• 28May
    Author: ben Categories: IT Management, Security Comments: 1

I’ll kick off my much-delayed series on compliance and regulation with the Payment Card Industry Data Security Standard (PCI DSS). This highly visible, widely applicable standard applies to any organization that stores, processes or transmits credit card data. Importantly, the standard was developed by the card industry rather than by Congress, in direct contrast to industries such as health care and finance that are regulated by the federal government.

The standard consists of 12 requirements, each with a number of sub-requirements, ranging from firewall configuration to security policy to ongoing monitoring and testing. Merchants are sorted into four levels by annual transaction volume, and the way a merchant must validate compliance (a self-assessment questionnaire versus an on-site assessment, plus quarterly vulnerability scans) differs by level, although the 12 requirements themselves apply to all. Read on for details and tips.


  • 17May
    Author: ned Categories: Infrastructure, Ramblings Comments: 1

    MySQL didn’t escape the Sun acquisition unscathed… hopefully Oracle doesn’t make the same dumb mistakes.

    I took (what I thought would be) a few minutes this afternoon to upgrade a group of production MySQL servers at Applied Trust. I started by following the same process I have followed for at least four or five years: browse to mysql.com, click on “Download”, and follow the links to the latest RPMs for my Linux distributions.

The download went as expected, with the consistent MySQL branding lulling me into a false sense of ease – this was something I’ve done dozens of times. I shouted down the hall that I’d be ready to start grilling dinner in a few minutes. Next, I scheduled downtime, did the necessary change documentation, and brought one of the slave MySQL servers down – I was ready to upgrade the database. I typed sudo rpm -Uvh MySQL-*-5.1.34-0.rhel5 and my pleasant ride through upgrade-land came to a screeching halt:

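The upgrade procedure in this post (download the vendor RPMs, stop the slave, run rpm -Uvh on a glob of packages) is exactly the point where a pre-flight check earns its keep. The script below is an added example, not code from the original post or from MySQL: it checks that every RPM in the set carries the same version-release string, verifies package digests and GPG signatures with rpm -K, and does an rpm --test dry run before anything is installed. The package filenames in the usage line are constructed for illustration, and the rpm calls assume the vendor's signing key has already been imported into the rpm database with rpm --import.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks to run
# before `rpm -Uvh MySQL-*-<version>` on a production database server.

# Print "<version>-<release>" for an RPM filename, e.g.
# MySQL-server-5.1.34-0.rhel5.x86_64.rpm -> 5.1.34-0.rhel5
rpm_version_release() {
    base=$(basename "$1" .rpm)
    base=${base%.*}          # drop the architecture field (.x86_64, .noarch)
    rel=${base##*-}          # release is the last dash-separated field
    rest=${base%-*}
    ver=${rest##*-}          # version is the field before it
    printf '%s-%s\n' "$ver" "$rel"
}

# Return 0 if every filename given shares one version-release string,
# 1 otherwise. A glob that silently mixes releases of the server, client
# and shared packages is a classic way to make rpm -U refuse the whole set.
same_version_release() {
    first=""
    for f in "$@"; do
        vr=$(rpm_version_release "$f")
        if [ -z "$first" ]; then
            first=$vr
        elif [ "$vr" != "$first" ]; then
            echo "version mismatch: $f is $vr, expected $first" >&2
            return 1
        fi
    done
    return 0
}

# Full pre-flight: consistent versions, valid signatures, then a dry run.
# Assumes the vendor GPG key was imported earlier with `rpm --import`.
preflight() {
    same_version_release "$@" || return 1
    # rpm -K checks each package's digest and GPG signature against the
    # keys in the rpm database; an unsigned or tampered file fails here.
    rpm -K "$@" || return 1
    # --test resolves dependencies and conflicts without changing anything.
    rpm -Uvh --test "$@"
}

# Usage (constructed filenames):
#   sh preflight.sh MySQL-*-5.1.34-0.rhel5.*.rpm
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it from the download directory before scheduling the downtime; a non-zero exit means stop and read the message before the production server is touched.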

  • 01May
    Author: terry Categories: IT Management, Security Comments: 0

Many organizations think they don’t need to worry about incident management. They think their data is not interesting enough, or that they are too small and no one will find them, or that they have a firewall and are therefore secure. Unfortunately, none of these things are true. In 2008, the FBI reported that 43% of the companies it surveyed had sustained a breach in the prior 12 months. That is scary on its own, and if 43% actually suffered a breach, it is likely that nearly 100% were the target of an attempted one.

Now is the time to prepare for an incident. Industry best practice for incident management begins with being well prepared. Some things to keep in mind:

