<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>2-sec</title>
	<atom:link href="http://www.2-sec.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.2-sec.com</link>
	<description>Information security, data protection and cyber defence</description>
	<lastBuildDate>Thu, 17 May 2012 12:45:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>QSA, PA-QSA, ISA, ASV, PPTP, PTS, PFI and QIR &#8211; acronyms going too far?</title>
		<link>http://www.2-sec.com/2012/05/10/qsa-pa-qsa-isa-asv-pptp-pts-pfi-and-qir-acronyms-going-too-far/</link>
		<comments>http://www.2-sec.com/2012/05/10/qsa-pa-qsa-isa-asv-pptp-pts-pfi-and-qir-acronyms-going-too-far/#comments</comments>
		<pubDate>Thu, 10 May 2012 20:14:41 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=1175</guid>
		<description><![CDATA[<p><a href="http://www.2-sec.com">2-sec</a>	
<a rel="author" href="http://www.2-sec.com/author/tim-holman/">Tim Holman</a>	
<a href="http://www.2-sec.com/2012/05/10/qsa-pa-qsa-isa-asv-pptp-pts-pfi-and-qir-acronyms-going-too-far/">QSA, PA-QSA, ISA, ASV, PPTP, PTS, PFI and QIR &#8211; acronyms going too far?</a>	
<a href="http://www.2-sec.com">2-sec - Information security, data protection and cyber defence</a></p><p>Much of my work circles around PCI DSS, and it was interesting to see an announcement from the SSC this week for yet another programme. This time, a select few that are privileged to be in the right place at the right time, can register as QIRs &#8211; Qualified Integrator and Resellers for PA-DSS validated [...]</p>]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Much of my work circles around PCI DSS, and it was interesting to see an announcement from the SSC this week for yet another programme. This time, a select few that are privileged to be in the right place at the right time, can register as QIRs &#8211; Qualified Integrator and Resellers for PA-DSS validated applications.</p>
<p style="text-align: justify;">So now, the PCI SSC manage QSA, PA-QSA, ISA, ASV, PPTP, PTS, PFI and QIR programmes. My big sticking point with these is simply availability. The SSC can train no more than about 60 at a time and this leads to a situation where certified entities all charge a premium because of demand, use junior resource to improve profit margins, and drop customer projects mid-flow as all of a sudden, there are better things to do and more money to be made elsewhere.</p>
<p style="text-align: justify;">I can&#8217;t help but think that the PCI SSC is profiteering &#8211; there&#8217;s a standard for pretty much everything now, and whilst it does need solid guidance and integrity, any security professional that knows what they&#8217;re doing would pretty much take care of this anyway. The Code of Ethics associated with ISC(2) and ISSA-UK membership, for example, can carry a hefty personal liability if things go wrong. It&#8217;s as if the PCI SSC has a distrust of the security community and has to put us through a registration process, just so it has the money to put everyone else through the same registration process.</p>
<p style="text-align: justify;">The word process pretty much hits the nail on the head. All auditing work that I do under these standards must follow a documented process. Even if that process is wrong and introduces serious security vulnerabilities into an organisation, it must be followed or I lose my license.</p>
<p style="text-align: justify;">If everyone follows the same documented process, then guess what? Criminals will know the gaps. Criminals will know what to go for and criminals will soon put any of these standards to shame.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2012/05/10/qsa-pa-qsa-isa-asv-pptp-pts-pfi-and-qir-acronyms-going-too-far/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Banking and Personal Risk Exposure</title>
		<link>http://www.2-sec.com/2012/03/24/online-banking-and-personal-risk-exposure/</link>
		<comments>http://www.2-sec.com/2012/03/24/online-banking-and-personal-risk-exposure/#comments</comments>
		<pubDate>Sat, 24 Mar 2012 17:37:16 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=1009</guid>
		<description><![CDATA[<p>I&#8217;ve been keeping a close eye on online banking as of late, as the banks slowly shift security breach liability to consumers.   Being an online banking customer myself, I was surprised to see a recent change to my terms and conditions: &#8220;We are making some changes to clarify the wording of the guarantee. With [...]</p>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been keeping a close eye on online banking as of late, as the banks slowly shift security breach liability to consumers.   Being an online banking customer myself, I was surprised to see a recent change to my terms and conditions:</p>
<p><em>&#8220;We are making some changes to clarify the wording of the guarantee. With effect from 30 days after you have read this notification the new guarantee wording will be:</em></p>
