J.J. Guy

I haven't seen any announcement about this, but the PCI Security Standards Council has published an update in the last few days to the "Guidance for PCI DSS Requirements 6.4.3 and 11.6.1" Information Supplement. In the original version, it said "Note that PCI DSS Requirements 6.4.3 and 11.6.1 do not apply to merchants with webpages that redirect to a TPSP’s page (for example, via an HTTP 30x redirect, a meta redirect tag, or a JavaScript redirect)." That's been removed, and in its place it now says "Note that, where scripts are used as part of a redirection mechanism, PCI DSS Requirements 6.4.3 and 11.6.1 will apply to those scripts." The thing is, by fully-redirecting to a PCI DSS-compliant payment service provider or processor to take payments, the merchant doesn't have a payment page - and it's only the payment page (or parent page when iframes are used) that these requirements apply to. While I think protecting all JavaScript on a website is a really good security best practice - whether that's using CSP+SRI, Jscrambler's Webpage Integrity product, or something else, I'm currently scratching my head as to how this change to the guidance - which "does not replace or supersede requirements in any PCI SSC Standard" - currently applies. I'm curious to hear what others think...

54

17 Comments

2024 set in motion major changes for certificate lifespans and DCV. In this Root Causes Podcast lookback episode Jason Soroko and I discuss the Apple 47-day proposal, stepping down certificate term, public versus private CA use cases, DCV reuse periods, MPIC, WHOIS, and other topics. Audio: https://lnkd.in/gH3Z-adY Video: https://lnkd.in/gN_VpVPy #pki #security

29

New - Investigating Hy-Vee’s massive data breach, Hudson Rock identified critical employees infected by infostealers, compromising Atlassian (Confluence and Jira) credentials. This likely enabled this Stormous group 53GB data heist. (tl;dr below) New Blog (4 minutes read) - https://lnkd.in/dPZYU_-f TL;DR: On June 23, 2025, Stormous breached Hy-Vee’s Atlassian accounts, stealing 53GB of sensitive data, including infrastructure diagrams and operational details. Hudson Rock’s research uncovered an infostealer infections Hy-Vee employee devices, exposing credentials that likely granted attackers access, fueling one of 2025’s boldest retail breaches.

37

Self-Healing IAM Systems - A Business Centric Framework 🚀"The Identity Navigator" Podcast - New Episode Alert🚀   A self-healing IAM system enhances enterprise security by automating identity governance, mitigating operational risks, and ensuring adaptive security resilience.  By leveraging this framework organizations can create dynamic, self-correcting identity frameworks that reduce administrative overhead and improve security posture. Self-healing mechanisms ensure robust access management by automatically detecting and mitigating disruptions, policy misconfigurations, or security anomalies.   https://lnkd.in/ecm7Bz8V   Tune in now and let's check them out together 🎧🔍   #TheIdentityNavigator #IAM #Podcast #TechTalk #IdentityAndAccessManagement #IAM

36

2 Comments

Discover how to harness Tetragon’s real-time Linux telemetry to bolster your security posture. In this video, we’ll guide you through deploying Tetragon for in-depth process, file, and network monitoring, then seamlessly forward those critical events to Wazuh for comprehensive SIEM analysis. https://lnkd.in/gN5UVjJ2

80

1 Comment

Stop whining about how much CMMC costs; It pales in comparison to the costs of not adequately defending your networks, and not just for you but all the taxpayers funding it. CMMC is about compliance and real security. While nation-state espionage represents a significant threat to the Defense Industrial Base, cybercrime presents the most immediate and operationally disruptive risk to your organization's daily operations and long-term viability. Cybercrimes occur every 39 seconds—translating to 2,244 incidents per minute and 3.2 million attacks daily. In 2022, 49% of US internet users experienced cybercrime. Global cybercrime damages are projected to reach $10.5 trillion annually by 2025, up from $3 trillion in 2015—making cybercrime the world's third-largest economy, trailing only the United States and China. Data theft for extortion has become nearly ubiquitous in modern cybercrime operations. Any Department of Defense data you have failed to properly identify, classify, and protect walks right out the door with along with all your other data. Whether the threat actor is China, Russia, or a financially motivated cybercriminal group, the result is the same: you have lost control of data critical to national security; and you will have to report it to the DoD along with your other stakeholders. Additionally, inaccurate Self-Assessment reporting to the DoD carries serious consequences and it is time we started treating it as such. When you sign a DFARS clause, you are making a commitment to the government and fellow taxpayers that you will maintain adequate cybersecurity controls. Achieving CMMC Compliance is not just a regulatory requirement but critical to safeguarding national security data. Knowingly or unknowingly providing false information about your cybersecurity posture can be considered breach of contract and potentially a charge under the False Claims Act. One of the most pressing challenges facing defense contractors is identifying and securing Controlled Unclassified Information (CUI) within their environments. Many organizations struggle with culling through millions of files to locate and properly protect all CUI they have been entrusted to safeguard. The first question is whether you have CUI in your environment, the second question is whether you know where it is and how to protect it before it's too late. P.S. If you are not completely confident on where you really are in compliance and actual security, we are happy to help with any or all of it. #capeendeavors #teramis #cmmc #cybersecurity #cyberthreats

