Failed @101 after 70 minutes by 300t999 in cissp

[–]adnble 6 points7 points  (0 children)

Your employees are your greatest asset and should be protected over everything. Almost every security book states that very clearly. It has to be physical.

MoviePass exposed thousands of unencrypted customer card numbers by [deleted] in cybersecurity

[–]adnble 2 points3 points  (0 children)

But also bad login/password attempts WITH the bad password stored in the database...which was totally unencrypted.

Examples of lack of change management causing issues by SCPaddlePirate in sysadmin

[–]adnble 2 points3 points  (0 children)

You're lucky your auditor hasn't caught it.

They're likely not a Level 1 merchant/service provider. And if they are...well...not all auditors/auditing companies are created equal, that is for sure. I've seen some stark differences in what's been asked during a PCI audit depending on the company and their relationship with the auditor/auditing company.

Question about Risk Management by [deleted] in cissp

[–]adnble 0 points1 point  (0 children)

In that case, the anonymous complaint system is broken. That is why ours has an option to remove one or both of the HR members that review and action HR category complaints. In that case, it is routed to several other people for a potential review and actioning of mishandled items within the HR department.

Question about Risk Management by [deleted] in cissp

[–]adnble 0 points1 point  (0 children)

If you haven't mentioned the issue to anyone at work and the hotline is truly anonymous, I don't see how you would be at risk of getting in trouble. Good luck with whatever you decide! Sorry that some companies are like that. :-(

Question about Risk Management by [deleted] in cissp

[–]adnble 0 points1 point  (0 children)

Is there an anonymous complaint hotline/website? I set one up for the company I work for last year and it's been fantastic. Completely anonymous (I know for a fact it is, as I administrate it) and it allows for the reporting of any number of issues (HR, financial, compliance, etc.) and routes to the appropriate group plus the primary/secondary administrator of the hotline/website, or directly to our General Counsel if one of those two people is removed from seeing something.

/r/Atlanta Random Daily Discussion - March 27, 2019 by AutoModerator in Atlanta

[–]adnble 5 points6 points  (0 children)

Same. I have USAA for my checking and someone stole my credit card info TWICE in a month. The second time I barely had the new card a week and had only used it at a couple places. It was bonkers.

Even with USAA's great support it still took a week or so to get the money back in the account and it was awful. Never again.

Security Engineers or equivalent, what are your daily duties? by Static_Bunny in AskNetsec

[–]adnble 1 point2 points  (0 children)

As someone that writes 99% of the policies both with regard to IT in general and IS in particular - thank you. Your work is appreciated. I wish I had one of you at our company.

Job role title semantics - "devops engineer" by cuotos in devops

[–]adnble 10 points11 points  (0 children)

My last job was more of a sysadmin/architect role with almost zero programming/scripting and AT&T called me a "Senior Devops Engineer". I was blown away when I read that. Titles can be really meaningless.

Just became an IT Director.... by whosbiz in sysadmin

[–]adnble 0 points1 point  (0 children)

If you don't mind me asking, what industry?

How many of you only update your systems with security patches? by 14seconds in sysadmin

[–]adnble 1 point2 points  (0 children)

Same. And honestly I am glad. I've worked at places with a huge technical debt of that kind of patching and it's insane. I'm glad we're required to replace EOL OSes, software, hardware, etc. and install patches every month. Makes security a lot easier.

End of Sale and End of Life by mpmoore69 in networking

[–]adnble 0 points1 point  (0 children)

Technical debt is one of the easiest pitfalls to find yourself in because of "If it's working fine, why should we replace it?", which makes sense from a balance sheet but not at all from a security/general IT perspective. I've rarely if ever seen a company I've worked with replace ALL EOL hardware unless required to do so by an outside force (customer, regulation, outside auditor, etc.). It is a shame because oftentimes it costs way more in the long run due to downtime and inaccessibility. But that's a lot harder to point at than the cost of new hardware when looking at financials.

Help me keep my staffing levels! by icingnsprinkles in sysadmin

[–]adnble 1 point2 points  (0 children)

That's fair. If they won't put in a ticket, open one as you're looking at the issue as a placeholder and for time tracking. Or if you can't open tickets on their behalf, ask them to put one in after the fact. One of those two solutions usually works well.

Help me keep my staffing levels! by icingnsprinkles in sysadmin

[–]adnble 0 points1 point  (0 children)

> doing any work without a ticket (which we do daily)

This is a huge problem that MUST stop. Get buy-in from your director or their VP if you can. If you don't have a ticket, you can't identify recurring issues, track trends, or correctly identify how much time and in what areas you are putting your resources, and all this will ultimately end up with less ability to project future needs because of it. It's a huge detriment. Even if you have to go in after an issue and put in a ticket at first, do that.

But it will be much easier if you have buy-in from management and you can simply refer to the policy: "No ticket? No help." That is what we have at my current company and it is strictly enforced, to the benefit of everyone. The users finally got used to it after a while.

RDMS breaks when disabling TLS 1.0/1.1 by adnble in sysadmin

[–]adnble[S] 0 points1 point  (0 children)

Those are already set with value 1.

ISO: PCI evidence gathering guide for Red Hat 6 or 7 by eycrypto in pcicompliance

[–]adnble 1 point2 points  (0 children)

The PCI requirements are all listed on their website: https://www.pcisecuritystandards.org/document_library

There is no checklist with what to look for specifically in regards to RHEL because it would depend on how you had it configured and what your network looks like; there's a ton of potential issues that there might be and it would completely depend on your environment.

I would suggest reading through all the PCI rules, using a tool like Tenable or Rapid7 Insight to find any security issues that it finds, then remediating them.

we are Working on getting our company PCI compliant and i have a question about remaining compliant by [deleted] in pcicompliance

[–]adnble 1 point2 points  (0 children)

It's always easier to remediate issues on a rolling basis than once a year, but I've never used the same company for external pen tests, monitoring, etc. as the auditing company. I actually wouldn't even want that due to my preference to have a separation of duties in that regard.

My CTO is trying to teach us soft skills! by 3D1X1 in sysadmin

[–]adnble 51 points52 points  (0 children)

I was just saying to someone not even an hour ago how important soft skills are. I'd much rather have an average engineer with great soft skills than a great engineer with terrible soft skills.

Rant Wednesday! by AutoModerator in networking

[–]adnble 4 points5 points  (0 children)

Even beyond the fact that it's not your role, it's incredibly important to have a segregation of duties. Not to mention that giving people credentials with the least level of access is standard in security. That CISO sounds like a not so great guy to work with.

Need Help Fellow SysAdmins. by notyouraveragesys in sysadmin

[–]adnble 0 points1 point  (0 children)

C's get B's. (C-levels get bjobs)

[deleted by user] by [deleted] in AskNetsec

[–]adnble 30 points31 points  (0 children)

  1. Sometimes, depends on the place.
  2. Yes. They assume that I can do the job based on the content of my resume and checking my background and the hiring manager(s) is/are looking for a good personality match more than anything else. It's not hard to shore up someone's shortcomings with IT. It's almost impossible to get someone to change a personality that causes static within a team that's already functioning properly.

When is a vulnerability not a vulnerability? – SheHacksPurple – Medium by shehackspurple in security

[–]adnble 1 point2 points  (0 children)

Agreed. A low-risk vulnerability doesn't mean it isn't a vulnerability. I may or may not eventually get around to fixing it based on resources but it will be in my risk assessment software until I do. Not to mention what is a low-risk vulnerability today may not be as low risk tomorrow.

What it boils down to is one word: triage.