<p><em>We promise to protect you. In the unlikely event that you innocently suffer internet fraud on your xxxxxx bank account(s), we guarantee to cover the loss &#8211; no matter what the amount taken from your account, provided:</em></p>
<p><em> • You have not given your security details (including your passcode or memorable word) to someone else;</em><br />
<em> • The loss was not caused by your use of an account aggregation service (ie a service provided by another company that allows you to view all of your bank details on a single website);</em><br />
<em> • You have not sent us incorrect payment instructions;</em><br />
<em> • You have used reasonable care when using the internet banking service (eg logging off at the end of each internet banking session and not leaving your computer unattended while logged onto the internet banking service);</em><br />
<em> • You inform us as soon as possible of any security breach or potential breach of which you are aware;</em><br />
<em> • You have not acted fraudulently;</em><br />
<em> • You have complied with the security requirements in the terms and conditions which apply to your account.</em></p>
<p><em>The amount we will refund to you under this guarantee is limited to the amount fraudulently taken from your account by a third party. Barclays will not be responsible for consequential losses.&#8221;</em></p>
<p>The words &#8220;innocently&#8221; and &#8220;reasonable care&#8221; stick out like sore thumbs.  I don&#8217;t know how anyone could claim to be &#8220;innocent&#8221; in the event of a malware infection judging just how widespread anti-malware solutions and marketing is.  That might be a difficult defence to prove in a court of law.  &#8220;Consequential loss&#8221; is a bit scary too.  What if a fraudster uses your money on the stock market and goes short on shares that shift upwards in value?  Ouch.  Or the fraudster buys a gun with your money and goes on a shooting spree.  Consequential loss?  Hmmm&#8230;</p>
<p>&#8230;and how would you define &#8220;reasonable care&#8221;?  Is it reasonable to expect that some consumers might be using shared computers, internet cafes or open wi-fi connections for online banking?  Absolutely.  Is it reasonable to expect these resources to be malware free?  Absolutely not, but dare the banks be this prescriptive and just say &#8220;don&#8217;t use shared computers&#8221;?  No, because it would cost them money as more people would just go back to the counter or use the telephone.</p>
<p>To delve a little deeper, I took a look at the &#8220;security requirements&#8221; in the terms and conditions, that had also been subject to subtle change.  These were:</p>
<p><em>&#8220;You agree to:</em></p>
<p><em> • ensure that your computer, modem or any other device you use is safe, efficient and complies with the standards and requirements we tell you from time to time;</em><br />
<em> • carry out your own regular virus checks and utilize firewall protection as well as take all actions necessary and otherwise reasonable to remove any computer viruses, worms, Trojan Horses, keylogger software or other malicious code from any computer equipment or hosted services from which you access the online electronic banking services and refrain from uploading any such malicious code to our system;</em><br />
<em> • advise us as soon as possible if you become aware of any failure, delay, malfunction, virus or error in the sending or receiving of instructions or any suspected fraud, and assist us in any remedial steps we propose.&#8221;</em></p>
<p>Brilliant.  So the bank now expects consumers to remove malicious code (all actions necessary means what it says on the tin!) from any computer equipment (including shared computers that don&#8217;t even belong to the consumer) and hosted services (i.e. the Cloud)?  Also, if you have a virus or find one, then you&#8217;re also expected to report it to the bank, which actually might be a good idea as does the consumer really know what various flavours of virus actually do?  Let me find their virus reporting phone number&#8230;  oh.. they don&#8217;t have one.</p>
<p>In short this means the consumer is now effectively screwed if they get malware on their system, unbeknownst to them, and money is pulled out of their accounts by fraudsters.  This is putting a lot of discretionary power back to the banks, but given the spates and cost of online banking fraud, isn&#8217;t it about time they admitted that the big wide open Internet just isn&#8217;t a safe place to conduct online banking business, and issue some practical guidance, such as:</p>
<ul>
<li>Don&#8217;t use shared computers for online banking.</li>
<li>Don&#8217;t use open wi-fi connections for online banking.</li>
<li>Rebuild your PC to a known, secure state before every time you decide to access an online banking website.</li>
</ul>
<p>That would be a far more practical way for consumers to avoid causing the banks loss&#8230; and what&#8217;s scary, is that as I know this, I&#8217;m not innocent and this would fall under the reasonable care I would be expected to take, as someone who knows about these things.</p>
