posted on by Steve Levinson

As most of the world is aware by now, the recent credit card breach at Target (between November 27 and December 15) netted the attackers 40 million credit and debit cards, as well as personal information, such as phone numbers and addresses, of as many as 70 million more. For a few very long weeks, there was scant information about the attack vector and the malware involved with the attack. This posting is a follow-up to my recent posting where …
