I ran across these today and thought I would pass them along.
The first article discusses the lessons that can be learned from the Google attack, also known as ‘Aurora’, on Web sites. What is interesting is that if your organization was complying with the PCI DSS, the attack would almost immediately have been identified. At that point, the attack could have been mitigated. And remember, mitigation can include unplugging your network from the Internet. Granted, that is a drastic action to take, but this was a drastic attack and would have warranted such an approach. Most organizations’ incident response plans never discuss disconnecting the organization from the Internet. However, disconnecting your organization from the Internet might be a valid action to take in certain circumstances, such as with ‘Aurora’.
The second article discusses the issue of using proprietary encryption algorithms. It amazes me how many people feel the need to reinvent the wheel, all in the name of putting their personalization and creativity on a given project. Encryption is not a place to reinvent the wheel. So all of you “experts” out there who think you can do better than AES, get over it. You cannot do better.
If you are not keeping up on security, you really need to. To ease the pain, get a free RSS feed reader such as FeedDemon and subscribe to a number of security RSS feeds so that you can stay informed about security and threats.