Cisco Blogs


Cisco Blog > Security

Simplifying PCI Compliance for SMBs

Payment Card Industry (PCI) compliance can often be overwhelming for all enterprises, let alone small and medium businesses (SMBs).  Given limited budgets and IT resources, SMBs face an even greater challenge than large enterprises.

The PCI Data Security Standard (DSS) 2.0 is complex on several levels:

  • It requires expertise on a range of network systems and security technologies.
  • It requires continual monitoring and management of access to cardholder data.
  • There is no “silver bullet” technology that can address a growing list of detailed standards and requirements. Technologies such as encryption, tokenization, as well as Europay, MasterCard, and Visa (EMV) smartcards address portions of your infrastructure, but none provide a single compliance solution.
  • It’s dynamic and requires ongoing diligence.  Being compliant at the time of your audit is a snapshot in time that requires simplified maintenance.

These requirements take time, effort and funding, which are all in short supply in SMBs.

Help is at hand. Cisco and many of its partners offer cost-effective PCI compliance services--including assistance for SMBs as they complete their self-assessment questionnaire or assess PCI readiness.   In a recent article  authored by Cisco and partners Verizon Business and Presidio, we examine ways to simplify compliance for small and medium businesses.  Learn the 5 key strategies to securing your customer information while incorporating security best practices from Aaron Renolds, QSA and Principal Consultant at Verizon Enterprise Solutions and Sean Wallis, Senior Security Consultant at Presidio Networked Solutions.

Advice to Managers: Five Ways to Simplify Your PCI 2.0 Compliance:

http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/do_business_better/advice_to_managers/index.html

Tags: , , , , , , ,

“War, what is it good for” as a security metaphor?

I have a thing for metaphors. I wrote my dissertation on them. And they have helped me enormously as a non-engineer working in IT security.

Metaphors are powerful tools (that’s a metaphor, by the way). Literally referring to something as something else enables us to make mental connections between concepts that are not really the same. War and weapons have proven historically useful metaphors. In wartime, everything changes. We look at the situation, our opponents, and even ourselves very differently (I like the image of a noble warrior on the battlefield more than that of a guy who spends most of his day sitting and typing…)

But metaphors also cause trouble, especially when we use them to over-simplify. I am skeptical of “security as war” metaphors, including that of the arms race. The metaphor detracts from the very real threats of cyber- and information warfare. War doesn’t define security any more than war defines firearms. Unless we are specifically talking about threats from nation states (and a few other actors) using information technology as part of armed conflict, we are not talking about war. And this is not what we are usually talking about in information security.

Read More »

Tags: , , , ,

Network Defense at Blackhat 2012

Just back from presenting lab-based training session Detecting & Mitigating Attacks Using Your Network Infrastructure with Joe Karpenko at Blackhat USA 2012. Great to see a Defense track of Briefings which included Intrusion Detection Along The Kill Chain: Why Your Detection System Sucks And What To Do About It and more of an emphasis on protecting or remediating network infrastructures in topics like Targeted Intrusion Remediation: Lessons From The Front Lines. I attended several of these briefings and was impressed with the breadth of information provided for network operators. The Defense briefings align well with the network security best practices advocated by Cisco and presented in our training. These best practices include: Read More »

Tags: , , ,

Work Your Way, Securely

August 2, 2012 at 11:17 am PST

Hear how financial innovator Diebold gains visibility and control of the 87,000 devices on their network. David Kennedy, former Chief Security Officer at Diebold recognizes there is no stopping new mobile devices and sets course to secure the organization while ensuring the business may continue to generate revenue. Workers want to work their way securely and prefer that the security is transparent so that they have the optimal experience. He speaks to the unique granularity that the Cisco Identity Services Engine (ISE) offers to segment access by user, device, access method, posture, and time. So that engineers may have access to their codebase while marketing professionals like me have no access from my new iPad:

Read More »

Tags: , , , ,

Cyberspace – What is it?

Today, the word “cyberspace” is used in many contexts, but it is not always clear what exactly that term describes and what it means. In this post we will compare the definitions of cyberspace from several sources with the purpose of establishing a range of notions as to what cyberspace is and to derive its ontology. Sources are relevant entities like national or regional government, standardization bodies, and dictionary.

The reason why the term “cyberspace” is chosen is that all other terms (e.g., cyber security, cybercrime, cyberwar, cyberterrorism, etc.) are based on, or derived from, cyberspace itself. Therefore, cyber security is security of cyberspace. Cybercrime is crime committed within cyberspace or where elements from/of cyberspace are used as a vehicle to commit a crime, and so on for other derived terms.

Read More »

Tags: ,