WatchGuard posts list of “PCI Pitfalls for Retailers”

WatchGuard, a provider of quality firewall and security products for small, medium and enterprise businesses, made a “Social Media Release” today that outlines a list of PCI Pitfalls for Retailers.

It is quoted below in its entirety but can be found here.

I’ll be posting about the new WatchGuard XTM 33, which is designed for small/medium businesses and may be ideal for retailers!

Should you wish to purchase a WatchGuard product, receive more information or support, please call us at 864.990.4748 or email info@homelandsecureit.com… We are a WatchGuard partner!

Social Media Release:
WatchGuard Lists PCI Pitfalls for Retailers

NEW YORK (January 16, 2012) – WatchGuard Technologies

Highlights / News Facts:

Businesses that process, transmit or store cardholder data must implement security controls as defined by the latest PCI DSS standard. The following are the nine common PCI DSS compliance pitfalls that many retailers fall into and tips to avoid them.

  • 1) Faulty firewall installation or configuration
    Many DIY (do it yourself) projects are easy; properly configuring a firewall is not one of them. According to WatchGuard research, a majority of small business security breaches are the result of improperly configured firewalls. Best practice: Use security certified technicians or trained resellers to ensure firewall configurations are proper and up to date; regularly audit firewall configurations as people and IT resources constantly change.
  • 2) Relying on vendor supplied defaults for system passwords
    Not only is it critical to change vendor supplied default passwords, be sure to use something other than “password” as a password. According to a recently published research report, the most common passwords are: 1) password, 2) 123456, 3) 12345678, 4) qwerty, 5) abc123, 6) monkey, 7) 1234567, 8) letmein, 9) trustno1, and 10) dragon. Best practice: Change vendor settings and utilize strong passwords.
  • 3) Failing to utilize IPS to protect stored cardholder data
    There are multiple ways to help protect stored cardholder data. One key technology that is often overlooked is IPS (intrusion prevention systems). IPS is to hackers as anti-virus is to viruses. IPS keeps hackers out and helps cardholder data stay safe. Best practice: Make sure intrusion prevention systems (IPS) are up and running.
  • 4) Not encrypting transmission of cardholder data across open, public networks
    Encryption is a key component to PCI DSS compliance. A common problem occurs in the transmission of credit card data, which is often done in unencrypted email. Best practice: Use encryption everywhere, and especially in email systems where any type of sensitive information may be transmitted.
  • 5) Failing to use and regularly update anti-virus software or programs
    Unlike desktop/endpoint anti-virus (AV), gateway anti-virus stops threats right at the entry point of a network. Using gateway AV adds an additional layer of defense at the primary point of attack, and because it functions at the gateway, users see no degradation of performance on their local computer. Best practice: Use gateway AV in addition to endpoint AV for maximum defense in depth.
  • 6) Not maintaining secure systems and applications
    Many businesses do a good job at maintaining secure systems, however what is often overlooked in today’s social media business world is application security. Most firewalls are incapable of distinguishing a web application from a website. Because of this, crafty cyber-crooks create web applications as a way to sneak past the firewall and steal cardholder data. Best practice: To gain control over web applications, businesses utilize the latest generation of UTMs and firewalls that include application control.
  • 7) Providing access to cardholder data to those who do not need to know
    About 80 percent of security violations happen from within an organization. In order to reduce that figure, businesses should use the “least privilege rule,” which parallels the same concept of “need to know.” Users should be granted the minimum necessary permissions and privileges that are required for them to accomplish their jobs. When employees have access to data that they should not, bad things often result. Best practice: Use RBAC (role based access controls), separation of duties and other forms of “least privilege” to make sure data is restricted to those who absolutely must have access to it.
  • 8) Forgetting to track and monitor all access to network resources and cardholder data
    Unfortunately, many businesses take a “fire and forget” approach to network security; once the firewall is set, they forget to check the reports. Many security breaches can be mitigated early on simply by checking reports and logs on a regular basis. Best practice: Establish a routine of checking logs and reports to spot trouble before it blossoms into headline security news.
  • 9) Not having an information security policy
    In order to meet PCI compliance, businesses must create an information security policy that is up to date, and that addresses the security requirements as proscribed by PCI DSS. This should also include operational security, system usage, security management and other related policies. Best practice: Get IT, HR and other business stakeholders to regularly review information security policies.

