maravis.com

As a consulting company, we are always looking to add good tools to our toolbox. We got a demo of a tool that can look for sensitive data within your network. It is called Surveyor Enterprise from Spyglass Software. While it can be used for a lot of purposes, for us the attraction was due to fact that it can help us in PCI-DSS engagements.

One of the things that I have noticed is that a lot of companies use production data for testing. They usually justify this by saying that some use cases can only be reproduced by using production data. PCI-DSS requires that production data is scrubbed or sanitized before being used for testing purposes. The Ponemon Institute has come out with some interesting (and scary) data on data security during development and testing.

There was a news article on the BBC website today about a man arrested for stealing 130 million credit card numbers. He along with a couple of Russian co-conspirators (unnamed), broke into several organizations such as 7Eleven, Hannaford Brothers, Heartland Payment Systems, to name a few and stole credit card numbers with the intent of selling them on.