The Aegis: A newsletter presented by

The Aegenis Group

Expertise, Education, Empowerment
Volume 2 Issue: 3
March 14, 2008
This issue of The Aegis deals with two hot topics: wireless security and the protection of web-based applications. As The Aegenis Group deals with questions on these topics every day, it seemed appropriate to dedicate this issue to the questions and concerns around application and wireless security.  Also included is a series of Frequently Asked Questions about wireless security. 

As always, please feel free to forward this newsletter to anyone who might find it useful.
Wireless Security in the Payments Industry
Securing wireless networks
The use of wireless networking has skyrocketed in the past several years.  While the ubiquity of the systems has made life easier for many retailers and other organizations, it also opens many new doors for those individuals seeking to compromise cardholder and other sensitive personal information.

Some may be discouraged about the use of wireless.  It has many benefits but may be seen as too difficult to adequately secure.  This is not the case, however.  There are a number of ways to secure a wireless network that will achieve compliance and help to protect data.  To address this growing concern in the industry, Michael Dahn of The Aegenis Group worked with a group of industry-recognized wireless security experts to develop a Frequently Asked Questions document on wireless security. 

Click here to download the FAQ document. 

The Importance of Application Security
The growing prominence of application breaches
In the early months of the year, the Federal Trade Commission (FTC) has already settled a case with a prominent clothing retailer.  The finding was that the retailer made a promise on its website to protect customer data from exposure.  When that same retailer suffered a SQL injection breach that resulted in the exposure of customer data, the FTC found that the retailer was actually acting in a manner contrary to its posted security policy.  As a result, the retailer must now submit to FTC oversight of its security and privacy policies for the next twenty years. 

The point of the above story is that application security is not something to be undertaken for the sake of PCI DSS compliance alone.  It is a growing concern to government entities of all shapes and sizes.  The aftermath of such a breach is extremely detrimental to both brand and customer confidence. 

In today's environment the two most common methods of protecting applications are application layer firewalls and application vulnerability scanning.  Application layer firewalls are preventive controls that can also detect and respond to an attack to stop it from continuing.  They are devices or applications that inspect traffic at the application layer of the OSI model, whereas conventional stateful packet inspection firewalls work at the network and transport layers.  Because they see the content of the request itself, application layer firewalls can detect specific attack patterns associated with SQL injection or other exploit methods that would be completely invisible to a network layer firewall, and they can block the attack once it is detected.

Application vulnerability scanning, on the other hand, provides a snapshot of the vulnerabilities in the application.  It cannot prevent an attack from occurring; it merely alerts to the fact that a vulnerability exists.  The vulnerability must then be corrected in the application itself. 

These methods, combined with secure coding practices, can significantly reduce the number and magnitude of breaches resulting from application level vulnerabilities. 
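As an added example, not code from the newsletter or from The Aegenis Group, the Python snippet below shows the SQL injection in the FTC case in miniature and the two controls discussed above side by side: a customer lookup that concatenates the user's input into the query text, the same lookup written as a parameterised query (the secure coding fix a scanner would tell you to make), and a small hypothetical pattern rule of the kind an application layer firewall applies to a request parameter before it reaches the application. The customer table, the sample inputs and the rule patterns are constructed for this example. The last input in the usage section is the caveat a practitioner wants: it slips past the pattern list but is harmless once the query itself is fixed, which is why the firewall is a stopgap and the code correction is the remedy.

```python
import re
import sqlite3


def make_db():
    """Build an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the untrusted value becomes part of the SQL text."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, email):
    """Parameterised query: the driver sends the value separately from the SQL text,
    so quotes or keywords in the input can never change the statement's structure."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Hypothetical signature rules in the style an application layer firewall might
# apply to a request parameter.  These are illustrative, not any vendor's rule set.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[^=]+=", re.IGNORECASE),         # ' OR '1'='1
    re.compile(r"(--|/\*|#)"),                                     # comment terminators
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),  # stacked statements
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),   # UNION SELECT
]


def waf_flags(value):
    """Return the patterns that match the parameter; an empty list means 'allow'."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(value)]


def handle_request(conn, email, enforce_waf=True):
    """Simulate the request path: firewall rule first, then the fixed query.
    Returns (blocked, rows)."""
    if enforce_waf and waf_flags(email):
        return True, []
    return False, lookup_fixed(conn, email)


if __name__ == "__main__":
    db = make_db()
    classic = "x' OR '1'='1"           # the textbook injection
    evasive = "x' OR 'a' LIKE 'a"      # no '=', no comment, no UNION: slips past the rules
    for probe in (classic, evasive):
        print("input:        ", probe)
        print("  waf flags:  ", waf_flags(probe))
        print("  vulnerable: ", lookup_vulnerable(db, probe))
        print("  fixed:      ", lookup_fixed(db, probe))
        print("  request:    ", handle_request(db, probe))
```

Running the block shows the classic payload being flagged by the rule and, with the vulnerable query, returning every customer row; the evasive payload is not flagged at all and still dumps every row through the vulnerable query, yet returns nothing through the parameterised one. That is the division of labour the article describes: the firewall buys time, the scanner finds the flaw, and the fix lives in the code.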
The Regulatory Eight Ball Rolls On
Several states following Minnesota's Lead

Last year, Minnesota passed a law which prohibited the storage of sensitive authentication data and gave issuing banks the ability to recoup the losses associated with data breaches.  At the time, Texas and California were debating similar bills.  While the California legislation was vetoed, the Texas legislation remains on the docket for debate.  In the meantime a handful of other states have also embarked on the road towards legislating PCI DSS compliance. 

The following states have begun the discussion on creating laws around PCI DSS:
  • Michigan
  • Indiana
  • Florida
  • Alabama
  • Washington
Many of these revolve around the ability of the issuer to recover expenses incurred from fraud, reissuance and notification of the breach.  As was seen with the evolution of the state notification laws, it is likely that many more states will embark on the same path, each law differing enough from the others to make compliance with all of them cumbersome. 


Industry Events and Happenings
Merchant Acquirer Conference 2008 MAC Annual Conference - March 19-21, 2008 Las Vegas, NV

Southeast Acquirers Association 2008 Conference - March 24-26, 2008 New Orleans, LA

Source Media, Inc. 20th Annual Card Forum & Expo - April 6-8, 2008 Miami, FL

Electronic Transaction Association Annual Expo - April 15-17, 2008 Las Vegas, NV
About The Aegenis Group

The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that the ability to understand not just the regulatory mandates themselves, but their total impact on the business environment, can act as a compelling tool for business enablement. From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks of an increasingly complex business landscape.

Sincerely,
 

The Aegenis Group
In This Issue
Wireless Security in the Payments Industry
The Importance of Application Security
The Regulatory Eight Ball Rolls On
Industry Events and Happenings
News about The Aegenis Group
 
Michael Dahn, The Aegenis Group Founder, Re-elected to INMA Board

The Aegenis Group Announces Introduction of New Regulatory Intelligence Service

The Aegenis Group Hosts Online Merchant Only PCI-DSS Forum
 
Read Articles by The Aegenis Group

Principals of The Aegenis Group write and speak frequently in the industry.  Here are links to recent articles written by Principals of The Aegenis Group:

Dr. Mark recently co-authored an article in Direct Selling News.  Read the article, "Protecting Cardholder Data,"  here.

Michael Dahn has written an article in the September issue of Digital Transactions.
 
Dr. Mark frequently writes for Transaction World.  Access her articles here.

Shelley Johnson recently co-authored an article in Innovate, Journal of Online Education. Click here to read the article or see the associated webcast.
Aegenis Events
ISACA Kentucky Chapter, Louisville, KY; March 28, 2008

ETA Annual Expo April 15-17

The 19th Annual Association of Airport Internal Auditors Conference Anchorage, AK June 1-4, 2008


ICLS 2008, Utrecht, Netherlands; June 24-28