https://community.isc2.org/t5/Cleveland-Chapter-Discussion/July-2022-Meeting-Minutes/m-p/52262#M15 <P>Start: 17:35</P><P>Attendees: 32, 3 first time</P><P>Sponsor: Dell</P><P>Location: Improving, Independence, OH</P><P>Officers in attendance</P><UL><LI>Rob Netgen</LI><LI>Chris Hartley</LI><LI>Troy Sheley</LI><LI>Ted Kozenko</LI></UL><P>Information Security Summit Announcement</P><UL><LI>Call for volunteers</LI><LI>Announcement of registration</LI></UL><P>Job openings</P><UL><LI>Westfield: CISO, Sr. Security Architect, "regular" Security Architect</LI><LI>Federal Reserve CLE: Security Analyst</LI><LI>Cuyahoga County: Network, CCIE, HelpDesk, and Intern positions</LI><LI>Home Depot: Security Engineer &amp; Security Analyst</LI></UL><P>Security Friends</P><UL><LI>PNC Warns against phishing scam</LI><LI>Experts uncover firmware root kit UEFI - CosmicStrand</LI><LI>Entire Canadian town of St. Mary's ransomware Lockbit</LI><LI>Digital security firm Entrust breached</LI><LI>NIST updates healthcare cybersecurity guidance</LI><LI>T-Mobile agrees to $350MM settlement + $150MM to update infosec</LI><LI>Hackers can bring ships &amp; planes to a halt</LI><LI>CISA announces Linux vulnerability</LI><LI>Phishing scams in QR codes</LI><LI>Houston area reportedly dealing with cyberattacks</LI><LI>Cyberattack on Port of Los Angeles doubled since pandemic - 40MM count</LI><LI>Hardcoded password in Confluence leaked on Twitter</LI><LI>Cisco fixes bug that lets attackers execute commands as root</LI><LI>US seizes stolen funds from North Korean hackers</LI><LI>Hackers distribute password hack tools for PLCs</LI><LI>Malicious GPS tracker vulnerability</LI></UL><P>Topic 1: PCI DSS 4.0 Summary of Changes</P><UL><LI>Chip Wolford @ Protiviti</LI><LI>PCI Council to meet next month in Toronto</LI><LI>2,000 PCI assessors globally</LI><LI>4.0 released Q1 2022</LI><LI>No one using v4.0 as v3.2.1 retires Q1 2024</LI><LI>April 01, 2024 official first date</LI><LI>Noncompliance of merchants can face fines</LI><LI>Real risk in not necessarily noncompliance, but the banks issuing punitive damage fines</LI><LI>Changes</LI><UL><LI>New customized approach</LI><LI>Defined a "significant change"</LI><LI>Frequency of many controls determined</LI><LI>Defined roles and responsibilities</LI><LI>Scope confirmation is a requirement</LI></UL><LI>Not changed</LI><UL><LI>12 high level standards</LI><LI>Approach to scoping and handling encrypted data</LI><LI>Ability to use compensating controls</LI><LI>Not encryptions of internal data transmission</LI><LI>DLP not being a required control</LI><LI>Password requirement to align with NIST 800-63 for app and sys accounts</LI><LI>3rd party provider not be PCI compliant, but have controls in place</LI></UL><LI>Defined vs customized approach = traditional approach vs defined</LI><LI>Extensive proofs and documentation for customized approach, to make it difficult</LI><LI>Periodic frequency can be done but needs to be justified through a risk analysis and formally documented</LI><LI>Scope confirmation as the organization level with a verification by the QSA</LI><LI>There is more focus on remote personnel to ensure card data</LI><LI>Disk level encryption for removeable media only, not for other card data</LI><LI>Include social engineering training</LI><LI>Use layer 7 web application firewalls or vulnerability analysis annually</LI><LI>SIEM is required</LI><LI>Quarterly monitoring if critical security control failures</LI><LI>Increased security for the payment page</LI><LI>Application vs system accounts have formalized management and password</LI><LI>User accounts reviewed every 6 months for access</LI><LI>Updated to include MFA</LI><LI>SAQs levels remain the same</LI><LI>New SAQ requirements in place by 3/31/2024</LI></UL><P>End 19:30</P> Mon, 01 Aug 2022 22:56:27 GMT TedKozenko 2022-08-01T22:56:27Z