Sunday, September 22, 2013

Study Material - Treasury Institute blog

The Treasury Institute is focused on PCI compliance for colleges and universities.

The person posting on this blog is "Gene Willacker [who] is the PCI Compliance Officer for Michigan State University (MSU)".

Gene has compiled a great list of PCI 3.0 information in his blog.

The link is [here]

Saturday, September 21, 2013

Study Material - Some web explanations

Sometimes it helps to get a second explanation or description of things. Here are some:

Requirements 1.1.3, 1.3.1, 1.3.2, 1.3.4  DMZ
http://searchsecurity.techtarget.com/definition/DMZ

Requirement 1.3.6  Stateful Inspection
http://kb.kerio.com/product/kerio-control/firewall-packet-filtering/what-is-stateful-packet-inspection-429.html

Requirement 1.3.8  Network Address Translation (NAT)
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml

Requirement 1.3.8  Proxy Servers
http://whatismyipaddress.com/proxy-server

Requirement 2.1, 2.1.1  Simple Network Management Protocol (SNMP)
http://compnetworking.about.com/od/networkprotocols/g/snmp-management-protocol.htm

Requirement 2.1.1  Wired Equivalent Privacy (WEP)
Note: This encryption technique is not secure.

http://searchsecurity.techtarget.com/definition/Wired-Equivalent-Privacy

Requirement 2.1.1 Wi-Fi Protected Access version 2 (WPA2)
http://www.computerworld.com/s/article/9002706/Tutorial_How_to_set_up_WPA2_on_your_wireless_network_

Requirement 2.2  Industry accepted standard organizations

Center for Internet Security (CIS)
http://www.cisecurity.org/

International Organization for Standardization (ISO)
http://www.iso.org/iso/home.html

SysAdmin, Audit, Network, Security (SANS)
http://www.sans.org/

National Institute of Standards and Technology (NIST)
http://www.nist.gov/

Requirement 2.2.1  Domain Name System (DNS)
http://www.howstuffworks.com/dns.htm

Requirement 2.2  Secure Shell (SSH)
https://kimmo.suominen.com/docs/ssh/

Requirement 2.2  Secure File Transfer Protocol (S-FTP)
http://kb.iu.edu/data/akqg.html

Requirement 2.2  Secure Sockets Layer (SSL)
https://www.ssllabs.com/projects/rating-guide/

Requirement 2.2  IP Security Encryption (IPSec)
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml#intro

Requirement 6.5.7  Cross Site Scripting (XSS)
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Requirement 6.5.9  Cross Site Request Forgery (CSRF)
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

Requirement 12.3.2  Token
http://searchsecurity.techtarget.com/definition/security-token

Tuesday, September 17, 2013

Study Material - SDLC

The Systems Development Life Cycle (SDLC) is a commonly used "methodology" for creating applications and systems.

The SDLC steps vary depending on who you talk to, but they usually include much the same phases: initiation/planning, analysis, design, develop/test, implement, maintenance/support.

PCI DSS requirement 6.3 addresses secure application development, commonly called "S-SDLC".

Microsoft has some useful info on this to show how security should be integrated into software development [HERE]