Re: [Dataloss] Feds seek to nab credit card thieves in La., Miss.

macwheel99@wowway.com
Date: Mon Aug 18 2008 - 21:58:43 CDT


A company can buy some computer system and not install, or manage, it
properly.
I am more interested in whether they had any PCI audits or other security
audits, and what if anything the audits had to say about their state of
security preparedness.

Here's what went wrong at TJX Max (click on preview to see document filed by
5/3 bank auditor AFTER the mess.) http://www.box.net/shared/ieae3qfqj9

This is quite an eye-opener ... they had perfectly good computer systems,
but at some level of company leadership, there was no conception of their
security responsibilities, what it meant to be PCI compliant.

There were TWELVE cyber security standards applicable to TJX.
They had met THREE of them.

Buying and installing computer systems is not enough.

There has to be informed management ensuring that systems have been properly
implemented, are doing the job they are intended to do, and continue to do
so, after any upgrades to related systems.

When that does not happen, we cannot blame the computer vendors. That's like
blaming an auto manufacturer because a drunk is driving around, on a flat
tire, with broken lights.

TS Glassey wrote:
> It would be interesting to know who's Management Systems these shops
> all bought.
>
> Todd
>
> ----- Original Message -----
> From: "lyger" <lyger@attrition.org>
> >
> > Courtesy Victor Chavez:
> >
> > http://www.forbes.com/feeds/ap/2008/08/18/ap5334017.html
<snip>
> > The restaurants began reporting the thefts beginning in March in Baton
> > Rouge, followed by similar cases in Flowood, Miss., Lafayette, Lake
> > Charles and West Monroe. The hackers have swiped credit and debit card
> > numbers off 16 restaurants' computer systems,
> >
> > The cases appear connected and probably involve a criminal network that
> > stretches overseas, which would be consistent with other identity theft
> > <http://www.forbes.com/feeds/ap/2008/06/25/ap5152958.html?partner=alerts
> >> cases, U.S. Attorney David Dugas said.
> > [...]

_______________________________________________
Dataloss Mailing List (dataloss@attrition.org)
http://attrition.org/dataloss
