• Evelyn de Souza
    Evelyn de Souza is senior manager of risk and compliance solution marketing at McAfee, based in Santa Clara, Calif. Evelyn is responsible for developing holistic solutions for compliance initiatives such as PCI DSS, as well as marketing McAfee’s policy auditing and remediation solutions. She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, she pioneered the development of tools, such as McAfee’s Compliance Mapping Matrix that cross maps various regulations, standards and frameworks to McAfee solutions.

    Evelyn is a passionate security professional with over eight years in the IT security industry. She enjoys engaging with industry analysts and with current and potential McAfee customers and partners to discuss industry trends and how McAfee solutions can be best implemented to sustain compliance in various environments.

    Evelyn holds a Bachelor of Arts degree with Honors in Music from Monash University, Melbourne, Australia.
  • McAfee Endpoint Customers Rest Easy on Patch Tuesday Thursday, October 15, 2009 at 7:08 pm by Evelyn de Souza

    Two days ago Microsoft released an unprecedented 13 security bulletins covering 34 vulnerabilities, which together require roughly 30 MB of updates to fully patch a system.

    Microsoft has rated several of these vulnerabilities as critical and recommends rapid deployment, since exploits for several of them are expected to begin circulating in the next few days. That is no small task when you are talking about thousands of endpoints.

    McAfee customers using Total Protection for Endpoint were once again covered by zero-day protection that is enabled by default. With this protection in place, IT teams can patch on a less frequent and less urgent schedule, saving time, money, and effort.

    McAfee VirusScan’s buffer overflow protection is expected to proactively block exploits of 22 of the 34 new vulnerabilities this month. McAfee Host Intrusion Prevention is expected to cover the same 22, and adds exploit reporting beyond what VirusScan’s general buffer overflow protection provides.

    Other security vendors will be working around-the-clock with Microsoft on new signature updates to address these vulnerabilities. 

    (This post was co-authored by Evelyn de Souza and Scott Taschler, a McAfee systems engineer.)


  • Gartner Risk and Compliance Summit Monday, May 4, 2009 at 6:12 pm by Evelyn de Souza

    This year’s theme at the Gartner Risk and Compliance Summit centered on directions and tools to help organizations get the most out of their Governance, Risk and Compliance programs, no doubt a reflection of the current economic climate.

    Especially interesting was that few vendors really had anything innovative or different to offer compared to last year. Some were niche vendors who solve one piece of the puzzle but are trying to expand their offerings, while others were broader GRC vendors that had matured their offerings.

    What was clearly apparent is that customers are more than ever bent on consolidating vendors. The idea that you could have one platform to manage both security and compliance, with separation of duties built in, has gained momentum. And controls automation, while a well-worn topic, is also something customers are becoming much more serious about as a way of reducing the cost of audits.

    McAfee co-presented a session with Tyco International on leveraging a risk-based approach to sustain compliance efforts, which resonated very well with attendees. Taking a risk-based approach could have helped mitigate some of the most publicized recent data breaches. Through regular automated audits and vulnerability scans, and by applying countermeasures to reduce residual risk, organizations can focus on the assets most at risk. We call this the 80-20 rule.

    Tyco International talked about their efforts to streamline compliance and how they have adopted this risk-based approach. They eliminated multiple disparate tools by moving to one integrated solution, and, in a highlight for many attendees, they expect to reduce the time they spend on external audits from thousands of hours to days.


  • The Right Steps to Safeguarding Credit Card Data Wednesday, March 18, 2009 at 7:48 pm by Evelyn de Souza

    It’s beginning to feel like every other day we learn about yet another data breach in which credit card information or other sensitive consumer data is compromised. An air of complacency has settled in; we are becoming almost immune to the rash of incidents taking place.

    The effects on consumers whose data has been breached are hardly insignificant. Having to cancel credit cards is a terrible experience, and combing through account statements to figure out which transactions you never actually made is unsettling. For those in the more harrowing position of being pursued by bill collectors for accounts they never opened, it is their worst nightmare come true.

    What should service providers and organizations that handle credit card data be doing? It is not enough to follow PCI DSS in a checklist fashion. These organizations have a higher level of responsibility to protect the consumer. It is refreshing that the PCI Security Standards Council has recognized the need to help organizations become more vigilant about protecting credit card data. This month the Council issued a 15-page document that details a “prioritized approach” to complying with the rules, specifically designed to help those overwhelmed by the slew of 220+ requirements. The approach focuses on the highest-risk issues first and builds compliance milestones around them: for example, purging sensitive card-authentication data from systems and limiting the amount of information companies collect and retain. The Council also released a spreadsheet-based tool with which organizations can plot their progress against the milestones.

    This approach seems much more in line with the overall approach organizations should be taking to mitigate risk and better safeguard sensitive data.


  • The Impact of Recent PCI DSS Announcements Monday, November 17, 2008 at 9:08 pm by Evelyn de Souza

    The last couple of months have seen a flurry of announcements and updates to the Payment Card Industry Data Security Standard (PCI DSS).

    So, what is the impact of these changes and announcements?

    Certainly, it appears that PCI is going to stay at the forefront of retailers’ minds and is not going to lessen in importance anytime soon. The recent updates to the standard (v1.2) were welcome clarifications. The changes were minor and focused primarily on improving wireless security, an attack vector that intruders had previously exploited.

    Some of the newest changes include:
    - Removal of WEP as an acceptable wireless encryption algorithm
    - Wireless must use industry best practices and strong encryption
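    The two wireless changes above are easy to check mechanically on the access points you control. The following is an added example, not code from the original post or from McAfee or the PCI Security Standards Council: it parses hostapd-style access point configuration fragments and flags settings that v1.2 no longer accepts (WEP keys, open networks) as well as WPA version 1 and the TKIP cipher, which are the weak choices a reviewer would reject under the “strong encryption” wording. The key names it looks for (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wep_key0..3, wep_default_key, ieee8021x) are the hostapd.conf option names as I know them; the four configuration samples are constructed for the example.

```python
"""Audit hostapd.conf fragments for wireless encryption settings PCI DSS v1.2 rejects.

Added example (not from the original post). Assumes hostapd.conf option names:
wpa (bitfield, 1 = WPA, 2 = WPA2/RSN), wpa_pairwise / rsn_pairwise (cipher list),
wep_key0..wep_key3, wep_default_key, ieee8021x.
"""
import re

# Constructed sample configurations (not taken from any real deployment).
WEP_CONF = """
interface=wlan0
ssid=store-pos
# legacy WEP key: no longer an acceptable wireless encryption algorithm
wep_default_key=0
wep_key0=0123456789
"""

OPEN_CONF = """
interface=wlan0
ssid=guest
"""

LEGACY_WPA_CONF = """
interface=wlan0
ssid=store-pos
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=correct-horse-battery-staple
"""

SECURE_CONF = """
interface=wlan0
ssid=store-pos
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless(cfg):
    """Return a list of human-readable findings; an empty list means no weak setting found."""
    findings = []

    # 1. WEP in any form is out under v1.2.
    wep_keys = sorted(k for k in cfg if re.fullmatch(r"wep_key[0-3]", k))
    if wep_keys or "wep_default_key" in cfg:
        findings.append("WEP configured (%s); WEP is not an acceptable cipher"
                        % ", ".join(wep_keys or ["wep_default_key"]))

    wpa = int(cfg.get("wpa", "0"))
    if wpa == 0:
        # No WPA/WPA2, no WEP and no 802.1X: the network is open.
        if not wep_keys and cfg.get("ieee8021x", "0") == "0":
            findings.append("no WPA/WPA2 configured: network is open")
        return findings

    # 2. 'Strong encryption': reject WPA version 1 and the TKIP cipher.
    if wpa & 1:
        findings.append("WPA (version 1) enabled; use WPA2 only (wpa=2)")
    pairwise = cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise")
    if pairwise is None:
        findings.append("pairwise cipher not set explicitly; set rsn_pairwise=CCMP")
    elif "TKIP" in pairwise.split():
        findings.append("TKIP pairwise cipher enabled; use CCMP only")
    return findings


if __name__ == "__main__":
    for name, conf in [("WEP", WEP_CONF), ("open", OPEN_CONF),
                       ("legacy WPA", LEGACY_WPA_CONF), ("secure", SECURE_CONF)]:
        print(name, "->", audit_wireless(parse_hostapd(conf)) or "OK")
```

    Run against the real configuration files from each access point (or the equivalent export from a wireless controller) and treat any finding as a failed control; the secure sample passes because it is WPA2-only with CCMP and no WEP keys.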

    Visa has also gotten serious about enforcing secure payment applications through the Payment Application Data Security Standard (PA-DSS), with an aggressive compliance deadline of July 2010.

    The recent announcement of global deadlines for PCI is yet another evolution of enforcing cardholder security. Setting global standards will help drive PCI compliance as a universal expectation, rather than a region-by-region initiative.

    September 30, 2009, is when “global merchants and service providers” (who operate in more than one of the Visa-defined regions) must attest that they do not store full magnetic stripe data (track data), security codes or PIN data after transaction authorization. September 30, 2010, is when all service providers and Level 1 merchants have to submit reports on compliance.


  • Two days left to PCI 1.2! Monday, September 29, 2008 at 7:11 pm by Evelyn de Souza

    With the official release now two days away, several stakeholders have already been privy to version 1.2. Considering that two years went into revising the Payment Card Industry Data Security Standard (PCI DSS), this prescriptive IT security standard hasn’t changed that much.

    What most merchants need to know is “How will v1.2 impact my organization?”  The good news is that some requirements have been altered to better meet existing risk management procedures.

    Requirement 1 relaxes firewall rule set reviews from quarterly to every six months. The patching specification in Requirement 6 now reads “….that a risk-based approach may be used to prioritize patch installation” instead of requiring every patch within 30 days. A thorough approach to patching takes longer than 30 days in order to fully test, prioritize, and ensure a robust deployment process. The change allows countermeasures such as host and network intrusion prevention technologies to apply a virtual shield to systems until patches can be deployed.

    Finally, the anti-malware requirement has been updated to include “all operating system types.” This may place more strain on organizations, as they will be required to put in place compensating controls, especially for older systems.


The postings on this blog are the opinions of the individual posters and don’t necessarily represent McAfee’s position or opinion on this subject.
© 2009 McAfee, Inc. All rights reserved. E & O E