Contextual Security Solutions Blog
INFORMATION EVOLVES
SECURITY & COMPLIANCE BLOG
PCI DSS 3.2.1 to 4.0 Control Changes
Now that you are looking at your timeline, you may be wondering how you can get from where you are now, a sage of PCI DSS 3.2.1, to where you will need to be by 2024. The PCI DSS 4.0 Summary of Changes Using the PCI DSS Summary of Changes document, you can...
Don’t Deploy Vulnerabilities
We are constantly updating and evolving our deliverables in an effort to provide more context around our security services. With that in mind we have been tracking some metrics since 2020 that allow us to see why organizations remain vulnerable to compromise. One of...
BloodHound Basics
“Hacking” isn't magic, but sometimes it is presented that way. Much of penetration testing and “hacking” is learning the tools of the trade and how they work "under the hood." In this series we hope to provide a high-level overview of common offensive tools, how they...
Exploiting the JMX Console (A slightly different path to compromise)
On a recent engagement, the client I was assessing had a relatively strong security posture. None of the old standby attacks were working. The client had disabled LLMNR and WPAD based on a previous security assessment, and all the client’s Windows machines were...
PCI DSS 4.0 Timeline
March 2022 forever changed the compliance landscape for all time. PCI DSS 4.0 was launched, the world was ushered into an era of bliss. Ok, seriously, bliss and compliance frameworks are, for most, not even in the same solar system. But, PCI DSS 4.0 is here and, for...
Intro to PCI DSS 4.0
Does your organization do anything with credit cards? Chances are you must be Payment Card Industry (PCI) compliant in some form or fashion. PCI compliance touches financial institutions, merchants, hardware and software vendors, managed support vendors, and a variety...
The Need for Incident Response Playbooks
The most recent Cost of a Data Breach Report (Ponemon 2021) found that “Lost Business Cost” represented the largest percentage (38%, or $1.59M) of the $4.2M average cost of a data breach. One of the key contributors to the “Lost Business Cost”, along with the cost of...
0-Day
What are we talking about? On May 30 CVE 2022-30190, https://nvd.nist.gov/vuln/detail/CVE-2022-30190, was issued by Microsoft. According to the Common Vulnerability Scoring System this is currently ranked as a high-severity vulnerability with a 7.8 out of 10. A...
False Positives / What Are They Doing Here?
False positives can be difficult to disprove and even harder to understand. They stem from an automated product, like a vulnerability scanner, doing its best to determine whether a specific condition exists or not. Unfortunately, a lot of people end up trying to...
Visibility and “Actionable” Metrics / #ExpectMore Series
Continuing with our #ExpectMore series, I want to explore some commonly used terms and what they might look like during a penetration test in your environment. “Visibility”, “Actionable Metrics”, these terms are frequently used in the cybersecurity world by vendors...