Triaxiom Security
Partner with us to meet your Information Security needs.
27 May 2019

Which SAQ is Right For Your Organization?

For most organizations that accept credit cards for payment, compliance with PCI DSS is a necessary evil to keep your bank happy and ensure that money keeps coming in the door. And for compliance purposes, your company is likely being required to complete an SAQ, as only a relatively small percentage of large merchants (or […]

24 May 2019

What to Expect After a Penetration Test (Part 2 of 2)

In this two-part blog series, we are looking at what you can expect after a penetration test. More specifically, what basic steps should you follow once you receive the report to start fixing the vulnerabilities uncovered. In the previous installment, we took a look at understanding the penetration testing report and coming up with an […]

22 May 2019

What to Expect After a Penetration Test (Part 1 of 2)

So you have finally taken the plunge and had your first penetration test completed. Or maybe this is a yearly requirement, but for some reason you still aren’t getting the results you expected. Maybe you are running into hurdles securing your environment. For many, having a penetration test completed is an eye-opening experience that will […]

20 May 2019

PCI Compliance – Completing an SAQ D – Service Provider

This is the final installment in our series reviewing each of the Self-Assessment Questionnaires (SAQs) available for organizations required to comply with the PCI DSS. This final blog is going to cover another sub-type of the SAQ D, the SAQ D – Service Provider. This SAQ is unique in that, if you’re a service provider, […]

17 May 2019

Password Security: Everything You Need to Know

After performing penetration tests for a myriad of companies over the last decade, there is one thing that stands out above all others…. People suck at making passwords. At first I thought “how hard can it be?” But after working with company after company, and trying to improve their password security, I have realized that […]

15 May 2019

Key Takeaways from the 2019 Verizon Data Breach Investigation Report

Each year, Verizon provides a Data Breach Investigation Report (DBIR) which looks at the trends from the past year’s data breaches. Verizon builds this report using 73 data sources, with a combined total of 41,686 security incidents. By looking at the trends, we can see what’s happening in the information security landscape and try to […]

13 May 2019

PCI Compliance – Completing an SAQ P2PE

This is the last merchant self-assessment questionnaire to cover in our series going through the organizational requirements to use each of the SAQs. We’ve talked a lot about why it’s so important to try and reduce scope and use the right SAQ for the payment channels utilized by your organization. The SAQ P2PE, in particular, […]

10 May 2019

PCI Compliance – Completing an SAQ D – Merchant

After discussing a number of the other Self Assessment Questionnaires (SAQs) that merchant organizations may need to complete for PCI DSS compliance, we have finally reached the peak if you’re a merchant. This final SAQ for merchants (we’ll cover D for service providers soon) is the catch-all that applies to any organization that isn’t able […]

8 May 2019

What is a Password Database Audit?

Passwords are commonly one of the biggest weaknesses we find when performing a penetration test. It seems that no matter what password policy you have in place, users will still use Company123, Spring2019, or a keyboard pattern for their password. An attacker can easily guess these and gain access to sensitive resources or even your […]

6 May 2019

What to Look For in a Penetration Testing Proposal?

A penetration testing proposal or quote for penetration testing services serves two primary purposes. The first, obviously, is to provide a price for the requested services and clearly define the scope that those services will cover. Second, and maybe less obvious, is that a proposal acts as your first chance to begin vetting the penetration […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.