<p>It&#8217;s a bit like saying &#8211; here are the keys to my Ferrari, but if it comes back with a little scratch, you&#8217;ll have to buy me a new one.  Actually, make that two so we can pay our bankers a bonus this year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2012/03/24/online-banking-and-personal-risk-exposure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>European Commission proposes significant reforms of &#8217;95 EU Data Protection Directive</title>
		<link>http://www.2-sec.com/2012/02/10/european-commission-prosposes-significant-reforms-of-95-eu-data-protection-directive/</link>
		<comments>http://www.2-sec.com/2012/02/10/european-commission-prosposes-significant-reforms-of-95-eu-data-protection-directive/#comments</comments>
		<pubDate>Fri, 10 Feb 2012 16:32:43 +0000</pubDate>
		<dc:creator>Jim Sabinske</dc:creator>
				<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=954</guid>
		<description><![CDATA[<p>In January, the European Commission proposed significant reforms of the 1995 EU Data Protection Directive.  When these rules were implemented, less than 1% of Europeans used the Internet.  Today, the Internet is a widely-used, powerful tool of commerce.  Massive transfers of data occur between countries, across continents and around the world at the speed of light. Like other EU [...]</p>]]></description>
			<content:encoded><![CDATA[<p>In January, the European Commission proposed significant reforms of the 1995 EU Data Protection Directive.  When these rules were implemented, less than 1% of Europeans used the Internet.  Today, the Internet is a widely-used, powerful tool of commerce.  Massive transfers of data occur between countries, across continents and around the world at the speed of light.</p>
<p>Like other EU directives, the Data Protection Directive was addressed to the member states.  It was up to the member states to transpose the directive’s elements into internal law.  By 1998, all member states had enacted their own data protection laws.</p>
<p>One of the problems with the 1995 Directive was that the 27 member states implemented the rules differently.  This created a confusing and expensive compliance environment for multi-national companies.  Under the new rules, organizations will only have to deal with a single national data protection authority in the EU country where they have their main establishment.</p>
<p>Other key changes in the reform:</p>
<ul>
<li>A single set of rules on data protection, valid across the EU.</li>
<li>Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.</li>
<li>Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.</li>
<li>A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.</li>
</ul>
<p>Where the 1995 Directive lacked adequate enforcement, the new rules would include fines for those breaching EU data protection rules of up to €1m, or 2% of their global annual turnover.</p>
<p>Viviane Reding, EU Justice Commissioner said, &#8220;The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information.&#8221;</p>
<p>The European Commission&#8217;s rules will now be handed off to the European Parliament and EU Member States for discussion.  If approved, they will take effect two years after they have been adopted.</p>
<p>Source: European Commission &#8211; Press release (Brussels, 25 January 2012)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2012/02/10/european-commission-prosposes-significant-reforms-of-95-eu-data-protection-directive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Euronet reports breach at European business</title>
		<link>http://www.2-sec.com/2012/01/27/euronet-reports-breach-at-european-business/</link>
		<comments>http://www.2-sec.com/2012/01/27/euronet-reports-breach-at-european-business/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 19:16:37 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=931</guid>
		<description><![CDATA[<p>Payment processor Euronet Worldwide Inc said a &#8220;small portion&#8221; of its European business was the target of a criminal security breach late last year, sending its shares down as much as 6 percent&#8230; - http://www.reuters.com/article/2012/01/23/us-euronetworldwide-idUSTRE80M2ET20120123 What&#8217;s worrying here is that when you&#8217;re dealing with a payment processor, even a &#8220;small portion&#8221; can add up to a huge number [...]</p>]]></description>
			<content:encoded><![CDATA[<p>Payment processor Euronet Worldwide Inc said a &#8220;small portion&#8221; of its European business was the target of a criminal security breach late last year, sending its shares down as much as 6 percent&#8230; - <a href="http://www.reuters.com/article/2012/01/23/us-euronetworldwide-idUSTRE80M2ET20120123" target="_blank">http://www.reuters.com/article/2012/01/23/us-euronetworldwide-idUSTRE80M2ET20120123</a></p>
<p>What&#8217;s worrying here is that when you&#8217;re dealing with a payment processor, even a &#8220;small portion&#8221; can add up to a huge number of potentially compromised credit cards.  Being one of the biggest processors worldwide (market value close to $1bn), then I get the feeling someone somewhere is trying to play things down.</p>
