Written by Kiran Murthy & Eishu Richhariya Introduction PCI-DSS stands for Payment Card Industry Data Security Standard. This standard first came into the picture in 2004, and it was formed by Visa, MasterCard, Discover Financial Services, JCB International, and American Express. It is governed by PCI SSC, i.e., Payment Card Industry Security Standards Council. Applicability- PCI-DSS applies to companies/organization which accepts, store, process and/or transmits cardholder data. When will the new version PCIDSS v4.0 take effect? Until March 31, 2024, PCI assessments will choose the version (v3.2.1 or v4.0) for conducting the assessment. After this date, v3.2.1 will be retired, and v4.0 will become the singular standard. PCI-DSS v4.0 New Requirements The new version contains a substantial number of new requirements—64 in total. When using v4.0, only 13 out of 64 are mandatory. Until March 2025 additional 51 remain “best practices”; after the retirement of v3.2.1, it will be mandatory to complete a PCI DSS assessment. Changes in the Security Objective of PCI-DSS v4.0? PCI-DSS v3.2.1 PCI-DSS v4.0 Build and Maintain Secure Network and Systems Build and Maintain Secure Network and Systems Protect Card Holder Data Protect Account Data Maintain a Vulnerability Management Program Maintain a Vulnerability Management Program Implement Strong...

Last week a Remote Code Execution vulnerability was disclosed in Spring. Spring is an open-source application framework that provides infrastructure support for creating Java applications that can be deployed on servers as independent packages. Approximately, 70 percent of all Java applications use it. What is CVE-2022-22965? CVE-2022-22965 was assigned to the vulnerability and is considered critical as it can result in an RCE. RCE vulnerabilities will allow a malicious actor to execute custom code of choice on the machine. The vulnerability was named after the previous infamous log4shell vulnerability, spring4shell. The vulnerability was first reported to VMWare on March 29th, 2022 after which VMWare informed this to the spring team. On the next day, Spring started the vulnerability response procedure. It was during this process, that the vulnerability was leaked to the public and exploitation began in the wild. Are you affected? For the application to be vulnerable, several requirements are to be matched as laid out by Spring. JDK version 9+ Apache Tomcat for serving the application Spring-webmvc or spring-webflux dependency Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 and older versions. Application built as a WAR file Certain REST API which will process user input. What...

Authentication bypass due to weak verification of SAML Token What is authentication bypass in web applications? The web application vulnerability - authentication bypass occurs when there is improper validation of the user’s identity on the server-side. Generally, a successful authentication bypass requires the attacker to have knowledge of either the username/email ID unlike the case of SQL injection where the attacker can attempt to log into the application using any user. What is SAML? SAML (Security Assertion Markup Language) is a standard for authenticating and authorizing users across multiple applications by leveraging the logged-in session of one application. In simple words, you log into a dashboard where you see multiple applications like Salesforce, AWS, Slack, ADP, etc. and when you click on any one of the icons, you would directly get signed into that application. Unlike other tokens, the SAML token is XML-based for transferring identity between two parties. So, who are these two parties? 1. Identity Provider (IdP) 2. Service Provider (SP). IdP is responsible to authenticate the user and subsequently sending the token to the service provider and SP trusts the identity provider and authorizes/authenticates the user to access the requested application. Some applications implement SAML for the...

If there is a central key aspect of healthcare security, it is HIPAA. The Health Insurance Portability and Accountability Act of 1996 changed the way healthcare providers increased the security of patient data and information. Every person that works in healthcare, from the front desk person to a brain surgeon, learns exactly what HIPAA is and how they must incorporate it in their jobs. But is following the basic rules of HIPAA truly enough to be secure? Why is HIPAA not enough? First, the HIPAA Security Rule is meant to cover a wide range of medical practices, from the small single-doctor office to a huge university teaching hospital. The wide range meant that many of the security elements are necessarily vague. While this allows the Security Rule to apply to the wide range, it also allows for gaps in how patient data is securely treated. Second, not every standard is required. This is because HIPAA provides guidelines and a framework for security, but it is not prescriptive. It is up to each company or clinic to define what compliance means to them. Addressable standards can be eliminated if the location can document a business reason for not addressing the particular...

Accorian at UPES, Dehradun Despite industry-wide hiring freezes as a result of COVID, Accorian has established its first university recruitment channel with UPES Dehradun for their security graduates; having hired two members from the university to our team in 2020. This year alone, Accorian has grown 150% since the start of COVID across all levels, adding breadth and depth to our compliance and security teams. Accorian is looking to carry this momentum into 2021 with 6 more junior positions opening up in January in concert with more experienced roles. As this growth continues, Accorian will continue to establish new campus-recruitment channels to ensure we are finding the best talent to grow with us to become leaders in the industry. The role of university-recruitment is crucial to the growth and culture of any company. Whether it is an intern, a full-time employee, or a leader, Accorian is committed to creating an atmosphere of growth, camaraderie, and accountability for every member of our team. Accorian is a full-service cybersecurity, compliance, and consulting firm helping companies improve the way they approach and manage risk. Accorian is always looking for driven security enthusiasts as we continue to grow. If you feel you are a good...