34

1 Comment

K-12 Cybersecurity Insider | 8/25/2025 In this edition: * When SSO and MFA Aren't Enough: Hidden Credential Risk in K-12 * L.A. Schools Telehealth Vendor Waited 8 Months to Report Breach * If a 14-year-old could hack them, how weak was security for 400,000 confidential student records? * K12 SIX Announces 2025-26 Steering Committee Read more and sign up to get it delivered straight to your inbox: https://lnkd.in/enaKAHCb #edtech #edusec K12 SIX

26

1 Comment

🎙️ Big News: 'Simply ICS Cyber' is About to Drop! 🚀 Ever wondered what keeps industrial control systems running securely in our increasingly connected world? Get ready for the inside scoop from the trenches of OT/ICS cybersecurity! 🚨Thrilled to announce the launch of "Simply ICS Cyber" - hosted by Good times and EXPERTS Don C. Weber and Thomas VanNorman, CISSP, GICSP ----------------------- Get a fresh take on industrial cybersecurity featuring two battle-tested ICS security veterans who've seen it all. From power plants to manufacturing floors, we're pulling back the curtain on what it really takes to protect critical infrastructure. ----------------------- 🎬 Premiere Episode: February 19, 2025 at 9:30 AM EST 📍 Where: Simply Cyber YouTube Channel https://lnkd.in/e9FS-3B5 ----------------------- Want a sneak peek? Check out our teaser video that just dropped! 👇 Don't miss this if you're: 👀 An ICS/OT security professional 👀 Working in critical infrastructure 👀 Interested in industrial cybersecurity 👀 Looking to bridge the IT/OT security gap Trust me, you won't want to miss what our experts have to share! ----------------------- Repost ♻️for your network and hook'm up! Follow 👉🏼 Gerald Auger, Ph.D. for more content like this ----------------------- #ICSSecurity #CyberSecurity #OTSecurity #IndustrialCybersecurity #SCADA #CriticalInfrastructure #SimplyICSCyber 

55

4 Comments

Autonomy in the SOC shouldn’t mean black-box automation. What it should mean? ✅ Transparent decisions ✅ Documented steps ✅ The ability to audit and override ✅ Learning that compounds Too many tools confuse “autonomy” with “hands off.” Security leaders can’t afford that. The next generation of platforms must offer more visibility, not less.

34

🚨 Contractors are under pressure to meet CMMC 2.0 requirements—but the top performers are already ahead of the game. What do they have in common? ✅ Smart planning ✅ Strong partnerships ✅ A proactive security-first mindset The new Coalfire and Kiteworks State of CMMC 2.0 Readiness Report reveals what’s working (and what’s not) based on insights from 209 real contractors. Don’t get left behind. Read the full report now! ⤵️ https://ow.ly/EkYo50VLqU3 #CMMC2 #CyberRisk #ComplianceMatters #CyberReadiness

25

2 Comments

Most defense contractors won’t fail CMMC because of the audit. They’ll fail because they waited for the audit to get serious. Right now, your proof of cybersecurity readiness; your SSP, your POA&M, your SPRS score; is what buyers and primes are looking at. Not your certificate. Not yet. So stop stressing about the cert, and start proving you’re secure. Cybersecurity is about behavior, not badges. And readiness is the real competitive advantage. Watch this video if you need clarity on what to prioritize now. 👇 #CMMC #Cybersecurity #DefenseContractors #ValorCybersecurity #Compliance #DoD

12