NetSPI Blog

Lee Buttke
November 12th, 2009

Brand Reciprocity Revoked by Visa and MasterCard: What It Means for Merchants

Brand reciprocity refers to how the card brands acknowledge the different merchant levels of the other card brands. For example, if an organization is a Level 2 Visa merchant but a Level 4 MasterCard merchant (both designations based upon transaction volume), brand reciprocity means that the merchant would be classified as a Level 2 merchant. […]

Scott Sutherland
November 10th, 2009

Internal Penetration Testing: Attacking Systems That Matter

When you are conducting internal penetration tests in large environments, prioritizing attacks can be a challenging task, because of the number of systems and vulnerabilities. Attacks performed during testing are commonly prioritized based on the nature and severity of the vulnerabilities identified. However, the effectiveness of that approach can be greatly increased by focusing on […]

Ryan Wakeham
November 9th, 2009

“60 Minutes” on Cyber Security Risks

On November 8, CBS’s “60 Minutes” ran a segment on information security weaknesses called “Sabotaging The System.” This piece highlighted security vulnerabilities in segments of our nation’s critical infrastructure, including banking, power, and national defense. In addition, former and current government officials confirmed that the threats exist; not only are probes and attacks occurring with […]

Dan Gardner
November 6th, 2009

Do Not Use the Back Door!

In system development a “backdoor” creates a way of bypassing normal authentication to allow access to a system. Secret backdoor credentials often exist deep in the thousands or millions of lines of code that make up a system. This is just one reason why building your own user management/authorization/authentication schemes into systems is a bad […]

Alex Crittenden
November 5th, 2009

Questions on PA-DSS from Software Companies and Straight Answers

This post is a result of many, many conversations with software companies regarding the PCI Payment Application Data Security Standard (PA-DSS). What’s really interesting about all those conversations is that they tend to fit into two categories – the first involves software companies that know that they need to go through PA-DSS validation and are […]

Deke George
November 3rd, 2009

PCI in Europe Today

I attended the 2009 PCI Community meeting in Europe last week. Since this was a feedback year, there wasn’t a significant amount of new content; however, there were some interesting points regarding PCI adoption in Europe. It’s been discussed quite frequently that the Europeans are behind North America in implementing PCI, especially at the merchant […]

Seth Peter
November 2nd, 2009

Vulnerability Scanning with Multiple Products

Should you rely on just one solution to identify all of your vulnerabilities? Most of us rely upon just one anti-virus scanner, right? Every vulnerability scanner claims to be better than its competitors, but how could this be? Where is the Consumer Reports on this subject? I think there is a mix of reasons why […]

Lee Buttke
November 2nd, 2009

European PCI Community Meeting: Some Impressions

The trip back to the U.S. from the European PCI Community Meeting in Prague took about 12 hours. For someone who lives and breathes PCI, that equals one hour for each of the 12 requirements of the Data Security Standard (DSS). Here are my impressions of the conference. First, the PCI Security Standards Council did […]

Deke George
October 22nd, 2009

Where the CISO Reports

Since the role of the Chief Information Security Officer (CISO) and how he or she reports has a major impact on security and risk, I think it’s interesting to look at how different organizations have structured the position. With that said, there is very little consistency other than a correlation with the industry vertical’s understanding […]