Posts by Tim Holman
Choosing a QSA – tips on how to find some of the better ones…
It is well known that there is a low barrier to entry for a security company to become a certified QSA Company (QSAC). As long as a reasonable amount of security experience can be documented and an annual fee paid, the resultant QSA examinations are trivial to pass. This unfortunately leads to a market that is [...]
Where did all the blogs go?
Sorry it’s been a while since you’ve been ingratiated with a 2-sec blog entry. You might have noticed recent UK press legislation that was put in place following the phone hacking scandal, which appeared to be ubiquitous and spanning all kinds of publishing media. I did at some point work out if I could actually [...]
The Bit9 incident
We see in the news another example of cyber criminals successfully stealing a private certificate and using it to their nefarious advantage. In this instance, cyber criminals allegedly exploited perimeter defences and web application security to gain access to one of Bit9’s private certificates - https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/. A private certificate is used to sign an encryption key, [...]
PCI SSC Third Party Security Assurance SIG
As you may have heard on the grapevine 2-sec’s SIG proposal for Third Party Security Assurance was accepted and we are currently working with the PCI SSC to flesh out plans for improving service provider engagement guidance and influencing the outcome of PCI DSS v3.0, to help better serve and secure the payments community. Control [...]
PCI DSS governance
PCI DSS 12.5 “Assign to an individual or team the following information security management responsibilities” is not just about putting somebody’s name down to pass an audit, and we QSAs are clamping down hard on those who pay governance lip service, then forget about it for a year until the next audit is due. Even in smaller [...]
The Cunning Art of ASV Manipulation!
Well, maybe manipulation is a bit of a strong word, but the reason for this title is the increasing number of requests we get as QSAs to help out smaller, level 4 merchants, who have been instructed by the likes of Worldpay, RBS Worldpay (aka Streamline), Barclaycard Business, HSBC or PayPal, to go [...]
PCI SSC Special Interest Group (SIG) – Third Party Assurance
I am presenting a proposal to setup a SIG for Third Party Assurance at both Orlando and Dublin PCI SSC Community Meetings. The aim of the SIG is to provide additional guidance around control 12.8, which to date we think is somewhat open to interpretation. The control as it stands: 12.8 If cardholder data is [...]
Internet monitoring and civil liberties
The government has laid out plans to monitor internet usage in the UK, namely to tackle “serious” crime and make it easier to track criminals, through monitoring of webmail, social networking sites, internet phone calls and online gaming. The first reaction of any serious criminal will be to go underground, that’s if they’re not there [...]
2-sec exhibiting at PCI London, July 5th 2012
Look out for us at PCI Europe’s London event on July 5th, in association with Visa and Barclaycard - http://www.pci-portal.com/pci-europe/. A limited number of tickets are still available, so register quickly if you would like to come along. The invite-only, world-renowned 2-sec after party returns in the evening, which offers an informal setting [...]
LinkedIn breach – the fallout
Since the publication of 6.5 million LinkedIn password records by Russian hackers last week, reports have been flooding in of other accounts being subject to unauthorised access. Where users have used the same email address and password for their LinkedIn account and other accounts such as eBay, PayPal, Skype, Facebook, Amazon, Twitter and personal email accounts, [...]
