NetSPI Blog

Yan Kravchenko
August 21st, 2009

You Cannot Outsource the Consequences of a Breach

Mozilla is known to most people for its open-source and free software, most notably Firefox. However, starting around August 4th, it also became known as yet another company whose merchandise store was breached. Following the announcement on the company’s blog and closure of Mozilla’s store, the following headlines filled trade pubs and the blogosphere: “Mozilla […]

Seth Peter
August 11th, 2009

Social Media and Corporate Guidance

One of the common themes I took away from the 2009 Blackhat Briefings was the inherent security risks associated with using social media and networking sites. (These concerns have also received some coverage in trade pubs; see, for example, a recent Computerworld article: http://tinyurl.com/mc7yb8) Using social media applications is not just a personal computing trend; […]

Deke George
August 11th, 2009

Healthcare Organizations and Tighter Security Requirements

Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare. Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected […]

Alex Crittenden
August 6th, 2009

The Far-Reaching Impact of the PCI DSS

The last few years have seen a great deal of discussion, arguing, hand-wringing, and posturing within the retail/hospitality community regarding the PCI DSS. It has also driven a lot of investment in technology, and a lot of investment by technology companies. Then PA-DSS came along. The PCI Council took a voluntary program (PABP) and […]

Lee Buttke
July 15th, 2009

PCI and Assessment Consistency

As many organizations that have hired QSAs recently have seen, the Report on Compliance (ROC) has changed quite dramatically for v1.2 of the PCI DSS standard from previous versions. Although previous versions of the DSS required that a QSA address all the controls and properly document them, in fact many ROCs failed to provide adequate […]

Seth Peter
July 14th, 2009

Is Your Compliance Driven by More Than an Audit?

Preparing for an audit can be one of the best ways to fund and improve your security program, but this “stimulus package” for your compliance effort typically dwindles once an organization completes or passes an audit. I see this happen frequently in recurring or annual audits, but it is particularly relevant with the recent news […]

Deke George
July 14th, 2009

Compliance vs. Risk

As a company, we’ve tried to understand which organizations are most likely to mature their information security programs. It seems that the answer should be obvious: organizations with valuable assets or the need to have data highly available should be very concerned about information security. This could translate into organizations that have a lot to […]