<p>According to Euronet&#8217;s CEO, Michael Brown, they were informed about the breach by the card schemes.  So they didn&#8217;t even have the processes in place to detect the breach themselves.  Which gets interesting.  Brown then goes on to say &#8220;When we heard the first little inklings of this, we jumped in, figured it out, got third parties involved who are real experts at this, and closed the breach&#8230; between our discovery and our shutdown, it wasn&#8217;t a long period of time.&#8221;  So is this saying that Euronet aren&#8217;t experts at detecting and dealing with security breaches?  I wonder&#8230;</p>
<p>There&#8217;s mention that &#8220;Expenses from the breach were less than 1 cent per share in the fourth quarter of 2011.&#8221;  According to nasdaq.com, Euronet currently have 50,000,000 shares outstanding.  At one cent a share, that&#8217;s $500,000.  Which is quite a high expense in my opinion, to deal with a &#8220;small portion&#8221; of its European business.  That buys you a team of top notch forensic investigators for a year and access to some of the best security solutions around.</p>
<p>They had been audited in the past by one of the best known QSAs, who no doubt did a thorough job, but it just goes to show that an audit can only help you so much.  It can never be absolute and always depends on just how much money an entity is prepared to spend on an assessment.  Period.</p>
<p>What happens next, I&#8217;m not sure.  Maybe when dealing with a $1bn company data breaches are just small fry and they can just gobble up the costs, but playing it down to be an insignificant event is wrong.  They should know better, as companies like this form the backbone of finance for private companies and SMEs and a lax attitude is exactly what encourages other companies that follow in Euronet&#8217;s footsteps to drop their guard.</p>
<p>Be vigilant.  If you&#8217;re a payment processor, be worried &#8211; there are criminals that are specifically targeting this area, who have the resource and know-how to hack into a $1bn company that&#8217;s already paid through their teeth for security controls and an extensive PCI DSS audit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2012/01/27/euronet-reports-breach-at-european-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Five Security Predictions for 2012</title>
		<link>http://www.2-sec.com/2012/01/11/top-five-security-predictions-for-2012/</link>
		<comments>http://www.2-sec.com/2012/01/11/top-five-security-predictions-for-2012/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 17:24:03 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[Information Security]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=787</guid>
		<description><![CDATA[<p>To get 2012 off to a start, I have five security predictions for the year ahead: 1) Brownouts I predict a major brownout to occur during 2012.  By brownout I mean a critical failure in a key system due to over-capacity, with far reaching consequences.  Something somewhere is going to be overloaded and fail spectacularly [...]</p>]]></description>
			<content:encoded><![CDATA[<p>To get 2012 off to a start, I have five security predictions for the year ahead:</p>
<p style="padding-left: 30px;">1) Brownouts</p>
<p style="padding-left: 30px;">I predict a major brownout to occur during 2012.  By brownout I mean a critical failure in a key system due to over-capacity, with far reaching consequences.  Something somewhere is going to be overloaded and fail spectacularly due to under-engineering and failure to take a practical approach to business continuity and systems availability.  With the Olympics coming up in the UK, which has had known system problems already, I just feel something is just going to stop working.  What can you do?  Well.  Security has focused far too much on Confidentiality, with a spot of effort around Availability and a miserable attempt at ensuring Integrity.  We have already seen last year with RIM (the Blackberry guys), that their business continuity plan failed with regards to a key server.  The whole Blackberry network went down for days as a result.  A regular service restoration test of critical components (and of course, working out what should be termed critical) is essential for any business with reliance on IT systems.  There is too much reliance on &#8220;high availability&#8221; which makes companies lazy when it comes to taking and testing backups.  Why &#8220;Security&#8221; do you ask?  Well, availability is there in the CIA triangle and whether malware or a systems outage cause availability issues &#8211; they still need to be prepared for accordingly.  Also, an adversary can attack your systems with a denial of availability attack, which perhaps causes you to move to insecure, untested systems in your backup data centre, or take steps to restore systems that leave you wide open for a number of very simple to execute attacks.</p>
<p style="padding-left: 30px;">2) The Cloud is Not Enough</p>
