Enterprise compliance with PCI DSS is up, says Verizon

Verizon has some good news and some bad news about organizations’ compliance with PCI DSS.

In its 2017 “Payment Security Report,” Verizon analyzed the “compliance patterns and control failures” of organizations subject to PCI DSS. The report also pulled information from Verizon’s annual “Data Breach Investigations Report” and looked at the correlation between the findings of each.

The good news in the report is that more companies reached full compliance with PCI DSS in 2016 than in 2015.

“For the first time, more than half (55.4%) of companies we assessed were fully compliant at interim validation, compared to 48.4% in 2015,” Verizon wrote. “But that means that nearly half of stores, hotels, restaurants, practices and other businesses that take card payments are still failing to maintain compliance from year to year.”

While having more than half of organizations compliant is a positive trend, Verizon also noted that compliance doesn’t necessarily mean security, particularly because organizations tend to “lose focus” once they achieve compliance. The trick, according to the report, is not to focus purely on meeting the compliance requirements, but to “make sustainability and resilience part of their larger security program.”

The bad news is that those organizations not fully in compliance with PCI DSS are missing the mark by a wider margin than before. The companies that failed their compliance assessments in 2015 were missing 12.4% of the required controls, and in 2016, 13% of the controls were missing.

“Many of the security controls that weren’t in place cover fundamental security principles with broad applicability, and their absence could be material to the likelihood of suffering a data breach,” said Verizon.

However, the report said this isn’t necessarily because companies aren’t putting effort into security; one factor is that the controls they do implement are ineffective. This can be due to controls losing effectiveness over time or to controls that don’t adapt to other changes in the environment. Either way, the problem is significant.

“Over the past five years we’ve analyzed PCI DSS compliance, the proportion of companies achieving 100% has gone up almost fivefold,” Verizon said. “Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. Looking at it requirement by requirement, five out of six of the worst performers are the same now as they were in 2012.”

In comparing the data in the “Payment Security Report” to the “Data Breach Investigation Report,” Verizon noticed another significant connection.

“Of all the payment card data breaches that Verizon has investigated between 2010 and 2016 — nearly 300 — not a single organization was fully PCI DSS compliant at the time of the breach.”

So, while compliance with PCI DSS may not guarantee the security of an organization, it likely decreases the odds of it being the victim of a data breach.

In other news:

  • The cyber-espionage group Turla has developed a new backdoor attack called WhiteBear. Kaspersky Lab APT Intelligence Reporting has been tracking these attacks, which use Gazer — the name given by Eset to the second-stage backdoor used in WhiteBear — since 2016. Turla, which is allegedly based in Russia, was targeting computers at various embassies and diplomatic and foreign affairs organizations, but has recently turned its focus to defense-related organizations. “WhiteBear infections appear to be preceded by a condensed spear phishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules,” Kaspersky Lab wrote on its site SecureList. “The exact delivery vector for WhiteBear components is unknown to us, although we have very strong suspicion the group spear phished targets with malicious pdf files.” Turla was also behind the recent plot to use Britney Spears’ Instagram account to conceal and spread malware.
  • A firmware update is now available to patients with a radio frequency-enabled St. Jude Medical implantable pacemaker or defibrillator. The devices from St. Jude Medical — now Abbott’s — have a flaw in the firmware that enabled attackers to remotely access them, cause rapid battery depletion and trigger dangerous pacing or shocks. The patch was issued in January 2017 after months of drama from St. Jude Medical, which at first denied the existence of the flaw after a security researcher discovered it and allegedly shorted the company’s shares, and then finally went public with it. Now, the FDA has approved the patch and patients can start getting updates that don’t require surgery. However, the FDA does warn that the update has potential issues, including the reloading of an earlier firmware version, the loss of preprogrammed device settings, the loss of diagnostic data, and the complete loss of device functionality.
  • A group of security and technology companies banded together to take down the WireX Android DDoS botnet this month. Researchers from Google, Cloudflare, Flashpoint, Akamai, Oracle, RiskIQ and Team Cymru shut down the WireX botnet, which at its peak may have infected hundreds of thousands of Android devices with malicious apps. The apps were sending a huge number of requests to websites over HTTPS, which would deplete the resources of the servers the websites were hosted on. Google found the malware that infected the Android devices in its Play Store and removed the hundreds of infected applications. WireX may have been active as early as Aug. 2, but the attacks on the websites on Aug. 15 are what prompted the companies to work together. A blog post explaining the botnet and the efforts to take it down said that, though the attacks leveraged user apps, the users seemed to not be affected. “The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them,” Akamai wrote. The post also praises the collaboration efforts, saying, “These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies and intelligence firms. Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”

