
ABOUT US

Launched in 2007, WhiteHatWorld.com is the online resource for key decision makers working in the security industry.

WhiteHatWorld.com looks at all aspects of the security industry, with in-depth analysis, webcasts, whitepapers and targeted regional training opportunities.

Think of WhiteHatWorld.com as your security information gateway!

LATEST NEWS

(ISC)2 members can receive CPE Credits for all WhiteHatWorld webcasts.


WhiteHatWorld.com is Growing!

We will be opening two new offices in 2011 to serve the EMEA and Pacific Rim countries. We are currently seeking experienced Sales, Marketing & Administrative Support staff for these two new offices. Please submit a copy of your resume and letter of introduction to: HR@whitehatworld.com

Upcoming Events

Date Event/Topic

September 7, 2010
2:00PM EST

THOUGHT LEADERSHIP ROUNDTABLE
The Case for Vulnerability Analysis and Penetration Testing
Sponsor: Core Security Technologies
Moderator: Mark Bouchard

Although vulnerability assessment (VA) is regarded as a fundamental IT security practice, for most organizations it has typically taken somewhat of a back seat to protective, threat-centric defensive measures such as firewalls, anti-virus software, and intrusion detection and prevention systems. The same could also be said for penetration testing. But is this treatment really deserved? Shouldn’t organizations spend at least as much time and effort on practices and solutions that definitively stop threats by removing the weaknesses they prey on in the first place? In this Thought Leadership Roundtable, we’ll explore not only what leading organizations are doing in the areas of vulnerability assessment and penetration testing, but also how they are justifying related investments and balancing them with all of the other “must-haves” of a modern security and compliance program. Specific questions our panel of experts will tackle include:


* Where should today’s organizations focus their VA and penetration testing efforts and what approaches are most effective for justifying corresponding investments?
* Why are solutions needed in both of these areas and how should they be woven into the rest of an organization’s security infrastructure and processes?
* What is the state of the art with regard to VA and penetration testing tools and services?
* Which architectures and delivery options make the most sense for VA and penetration testing?

September 15, 2010
2:00PM EST

THOUGHT LEADERSHIP ROUNDTABLE
The Top 5 Database Security Mistakes
Moderator: Rich Mogull

September 22, 2010
2:00PM EST

THOUGHT LEADERSHIP ROUNDTABLE
Security for Employee Owned IT
Moderator: Rich Mogull


PCI Assessment Mistakes to Avoid

By avoiding these five mistakes, organizations can improve their PCI DSS assessment processes as well as their security efforts

by Rich Mogull, CEO and Analyst, Securosis

Maintaining your PCI compliance and managing the assessment process are challenging even when you have a solid security program. Everything from a bad assessor to a rogue business unit to simple documentation mistakes can derail the process and increase costs. Based on conversations with hundreds of security professionals, here's my list of the top five mistakes to avoid when managing PCI DSS assessments:

Mistake #1: Not interviewing your assessor. While they may graduate from certified training courses, not all Qualified Security Assessors (QSAs) are created equal. One of the most common complaints among organizations struggling with a bad assessment cycle is an uninformed or disorganized QSA. When interviewing a potential QSA, it's important to evaluate both their technical knowledge and their project management skills/philosophies. Make sure the person you are interviewing will be the one actually assigned to your project.

Mistake #2: Failing to prepare before the assessment starts. If you talk with QSAs, one of their most common complaints is unprepared clients. QSAs will arrive to begin an assessment and a project team isn't set up, there's no current documentation, and no one has contacted the key business units involved with the assessment. Before your assessment starts, you need to have the following components in place:

  • A project team with representation from the business units
  • A point of contact/project lead established with an executive sponsor and the clout to obtain timely responses
  • An understanding of what networks, systems and processes are in scope
  • Ready access to necessary documentation and reports (updated policies specific for PCI – not some unrelated or overly-generic boilerplate)

Mistake #3: Treating PCI as an annual event. PCI DSS compliance doesn't begin and end with the annual assessment; it is actually a continuous compliance requirement that happens to have an annual assessment. Therefore it's important to continually assess the organization and follow proper security and compliance procedures throughout the year leading up to the assessment. If an organization happens to fall out of compliance between assessments (as is common) and suffers a breach, it will be treated as if it were not in compliance, exposing the organization to fines and penalties. By maintaining security posture and ongoing documentation (most security tools contain PCI reports), you can reduce your potential liability and gain more negotiating leverage should a breach occur. Maintaining documentation and continued assessments are also far less costly than trying to update all PCI DSS documentation only once a year. Like balancing your checkbook, keeping up with incremental changes is more effective (and cheaper) in the long run.

Mistake #4: Waiting until your assessment to discover orphan data. According to the Verizon Data Breach Investigations Report, one of the most common deficiencies discovered during assessments is unencrypted cardholder data stored in violation of PCI. In my experience, orphaned, unencrypted cardholder data is one of the top deficiencies and a very common source of real security breaches. Content discovery tools, such as those in Data Loss Prevention products, can continuously scan the environment for cardholder data sitting around where it shouldn't be. Ongoing scanning produces reports that can be correlated and handed to the QSA to save significant time and money during the assessment.
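The kind of content discovery scan Mistake #4 describes, as an added example that is not part of the original article and not Securosis's or any DLP vendor's code: it walks a set of files, pulls out digit runs that look like primary account numbers (PANs), discards false positives with the Luhn check plus simplified issuer prefix/length rules (an assumption adequate for a demo, not a full BIN table), and records each hit masked to first six / last four so the scan report does not itself become another copy of orphaned cardholder data. The file paths and contents are constructed sample data built from the card brands' published test numbers, not real records.

```python
"""Minimal cardholder-data discovery scan (added example, constructed data)."""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally grouped with spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters most random digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Simplified brand rules (assumption for the demo, not a complete BIN table)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and digits.startswith(("6011", "65")):
        return "discover"
    return None


def mask(digits: str) -> str:
    """Keep at most first six / last four, the display limit PCI DSS 3.3 allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    path: str
    line: int
    brand: str
    masked: str


def scan_text(path: str, text: str):
    """Return masked findings for every Luhn-valid, brand-matching PAN in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            brand = issuer(digits)
            if brand and luhn_ok(digits):
                findings.append(Finding(path, lineno, brand, mask(digits)))
    return findings


def scan_files(files):
    """files: {path: content}. In a real scan this would be a filesystem walk."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample content (hypothetical paths, brand test numbers, not real data):
# a stale export, an application debug log, and a file of order IDs that are not PANs.
SAMPLE_FILES = {
    "/srv/exports/orders_2009.csv": (
        "order,customer,pan,amount\n"
        "1001,acme,4111111111111111,19.99\n"
        "1002,globex,378282246310005,250.00\n"
    ),
    "/home/app/debug.log": (
        "2010-08-30 12:01:07 INFO auth ok for card=5555-5555-5555-4444 exp=1211\n"
        "2010-08-30 12:01:09 INFO retry id=4111111111111112\n"   # fails Luhn
    ),
    "/var/www/static/ids.txt": "1234567890123456\n9876543210987654\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.brand} {f.masked}")
```

Run as is, the scan reports the two PANs in the CSV export and the dash-separated MasterCard number in the debug log, and ignores the order IDs and the Luhn-invalid retry ID. The point of masking at collection time is that a discovery report listing full PANs would itself be in-scope cardholder data; hand the QSA the masked findings and the remediation tickets, not the numbers.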

Mistake #5: Letting PCI drive your security program. Security programs should be prioritized based on the risks to each particular business, not just based on one external standard protecting one subset of an organization's systems and data. So keep PCI in context: PCI isn't a security regulation, it's a contractual requirement for any organization handling credit card numbers. It's far better to focus on good overall security than to merely respond to assessment deficiencies. To hear more PCI DSS assessment advice, tune into the WHW round table webcast I moderated on May 19 on the same topic.

Career Bootcamp

New Careers in Risk Management: A Roadmap for Success

By Tracy Lenzner and Victoria Lee of IT staffing firm LenznerGroup

As our globally competitive and hyper-connected digital marketplace has grown, so too has the field of risk management. Organizations are establishing comprehensive enterprise risk management programs to streamline security processes, mitigate risk, and meet compliance.

This shift is leading to the ‘operationalization’ or embedding of IT security into broader business and IT functions. As such, security professionals can expect to see growth in operational process and control areas including risk assurance, data governance, technology governance and risk compliance, legal compliance and standards, digital rights management, privacy, cybercrime investigation, forensics and e-discovery, and identity management.

Job titles are already showing movement in this direction: Hybrid and newly created roles such as Chief Data Officer, Legal Technology Risk Officer, Information Risk and Compliance Officer, Cyber Law and Compliance Officer, etc., are already emerging and creating new disciplines and direction for security professionals.

This means that practitioners have broader opportunities for specialized and converged areas including information risk management, data governance, technology law, regulatory compliance, operations, cyber assurance, and intelligence, to name a few.

However, as more experienced professionals become available, technical competencies that were once highly sought in the marketplace eventually become a commodity, become redundant, or move offshore. So the question becomes, what are the keys to career advancement and success?

A strategic and tactical plan that outlines key goals and resources is helpful. The plan should include:

- Self-Assessment. Who are you? Where are you now? Where do you want to be?
- Career Assessment. What have you accomplished? What experience, education, training and soft skills do you still need?
- Goals & Objectives. Match your goals with a timetable and strategy to get there. If you are not sure what that is, that’s OK; keep going and keep mapping.
- Consideration of Key Strengths. Leverage your expertise, what you like and what you do best.
- Resume & Bio. Develop an impressive, polished, well-written and up-to-date resume. It should be a synopsis to showcase your experience and background, highlighting areas of accomplishment, business acumen, and expertise. Also maintain a short, one paragraph bio of career highlights. It’s also a great way to track your accomplishments!
- Credentials. Continuing education, training, certifications, licenses and advanced degrees will always be a part of staying relevant in the IT-related workforce. Keep an eye out for certification trends going forward.
- Positioning. Get involved in your organization’s initiatives, special projects, community and volunteer activities. Increase professional recognition with speaking engagements, white papers, media briefings, presentations, and publications.
- Plugging In. Join professional social networks and industry forums, increase your knowledge and expand industry relationships and contacts.
- Mentoring. Find a mentor, a coach or trusted person who has skills and insight to help you evaluate, identify and achieve your goals.
- Characteristics of Champions. Integrity, confidence, emotional intelligence, and business acumen are sought-after traits for any employee. Risk management professionals will also need the ability to engage, communicate, strategize, collaborate, execute, lead by example, and provide mentorship.

The shift toward risk management brings growth opportunities for security professionals to broaden their partnerships and alliances across business units and among their greater community of peers. To nurture a career in a changing risk climate, focus and determination are critical. Keep in mind opportunities for advancement, professional fulfillment, earning power, respect and recognition while on your career journey.

Trivia

With the summer success of "The A-Team" (and its theme song ringing in our ears), we surveyed and received a little over 1,100 responses to the following question:

Q: Which TV show from the '80s would you be most willing to go to the movies and see the same weekend it opens?
1) "Seinfeld"
2) "Knight Rider"
3) "MacGyver"
4) "Fantasy Island"
5) "ALF"
6) "The Jetsons"

Please note that this poll is unscientific and basically worthless unless you have time to kill and someone available to argue the pros and cons of the true meaningless value which would be experienced by resurrecting one of the above mentioned TV shows into a full length movie.

CONTACT US
