Archive for October, 2011


PCI DSS Control 1.3.8 describes using NAT as one of the ways to hide the organization's internal IP addresses. Find out more.

Under PCI DSS, SQL injection is considered a major threat to card data web applications. What is SQL injection? How is it done? See SQL injection in action.

Secured Passwords on Cisco

Secure password settings on a Cisco device, in two parts. Under PCI DSS, your auditor will definitely check for correct password configuration on your Cisco router or switch.

The best way of storing passwords is hashing them with a salt. What is a hash? What is a salt? Find out.

Oracle Transparent Data Encryption (TDE) is a method of encrypting the whole database or selected columns. If key management is done properly, that is, the keys are managed through an independent method, Oracle TDE can very easily render databases holding card information unreadable in a PCI DSS compliant way. See how.

ATM Skimming Devices

A roundup on ATM skimming.

ATM Skimming

A good introduction to how ATM skimming works.

Card Skimming in Restaurant

Restaurants have been identified as a high-risk area for card skimming operations. Never let your card out of your sight. See how card skimming works in a restaurant.

Hashing is one of the methods used to render credit card data unreadable. This is an introduction to hashing using SHA-1. MD5 is another common algorithm. However, please note that MD5 and SHA-1 are considered weak hashing methods; SHA-256 is currently a safe hashing method. An animation of SHA-1.

Symmetric encryption works with a shared (common) key. However, the shared key itself cannot simply be transported, as it is very sensitive; it has to be generated independently by sender and receiver. This is accomplished through key exchange. There are two methods of key exchange: DH (Diffie-Hellman) and RSA. As per PCI DSS, key lengths of 1024 bits or more are needed for DH or RSA. SSL, the encryption used on the Internet, uses DH and/or RSA for key exchange to agree on a 128- or 256-bit shared key (SSL 128 or SSL 256). DH is explained in this presentation. AES is also explained again.

The AES algorithm is a PCI DSS preferred and permitted symmetric-key cryptographic algorithm. A 256-bit key length is preferred, though 128 bits is acceptable. A beautiful under-the-hood visualization of how the AES algorithm works.

Daniel Compton, Information Security Consultant at 7Safe, walks through a real-life example of a credit card data hack on a seemingly secure corporate network using “client side attacks” and “pivot attacks”.

A short video on how simple it is to crack WEP using AirPcap and Cain and Abel on Windows. Never use WEP in secure environments.

A short video on the life cycle of a Telnet password being cracked through brute force. It reinforces that passwords should be strong even for obscure Telnet servers. Under PCI DSS, SSH should be used for remote administration, not Telnet.

Introduction to OSSEC, a free open source HIDS solution that fulfills the HIDS requirements under PCI DSS. It also has log management features.

PCI DSS requires secure remote authentication. RADIUS and TACACS are two of the possible methods. This video explains RADIUS and TACACS.

Security Awareness

Issues with Security Awareness

Trojans and Backdoors

Introduction to Trojans and Backdoors

Virus

Introduction to Viruses

Backups

What are the various backup strategies, and what are the security issues with backups?

Application patch management principles.

Patch Management

What is patch management, and how should it be done?

Switch, Firewall and Router

Introduction to switches, firewalls and routers.

Security policy training and procedures.

Risk Analysis

Risk analysis and risk calculations: one approach.

User rights and permissions.

Incident Management

Incident management is a mandatory requirement in PCI DSS. Understand the basics.

How can effective security policies reduce organizational risk?

What do we mean by change management?

What is a VPN, and what are VPN concentrators?

What are VLANs

The basics of VLANs.

What are the issues in secure remote access?

Principles of Network Separation

Introduction to the principles of network separation.

Demilitarized Zone DMZ

Introduction to the DMZ.

Secure Router Configuration

Secure router configuration: an introduction.

Log Analysis

Introduction to log analysis.

Firewall Rules

Introduction to the importance of firewall rules.

Introduction to web application firewalls.

Application Hardening

Introduction to application hardening.

Introductory concepts in secure coding.

An introduction to operating system hardening, a requirement of PCI DSS Control 2.

