It is well known there is a low barrier of entry for a security company to become a certified QSA Company (QSAC). As long as a reasonable amount of security experience can be documented and an annual fee paid, the resultant QSA examinations are trivial to pass.  This unfortunately leads to a market that is awash with inexperienced auditors, that have made some very expensive decisions on behalf of entities whom have had to demonstrate validation against the standard.  We would recommend you consider the following starting points prior to engaging a QSAC…  read more here.

2-sec Training Courses

Advanced PCI DSS Training Course
June 13-14 2013 London, UK - LAST REMAINING PLACES

2-sec 2secadmin May 2013 Newsletter 2-sec - Information security, data protection and cyber defence

It is well known there is a low barrier of entry for a security company to become a certified QSA Company (QSAC). As long as a reasonable amount of security experience can be documented and an annual fee paid, the resultant QSA examinations are trivial to pass.  This unfortunately leads to a market that is awash with inexperienced auditors, that have made some very expensive decisions on behalf of entities whom have had to demonstrate validation against the standard.  We would recommend you consider the following starting points prior to engaging a QSAC:

• Insist on a named auditor that you can verify – remember your ongoing face-to-face relationship will be with the QSA Consultant and not the QSAC.
• Check the auditor’s credentials – do they have experience working with companies such as yours?
• Validate the QSAC and QSA Consultant on the PCI Security Standards website (it’s surprising how many people don’t) – are they “In Remediation”?  If so, contact the QSA and find out why.  Is this for a minor infringement, or is the QSA soon to disappear off the list?
• Check the consultant has actually performed a PCI DSS Audit before and ask how many audits they have previously completed.
• Get written references from the QSA’s previous customers.  Not just for the QSA Company, but for the actual auditor you will be using.
• A good auditor will be able to provide a number of satisfied customers that would be more than happy to take your call to discuss their past performance.
• Interview your auditor prior to the engagement starting and ensure they understand your technology, infrastructure and business. It has been said that some QSAs don’t even know what a POS is!
• Get familiar and trained with PCI DSS before engaging a QSA and make a head start on documenting cardholder data flows and scope – it’s not rocket science to identify where in your organisation cardholder data is being stored, processed or transmitted.
• Remember that just because payments might be outsourced to a service provider does not mean you are out of scope.  Assess all service providers and connected entities too.
• Insist that the audit is completed within a set amount of time and at an agreed job rate.  The QSA should know how to structure an audit to save you time and an “open day rate” is inadvisable for audit work, as might indicate the QSA does not have a structured methodology.
• Keep your Audit, Advisory and Penetration Testers separate.  These should never be the same person.  If using services from the same company, ensure you will be handled in an ethical manner and all conflicts of interest are disclosed prior to engagement.
• Don’t make a selection solely on cost.  An experienced QSA will cost more to start with, but will save you money in the long run by assisting with any payment re-architecture and improvement of business processes.  You get what you pay for!
• The QSAC might have the flashiest website, marketing material and accolades available, and claim to have the largest number of QSAs available globally, but do you really want to work with a QSA Consultant you may never see again, perhaps selected from a pool of “salary efficient” individuals with only the minimum required experience?

The PCI SSC are making clear efforts to clean the market up and remove inexperienced QSAs from the program, and also those that have made continual errors and fail quality checks, but they cannot vet everybody and it is essential you perform due diligence prior to engagement, as it’s doubtful that anyone else has.

If you are unlucky enough to choose a QSA that’s not up to scratch, you are entitled to submit feedback and be treated anonymously on the PCI SSC website.  This would not affect any previous AoC or RoC that has been submitted by the QSA in question, which will remain completely valid until assessment is up for renewal.  In short, if you’ve got a bad RoC you will not have your compliance status revoked.

If you’re still with us, take a moment to review the PCI SSC’s own expectations of what to expect from a QSA.  This pretty much sums up what you should be looking for and I do hope other QSA Companies read this and up the bar too!

2-sec Tim Holman Choosing a QSA – tips on how to find some of the better ones… 2-sec - Information security, data protection and cyber defence

Sorry it’s been a while since you’ve be ingratiated with a 2-sec blog entry. You might have noticed recent UK press legislation that was put in place following the phone hacking scandal, that appeared to be ubiquitous and spanning all kinds of publishing media. I did at some point work out if I could actually join a press self-regulator, but myself along with other bloggers appeared devoid of any meaningful response, other than to engage a solicitor and spend lots of money.

