Featured Article

Posted on by Security Consulting Team

Introduction

Over the years, our team has performed thousands of penetration tests. In the first 15 minutes of a pen test there are a handful of issues that we often discover. These issues are simple to understand and easy to correct, but they’re almost always there. They don’t require authentication, need minimal expertise to find, and aren’t the focus of the OWASP Top 10.

HTTP Server Configuration

The findings that are easiest to correct exist within web server configurations, …


More Articles

Posted on by Jerry Holcombe

I went to this year’s RSA Conference in San Francisco with the intention of learning more about risk management, which led me to select sessions called “Advancing Information Risk Practices,” “How Infosec Maturity Models are Missing the Point,” and “How to Measure Anything in Cybersecurity Risk.” While I was intrigued by all of the presenters, it was Jack Jones who drew me in. All three of the sessions, even if not presented by him, centered on his body of work …



Posted on by James Adamson

The cloud services industry has grown tremendously over the past several years, bringing new vulnerabilities and associated risk with it. How you protected your cloud environment in the recent past no longer suffices. This was a hot topic at this year’s RSA Conference, where several sessions presented strategies for securing the cloud environment. Using virtualization to make rapid changes has made cloud security far more difficult than it is in traditional environments. In one day you can monitor more changes and updates in a …



Posted on by Steve Levinson

Can you tell the difference between an authentic email and a phishing message? Even for security professionals who live and breathe Information Security, it has become harder and harder to distinguish phishing messages from authentic emails. Just the other day I received an email that looked remarkably similar to a PayPal email. It wasn’t from PayPal, and the scary part is that there were potentially serious consequences if I had clicked on the link in the email: I could have …



Posted on by James Adamson

Maybe you’ve seen the latest security scare video that’s making its way across the Internet. A group of men are shown installing a credit card skimmer over the entire PIN pad in under three seconds. This latest attack example reinforces the importance of the new requirement introduced in PCI DSS 3.0 that organizations inventory their PIN pads and conduct periodic physical inspections of them. So, what can you do to identify these issues quickly? Addressing a physical security problem like this …



Posted on by Steve Levinson

While the Federal Trade Commission (FTC) is stepping in to gain a better understanding of the state of PCI DSS assessments, it’s a good time to evaluate your own assessment quality and compliance policies. Referring back to last week’s blog, it’s very rare to see a company “score” 100% on a PCI compliance assessment. This can be for a myriad of reasons – a shift in staff, a new technology, a change in the threat landscape, etc. The bottom line …



Posted on by Steve Levinson

The Payment Card Industry world felt some very interesting shockwaves this week as the Federal Trade Commission (FTC) issued a news release announcing that it would be issuing orders compelling 9 QSA (PCI Qualified Security Assessor) companies to provide information to the FTC on how they conduct PCI assessments. The order was issued as the FTC attempts to gain a better understanding of the state of PCI DSS assessments. Why is this significant? A conclusion that one may draw from …



Posted on by Steve Levinson

The PCI Data Security Standard continues to evolve gracefully to address the ever-changing threat landscape. In April 2015, the Payment Card Industry (“PCI”) Security Standards Council issued the “Migrating from SSL and Early TLS” Information Supplement, which serves as a guideline pertaining to deprecated SSL/TLS protocols. The document served as the basis for the changes to the PCI standard from version 3.0 to 3.1. In December 2015, the PCI Council released a blog post providing an update and further clarification. Our …
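As an added example (not code from the original post or from the PCI Council), the following Python checker takes a web server's protocol directive in either nginx (`ssl_protocols`) or Apache (`SSLProtocol`) syntax and reports whether it still permits SSL or early TLS. It assumes the supplement's definition of "early TLS" as TLS 1.0 and treats TLS 1.1 as weak but not prohibited, which was the 2015 position; it also assumes Apache's `all` keyword expands to every version except SSLv2, as in mod_ssl 2.4. The sample directives in the comments are constructed for illustration.

```python
"""Flag web-server TLS protocol configuration that still permits SSL or early TLS.

Added example, not part of the original post. Assumptions:
  - "early TLS" means TLS 1.0, per the 2015 PCI SSC supplement;
  - TLS 1.1 is reported as weak rather than prohibited (2015 position);
  - Apache's 'all' expands to everything except SSLv2 (mod_ssl 2.4 behaviour).
"""
import re

ALL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
APACHE_ALL = set(ALL_VERSIONS) - {"SSLv2"}   # assumption: mod_ssl 2.4 'all'
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1"}     # SSL and early TLS: must be disabled
WEAK = {"TLSv1.1"}                           # discouraged, not prohibited in 2015


def _canon(token):
    """Normalise a version token so 'tlsv1.0' and 'TLSv1' compare equal."""
    t = token.strip().rstrip(";").lower().replace("tlsv1.0", "tlsv1")
    for version in ALL_VERSIONS:
        if version.lower() == t:
            return version
    if t == "all":
        return "all"
    raise ValueError(f"unknown protocol token: {token!r}")


def nginx_protocols(directive):
    """Return the set of versions enabled by an nginx 'ssl_protocols ...;' line.

    Example (constructed): 'ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;'
    """
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", directive)
    if not m:
        raise ValueError("not an nginx ssl_protocols directive")
    return {_canon(tok) for tok in m.group(1).split()}


def apache_protocols(directive):
    """Return the set of versions enabled by an Apache 'SSLProtocol ...' line.

    mod_ssl applies tokens left to right: 'all' enables every supported version,
    '-X' removes X, and '+X' or a bare 'X' adds X.
    Example (constructed): 'SSLProtocol all -SSLv3 -TLSv1'
    """
    m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", directive)
    if not m:
        raise ValueError("not an Apache SSLProtocol directive")
    enabled = set()
    for tok in m.group(1).split():
        sign = "+"
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        versions = set(APACHE_ALL) if _canon(tok) == "all" else {_canon(tok)}
        enabled = enabled - versions if sign == "-" else enabled | versions
    return enabled


def assess(enabled):
    """Map a set of enabled versions to a verdict.

    'compliant' is True only when no SSL or early-TLS version remains enabled;
    'weak' lists versions that pass but should still be retired.
    """
    return {
        "deprecated": sorted(enabled & DEPRECATED),
        "weak": sorted(enabled & WEAK),
        "compliant": not (enabled & DEPRECATED),
    }


if __name__ == "__main__":
    for line in ("ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
                 "ssl_protocols TLSv1.2 TLSv1.3;"):
        print(line, "->", assess(nginx_protocols(line)))
    for line in ("SSLProtocol all", "SSLProtocol all -SSLv3 -TLSv1"):
        print(line, "->", assess(apache_protocols(line)))
```

The Apache parser is the part worth noting: a directive like `SSLProtocol all -SSLv3` looks hardened but still enables TLS 1.0, which is exactly the "early TLS" the supplement targets; resolving the token list rather than grepping for the string `SSLv3` catches that.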



Posted on by Steve Levinson

It’s probably because I insulted the city of Oakland by saying in a recent Facebook post that the Oakland Coliseum was post-apocalyptic that karma came knocking at the door, or, to be more exact, came smashing through the rental car window and stole my backpack (which had my laptop) during the time it took to purchase my coffee at Starbucks. Since I’m pretty paranoid about these things – after all, it’s something I do for a living – I figured …
