TedKozenko
Newcomer I

July 2022 Meeting Minutes

Start: 17:35

Attendees: 32, 3 first time

Sponsor: Dell

Location: Improving, Independence, OH

Officers in attendance

  • Rob Netgen
  • Chris Hartley
  • Troy Sheley
  • Ted Kozenko

Information Security Summit Announcement

  • Call for volunteers
  • Announcement of registration

Job openings

  • Westfield: CISO, Sr. Security Architect, "regular" Security Architect
  • Federal Reserve CLE: Security Analyst
  • Cuyahoga County: Network, CCIE, HelpDesk, and Intern positions
  • Home Depot: Security Engineer & Security Analyst

Security Friends

  • PNC Warns against phishing scam
  • Experts uncover UEFI firmware rootkit - CosmicStrand
  • Entire Canadian town of St. Mary's hit by LockBit ransomware
  • Digital security firm Entrust breached
  • NIST updates healthcare cybersecurity guidance
  • T-Mobile agrees to $350MM settlement + $150MM to update infosec
  • Hackers can bring ships & planes to a halt
  • CISA announces Linux vulnerability
  • Phishing scams in QR codes
  • Houston area reportedly dealing with cyberattacks
  • Cyberattacks on Port of Los Angeles doubled since pandemic - 40MM count
  • Hardcoded password in Confluence leaked on Twitter
  • Cisco fixes bug that lets attackers execute commands as root
  • US seizes stolen funds from North Korean hackers
  • Hackers distribute password hack tools for PLCs
  • Malicious GPS tracker vulnerability

Topic 1: PCI DSS 4.0 Summary of Changes

  • Chip Wolford @ Protiviti
  • PCI Council to meet next month in Toronto
  • 2,000 PCI assessors globally
  • 4.0 released Q1 2022
  • No one is using v4.0 yet; v3.2.1 retires Q1 2024
  • April 1, 2024 is the official first date
  • Noncompliant merchants can face fines
  • Real risk is not necessarily noncompliance itself, but the banks issuing punitive fines
  • Changes
    • New customized approach
    • Defined a "significant change"
    • Frequency of many controls is determined
    • Defined roles and responsibilities
    • Scope confirmation is a requirement
  • Not changed
    • 12 high level standards
    • Approach to scoping and handling encrypted data
    • Ability to use compensating controls
    • Encryption of internal data transmission not required
    • DLP not being a required control
    • Password requirement to align with NIST 800-63 for app and sys accounts
    • 3rd party providers need not be PCI compliant, but must have controls in place
  • Defined vs. customized approach: defined = the traditional approach
  • Extensive proofs and documentation required for the customized approach, which makes it difficult
  • Periodic frequency can be used but needs to be justified through a risk analysis and formally documented
  • Scope confirmation at the organization level with verification by the QSA
  • There is more focus on remote personnel to ensure card data
  • Disk level encryption for removable media only, not for other card data
  • Include social engineering training
  • Use layer 7 web application firewalls or vulnerability analysis annually
  • SIEM is required
  • Quarterly monitoring of critical security control failures
  • Increased security for the payment page
  • Application vs. system accounts have formalized management and password requirements
  • User accounts reviewed every 6 months for access
  • Updated to include MFA
  • SAQ levels remain the same
  • New SAQ requirements in place by 3/31/2024

End: 19:30
