Hard Drives in Copy or Fax Machines are a HIPAA Risk | Supply Chain

While everyone is worried about stolen laptops or unauthorized access to computer files, who ever thought the hard drive in copying and fax machines could be a potential HIPAA violation?

Copy machines, fax machines and scanners now contain hard drives — like computer hard drives — that store images of all the pages of information that ever ran through the machines, according to the Baudino Law Group.

The Des Moines, Iowa, law firm said that after a copy machine was disposed of by a New York-based managed care plan, the plan had to notify three state agencies, federal authorities and more than 400,000 members of a breach of protected health information under HIPAA.

via Hard Drives in Copy or Fax Machines are a HIPAA Risk | Supply Chain.

Writing A #PCI Compensating Control

This is a very popular topic these days as more and more organizations have to rely on compensating controls to comply with the PCI DSS. With the exception of requirement 3.2 (do not retain track data), any of the other PCI DSS requirements can be met with a compensating control.

First, let us get familiar with what is required for a compensating control. For v1.2 of the PCI DSS, there are seven elements to the compensating control.

via Writing A Compensating Control « PCI Guru.

Roundup of largest data breaches / incidents

Records exposed   Date         Organizations
130,000,000       2009-01-20   Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank
94,000,000        2007-01-17   TJX Companies Inc.
90,000,000        1984-06-01   TRW, Sears Roebuck
76,000,000        2009-10-05   National Archives and Records Administration
40,000,000        2005-06-19   CardSystems, Visa, MasterCard, American Express
26,500,000        2006-05-22   U.S. Department of Veterans Affairs
25,000,000        2007-11-20   HM Revenue and Customs, TNT
17,000,000        2008-10-06   T-Mobile, Deutsche Telekom
16,000,000        1986-11-01   Canada Revenue Agency
12,500,000        2008-03-26   LaSalle Bank, BNY Mellon Shareowner Services, Archive Systems Inc, The Walt Disney Company, SYNOVUS

1-in-4 worms spread through infected USB devices

Hard on the heels of a report that a USB drive was used to compromise U.S. military networks in 2008, a security company today claimed that 25% of all new worms are designed to spread through the portable storage devices.

via 1-in-4 worms spread through infected USB devices.

Visa Raises The Bar For PA-DSS Applications And Vendors

For example, using a PA-DSS validated application by itself does not make you PCI compliant. Rather, you still need to implement the application according to the vendor’s implementation guide (which is sometimes an issue when resellers are involved), and you have to implement it in a PCI-compliant environment.

via StorefrontBacktalk » Blog Archive » Visa Raises The Bar For PA-DSS Applications And Vendors.

Tenable Network Security Awarded U.S. Patent for Network Monitoring Technology – Centre Daily Times

Tenable developed the Passive Vulnerability Scanner (PVS) to complement its other market-leading scanner, the active network scanner Nessus. Where Nessus allows organizations to audit networks for known vulnerabilities and to conduct full patch, configuration and compliance audits at a point in time, Tenable’s PVS allows organizations to continuously monitor the same network by analyzing network traffic 24×7 and provides real-time updates to Tenable’s SecurityCenter on new devices, the applications running on those devices and the known vulnerabilities associated with those devices.

via Tenable Network Security Awarded U.S. Patent for Network Monitoring Technology – Centre Daily Times.

Privacy software: Who are the early leaders? – PC World Business

Together they form what I’d call the “privacy GRC” market, where GRC stands for “governance, risk and compliance.” GRC makes up most of what privacy people do.

It’s not a big market. To put things into perspective, Gartner is only in its third year of analyzing the nascent IT GRC market. The privacy GRC market is at the moment no more than just a subset of that.

via Privacy software: Who are the early leaders? – PC World Business.

Windows DLL load hijacking exploits go wild

Less than 24 hours after Microsoft said it couldn’t patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company’s software.

Also on Tuesday, a security firm that has been researching the issue for the last nine months said 41 of Microsoft’s own programs can be remotely exploited using DLL load hijacking, and named two of them.

via Windows DLL load hijacking exploits go wild.

Visa offers new guidance on securing payment applications – Computerworld

Visa on Tuesday announced a set of security best practices for vendors of payment applications and for the systems integrators and resellers responsible for implementing and managing them.

The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of the applications that are used in credit and debit card transactions, according to Eduardo Perez, Visa’s head of global payment system security.

via Visa offers new guidance on securing payment applications – Computerworld.

More On PCI DSS 2.0 « #PCI

The biggest news out of this presentation is that requirement 6.5 will now apply to all in-scope applications, not just Internet-facing or browser-based applications. Based on all of the breach research that has been conducted, they have finally realized that any application in the cardholder data environment (CDE) is a potential hazard, not just those on the big, bad Internet. However, this is likely to cause problems for all of those legacy systems on HP (DEC) VAX, IBM iSeries and zSeries, as well as other “antique” platforms. It is hard to apply many of the OWASP/CWE/CERT/etc. secure coding standards to applications that are not written in Java, PHP, .NET and the like. Some of these standards will apply, but the majority will not.

via More On PCI DSS 2.0 « PCI Guru.