<p style="padding-left: 30px;">Cloud based services were originally created in order to make use of spare capacity in data centres, that had been over-engineered to cope with high demand over particular periods, for example the retail boom over Christmas, major news events and major sporting events.  Bit by bit, this spare capacity is being sucked up.  It would be very expensive for a cloud provider to invest in new hardware to improve the performance and availability baseline 365/24/7 for all customers.  So what happens when the troughs of availability that cloud providers effectively &#8220;sell&#8221; get filled up?  Will the market start selling based on contention ratios as the ADSL market did ten years ago?  Without a doubt, expect to see a rise in prices of cloud based services that have the SLAs that you need.  Anything too cheap is likely too good to be true and you will be moved to more expensive service models once you start feeling the effects of other customers&#8217; services taking up your CPU and Memory!</p>
<p style="padding-left: 30px;">3) Teenage Hackers</p>
<p style="padding-left: 30px;">LulzSec and Anonymous seem to have quietened down following a series of arrests over 2011, yet new organisations are cropping up. Only recently this year a Saudi based hacking group exposed details of &#8220;zionists&#8221; on the web, so those they thought were pro-Israeli / anti-Arab.  Extremist organisations could do a lot of damage with this information.  Well that&#8217;s not quite a prediction as it has already happened, but as security knowledge spreads far and wide and with an ever changing world economy, there are no doubt an increasing number of disillusioned school kids that seek to impress the world with their anarchic hacking skills.  The bigger threat is state sponsored hacking, or economic information theft that China can use to her advantage.  We&#8217;ve seen blueprints go missing, an unquantified hack on critical information systems at the International Monetary Fund, the odd economic collapse preceded by suspicious overseas trading activity, trade secrets and bid information being stolen, all allegedly by Chinese companies.</p>
<p style="padding-left: 30px;">4) Ooops</p>
<p style="padding-left: 30px;">Some company that really should have known better is going to suffer a big breach.  At least one well known retailer will suffer a breach and lose credit card information and I suspect one or two third party payment service providers will be defeated by the ever advancing knowledge of our adversaries.</p>
<p style="padding-left: 30px;">5) Security in the core</p>
<p style="padding-left: 30px;">Silver bullet solutions and vendors that pitch them are going to struggle in 2012, unless they take a holistic approach to security and play ball with the joined up thinking we are starting to see from the Microsofts and Ciscos of the world.  Security is being built in to our systems as we speak and the value add of security vendors is dwindling.  Vendors are starting to sing the 2-sec message &#8211; Simplifying Security, even though it was them that complicated the whole thing in the first place!  Consultancies and testing houses will be doing well, but is there still a place in our hearts and wallets for magic bullets?</p>
<p>Whatever my predictions bring, we must all look at raising the bar for 2012 and ensuring we have a decent level of measurable baseline security controls in place.  As with brakes on a Ferrari, good security makes sure your company can go faster!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2012/01/11/top-five-security-predictions-for-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Being compliant doesn&#8217;t make you secure&#8230;</title>
		<link>http://www.2-sec.com/2011/11/23/being-compliant-doesnt-make-you-secure/</link>
		<comments>http://www.2-sec.com/2011/11/23/being-compliant-doesnt-make-you-secure/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 11:21:27 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=662</guid>
		<description><![CDATA[<p>I&#8217;ve been to a few talks lately and it seems to be a growing theme. People think that being compliant doesn&#8217;t make you secure, and that to be &#8220;secure&#8221; you need to exceed what you are doing at a compliance level. I have to say I disagree, and I wish people wouldn&#8217;t keep quoting such [...]</p>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve been to a few talks lately and it seems to be a growing theme. People think that being compliant doesn&#8217;t make you secure, and that to be &#8220;secure&#8221; you need to exceed what you are doing at a compliance level.</p>
<p>I have to say I disagree, and I wish people wouldn&#8217;t keep quoting such nonsense!</p>
<p>Compliance is a measure of security assurance at any given time and I&#8217;d have to say, with such a thorough standard as PCI DSS, it&#8217;s really difficult, unless you start talking APTs, to get around the standard and end up with insecure systems, unless of course you&#8217;re not doing it properly or are acting on inaccurate advice in the first place.</p>