Keywords:

PCI DSS, Network Security, Firewall, Cardholder Data, Passwords, Encryption, IPS, Anti-Virus, Application Control, Next-Generation UTM, Policy

 

Quote:

  • “The PCI DSS standard is a model that many businesses – even non-retailers can look to in order to maintain best security practices,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “The devil is in the details when it comes to security. Hopefully, this quick list helps remind businesses owners and IT management that little things can make a big difference in preventing data loss.”

Google’s personal search results can be turned off if you prefer not to see them

Over on lifehacker.com there is a great post about how to turn off the Google personal search results feature.

The instructions for doing so are simply to click on the settings cog at the top of the Google page, then select “Search Settings”.

Next find “Personal results” and select “Do not use personal results”.

This makes the “Hide personal results” the default for your searching pleasure.

Thank you to Melanie Pinola for posting that as I have already had a few people inquire about it!

 

Secure IT Alert: Adobe patches address Reader & Acrobat vulnerabilities

Homeland Secure IT Alert for Wednesday, January 11, 2012

Yesterday was Adobe’s first patch day of the new year and the security bulletin describes a total of six vulnerabilities in Adobe Reader and Acrobat X 10.1.1 and older, on both Microsoft Windows and Apple Mac.

The issues that are addressed are considered “critical” in nature and the solution is to download and deploy updates or to allow the Adobe Software Updater to perform the updates for you.

Adobe Reader X 10.1.2

Adobe Acrobat X 10.1.2

If you require assistance with these updates or any other security related issues in the Greenville / Upstate SC area, please call us at 864.990.4748 or email info@homelandsecureit.com

Charter starting initiative to replace older generation DOCSIS 1 and 1.1 modems

We have been informed by our Charter rep that starting today (January 10, 2012), Charter is starting an initiative focused on removing older generation DOCSIS 1 and 1.1 modems from the customer user base that currently subscribes to MAX, PLUS and ULTRA.

The email included the following information:

  1. This is a company-wide project focused on technically positioning our customer base for advanced HSI products and increased speeds.
  2. The communication is handled via a browser message that will alert only those customers with older DOCSIS 1 or 1.1 modems and asking them to swap.
  3. Replaced at no cost to the customer, including customer owned modems. See sample screenshot image below…
  4. The customer will communicate with us via phone at 877.739.0427 or use the browser link to expedite the delivery.
  5. All modems will be sent via mail to the mailing address on the account. (again, at no cost to the customer)
  6. The modems will be mailed as a self install kit from a central distribution center.

Here’s the link: https://connect.charter.com/replacemodem/

If you have any questions about Charter internet, phone or television, either home or business, please call us at 864.990.4748 or email info@homelandsecureit.com

 

 

Could your next internet connection be satellite based? ViaSat would like to believe so.

Satellite internet connections have been around for a while, and if you have used that technology, you have likely been disappointed.

Hughes probably has the highest market penetration, and those using it have been quick to complain about caps and upload speed.

This is where ViaSat comes in. They revealed their home satellite system at CES and Engadget has a pretty good write-up with a video that tells more about the 12 Mbps down/3 Mbps up service that runs $50.00 per month.

What is left out is what types of data caps they may have.

Microsoft Security Bulletin Advance Notification for January 2012 – Happy New Year!

Microsoft rings in the new year with updates!  HAPPY NEW YEAR!!!!

The Advance Notification outlines 7 bulletins that cover updates from “important” to “critical” in Microsoft Windows (XP / Server 2003 / Vista / Server 2008) and Microsoft Developer Tools & Software.

Most will require a restart, or at least MAY require a restart.

On the Advance Notification page you can find out more about the updates coming your way on January 10th.

If you require assistance with these updates or any other security issue in the Greenville / Upstate SC area please call us at 864.990.4748 or email info@homelandsecureit.com

Happy birthday to my baby girl, Megan!!!!! (AKA @MegzCA / Megz)

Today is a special day… It’s the birthday of Megan, my daughter!

But what makes it any different than her other birthdays? Well, for one, this birthday is her first as a young lady out on her own, or close to being on her own. She’s attending college and though it is only an hour away, it feels like she has moved halfway across the country!

But, at least she has today and tomorrow off, so, tonight, we are going out to eat and live it up…

If you see her, wish her a happy birthday, even if it is next week. Honestly, our family celebrates “Birth WEEK”, so this could go on for another few days!

