Blog

Blog

A Beginner’s Guide to PCI Compliance

PCI DSS, or the Payment Card Industry Data Security Standard, is the set of requirements for organizations who process card payments. Sounds simple enough, right? But PCI compliance can pose a major challenge to organizations if they’re not equipped with the proper knowledge and tools. Let’s take a quick look at the basics of PCI compliance, what...
Blog

Managed Vulnerability Management? Yes, You Read That Right

The importance of a mature vulnerability management program can’t be overstated. File integrity monitoring (FIM) and security configuration management (SCM) might be the bedrock of a strong cybersecurity program, but they can only go so far. Scanning for vulnerabilities needs to be a foundational part of your program, too. The Center for Internet...
Blog

Vulnerability Management: Myths, Misconceptions and Mitigating Risk

Vulnerability Management is a much-talked-about practice in the IT security industry. Whether it is the debate on vulnerability scoring, how to implement a suitable vulnerability management program based on your own resources or even trying to convince leadership a vulnerability management solution alone won't solve all your cybersecurity issues,...
Blog

Vulnerability Management Metrics: The Final Frontier

In Part 1 of this series, we looked at some of the metrics that an executive team would want to see to identify how the business risk is trending. It is very important to keep in mind that if the business does not see the information security program as effective and efficient, they will not continue to invest in information security projects. In...
Blog

Turning Data into Metrics: A Vulnerability Management Story

One of the main issues I find across the information security industry is that we constantly need to justify our existence. Organizations have slowly realized they need to spend on IT to enable their businesses. Information security, on the other hand, is the team that is constantly preventing the business from freely doing as they please. IT is...
Blog

The Power of Vulnerability Management: Are You Maximizing Its Value?

Tripwire has been in the business of providing vulnerability management solutions with IP360 for about 20 years. With over 20,000 vulnerabilities discovered last year alone, vulnerability management continues to be an important part of most security plans. And most organizations agree. In a recent survey, 89 percent of respondents said that their...
Blog

To Agent or Not to Agent: That Is the Vulnerability Management Question

With the evolution of technology comes new approaches to solving problems. Sometimes a new approach fixes the problem; sometimes it creates new ones. The good thing is as folks who work in fast-paced, high-tech environment, we information security professionals are great at quickly analyzing the new technologies and applying them to our daily lives....
Blog

Getting Creative with your Vulnerability Management Strategy

You don’t have to look hard to find organizations utilizing a small fraction of the capabilities of a vulnerability management tool. Often, that’s because the focus is on meeting a compliance obligation. For example, PCI DSS 3.2.1 says, “11.2.1 – Perform quarterly internal vulnerability scans.” It’s difficult to learn the capabilities of a tool...
Blog

Is Your Vulnerability Management Program Efficient and Successful?

Be organized and efficient. It’s a simple rule of life that makes things run a whole lot smoother. This is something especially important when running your vulnerability management program. There are only so many hours in a day, rather, there are only so many hours in a down cycle where the business will let you scan their environment for...
Blog

What is Vulnerability Management Anyway?

Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. If you don’t have vulnerability management tools...
Blog

How the CIS Controls Can Help You Achieve PCI DSS 3.2 Compliance

Compliance with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) is a must for organizations that handle, process, transmit and store payment card data. But compliance isn’t always easy to establish or maintain. Indeed, there are certain challenges along the way that can make organizations’ compliance with PCI DSS 3.2...
Blog

PCI DSS Version 3.2.1 Published by PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS). On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations' use of the Standard and when they would need to upgrade their use of common cryptographic...
Blog

3 Key Challenges To Being PCI 3.2 Compliant and How To Resolve Them

The latest revision to PCI DSS, PCI 3.2, provides specific security guidance on the handling, processing, transmitting and storing of credit card data. PCI 3.2 presents an opportunity for retail, healthcare, finance and hospitality organizations to minimize the theft, exposure and leakage of their customer’s personal and financial credit information...
Blog

Putting PCI-DSS in Perspective

Much attention and excitement within the security world has recently been focused on the lucrative surge in crypto-mining malware and hacks involving or targeting cryptocurrency implementations themselves. Yet the volume of ‘real world’ transactions for tangible goods and services currently paid for with cryptocurrency is still relatively niche in...
Blog

A Guide to PCI DSS Merchant Levels and Penetration Testing

To distinguish the size of merchant companies and appropriately determine the level of testing required, the founding credit card companies created four different brackets ranging from Tier 1 to 4. Each tier is based on the number of transactions processed per year by the merchant and also dictates the testing a merchant must undertake. While...
Blog

Are You PCI Curious? A Short History and Beginner’s Guide

When I was a kid and we would go out to dinner, my dad would often pay using a credit card. The server would come over with an awkward, clunky device, put the credit card in it, and scan the card. By scan, I mean make an impression of the numbers on a piece of paper with a carbon receipt, which he would then sign and each party would get a copy. There were no wires, no electronic transmissions of...
Blog

Integrity: The New "I" in PCI Compliance

The retail industry saw more than its fair share of data breaches in 2017, with security incidents impacting at American supermarket chain Whole Foods Market and clothing companies Brooks Brothers, The Buckle, and Forever 21, to name a few. At least some of those events likely resulted from retailers' poor data breach preparation. Consider the fact...
Blog

What Is Vulnerability Management?

Enterprise networks regularly see change in their devices, software installations and file content. These modifications can create risk for the organization. Fortunately, companies can mitigate this risk by implementing foundational security controls. For example, enterprises can monitor their important files for change using file integrity...
Blog

5 Things You Should Know about PCI DSS Penetration Testing

The Payment Card Industry Data Security Standard (PCI DSS) was introduced to provide a minimum degree of security when it comes to handling customer card information. While the Standard has been around for over a decade, penetration testing has only recently been officially incorporated into the process. There’s a lot to cover in a PCI DSS...