https://community.isc2.org/t5/Cleveland-Chapter-Discussion/July-2022-Meeting-Minutes/m-p/52262#M15 <P>Start: 17:35</P><P>Attendees: 32, 3 first time</P><P>Sponsor: Dell</P><P>Location: Improving, Independence, OH</P><P>Officers in attendance</P><UL><LI>Rob Netgen</LI><LI>Chris Hartley</LI><LI>Troy Sheley</LI><LI>Ted Kozenko</LI></UL><P>Information Security Summit Announcement</P><UL><LI>Call for volunteers</LI><LI>Announcement of registration</LI></UL><P>Job openings</P><UL><LI>Westfield: CISO, Sr. Security Architect, "regular" Security Architect</LI><LI>Federal Reserve CLE: Security Analyst</LI><LI>Cuyahoga County: Network, CCIE, HelpDesk, and Intern positions</LI><LI>Home Depot: Security Engineer &amp; Security Analyst</LI></UL><P>Security Friends</P><UL><LI>PNC Warns against phishing scam</LI><LI>Experts uncover firmware root kit UEFI - CosmicStrand</LI><LI>Entire Canadian town of St. Mary's ransomware Lockbit</LI><LI>Digital security firm Entrust breached</LI><LI>NIST updates healthcare cybersecurity guidance</LI><LI>T-Mobile agrees to $350MM settlement + $150MM to update infosec</LI><LI>Hackers can bring ships &amp; planes to a halt</LI><LI>CISA announces Linux vulnerability</LI><LI>Phishing scams in QR codes</LI><LI>Houston area reportedly dealing with cyberattacks</LI><LI>Cyberattack on Port of Los Angeles doubled since pandemic - 40MM count</LI><LI>Hardcoded password in Confluence leaked on Twitter</LI><LI>Cisco fixes bug that lets attackers execute commands as root</LI><LI>US seizes stolen funds from North Korean hackers</LI><LI>Hackers distribute password hack tools for PLCs</LI><LI>Malicious GPS tracker vulnerability</LI></UL><P>Topic 1: PCI DSS 4.0 Summary of Changes</P><UL><LI>Chip Wolford @ Protiviti</LI><LI>PCI Council to meet next month in Toronto</LI><LI>2,000 PCI assessors globally</LI><LI>4.0 released Q1 2022</LI><LI>No one using v4.0 as v3.2.1 retires Q1 2024</LI><LI>April 01, 2024 official first date</LI><LI>Noncompliance of merchants can face fines</LI><LI>Real risk in not necessarily noncompliance, but the banks issuing punitive damage fines</LI><LI>Changes</LI><UL><LI>New customized approach</LI><LI>Defined a "significant change"</LI><LI>Frequency of many controls determined</LI><LI>Defined roles and responsibilities</LI><LI>Scope confirmation is a requirement</LI></UL><LI>Not changed</LI><UL><LI>12 high level standards</LI><LI>Approach to scoping and handling encrypted data</LI><LI>Ability to use compensating controls</LI><LI>Not encryptions of internal data transmission</LI><LI>DLP not being a required control</LI><LI>Password requirement to align with NIST 800-63 for app and sys accounts</LI><LI>3rd party provider not be PCI compliant, but have controls in place</LI></UL><LI>Defined vs customized approach = traditional approach vs defined</LI><LI>Extensive proofs and documentation for customized approach, to make it difficult</LI><LI>Periodic frequency can be done but needs to be justified through a risk analysis and formally documented</LI><LI>Scope confirmation as the organization level with a verification by the QSA</LI><LI>There is more focus on remote personnel to ensure card data</LI><LI>Disk level encryption for removeable media only, not for other card data</LI><LI>Include social engineering training</LI><LI>Use layer 7 web application firewalls or vulnerability analysis annually</LI><LI>SIEM is required</LI><LI>Quarterly monitoring if critical security control failures</LI><LI>Increased security for the payment page</LI><LI>Application vs system accounts have formalized management and password</LI><LI>User accounts reviewed every 6 months for access</LI><LI>Updated to include MFA</LI><LI>SAQs levels remain the same</LI><LI>New SAQ requirements in place by 3/31/2024</LI></UL><P>End 19:30</P> Mon, 01 Aug 2022 22:56:27 GMT https://community.isc2.org/t5/Cleveland-Chapter-Discussion/July-2022-Meeting-Minutes/m-p/52262#M15 TedKozenko 2022-08-01T22:56:27Z