Search

About

Enter your email address:

Delivered by FeedBurner

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

« May 2010 | Main | July 2010 »

June 2010

The Payment Card Industry Data Security Standard (PCI DSS)

There are a number of regulations and standards that have been established to protect the privacy of individuals and to prevent fraud.  One of these standards is called the Payment Card Industry Data Security Standard.  Here is an overview of how it was established and what it is:

Comprised of Visa, MasterCard, American Express, Discover, JCB, and Diners Club, the Payment Card Industry (PCI) developed the Data Security Standard (DSS), initially based on Visa’s Cardholder Information Security Program (CISP), to help prevent payment card fraud and identity theft.  It encourages and enhances cardholder data security and privacy by facilitating a broad adoption of a consistent, global data security standard.

The principle goal of the data security standard is to protect cardholder data at all times, whether processed, stored, or in transit.  The PCI DSS has been universally adopted by all major payment card brands and is governed by the PCI Security Standards Council (PCI SSC). 

Unlike laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Leahy Personal Data Privacy Security Act of 2009, and Massachusetts 201 CMR 17, all of which are enforced by federal or state governments, the PCI DSS is NOT a legal or regulatory directive but, rather, a contractual obligation.  The standard is enforced through a mandatory ‘contract chain’, whereby information security and privacy requirements are passed from payment card companies, to merchant banks and card processors, and eventually merchants, via contract language.  As a result, compliance to the PCI DSS transcends both industry and geography and necessitates heavy involvement, if not oversight, from an organization’s legal team.

The PCI DSS consists of 6 main control objectives, is comprised of 12 primary requirements and contains approximately 210 individual controls.  The control objectives address:

  • Building and Maintaining Secure Networks
  • Protecting Cardholder Data
  • Maintaining a Vulnerability Management Program
  • Implementing Strong Access Control Measures
  • Regularly Monitoring and Testing Networks
  • Maintaining an Information Security Policy

Failing to effectively manage and protect information while it is processed, stored, and transmitted, can be unlawful and negatively affect business reputation, customer base, employee morale, and revenue. 

Both customers and employees expect their personal information to be protected by the organizations with which they do business.  They are no longer willing to overlook an organization’s failure to keep their personal information secure and private.  Therefore, it is imperative organizations be aware of and educated on all Information Security and Privacy requirements with which they must be compliant; this includes not only applicable laws and regulations but contractual obligations as well. 

Bill Murray leads the Information Security and Disaster Recovery team at Westfield Insurance. Sharing Knowledge. Building Trust

Bill Murray on 15 June 2010 | | Comments (0)

| | | | | |

Email Attachments

Did you ever get an email with an attachment and wonder if your getting ready to open a  file infected with a virus? You already know you should never open an attachment from someone you don’t already know, right?

If you suspect a file is infected or just want to make sure it’s safe, there is a quick and easy way to check if it’s infected or safe. Instead of opening the file, save it to a folder on your hard drive and remember that location.

Now open your favorite browser (IE, firefox, etc) and type in the URL http://www.virustotal.com. VirusTotal is a great site that will allow you to check the file against 40+ different Anti-Virus (AV) programs for free! All you need to do is upload the file by pressing the “Browse” button and navigate to where you saved the attachment. When you have selected it, press the “Send File” button to upload it.

Virustotal1


Once the file is uploaded, it will begin scanning. When it’s completed, typically in less than a minute,look to see if any of the AV programs found the file as a virus. Here's a sample report.

Virustotal2

My rule of thumb is that if even one AV program tags it as a virus, DO NOT OPEN IT! As you can see in the example I used, there was no virus detected. This would give me enough assurance that the file was clean that I would open it.

Just to be completely clear, even if you scan the file and no viruses are detected, there is no positive guarantee the file is clean. It just means that it does not contain a virus previously seen by the site's AV vendors. But if over 40 vendors have not seen it, it will be safer than if you just opened it without checking.

Thanks for reading!

Jeff Gibson is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust

Jeff Gibson on 08 June 2010 | | Comments (0)

| | | | | |

Parental Controls Online - 6 Questions to Ask Your Family

8S22SRE498JM

Have you ever noticed how your child's favorite TV shows are directing them to the Internet to watch extra episodes and access special content like games and other shows? My daughter is just now starting to show interest in our family laptop, finding it wherever we might be hiding it. We keep putting off establishing parental controls, but it's only a matter of time before she figures out how to make the laptop work.  As a family we will be nervous with not only the content she will be introduced to, but the wide variety of identity theftand other serious dangers that lurk within. Struggling with allowing her to learn while keeping her safe is a big challenge, one every parent is going to encounter.

This led me on a path of research, searching the web for keywords like "family safe internet software" and "parental controls for the internet."  I saw quite a few sites selling software solutions like NetNanny, BSecure, and free tools like K9webprotection. There were others which carried with them some recommendations like FocusontheFamily and ConsumerSearch, which suggest pre-reviewed products to use.

Looking at all of the options, I can understand how it would be difficult to choose the best product for your family. Here are a few questions to help identify your family’s need for a tool like this:

1) Who in your family needs protecting? Yourself? Children? Adults who are wary of the Internet? Guests?
2) What devices do you need to protect? Smart phones? Laptops/Desktops? Wii?
3) What applications does your family use? Internet browsers? Instant messaging? Social networking sites like Facebook or Myspace?
4) What operating systems and versions do you have? Mac? Windows? Linux?
5) What are you willing to spend to keep your family safe from these dangers?
6) What kind of monitoring do you want to have access to? Web surfing logs? Online game play? Instant messaging usage?

Let me know your thoughts on this topic! Please chime in and let us know what you do to keep your family safe.

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 02 June 2010 | | Comments (4)

| | | | | |