Dara Security

Archived News from 2015

PA-DSS 3.1 Released – June 1, 2015

The PCI Security Standards Council (PCI SSC) has released Payment Application Data Security Standard (PA-DSS) Version 3.1 to address vulnerabilities in the Secure Sockets Layer (SSL) protocol. This update removes SSL and early TLS as examples of strong cryptography. PA-DSS 3.1 is effective June 1, 2015.

The PCI DSS requirements that are directly affected by this update are:

Requirement 8.2: The payment application must only use or require use of necessary and secure services, protocols, daemons, components, and dependent software...


Winner of the 2015 Nevada Business Awards

The entire Dara Security team is honored and humbled to receive this award.

Many thanks to Nevada Business Magazine, Nevada State Bank, and their sponsors for recognizing our team's efforts.

We are energized to reach greater heights!

Quid Pro Quo – What’s the Cost of a Free Gift?

We continue our series on social engineering with this explanation of Quid Pro Quo, the social engineering tactic that relies on a criminal's ability to tempt victims with a free service or gift. Latin for "this for that," Quid Pro Quo is yet another classic social engineering scheme, relying on an individual's gullibility to give a criminal access to sensitive information.

How is Quid Pro Quo Done?

Quid Pro Quo occurs when an attacker promises a free service or gift in exchange for information.  The attacker could impersonate an IT...


PCI DSS 3.1 Released – April 15, 2015

April 15, 2015 brought us more than tax day; it brought us the much-anticipated release of the PCI DSS standard from the PCI Council. As SSL and early TLS are no longer considered strong cryptography, this release describes how the industry is to move forward with regard to the use of SSL and early TLS versions, and how current PCI DSS compliance status is impacted.

The PCI DSS requirements that are directly affected by this update are:

Requirement 2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be...


Phishing - Would you Click?

As part of our ongoing series on social engineering, this article highlights phishing, the most widely used social engineering tactic. Like other social engineering schemes, phishing relies solely on an individual's trust and/or gullibility to give a criminal open access to sensitive information.

How is Phishing Done?

Phishing occurs when a criminal sends a target individual a specially crafted email. The ideal phishing email will appear as if it is from a trustworthy source, perhaps the individual's bank or a reputable website or group. Phishing...


Notice: NIST Deems SSL No Longer Acceptable for Secure Communication

The National Institute of Standards and Technology (NIST) has identified the Secure Sockets Layer (SSL) v3.0 protocol (a cryptographic protocol designed to provide secure communications over a computer network) as no longer acceptable for the protection of data, due to inherent weaknesses within the protocol.

Because of these weaknesses, no version of SSL meets the PCI SSC's definition of "strong cryptography." Furthermore, with the recently disclosed issues with TLS, the only acceptable measure for secure communications is to use TLS 1.2 with an AEAD cipher suite. ...


Social Engineering - Would You Take the Bait?

As a follow-up to our recent blog post on social engineering, this article explains more about baiting, the specific type of social engineering in which criminals use malware-laden devices to manipulate employees into providing access to a company's sensitive information. Like other types of social engineering, baiting relies on an employee's lapse of judgment to create a weakness in a company's network. When the desire to satisfy curiosity or fulfill temptation overrides an employee's knowledge of the company's security protocols, the social engineer's baiting scheme is a success....


Notice: PCI DSS and PA-DSS v3.1 Revisions Coming

In a notification to QSAs and ASV providers, the PCI SSC announced that, in order to address a few minor updates, clarifications, and one impacting change, there will be a revision of PCI DSS and PA-DSS v3.0 in the very near future. The impacting change is related to several vulnerabilities in the SSL protocol.

In short, because of the publicly released vulnerabilities in SSL, no version of SSL meets the PCI SSC's definition of "strong cryptography." The PCI SSC will issue updates to the standards to address this. In the near future, this will mean that if a payment...


Social Engineering: The Art of The Con

When securing critical systems and sensitive data, companies immediately think of firewalls, intrusion prevention systems, anti-virus software, and other similar protections. Although these safeguards are essential to overall information security, companies tend to overlook what has evolved into the weakest link in the security chain: the company's employees. By neglecting to include employees when considering a company's information security posture, a company leaves itself open to a security threat known as "social engineering."

Social engineering is a non-technical way...
