Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Today, for enterprises and even SMB companies, IT is a sprawling but interconnected universe of applications, devices, and services all running in tandem to maintain the lifeblood of these organizations—data. Navigating the complexities of this arrangement is not just a challenge for security teams (something which Nightfall customers have attested to, before adopting our platform), it’s a genuine challenge for anyone who must manage and use information.

Broadly speaking, an information security program is a set of activities and initiatives that support a company’s information technology while protecting the security of business data and enabling the company to accomplish its business objectives. An information security program safeguards the proprietary information of the business and its customers. The Gramm-Leach-Bliley Act (GLBA) has a more specific definition of what a security information program should entail.

In early April, the tech industry witnessed a major GitHub security incident targeting GitHub organizations using Heroku and Travis CI. GitHub was made aware of this threat via an attack leveraging AWS API keys to GitHub’s own npm production infrastructure. As upstream security risks within SaaS platforms become more common, organizations that leverage these platforms are relying on tools like Nightfall to protect themselves.

The Gramm-Leach-Bliley Act (GLBA) aims to protect consumer financial privacy with three provisions: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Provisions. In our previous post, we covered the GLBA Financial Privacy Rule and what financial institutions, as defined by the GLBA, need to know to be compliant.

We’re pleased to announce that Nightfall has joined Snyk’s Technology Alliance Partner Program (TAPP). Nightfall will sit alongside partners like RedHat, and Hashicorp to provide critical DevSecOps functionality to developers.

Last month’s revelation that Okta had been hacked created a seismic impact in the world of security, with organizations still bracing themselves for the fallout from this incident. While resources, like Microsoft’s article on Lapsus$ (tracked as DEV-0537), have broadly dissected the attack vectors used in the group’s attacks, we wanted to expand on the broader trends and context surrounding the Okta hack.

PCI DSS stands for Payment Card Industry Data Security Standard. This standard is set forth by the PCI Security Standards Council, an organization founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc. The PCI DSS sets security rules for any business that accepts their cards, with the goal of protecting customer credit and debit card data. Any business that accepts any non-cash payments needs to meet the PCI standards.

PCI compliance is a complicated matter. There are a number of different steps to meet and validate your achievement of the PCI DSS standard. In this guide, we’ll break down the steps in PCI compliance testing, the different types of PCI compliance tests, and how much it costs to complete this process.

Network segmentation is a practice that can dramatically lower the time, effort and cost of a PCI DSS assessment. Not only is it an industry best practice for security cardholder data, but it’s also an effective way of controlling the annual commitment of meeting your PCI compliance requirements. Here’s how network segmentation works, as well as some key best practices for using network segmentation to reduce the scope of your PCI assessment.

PCI compliance applies to businesses of all sizes: In fact, the PCI Council sets compliance standards according to how many card-based transactions a business handles each year. There are four merchant levels are Small businesses usually fall under level four. If you’re not sure what level your business falls into, your point-of-sale (POS) reports may be able to tell you.