BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

PCI DSS 2.0

Posted September 16, 2010    Brad Hibbert

Yes its PCI time again.

PCI DSS 2.0 has just completed final review and is expected to come out next month. As indicated in the summary of changes document , there are no major changes expected. Refinements to better align standards, provide clarifications, increase merchant flexibility, and additional guidance on specific technologies including virtualization and web applications are expected (For example Requirement 2.2.1 will be clarified to further define the “one primary function per server” as it relates to virtualization).

Some of our customers were anticipating that the PCI severity levels were going to change. In fact, Requirement 6.2 is being adjusted to allow for a risk-based vulnerability assessment process so that those vulnerabilities with the highest ranking are addressed first, versus just patching everything within a 30 day period. This lends itself well to both Retina’s existing risk scoring capabilities and integrated patch module being released next month.

The updated standards are to be issued in final form on October 28th and are to be in effect on Tuesday, January 11, 2011. We continue to wait to see what PCI delivers in the way of details, and will rework our standard PCI reports to align with any changes to the 12 Requirements, shortly after it is released.

As a shameless plug, I should also mention that if you are in need of a PCI Approved Scanning Vendor (ASV), eEye is launching this service to our customers over the next several weeks. If you have the need, just contact our sales team.

Tags:
, , , ,

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,