Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a benchmark with tenure in the industry, with the first version being introduced in 2004. The PCI DSS was unique when it was introduced because of its prescriptive nature and its focus on protecting cardholder data. Cybersecurity is a changing landscape, and prescriptive standards must be updated to address those changes. The most recent update to the PCI DSS was in 2018, and the world has certainly changed since then.

When a business concept is born, building out a tech stack based on cybersecurity is not always the first item of concern. The need to simplify cybersecurity often comes later in the growth phase of a business. Start ups are well-known for everyone on staff pitching in in different areas. Technology, software purchases are often based on last minute needs, lowest costs, etc. It is often assumed that security is covered by the manufacturers of the chosen technology.

When security analysts choose technology, they approach the process like a mechanic looking to purchase a car. They want to look under the hood and see how the product works. They need to evaluate the product as a technologist. On the other hand, the c-suite has different evaluation criteria. Senior leadership approaches the process like a consumer buying a car.

Attack Surface Assessment tools enable information security teams to look at their organizations “outside-in” from the attacker’s point of view, prioritizing the issues that attackers will see first.

The vendor risk management process is now an essential requirement of all cybersecurity programs. Without it, you're a sitting duck for supply chain attacks and third-party data breaches. In recognition of this, regulatory bodies are increasing their third-party risk compliance requirements and enforcing obedience by threatening heavy financial penalties for non-compliance.

Cyber insurance coverage? Through the roof these days. Also, coverage is not that easy to get. The many breaches and the dollar judgements handed down make cyber insurance another costly operating investment. A mid-sized client of mine, as an example, pays $1 million in annual cyber insurance costs just to do business with its commercial and government customers. The issue adds another twist to the topic of third-party risk.

While 1Password is usually there to autofill your passwords, sometimes you still have to manually type them in.

During the assessment of one of the financial applications built upon the flutter framework, we came across that the application was using PGP encryption for encrypting the API requests. It is pretty common for financial applications to be implementing traffic encryption, with AES seen to be the preferred algorithm for encrypting traffic. There is plenty of research already available on decrypting AES encrypted traffic.

A company can accumulate massive amounts of information that security analysts are not able to monitor instantly. This can mean that priority security alerts either go unnoticed or are considered a false alarm because the appropriate technology is not available, which results in organizations failing to take action in time.