Report claims 80% of web apps will fail a PCI DSS audit

Research released today makes the damning assertion that, with more than half of all software failing to meet acceptable security levels, 80% of all web applications are at risk of failing a PCI audit.

via Infosecurity (UK) – Report claims 80% of web apps will fail a PCI DSS audit.

The PCI Lessons From Google’s Employee Data Breach

When Google this month fired a programmer for using the search giant’s database to investigate an intriguing teenager, it showed that even the most sophisticated and respected technology brands can have a trusted employee go rogue. This lesson should not be lost on retail executives, who may rely on several third-party service providers to process or analyze their payments.

via StorefrontBacktalk » Blog Archive » The PCI Lessons From Google’s Employee Data Breach.

Plenty of Feedback on HIPAA Changes

The Department of Health and Human Services’ Office for Civil Rights received thousands of pages of comments from hundreds of organizations by the Sept. 13 deadline. Now, the office will spend the coming weeks fine-tuning the proposal issued in July.

via Plenty of Feedback on HIPAA Changes.

Discover to get $5M from Heartland for ’08 data breach

Heartland Payment Systems has agreed to pay $5 million to Discover to settle claims arising from the massive data breach disclosed by the payment processor last year.

In a brief statement on Wednesday, the Princeton, N.J.-based Heartland said the settlement “resolves all issues” between the two companies stemming from the intrusion.

via Discover to get $5M from Heartland for ’08 data breach.

Nigerian advance-fee scammer gets 12 years

A Nigerian man has been sentenced to 12 years in prison for sending out fraudulent e-mails offering victims big bucks in exchange for moving cash to the United States.

Okpako Mike Diamreyan, 31, was sentenced to 151 months of prison Wednesday by United States District Judge Janet Hall in Bridgeport, Connecticut.

via Nigerian advance-fee scammer gets 12 years.

What security can learn from the $15M Sprint employee breach

Federal prosecutors this week charged nine former Sprint employees with fraud and aggravated identity theft after learning they had cloned customer cell phone numbers to make $15 million worth of calls. According to the complaint from federal prosecutors, the individuals who have been charged worked at Sprint stores in the Bronx, Bergen, N.J., and Tampa, Fla., and used company computers to get confidential information about thousands of customers. The data was used to create the so-called ‘clone’ cell phones. Of the $15 million worth of calls, a large percentage of them were international calls, said prosecutors.

via What security can learn from the $15M Sprint employee breach.

Hotel systems breached and card info stolen all over the U.S.

The payment system at a number of properties of HEI Hospitality – the hospitality operator that runs over 30 upscale hotels across the U.S. under brand names such as Marriott, Hilton, Sheraton and others – has been breached and card data of some 3,400 customers has been compromised, says Databreaches.net.

via Hotel systems breached and card info stolen all over the U.S.

Audit reveals gaping security holes on DHS networks

The recently released results of a security audit performed on the various systems used by the US-CERT to accomplish its cybersecurity mission revealed an unpleasant reality: a total of 671 unique vulnerabilities – 202 of which were high-risk – have been detected on the Mission Operating Environment (MOE) system.

via Audit reveals gaping security holes on DHS networks.

Preparing For A Firewall Audit

Network security audits are getting a lot of coverage these days thanks to standards like SOX, PCI-DSS, and HIPAA. Even if you don’t need to comply with any of those standards, business relationships with partners or customers may require you to show that your network is secure.

via Preparing For A Firewall Audit | Katonda.

Enterprise risk management: Get started in six steps

I propose that ERM is worth doing and doesn’t have to be so complex if you simply “begin with the end in mind,” as Stephen Covey says in The 7 Habits of Highly Successful Security Leaders. Or would have said if he’d written such a book.

The basis of my thoughts is COSO’s ERM framework (link goes to a PDF of the Executive Summary). Here is the end to keep in mind as you begin your ERM efforts, taken from COSO’s work:

via Enterprise risk management: Get started in six steps.