<p>I think what people mean to say is &#8220;getting your compliance program wrong without knowing it doesn&#8217;t make you secure&#8221;. I can be very happy with that statement instead. :)</p>
<p>That leads us to an interesting dilemma. Experts on PCI DSS who actually know what they&#8217;re doing are few and far between. The guidance from the PCI Security Standards website is good, but only if you understand it and don&#8217;t try to take short-cuts.</p>
<p>It&#8217;s such a pity that, although the standard started out with all good intent, the compliance moniker has been trashed by people from all sorts of companies &#8211; consultancies, merchants, banks, vendors and even card schemes and QSAs themselves.</p>
<p>So what can be done about it? How do we get Compliance back on the pedestal and start giving it the respect it deserves?</p>
<p>We really must stop spreading the wrong message, as that in itself can cause vulnerabilities to open up when companies start skipping through compliance projects.</p>
<p>We must not rewrite the rulebook. Countless GRC applications are on the market now that try to do PCI DSS their own way. The value of credit card information is still not perceived at board level (&#8220;it&#8217;s not my data, I don&#8217;t care&#8221;), and other business-critical operations overtake it on the risk register, such as disaster recovery, resilience and, of course, new software features that help get more customers.</p>
<p>Compliance IS a very valuable security component in itself, and in my six years&#8217; experience of PCI DSS audits, I&#8217;ve never found a single entity to be compliant from day one and there have ALWAYS been holes in controls that leave these entities vulnerable to certain types of attack.</p>
<p>So yes, being compliant DOES make you secure. Implicitly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2011/11/23/being-compliant-doesnt-make-you-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISSA-UK Event &#8211; Trends in Information Security, Leeds</title>
		<link>http://www.2-sec.com/2011/11/12/issa-uk-event-trends-in-information-security-leeds/</link>
		<comments>http://www.2-sec.com/2011/11/12/issa-uk-event-trends-in-information-security-leeds/#comments</comments>
		<pubDate>Sat, 12 Nov 2011 12:47:45 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[ISSA-UK]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/?p=428</guid>
		<description><![CDATA[<p>Our next ISSA-UK event is on Tuesday 22nd November, 2011, at PWC in Leeds. Information Security / Computer Security changes and evolves constantly. What are the latest trends? ISSA brings you some thoughts on potential issues which we need to consider as a part of the corporate security strategy. Agenda: 16:00 Registration 16:30 Introduction, Les [...]</p>]]></description>
			<content:encoded><![CDATA[<p>Our next ISSA-UK event is on Tuesday 22nd November, 2011, at PWC in Leeds.</p>
<p>Information Security / Computer Security changes and evolves constantly. What are the latest trends? ISSA brings you some thoughts on potential issues which we need to consider as a part of the corporate security strategy.</p>
<p>Agenda:</p>
<p>16:00 Registration</p>
<p>16:30 Introduction, Les Fraser, ISSA-UK</p>
<p>16:40 Understanding Application Risk: The Current State of Software Security, Jamie Cowper, Veracode</p>
<p>17:30 Security implications of merging business and private use of IT, Lloyd Bridges, Senior Manager, PWC</p>
<p>18:10 The Consumerization of IT &#8211; David Horn, Security Consultant, Sapphire</p>
<p>18:50 Some thoughts on regulatory, legal and legislative issues, Stewart James, DLAPiper</p>
<p>19:25 Conclusion</p>
<p>19:30 Networking</p>
<p>The event is worth 3 CPE / CPD credits and ISSA are recognised by ISC(2) and ISACA as an education provider.</p>
<p>There is a small charge for returning non-members to attend this event, although you may join/renew your UK Chapter or UK Affiliate membership via <a title="http://www.issa.org" href="https://www.issa.org/page/?p=Join_Online_8">www.issa-uk.org/join</a>; current ISSA International membership fees are $95 per year.</p>
<p>We also operate a first event free policy, so please feel free to come along and try us out.</p>
<p>Please register here:</p>
<p><a href="http://leeds22november.eventbrite.com/">http://leeds22november.eventbrite.com</a></p>
<p>We look forward to seeing you there!</p>
<p>Many thanks,</p>
<p>Tim</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2011/11/12/issa-uk-event-trends-in-information-security-leeds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISSA-UK Microsoft Security Day, London 13th Dec 2011</title>
		<link>http://www.2-sec.com/2011/11/07/issa-uk-microsoft-security-day-london-13th-dec-2011/</link>
		<comments>http://www.2-sec.com/2011/11/07/issa-uk-microsoft-security-day-london-13th-dec-2011/#comments</comments>
