How I Retained My QSA Certification

In 2019, the Payment Card Industry (PCI) Security Standards Council (SSC) modified the Qualification Requirements for Qualified Security Assessor (QSA) employees. Prior to the modification, the requirements stipulated that QSA employees must hold either an Information Security certification or an audit certification, but now QSA employees must have a minimum of two (2) industry certifications:…

The post How I Retained My QSA Certification appeared first on TrustedSec.

Continue reading How I Retained My QSA Certification

Nine Things to Know About the CMMC

The Cybersecurity Maturity Model Certification (CMMC) (https://www.acq.osd.mil/cmmc/) is a program being developed to help ensure that specific types of unclassified data that exist outside of government systems remain adequately protected. Specifically, the CMMC applies to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in non-government systems. Eventually, this certification program will replace the process…

The post Nine Things to Know About the CMMC appeared first on TrustedSec.

Continue reading Nine Things to Know About the CMMC

Fear, Cybersecurity, and Right to Repair

Massachusetts is the latest state to grapple with Right to Repair legislation. A ballot question in the 2020 election asked the state’s voters to decide whether or not automobile manufacturers must make the telematics data collected by cars’ on-board computers available to independent repair shops. What seems like a debate over who can access the…

The post Fear, Cybersecurity, and Right to Repair appeared first on TrustedSec.

Continue reading Fear, Cybersecurity, and Right to Repair

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

The post The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1 appeared first on TrustedSec.

Continue reading The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

They say, “Everything old is new again.” Or, if you are a Game of Thrones fan, “What is dead may never die.” For me, however, a mentor once told me, “Everyone is going forward. I’m going backward.” Enter NetSync… I find Twitter to be a good source for InfoSec tactics, techniques, and procedures (TTPs). Anytime…

The post The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1 appeared first on TrustedSec.

Continue reading The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1

The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

This is a continuation of The Tale of the Lost, but not Forgotten, Undocumented NetSync (part 1) and in this section, we will look to answer: What are Some Early Indicators to Detect NetSync at the Host-based Level? What are Some Possible Controls to Deter NetSync? In an accompanying blog post, Wes Lambert (@therealwlambert) steps…

The post The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2 appeared first on TrustedSec.

Continue reading The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2

Making EDR Work for PCI

The Endpoint Detection & Response (EDR) and Advanced Threat Protection (ATP) marketplace is abuzz with products that blur the lines of personal firewall, host-based intrusion detection system (IDS) and intrusion prevention system (IPS), anti-virus, system logging, and file integrity monitoring (FIM). These solutions are centrally managed from your web browser and include advanced dashboards for…

The post Making EDR Work for PCI appeared first on TrustedSec.

Continue reading Making EDR Work for PCI

Using Effectiveness Assessments to Identify Quick Wins

An organization’s overall security posture can be viewed from multiple different angles, such as technical assessments, program assessments, controls assessments, and risk assessments. A number of different frameworks for each of these assessment types exist, intended to help both technical teams as well as leadership organize security program building activities. Some of these include: Penetration…

The post Using Effectiveness Assessments to Identify Quick Wins appeared first on TrustedSec.

Continue reading Using Effectiveness Assessments to Identify Quick Wins

20 Tips for Certification Success

Over the years, it has been my experience that industry certifications have become standard for job consideration and/or advancement for many technical positions. This is, of course, in addition to having experience in the particular field. I obtained my first (modern-day) technical certification in 2014. It was the System Security Certified Practitioner (SSCP) offered by…

The post 20 Tips for Certification Success appeared first on TrustedSec.

Continue reading 20 Tips for Certification Success

Want Better Alerting? Consider Your Business Processes

Logging, monitoring, and alerting programs are some of the most critical elements of any security and compliance program, but traditional approaches for implementing and upgrading these capabilities are often noisy, expensive, and laborious. Traditional Alerting Approaches are Failing During program assessments, we find that a lot of clients are generating so many alerts that they…

The post Want Better Alerting? Consider Your Business Processes appeared first on TrustedSec.

Continue reading Want Better Alerting? Consider Your Business Processes