The good news is that blogs with a turnover of less than £2m and less than 10 employees are exempt. As I don’t think my blog makes any money and we don’t employ bloggers, then I’m hoping the exemption still stands – http://www.bbc.co.uk/news/uk-22221666.

The bad news is that you’ll have to put up with my blogs for a little longer I’m afraid.  So stay put, more content coming soon…  :)

2-sec Tim Holman Where did all the blogs go? 2-sec - Information security, data protection and cyber defence

We see in the news another example of cyber criminals successfully stealing a private certificate and using it to their nefarious advantage. In this instance, cyber criminals allegedly exploited perimeter defences and web application security to gain access to one of Bit9′s private certificates - https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/.

A private certificate is used to sign an encryption key, to ensure the end user knows they are dealing with an encryption key that was actually generated by the entity itself, and not some arbitrary organisation in between.  It can also be used to sign anything else, from a PDF document through to an email, to prove the owner’s identity.  Think of the traditional written signature and you’ve pretty much the equivalent of a digital certificate in the paper world.

Thus a private certificate should be kept VERY secure, and access limited to perhaps 2 or 3 people within an organisation.  Ideally it should take these 2 or 3 people working in conjunction to access or use the certificate (we call this dual-control in the industry).

Full details of the hack are not yet available, but it appears that cyber criminals managed to get through web defences and pull out a private certificate.  Bit9 are understood to have confirmed they fell victim to a SQL Injection attack last summer, which led to the compromise.  Whether the private key was stored on a stable in a SQL database or pulled out by manipulating the application, we don’t know.

You might not know what Bit9 do, but they make a white-listing product and use this private key to sign signatures that correspond to trusted files.  So what the cyber criminals did was use the certificate to sign malicious pieces of code.  That put anyone that used Bit9 software at risk of recognising malware as known, good, trusted software and allowing users to execute it.  Looking at their website they have a large government / defense customer base - https://www.bit9.com/customers/ and I would guess that those were the intended targets.

The compromised private certificate was use to sign malware in July 2012 and Bit9 only learned of the issue in January 2013.  The private certificate in question has now been revoked and the issue fixed.

This is yet another attempt to defeat a layered security approach and go for the security controls themselves.  The well documented RSA breach may have been used to defeat two factor authentication, and this attack used to defeat anti-malware controls.  We can see how such an attack might be orchestrated – a “media.exe” file, signed by the Bit9 certificate, is emailed to an employee of a Bit9 customer.

The employee, perhaps thinking that Bit9 won’t let them open any unauthorised files, then opens the file and executes the malware.  If the desktop has an internet connection, a remote access session is established with a command and control centre and cyber criminals have full access to the affected machine.

There would be little a target could do about this.  If white listing controls are defeated, then there goes your last line of defence, as no other security control could prevent custom malware from being executed and cyber criminals can just bide their time, investigate disabling other security layers and strive to find a way in.  A well configured proxy server might block the remote access tunnel, SIEM might detect unusual activity if correctly tuned, but only through collecting the big data and effectively monitoring it for suspicious activity would a target ever discover something malicious going on.

That leads us to the next ISSA-UK event being held in London on March 28th, which appropriately will be themed around Big Data and what we as security professionals should be advising our clients to combat emerging threats from Cyber Criminals.  Please register here – http://bigdata28thmarch.eventbrite.com and we look forward to seeing you.

2-sec Tim Holman The Bit9 incident 2-sec - Information security, data protection and cyber defence

Tim Holman, CEO 2-sec featured in the UK’s leading national newspaper, The Guardian, talking about social media. Both in print and online.

http://www.guardian.co.uk/media-network/media-network-blog/2013/feb/11/social-media-workplace

2-sec 2secadmin 2-sec in The Guardian today… 2-sec - Information security, data protection and cyber defence

Presented by ISSA International & Generously Hosted by Deloitte
Theme: Secure Information for Europe

The 2013 ISSA London Conference will focus on some key challenges we all face; Cyber Crime, Cyber Conflict & Cyber Espionage. At this conference attendees will hear from leading European & International speakers that will inform and set our future direction in Information Security.