		<pubDate>Mon, 07 Nov 2011 12:02:00 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[ISSA-UK]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/2011/11/07/issa-uk-microsoft-security-day-london-13th-dec-2011/</guid>
		<description><![CDATA[<p>ISSA-UK and Microsoft have arranged a Microsoft Security Training Day on Tuesday December 13th, 2011. The aim of Security Training Days is to educate delegates as to new developments in technologies and solutions that will help them in their day-to-day security roles. This event is worth 5.5 CPDs/CPEs to contribute toward your ongoing security training [...]</p>]]></description>
			<content:encoded><![CDATA[<p>ISSA-UK and Microsoft have arranged a Microsoft Security Training Day on Tuesday December 13th, 2011.</p>
<p>The aim of Security Training Days is to educate delegates as to new developments in technologies and solutions that will help them in their day-to-day security roles. This event is worth 5.5 CPDs/CPEs to contribute toward your ongoing security training certifications.</p>
<p>This event will focus on a wide range of Microsoft solutions &#8211; desktops, servers, gateways, identity based access, rights management, certificate management, identity federation and of course the cloud.</p>
<p>The event will be held at Microsoft&#8217;s London Headquarters in Cardinal Place, Victoria and we can accommodate up to 200 delegates.</p>
<p style="text-align: center;"><strong>AGENDA</strong></p>
<p>09:30 &#8211; Arrival and Registration (tea, coffee, biscuits)</p>
<p><strong>10:00 &#8211; Introductions &amp; Welcome</strong><br />
Tim Holman, President, ISSA UK<br />
Stuart Aston, Chief Security Advisor, Microsoft UK</p>
<p><strong>10:10 &#8211; Cyber Threat &amp; Microsoft Strategy</strong><br />
Stuart Aston, Chief Security Advisor, Microsoft UK</p>
<p><strong>10:45 &#8211; Identity Based Access Technologies and the Cloud</strong><br />
Rob Jones, Technology Architect IDA RMS, Microsoft UK</p>
<p><strong>11:30 &#8211; Securing the desktop, your servers and your gateway</strong><br />
Tony Clark, Identity and Security Specialist, Microsoft UK</p>
<p>12:15 &#8211; Buffet lunch</p>
<p><strong>13:15 &#8211; Rights Management &#8211; Securing Critical Data</strong><br />
Robert Jones, Technology Architect IDA RMS, Microsoft UK</p>
<p><strong>13:45 &#8211; Certificate and PKI Management</strong><br />
David Hoyle, Security Program Manager, Microsoft UK</p>
<p>14:25 &#8211; Coffee break</p>
<p><strong>14:50 &#8211; Active Directory Federation Services</strong><br />
David Hoyle, Security Program Manager, Microsoft UK<br />
Robert Jones, Technology Architect IDA RMS, Microsoft UK</p>
<p><strong>15:20 &#8211; Panel (questions &amp; answers)</strong></p>
<p>16:20 &#8211; Conference wrap-up</p>
<p>16:30 &#8211; Networking Reception (tba)</p>
<p>18:00 &#8211; Close</p>
<p><span class="vevent"><span class="description">Sign up link &#8211; <a href="http://microsoftdec2011.eventbrite.com/">http://microsoftdec2011.eventbrite.com/</a></span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2011/11/07/issa-uk-microsoft-security-day-london-13th-dec-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Incident Response Training &#8211; Bristol, Wed 9th November 2011</title>
		<link>http://www.2-sec.com/2011/11/03/incident-response-training-bristol-wed-9th-november-2011/</link>
		<comments>http://www.2-sec.com/2011/11/03/incident-response-training-bristol-wed-9th-november-2011/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 12:01:00 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[ISSA-UK]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/2011/11/03/incident-response-training-bristol-wed-9th-november-2011/</guid>
		<description><![CDATA[<p>ISSA-UK are holding their next training workshop in Bristol on Wednesday 9th November, 13:30 &#8211; 17:30. This is essential training for anybody with full or partial responsibility for Incident Response Management within their respective organisations. You will be hearing from our highly experienced workshop leader, Adrian Wright, ex-CISO Reuters and CEO/founder of Secoda, who has [...]</p>]]></description>
			<content:encoded><![CDATA[<p>ISSA-UK are holding their next training workshop in Bristol on Wednesday 9th November, 13:30 &#8211; 17:30.</p>
<p>This is essential training for anybody with full or partial responsibility for Incident Response Management within their respective organisations.</p>
<p>You will be hearing from our highly experienced workshop leader, Adrian Wright, ex-CISO Reuters and CEO/founder of Secoda, who has kindly donated his time.</p>
<p>The workshop will be worth 3 CPEs, for those that need to maintain CISSP, CISA, CISM and QSA certifications, but more importantly, will provide you with invaluable knowledge of how to develop and maintain an effective Incident Response Plan.</p>
<p>The workshop is free for ISSA-UK members, and there is a small charge of £20 for non-members to cover administration and catering costs.</p>
<p>Please take a moment to look through the agenda and register here: <a href="http://bristolnov09.eventbrite.com/">http://bristolnov09.eventbrite.com/</a></p>