Penetration Testing

Introduction to penetration testing.

An introduction to assessment techniques: baseline reporting, code review, application design review, and architecture review.

Physical Security

Introduction to physical security.

Security Assessment tools

An introduction to general security tools like protocol analyzers, vulnerability scanners, port scanners, and honeypots.

Privilege management is a major PCI DSS concern. An introduction.

A general introduction to password controls. Note that the password values recommended by the presenter are not official PCI DSS approved values; refer to the PCI SSC for the latest permitted password configurations.

Access control for credit card data is a mandatory requirement under PCI DSS and is covered in Control 7. An overview of access control.

PCI DSS Control 8 covers issues relating to identification and authentication. An introduction to the basic controls.

DLP is one of the proposed approaches to controlling the distribution of card data. It is not yet known how effective DLP is at restricting data distribution, as it introduces management loads that can be overwhelming. An introduction, nonetheless.

The presenter refers to mydlp, which has a free community edition that can be used to try out the concept.

Single sign-on is a desirable architecture for multiple applications, as it reduces the number of usernames and passwords for a given user. Password controls need to be applied at only one level, and they then apply to all covered applications. An introduction to single sign-on.

Multi-Factor Authentication

Multi-factor authentication is a mandatory requirement under PCI DSS for administrators and users logging into the card network remotely. An introduction.

Kerberos is a network authentication protocol developed at MIT. An introduction.

WEP vs WPA

This presentation explains the difference between WEP and WPA. WEP is not permitted under PCI DSS; currently WPA2 is the only permitted wireless encryption protocol.

A layman's introduction to public and private keys.

Many IT developers and network administrators believe that password stealing on the network is an overhyped threat. See a demo and judge for yourself. The tool used is Wireshark, a free open source network sniffer.

Configuring an IDS rule in SNORT

SNORT is an open source IDS, and the video shows how to configure a rule in SNORT. SNORT is a permitted IDS.

Hashing is one of the permitted methods under PCI DSS to render card data unreadable. This presentation explains the basics of hashing. Permitted hashing algorithms change, so please keep an eye on the PCI Security Standards Council for the latest guidelines on hashing.

This video explains how to install SNORT, a powerful open source intrusion detection system. As per PCI DSS, an intrusion detection system is required to monitor Internet traffic and card data traffic on the internal network.

This video explains the basics of Redundant Array of Independent Disks (RAID). RAID is the most common method of organizing hard disks to provide data redundancy and data distribution. An understanding of RAID is necessary to understand card data security issues.

There is a lot of confusion about the difference between a Storage Area Network (SAN) and Network Attached Storage (NAS). This presentation helps clear it up. The storage design determines how card data covered by PCI DSS gets transmitted and stored. SAN raises encryption issues under PCI DSS, a topic to be tackled later.

Virtualization is one of the modern trends in enterprise IT design and has implications for PCI DSS. This video is a primer on virtualization.

A short video on configuring Nessus, the free web application security scanner from Tenable Security. Nessus also has a PCI DSS plugin. Nessus is a permitted tool under PCI DSS.

An excellent use of tokenization to eliminate card data from customer communication.

This video gives an introduction to buffer overflows, which lead to applications getting hacked.

In this video, tennis balls are used to explain encryption without any jargon.

The WEP wireless encryption protocol is not permitted under PCI DSS as a mode of transmission for card data. See a demonstration of WEP being cracked. Usage of WEP has been identified as one of the biggest threats to card data security.

Anti-Virus Animation

A humorous take on anti-virus software.

A video on multiple credit card skimming techniques.

Luhn’s Algorithm

Luhn’s algorithm is used to compute the check digit of a valid credit card number. An introduction and an example.

This gives a layman's introduction to a simple cross-site scripting attack. Under Requirement 6 of PCI DSS, applications should not be vulnerable to cross-site scripting attacks.

Introduction to SSL

Under PCI DSS Requirement 4, card data must travel encrypted over public networks. SSL is an approved method. This video gives an introduction to SSL.

Owned by Intricap | Theme: Motion by 85ideas.