REGISTER HERE – http://www.issa.org/?2013EuropeanConf

February 5, 2013
9:30 -10:00	Registration & Breakfast
10:00-10:20	Welcome & Introduction Geoff Harris – European Conference Chairman & Director, ISSA International Mike Maddison – Partner, Deloitte
	European Perspectives & Initiatives
10:20-10:50	Opening Keynote Digital Identity, State Protective Monitoring & Civil Liabilities Right Honourable David Davis – MP House of Commons,UK Parliament
10:50-11:30	European Commission’s Cyber Security Strategy Alessandra Falcinelli – Legal Officer, Trust and Security European Commission Communications Networks, Content and Technology Directorate-General
11:30-11:50	Break for Morning Coffee & Refreshments
11:50-12:30	Cooperation in Securing National Critical Infrastructure Dr. Steve Purser – Head of Technical Competence Department, European Network & Information Security Agency (ENISA)
12:30-13:10	CyberCrime Challenges for Europe Dr. Victoria Baines – Europol Cyber Crime Centre
13:10-13:50	Lunch
13:50-14:30	Establishing Trust Across International Communities Patrick Curry OBE Director – British Business Federation Authority
14:30-15:10	Insider Attacks – Lessons Learned Dr. Thiébaut Devergranne – Docteur en droit/Doctor of Law in France
15:10-16:00	Mike Maddison – Partner, Head of EMEA Security & Resilience, Deloitte
16:00-16:20	Break for Afternoon Tea & Refreshments
	Wider International Perspectives
16:20-17:00	Eddie Schwartz – VP & Chief Information Security Officer, RSA The Security Division of EMC
17:00-17:45	Closing Keynote Red Dragon Rising Across Europe Lt Col William Hagestad II USMCR
17:45-18:00	Summary – Closing Thoughts Geoff Harris
18:00-20:30	Drinks, Canapés & Networking in Exhibit Area and Sponsor Prize Drawings

REGISTER HERE - http://www.issa.org/?2013EuropeanConf

2-sec 2secadmin ISSA European Conference – Feb 5 2013 2-sec - Information security, data protection and cyber defence

As you may have heard on the grapevine 2-sec’s SIG proposal for Third Party Security Assurance was accepted and we are currently working with the PCI SSC to flesh out plans for improving service provider engagement guidance and influencing the outcome of PCI DSS v3.0, to help better serve and secure the payments community.

Control 12.8 was subject to a large amount of feedback made to the council over the past year and the community has long been duped by vendors/service providers whom maintain their offerings are “PCI DSS Compliant”, yet have little or no validation to back this up until negotiations hit the contract stage and just seem to get signed off anyway.

Any ideas or feedback as to what you’d like to see the SIG doing would be much appreciated, especially any case studies or examples where 12.8 has gone wrong and how it could be better improved.

To facilitate discussion we have created a thread in the following LinkedIn group. This group is limited to PCI Professionals only and membership moderated to ensure high quality, relevant discussion:

http://www.linkedin.com/groups/PCI-DSS-Professionals-1174827/about

Do get in touch if you would like any further information – tim.holman@2-sec.com

2-sec Tim Holman PCI SSC Third Party Security Assurance SIG 2-sec - Information security, data protection and cyber defence

PCI DSS 12.5 “Assign to an individual or team the following information  security management responsibilities” is not just about putting somebody’s name down to pass an audit and us QSAs are clamping down hard on those whom pay governance lip service, then forget about it for a year until the next audit is due.

Even in smaller organisations, governance and oversight of physical, network, software and human security is critical to making any information security programme a success.  Assigning sole information security responsbility to your infrastructure team is rarely a good idea and it needs a holisitc approach and input from all personnel involved to be effective.

As a recommendation for those that might need it, why not form a Security Committee, that can provide independent oversight of information security throughout the organisation? Monthly minuted meetings are essential to demonstrate that your company takes information security governance seriously, and thus to comfortably mark PCI DSS Control 12.5 in place.

2-sec Tim Holman PCI DSS governance 2-sec - Information security, data protection and cyber defence

Well, maybe manipulation is a bit of a strong word, but the reason for this title is due to the increasing number of requests we get as QSAs to help out smaller, level 4 merchants, whom have been instructed by the likes of Worldpay, RBS Worldpay (aka Streamline), Barclaycard Business, HSBC or PayPal, to go off and get an ASV Scan before access is granted to use their Payment APIs.

More often than not, the payment provider directs the merchant to a QSA for further assistance, should they have any queries.  As 2-sec is the top of the QSA list (by alphabetical order, not saying we’re best or anything), then guess what?

The advice we give:

1) A merchant will most likely need an ASV Scan, not a QSA, to issue a certificate that you can present to your payment provider and get setup to use their API.