<p>Opportunities like this do not come around often and equivalent training would cost you hundreds of pounds, but as a not-for-profit organisation, ISSA-UK are committed to delivering high quality education to the security community at a fraction of the cost.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2011/11/03/incident-response-training-bristol-wed-9th-november-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risky Business and Quick Win Compliance</title>
		<link>http://www.2-sec.com/2011/10/24/risky-business-and-quick-win-compliance/</link>
		<comments>http://www.2-sec.com/2011/10/24/risky-business-and-quick-win-compliance/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 17:40:00 +0000</pubDate>
		<dc:creator>Tim Holman</dc:creator>
				<category><![CDATA[PCI DSS]]></category>

		<guid isPermaLink="false">http://www.2-sec.com/2011/10/24/risky-business-and-quick-win-compliance/</guid>
		<description><![CDATA[<p>I ran a couple of sessions at RSA Europe 2011 to talk about PCI DSS and Risk Based Compliance. What struck me was the make-up of the audience. One or two years ago, I could have put good money on the make-up of the audience being 90% merchants, but now, an equal balance [...]</p>]]></description>
			<content:encoded><![CDATA[<p>I ran a couple of sessions at RSA Europe 2011 to talk about PCI DSS and Risk Based Compliance.</p>
<p>What struck me was the make-up of the audience. One or two years ago, I could have put good money on the make-up of the audience being 90% merchants, but now there is an equal balance of issuers/acquirers, service providers, mobile payment providers, merchants and people from outside of the UK trying to get a hold on what PCI DSS is all about.</p>
<p>The majority of the audience were under the impression Risk Based Compliance was a shortcut, method or tactic to avoid PCI DSS Compliance altogether, which was even more interesting.</p>
<p>To reiterate, Risk Based Compliance is something that banks have put together to enable better progress reporting from Level 1 merchants, as most appear to be &#8220;stuck&#8221; at having completed all the quick wins and have 60-70% compliance scores.</p>
<p>The banks have thought &#8220;great &#8211; they&#8217;re almost there!&#8221;, and in my opinion, have assumed that each PCI DSS control is equally weighted, requires equal effort and cost and that a score of 60-70% is actually quite good.</p>
<p>The introduction of TIP in the States was brought up, where it has been widely promoted as a shortcut to PCI Compliance. As long as 95% of in-store transactions are taken via an approved chip and PIN device, merchants only need to validate against milestones 1/2 and be compliant against milestones 1/2/3/4 to avoid any breach fines.</p>
<p>TIP is taking off in the UK, even though the other card schemes that make up the council haven&#8217;t quite yet agreed to it, and indeed is an easy win as 99% of the market is already using chip and PIN devices (yes, some merchants still don&#8217;t&#8230;).</p>
<p>But in the US, with 1,000+ banks and limited EMV architecture, there&#8217;s a HUGE step to be taken before any merchant can even get the infrastructure in place and start validating against TIP. We&#8217;re at least 2 or even 3 years away from the US adopting chip and PIN on a large scale. The TIP carrot might help.</p>
<p>We also covered off the changes in PCI DSS v2.0 and again I had to tell everyone there hadn&#8217;t been any (major ones), although a few did pipe up and say &#8220;our QSA&#8221; or &#8220;our vendor&#8221; said there have been lots of changes and needed to know what to do next. Reading the Summary of Changes Document would be a good start, as it details exactly what typos have been corrected in PCI DSS v2.0 over v1.2.1.</p>
<p>The first point I draw from this is that there is still evidently a &#8220;quick-win&#8221; culture out there that does nothing to improve security; all it does is boost the compliance score. The schemes and banks have picked up on this, and moved risk assessments to milestone 1, as this should catch any medium/high/critical risks that quick-win compliance hasn&#8217;t covered.</p>
<p>Secondly, the applicability of TIP and Risk Reduction Programmes in relation to PCI DSS is reserved for large merchants. If you&#8217;re level 2, 3 or 4, then self assessment is still perfectly acceptable. Some larger level 2s might benefit, but generally speaking, self assessment is all that is required. Plus of course actually being compliant, as opposed to ticking the boxes&#8230;</p>
<p>To conclude, the RSA Conference was great fun, but delegates just seemed to be drawn to those speaking about FUD. They weren&#8217;t really interested in my attempt-to-educate at all, really, which was a shame. Do I really have to make a move into the entertainments business?? :)</p>
<p>I&#8217;ve changed jobs in the meantime &#8211; am now CEO at 2-sec. Watch this space&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.2-sec.com/2011/10/24/risky-business-and-quick-win-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