Happy Birthday Megan – I love you so much – MORE!  =) =)

 

 

Using Apple Safari as your web browser on Windows 7 64 bit? You might want to be aware of this…

This is kind of old news, but seeing a blog post by someone else today reminded me that it is not patched yet…

Apple Safari web browser can be used as an avenue that would allow malicious code on a web site to be run with whatever privileges you have on that computer.

Here’s an actual security bulletin you can read about this:

https://secunia.com/advisories/47237/

Until this is patched for sure, I believe I would not be using the Apple Safari browser on a Windows 7 machine.  Just my two cents.

HP addresses LaserJet vulnerabilities

Remember the flaw that was announced around the beginning of December 2011, where hackers could possibly cause HP printers to burst into flames?

Well, HP released a fix for that a week or so back… However, they didn’t mention the fire issue.

Nonetheless, you may wish to consider upgrading.

Should you require assistance applying updates to your devices, servers or computers in the Greenville or Upstate SC area, you can call upon us at 864.990.4748 or email info@homelandsecureit.com

 

Microsoft out-of-band security bulletin for December 29, 2011 addresses .NET framework issues

Yesterday, Microsoft issued a security bulletin for the .NET issues mentioned the other day.  That document can be found here:

http://technet.microsoft.com/security/bulletin/ms11-dec

Critical Security Bulletins
============================

MS11-100

  – Affected Software:
    – Windows XP Service Pack 3
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows XP Professional x64 Edition Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows Server 2003 Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows Server 2003 x64 Edition Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows Server 2003 with SP2 for Itanium-based Systems
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows Vista Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows Vista x64 Edition Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows Server 2008 for 32-bit Systems Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
        (Windows Server 2008 Server Core installation not affected)
      – Microsoft .NET Framework 2.0 Service Pack 2
        (Windows Server 2008 Server Core installation not affected)
      – Microsoft .NET Framework 3.5 Service Pack 1
        (Windows Server 2008 Server Core installation not affected)
      – Microsoft .NET Framework 4
        (Windows Server 2008 Server Core installation not affected)
    – Windows Server 2008 for x64-based Systems Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
        (Windows Server 2008 Server Core installation not affected)
      – Microsoft .NET Framework 2.0 Service Pack 2
        (Windows Server 2008 Server Core installation not affected)
      – Microsoft .NET Framework 3.5 Service Pack 1
        (Windows Server 2008 Server Core installation not affected)
      – Microsoft .NET Framework 4
        (Windows Server 2008 Server Core installation not affected)
    – Windows Server 2008 for Itanium-based Systems Service Pack 2
      – Microsoft .NET Framework 1.1 Service Pack 1
      – Microsoft .NET Framework 2.0 Service Pack 2
      – Microsoft .NET Framework 3.5 Service Pack 1
      – Microsoft .NET Framework 4
    – Windows 7 for 32-bit Systems only:
      – Microsoft .NET Framework 3.5.1
      – Microsoft .NET Framework 4
    – Windows 7 for 32-bit Systems Service Pack 1 only:
      – Microsoft .NET Framework 3.5.1
      – Microsoft .NET Framework 4
    – Windows 7 for x64-based Systems only:
      – Microsoft .NET Framework 3.5.1
      – Microsoft .NET Framework 4
    – Windows 7 for x64-based Systems Service Pack 1 only:
      – Microsoft .NET Framework 3.5.1
      – Microsoft .NET Framework 4
    – Windows Server 2008 R2 for x64-based Systems only:
      – Microsoft .NET Framework 3.5.1
        (Windows Server 2008 R2 Server Core installation affected)
      – Microsoft .NET Framework 4
    – Windows Server 2008 R2 for x64-based Systems Service Pack 1 only:
      – Microsoft .NET Framework 3.5.1
        (Windows Server 2008 R2 Server Core installation affected)
      – Microsoft .NET Framework 4
        (Windows Server 2008 R2 Server Core installation affected)
    – Windows Server 2008 R2 for Itanium-based Systems only:
      – Microsoft .NET Framework 3.5.1
      – Microsoft .NET Framework 4
    – Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 only:
      – Microsoft .NET Framework 3.5.1
      – Microsoft .NET Framework 4
  – Impact: Elevation of Privilege
  – Version Number: 1.0