How I Retained My QSA Certification

In 2019, the Payment Card Industry (PCI) Security Standards Council (SSC) modified the Qualification Requirements for Qualified Security Assessor (QSA) employees. Prior to the modification, the requirements stipulated that QSA employees must hold either an Information Security certification or an audit certification, but now QSA employees must have a minimum of two (2) industry certifications:…

The post How I Retained My QSA Certification appeared first on TrustedSec.

Continue reading How I Retained My QSA Certification

An Update On Non-Aggressive Reporting

Reporting is an essential piece of the penetration testing puzzle. It’s the product your client will be reviewing within their organization, representing you and your company to those you may not have worked with directly. With that in mind, it’s important that your product, the report, strikes a balance between professional tone and cold facts….

The post An Update On Non-Aggressive Reporting appeared first on TrustedSec.

Continue reading An Update On Non-Aggressive Reporting

Two Simple Ways to Start Using the MITRE ATT&CK Framework

While there is a wealth of free information intended to help larger organizations use the MITRE ATT&CKTM Framework, these resources often assume that the reader has dedicated security teams, deep technical skills, and/or a catalog of supporting security tools. But what if small organizations, compliance teams, or risk management professionals want to leverage ATT&CK? Never…

The post Two Simple Ways to Start Using the MITRE ATT&CK Framework appeared first on TrustedSec.

Continue reading Two Simple Ways to Start Using the MITRE ATT&CK Framework

Want Better Alerting? Consider Your Business Processes

Logging, monitoring, and alerting programs are some of the most critical elements of any security and compliance program, but traditional approaches for implementing and upgrading these capabilities are often noisy, expensive, and laborious. Traditional Alerting Approaches are Failing During program assessments, we find that a lot of clients are generating so many alerts that they…

The post Want Better Alerting? Consider Your Business Processes appeared first on TrustedSec.

Continue reading Want Better Alerting? Consider Your Business Processes

Vendor Enablement: Rethinking Third-Party Risk

Third-party risk management is an essential element of information security. It is common to see news about a large company being breached, and after learning more, you find out the breach was the result of a vendor. When you depend on another organization for a critical business process and allow them access to your network,…

The post Vendor Enablement: Rethinking Third-Party Risk appeared first on TrustedSec.

Continue reading Vendor Enablement: Rethinking Third-Party Risk

Is Zoom’s Lack of End-To-End Encryption a Problem?

All of the work-from-home activity coupled with all of the media about Zoom’s lack of end-to-end (E2E) encryption has resulted in a few clients asking us if Zoom can still be trusted to host meetings. It’s not exactly as they portray For those of you catching up, Zoom’s privacy and security have been the target…

The post Is Zoom’s Lack of End-To-End Encryption a Problem? appeared first on TrustedSec.

Continue reading Is Zoom’s Lack of End-To-End Encryption a Problem?

Securing a Remote Workforce: Top Five Things to Focus on For Everyone

Deploying a remote workforce is uncharted territory for some organizations, while others have been perfecting the model for years. Most security programs have different ways to handle their workforce. For on-premise users, which has traditionally used more of castle mentality where you attempt to prevent outsiders from penetrating the network perimeter (similar to a castle…

The post Securing a Remote Workforce: Top Five Things to Focus on For Everyone appeared first on TrustedSec.

Continue reading Securing a Remote Workforce: Top Five Things to Focus on For Everyone

Crossover Sec: Breaking Down the Silos

People who know me well, or who saw the Derbycon 6 talk I gave with Adam Hogan, “Adaptation of the Security Sub-Culture,” know of my non-InfoSec hobby and history of playing in loud bands that recorded and toured across the U.S. and Canada, mostly in the 90s. It was music in the 80s that had…

The post Crossover Sec: Breaking Down the Silos appeared first on TrustedSec.

Continue reading Crossover Sec: Breaking Down the Silos