The Payment Card Industry Data Security Standard (PCI DSS) has long been the benchmark for organisations that handle cardholder data, providing a framework for securing payment systems and protecting sensitive information. With the release of PCI DSS v4.0, organisations must adapt to the updated requirements or risk facing significant fines for non-compliance. As the […]
Navigating Data Protection Regulations and Compliance
Data protection regulations are crucial in today’s digital age, especially for industries like healthcare that handle sensitive information. Understanding and complying with these regulations can be daunting, but it’s essential for safeguarding data and maintaining trust. This article will help you navigate data protection regulations and compliance with practical tips and tools. Understanding Data Protection […]
HIPAA Penetration Testing Checklist
In the healthcare sector, data security is paramount. Patient information must be safeguarded at all costs. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation applicable to American citizens and healthcare organisations. It sets the standard for protecting the privacy and security of sensitive patient data. Any organisation within or […]
Preparing for DORA: How Threat-Led Penetration Testing (Red Teaming) Can Enhance Your Digital Resilience
As the financial sector becomes increasingly digitised, the risks associated with cyber threats and operational disruptions are growing. To address these challenges, the European Union has introduced the Digital Operational Resilience Act (DORA), a comprehensive regulation designed to ensure that financial institutions can withstand and recover from all types of digital disruptions. One key aspect […]
PCI DSS 4 Requirements for Code and Payment Pages
As we help our customers with transitioning to PCI DSS 4, some immediate and future-dated requirements are standing out for special attention, specifically:
6 – Code repositories used for custom code and configuration information
6.4.3 – Authorization of payment page scripts
11.6.1 – Change and tamper detection for payment pages, including scripts
Code Repositories […]
Breaking into the Cloud: Red Team Tactics for AWS Compromise
Traditionally, Red Teaming has always put an extensive focus on environments with an on-premises network managed by Active Directory. The MITRE ATT&CK framework (https://attack.mitre.org/) includes a number of TTPs for these environments, such as the exploitation of Active Directory-specific services and scenarios (e.g. Kerberos, NTLM issues, escalation to Domain Admins). However, nowadays a large number […]
The Growing Cybersecurity Risks of AI and Mitigations: External and Internal Threats
As artificial intelligence (AI) continues to advance and permeate various industries, it brings about significant benefits and transformative capabilities. However, along with its tremendous potential, AI could also impact organisations’ cyber risk profile by introducing new risks which have not been previously considered. In this article, we will explore the growing threats associated with AI, […]
How to Classify Sensitive Data within Your Organisation (2/2)
In this second part of our two-part blog we will discuss the requirements to correctly classify your data. Following on from part one, once the identification and classification of your data has been completed, you need to focus upon data handling.
Establish Data Handling Requirements
There are numerous forms of technical, operational and management controls […]
How to Classify Sensitive Data within Your Organisation (1/2)
A crucial first step towards ensuring your data is secure is to identify and classify your information assets. Without considering these tasks you will neither know where your assets are nor how to keep them secure. Information
· which assets are more valuable than others
· which assets require additional security controls
Failure to classify […]
The New NIS2 Directive: What do I need to know?
The Network and Information Systems (NIS) Regulations, aimed at raising levels of cyber security and resilience of key systems across the EU, came into force on 10th May 2018. On 16th January 2023, the NIS2 Directive came into force. The NIS2 Directive rescinds the original NIS Directive and creates a more extensive and standardised set […]