PGI Monthly Cyber Bytes

PCI DSS Raising the Bar in 2018

Does your business deal with credit card payments of any sort? Do you know about and are conforming to the new requirements of PCI DSS? Service providers and merchants, this article is for you…

The current version of the Payment Card Industry Data Security Standard (PCI DSS) has been in place since April 2016. However, there are a number of requirements within this version 3.2, that up until this year have not been mandatory. Instead the PCI Security Standards Council (SSC) had marked these particular points as “best practice” to allow organisations time and space to implement them.

There is a danger, however, that these “best practice” requirements may have been over looked by some companies, so that when they come to do their 2018 attestation of compliance, they may suddenly be faced with significant areas of non-compliance.

Let’s discuss these “best practice” points in turn, and highlight what needs to be in place from end January 2018 to maintain compliance…

Read the full article here 

PCI DSS -PGI Can Help

So… you take card payments and need more help with the new mandatory requirements of PCI DSS?

As a business, working out realistically what you do and don’t need to invest in to ensure compliance can be complicated. Why not start with the basics?

PCIDSS

We offer 4 main services which will guide you through the whole compliance journey, or just a part of it :

  • Compliance advice
  • Gap Analysis
  • Testing and Monitoring
  • Audit and Reporting

GCHQ Fears Energy Smart Meters Could Expose Millions of Brits to Hack 

In the United Kingdom, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.

Unsecured IoT devices are a privileged target for hackers and unfortunately smart energy meters belong to this category. In the UK, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.

According to the intelligence agency, the vulnerabilities could be exploited by hackers to compromise the IoT devices, posing a serious risk to the users…”

PGI says…

Another week, and another article about an Internet Of Things (IOT) device that is vulnerable. The news story here is that a device being rolled out to 27 million homes is currently in a “damage limitation” step, with public statements to the effect of “it’s not a big problem, don’t worry”.

Here at PGI we regularly see customers that have ordered an IT system and not specified “the solution provided must be secure, and it must be possible to maintain this state”. When one buys a car, they do not really put on the list of features that they are looking for “has car alarm”. The motor industry has matured to the stage where this is a standard feature. Sadly, this isn’t yet the case in the IT market place.

In an increasingly squeezed market place, customers often take the lowest bidders solution, but fail to ask if the price difference is due to a lower cost base due to clever management, financing and structure; or if it is due to the removal of “implied” requirements. This is especially the case with “complex” purchases, often with non-specialist procurement teams.

If your company is designing an IOT device contact PGI for security consultancy, from design to production testing and ongoing maintenance solutions.

Read the source article here

Don’t Fall for Fake iTunes and App Store Messages 

 

Ever received an email that looks for all the world like it’s from Apple? Maybe a receipt from an iTunes purchase that you don’t remember making?

Well, that’s easy to fix, right? Just click on the link to update your account information and…Ooops! Increasingly, chances are if you click, you wind up being phished.

Phishing scams that pose as official Apple emails are getting more and more sophisticated. On Tuesday, 9to5Mac reported on one recent version: phishing attacks posing as App Store subscription renewal messages…”

PGI says…

This is another example of people trusting a company that’s come to them. If your bank sent a representative to your front door to help you “update your bank account details” you’d think that the situation is rather odd. The same applies here.

Historically companies have not been helping themselves, by placing links to their websites inside of their communications to customers.

Ideally, instead the customer would be instructed to go to the apple website and update their details without a link being provided. This would make the appearance of a link in one of these emails suspicious. Yet even the banks have followed this practise of sending out links. Why?…

Read the full source article here

 

For more information on the exclusive services Halcyon Super Yacht Security provide click here