For Sale – Core i3 Mini ITX Gaming PC, 6gb RAM, 500gb Drive, 960 GTX OC, CoolerMaster case

Looking to sell my Gaming HTPC with the following specs

CoolerMaster Elite 110 case

AsRock H61MV-ITX gaming motherboard, with overclocking options and a full PCI-Express x16 slot, enabling a full height powerful graphics card to be installed

Core i3 3220 CPU, 3.3 Ghz dual core with HyperThreading

6Gb DDR3 Memory

600w PSU with 6-pin PCIe connections

500gb 2.5″ Sata 3.0gbps drive

KFA2 2GB 960 GTX OC

Windows 7 installed, activated and updated

I don’t have the original box for the PC but will pack carefully (taking out the GTX) for shipping

Price and currency: 300
Delivery: Delivery cost is included within my country
Payment method: paypal, bank Transfer
Location: HENLEY-ON-THAMES
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

CI tried, but did not eliminate data center specialists

Reports of the death of the data center specialist are greatly exaggerated.

Despite growing use of converged infrastructure (CI) and hyper-converged infrastructure (HCI), enterprises still need data center specialists with deep knowledge of servers, databases and security, and finding those employees is harder than ever.

Two-thirds of IT managers say the search for data center specialists to operate on-prem hardware is moderately difficult or very difficult, according to a new survey from 451 Research. Some traditional server specialists have transitioned into other roles, including cloud computing. And open server administrator roles often require a more diverse set of skills than ever before, with virtualization and container skills paramount.

“As a result, this new breed of administrator creates a high-demand atmosphere that leaves the pool smaller for prospective employers,” said Christian Perry, the 451 Research analyst who conducted the Voice of the Enterprise survey.

The findings also show that the move to the public cloud hasn’t negated the demand for traditional enterprise data center jobs, in part because many organizations remain in a holding pattern with public cloud adoption.

Perry was surprised to see how many organizations more closely evaluate their mix of on-premises and off-premises compute resources and spending. CI works well in environments with small staff sizes. But growing enterprises still need data center specialists, particularly within companies reluctant to move new workloads to the public cloud.

Maximus in Reston, Va., which runs call centers for insurance and healthcare providers, has specific positions devoted to VMware, storage and applications, and specialists wish to retain their focus within the data center. IT pros there looked at Cisco UCS Director for their environment, with IBM SAN Volume Controller and XIV Storage System in support, but the team ultimately rejected the idea, said Erik Shomsky, senior engineer of data center administration at Maximus.

Typically, he gets a message from a VMware admin to request block storage, for example, but otherwise, they don’t want to know how storage works or manage it. “I don’t think my VMware guys want to be in that environment,” he said. “They are perfectly happy coming to me to make it happen.”

Enterprises still need data center specialists in virtualization and, out of this rank, will come specialists in container management as enterprises adopt this technology, Perry said.

Applications and software specialists are also in demand, particularly in growing areas such as security and DevOps, Perry said.

A generalist position merges traditional specialist roles, such as server administrator or virtualization administrator, particularly if they involve management of CI. To successfully oversee CI, they must understand the storage ecosystem, Perry said.

Meanwhile, automation tools, such as Ansible, Chef and Vagrant, make it possible to create a generalist role that combines the ability to deploy and install a web server, as well as configure and manage the server, Perry said.

But the role of an Oracle database administrator, for example, is too complex and valuable to an organization, so it will likely not be absorbed into a generalist role, Perry said.

Old dogs, new tricks

In the days prior to products such as Cisco UCS and Vblock from VCE, enterprises tended to reject data center generalists. But thanks to customer pressure, vendors devised converged and hyper-converged platforms, which offer more automation and less complexity than traditional infrastructure. As cloud computing gained steam, IT teams sought public cloud-style agility within their own data centers.

