Sunday, September 22, 2013

Study Material - Treasury Institute blog

The Treasury Institute is focused on PCI compliance for colleges and universities.

The person posting on this blog is "Gene Willacker [who] is the PCI Compliance Officer for Michigan State University (MSU)".

Gene has compiled a great list of PCI 3.0 information in his blog.

The link is [here]

Saturday, September 21, 2013

Study Material - Some web explanations

Sometimes it helps to get a second explanation or description of things. Here are some, grouped by the PCI DSS requirement they relate to:

Requirements 1.1.3, 1.3.1, 1.3.2, 1.3.4  DMZ

Requirement 1.3.6  Stateful Inspection

Requirement 1.3.8  Network Address Translation (NAT)

Requirement 1.3.8  Proxy Servers

Requirement 2.1, 2.1.1  Simple Network Management Protocol (SNMP)

Requirement 2.1.1  Wired Equivalent Privacy (WEP)
Note:  This encryption technique is not secure.

Requirement 2.1.1 Wi-Fi Protected Access version 2 (WPA2)

Requirement 2.2  Industry accepted standard organizations

Center for Internet Security (CIS)

International Organization for Standardization (ISO)

SysAdmin Audit Network Security (SANS)

National Institute of Standards and Technology (NIST)

Requirement 2.2.1  Domain Name System (DNS)

Requirement 2.2  Secure Shell (SSH)

Requirement 2.2  Secure File Transfer Protocol (S-FTP)

Requirement 2.2  Secure Sockets Layer (SSL)

Requirement 2.2  Internet Protocol Security (IPsec)

Requirement 6.5.7  Cross Site Scripting (XSS)

Requirement 6.5.9  Cross Site Request Forgery (CSRF)

Requirement 12.3.2  Token

Tuesday, September 17, 2013

Study Material - SDLC

The Systems Development Life Cycle (SDLC) is a commonly used methodology for creating applications and systems.

The SDLC steps vary depending on who you ask, but they usually involve most of the same phases: initiation/planning, analysis, design, develop/test, implement, maintenance/support.

PCI DSS requirement 6.3 addresses secure application development, that is, building security into each of those phases; this is commonly called a secure SDLC or "S-SDLC".

Microsoft has some useful info on this to show how security should be integrated into software development [HERE]