Today, complicated data centers with CI and HCI still need specialists, said Richard Byrnes Jr., vice president for strategy and development at Global Technology Solutions Group, Inc., a data center consultant in Charlotte, N.C.

“The landscape actually gets more complicated by introducing a bunch of ‘easy-to-manage’ components, like converged, since there is frequently an incomplete understanding of how these things work under the covers,” specifically around recovery and scalability, he said.


There is a narrow gap between generalist jobs and specialist jobs, Perry said. Any new products that are software-defined will require more generalists, but the need for generalists will not significantly eclipse the need for data center specialists, especially in midsize and large companies.

Healthcare provider eHealth in Regina, Saskatchewan, built its data center around the Dell EMC Vspex CI reference architecture. In doing so, eHealth Saskatchewan moved to more automation and changed its team dynamics from large, separate team environments centered around servers and storage to converged work.

New purchases take into consideration the new team structure, said Wilbour Craddock, the company’s vice president for information technology.

“When you are building something, you don’t want to retrain staff so they have to learn new technologies and new interfaces,” he said. “It is about how it fits our operations.”

Robert Gates covers data centers, data center strategies, server technologies, converged and hyper-converged infrastructure and open source operating systems for SearchDataCenter. Follow him on Twitter @RBGatesTT or email him at rgates@techtarget.com.

For Sale – Macbook 12″ retina 2016

Hello,

I’m interested in this. CeX sell this particular model for £735 in A Grade condition (which means it has to have its box and be VGC cosmetically also, like yours). Admittedly they don’t have stock in Space Gray right now but they do in Silver, so negligible difference.

It’s not too difficult to get CeX vouchers for 80% of their value so that would mean the cost would come in at £588 (735*0.8), and that would be with a 2 year warranty should anything go wrong.

In light of that, would you entertain discussion at £550?

WLAN administration challenges and how to tackle them

This week, as schools and universities began fall classes, Lee Badman used his WiredNot blog to discuss WLAN administration in the education arena. According to Badman, WLAN administration for education is particularly challenging because of the sudden increase in demand for connectivity when students return to school, often joining the network through a loose BYOD policy.

Badman cited a list of items university network administrators should follow as classes get back into full swing. Among them, networks need to be stable. “We stop making any significant network changes almost a full month ahead of the opening period, and rely heavily on the quality of the underlying code,” he wrote.

The university network must also be able to scale, and it must be predictable. At Badman’s institution, the network will serve almost 30,000 simultaneous users from more than 4,000 access points. That’s a lot of traffic to manage.

Additionally, IT teams must focus on performance and easy-to-use features — particularly in education, where many students need to be onboarded to a secure network in a short span of time.

“Part of our annual exercise is also realizing that big numbers on graphs may not reflect that our clients are really and truly using the network in ways now — as they get settled on campus — like they will a week from now. As it is every year, vigilance follows getting to our big numbers,” said Badman.

Read more of Badman’s thoughts on educational WLAN administration.

Cumulus launches virtual lab and container management system

Drew Conry-Murray, writing in Packet Pushers, explored Cumulus Networks’ launch of a new virtual lab system, along with Host Pack software for managing containers. According to Conry-Murray, the vendor launched Cumulus in the Cloud as a virtual lab designed to mimic a twin-rack leaf-spine network. The vendor assembled a prebuilt test environment to speed testing for customers, sparing them the time necessary to set up a custom test environment.

The launch coincides with the deployment of Host Pack, a bundle of software built around the vendor’s NetQ network telemetry and Cumulus Linux to host containers. The new offering, designed to run on a server and provide a routing stack, supports both Docker containers and Docker Swarm. It will add Apache Mesos support in the fall of 2017. NetQ is intended to improve container visibility, displaying connections between containers and physical switches. Host Pack costs $1,000 for each license — a fee that also covers a year of support.

Dig deeper into Conry-Murray’s thoughts on Cumulus.

Overcoming security analysis challenges

Jon Oltsik, an analyst with Enterprise Strategy Group Inc. in Milford, Mass., said most organizations face significant challenges with security monitoring and analysis. A recent ESG study, encompassing 412 IT professionals, found that 30% of respondents struggled with total cost of ownership, as organizations spend large sums on security without marked improvements.

Nearly a quarter of respondents cited a lack of tools and processes, lack of skills or the rapid addition of new applications and network hosts as factors complicating their security strategies. Close to 30% of respondents also lamented the time their security operations center teams had to focus on high-priority emergencies, leaving less time for strategizing.

“When it comes to cybersec operations, many organizations suffer from ‘death by a thousand cuts’ syndrome with multiple issues across people, processes and technologies,” Oltsik wrote. “Given this, CISOs [chief information security officers] should think in terms of 3-year strategic security operations planning rather than adding the latest next-generation security tool and only exacerbating operational inefficiencies,” he added.

Explore more of Oltsik’s thoughts on security analysis.

For Sale – Alienware M17x R4 Red

Selling this beast of a gaming laptop. I bought this machine from Dell about 4 years ago and it has spent its entire life sat on a desk in my office and therefore is in excellent condition. The only sign of wear is on the underside where the bottom got a bit scratched. Besides this, the screen does not have any dead pixels and the laptop is in perfect working order.

I also have the original box and accessories that the laptop came with from Dell UK

Specs:
Intel Core I7-3740QM
Nvidia GTX 680m
16 GB Corsair Vengeance Ram
512gb Samsung 840 Evo SSD
500gb HDD
1080p screen

Price and currency: 650
Delivery: Delivery cost is not included
Payment method: BT or Paypal
Location: London
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference


For Sale – Quad Core 3.6Ghz / AMD HD6670 / 4GB RAM / 800GB HD / Win 10 (Base Unit Only)

AMD Quad Core 3.6Ghz FX-4100 Black CPU + Stock Heatsink/Fan
Gigabyte 78LMT-USB3 Motherboard
4GB DDR3 1333Mhz RAM
AMD Radeon HD6670 Graphics Card (DVI/HDMI/VGA)
1 x 500GB Hard Disk
1 x 320GB Hard Disk
DVDRW Drive
500w OCZ Power Supply
Case
Windows 10 Home (Fresh licensed install)

Full working order – Base Unit Only (no Monitor/Keyboard/Mouse)

Collection can also be arranged from West Wickham (Nr. Bromley / M25)


Price and currency: £160
Delivery: Delivery cost is not included
Payment method: Bank Transfer or PPG
Location: West Wickham
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I prefer the goods to be collected


For Sale – 13″ Macbook Pro Retina (Early 2015) i5 8GB 128GB – 2yr Applecare

Full tech specs here: MacBook Pro (Retina, 13-inch, Early 2015) – Technical Specifications

CPU: 2.7Ghz i5
Memory: 8GB
Storage: 128GB SSD
Battery Cycle Count: 87 (Condition Normal)

Purchased as a student on 04.08.2016 with 3 years of Apple Care (just over 2 remaining).

Selling due to my work now providing me with a laptop.

Has remained unused for the last 6 months.

Near mint condition, only mark I could find was a small scuff on the underside near the bottom right foot (as pictured).

Don’t currently have the original box (left it with family as I moved recently), can get it if necessary.

Happy to answer any questions, can be flexible with delivery/collection and payment method.

Thanks :)

Price and currency: £800
Delivery: Delivery cost is not included
Payment method: Paypal/BT/Cash
Location: London
Advertised elsewhere?: Yes
Prefer goods collected?: I have no preference


For Sale – Reduced – Microsoft Surface Pro 4, i5 8GB RAM 256GB SSD, Keyboard and Case

Reduced to £650 delivered in UK.


Microsoft Surface Pro 4 Laptop/Tablet

Excellent condition, no damage, boxed with instructions.
Intel i5 processor with 8GB RAM and 256GB solid state hard drive.
DisplayPort, USB port, headphone and Micro-SD card slot.
Can be used in laptop and/or tablet mode.
Surface Pen included (+ spare AAAA batteries).
Optional Surface Keyboard included (Blue).
Will also include a DisplayPort to HDMI lead to connect to monitor or TV.
Snugg soft case.
Windows 10 installed, fully reset for new owner.
All less than 12 months old (purchased Nov 16).

The pen may be faulty as I can’t seem to get the erase function to work. Everything else is fine, so it may be a config issue. Either way it should be replaceable under warranty.

Price and currency: £700 now £650
Delivery: Delivery cost is included within my country
Payment method: Cleared BT
Location: Lee-on-the-Solent
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: I have no preference