2) ASV companies vary in quality.  For most intents and purposes, merchants can get a free scan from most vendors.

3) After free scans have expired, merchants can sign-up with a subscription.  You get what you pay for.

4) Merchants may or may not need to present any further ASV Scans to the provider, after all, using a hosted payment page, merchants would most likely be completing SAQ-A, which doesn’t require any ongoing ASV Scans.

What we find odd, is that a passing ASV certificate alone seems to be enough to get merchants boarded, whether or not merchants know what a hosted payment page actually is.  We find a few variants.  Some merchants have their own web form, that takes and transmits payments to the payment provider’s web form (via HTTP POST).  Some merchants will accept card numbers by email, and submit them via HTTP POST.  Some by telephone, mail order and so forth.  The only validation that seems to be required, is an ASV scan.

Supposedly, all ASV companies are supposed to be the same, and offer consistent advice and approach.  The PCI SSC do set an assault course to ensure the ASV can pick up a number of common vulnerabilities on one of their test systems, but the subsequent reporting and handling of false positives can vary immensely.  To pass the ASV assault course, guess what?  The ASV enables every known vulnerability check under the sun, to ensure they pass first time (otherwise, I think it’s $10,000 for a re-test).

So anyone whom runs an ASV scan will probably pick up something, that requires patching/reconfiguration and away they go.  Not a bad thing, but much of this patching doesn’t actually improve things and much patching of false positives is going on.

So a quick look round to see who is doing what:

SecurityMetrics - well, I get a 404 Not Found from the Enroll link on their home page, but this was quite a popular option for Merchants as they had been advised to use it by some of the larger banks.  Cost I think was around $95 per year, but if you can’t even buy it (sort your web page out guys), then next.  The Burger King of the PCI World (but closed on Saturdays, it seems).

Commodo HackerGuardian – 30 day trial option, and from £165 per year, keenly priced.  Interface is a bit clunky.  A big worry is that it has been known to miss things.   The Kentucky Fried Chicken of the PCI World (chicken heads and fried mice are known to appear in their buckets).

Trustwave – well, apparently they are an ASV, but there is no clear indication on their website as to how to buy their service online.   In this day and age, small businesses don’t really want to “explore how Trustwave can help them”.  For something that’s probably less than £200, they just want to buy it and move on.  The McDonald’s of the PCI World (mass produced, but very consistent quality, if you want extra ketchup with your Big Mac, they’ll knock down a rainforest and build a brand new store for you (and bill you for it)).

QualysGuard PCI Compliance - 14 day free trial.  Simple sign-up.  Works.  From $395 per year, includes PCI questionnaires and self assessment options.  If you want something that you don’t have to worry about and know works properly, then highly recommended.  Qualys only provide vulnerability and compliance management solutions – they don’t digress into other fields and offer a high quality, reliable and accurate service.  I was about to coin the name of a fast food chain, but this is more the Hilton Club Sandwich.  Not cheap, but consistent, always performs and tastes OK too.

2-sec Tim Holman The Cunning Art of ASV Manipulation! 2-sec - Information security, data protection and cyber defence

I am presenting a proposal to setup a SIG for Third Party Assurance at both Orlando and Dublin PCI SSC Community Meetings.  The aim of the SIG is to provide additional guidance around control 12.8, which to date we think is somewhat open to interpretation.

The control as it stands:

12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
12.8.1 Maintain a list of service providers.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

So what’s wrong with this control?  Well, firstly, “if cardholder data is shared” implies that service providers only need to be considered if you give them cardholder data.   Fair enough, one might suppose this is the biggest risk, but how about managed firewall providers, or providers of desktop/server support? Cardholder data is not shared with these types of provider, but they may have access to it, or could potentially alter a security control that secures it.

During a PCI assessment, these entities are supposed to fall into an entity’s scope of PCI DSS Compliance.  So a managed firewall provider would need to be assessed against all relevant PCI DSS Controls.  This of course rarely happens.  Service providers are generally unwilling to become audited, namely due to the cost and resource it consumes, but also as they have never agreed to be PCI DSS Compliant in the first place.

If service providers are not PCI DSS Compliant, then it falls upon the assessed entity to measure and monitor the service provider and potentially control what they do.  Control 12.3.9 implies that an entity only permits access to their cardholder data environment in a controlled manner:

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

..but then what about 24/7 outsourced support operations?   Is an entity expected to implement controlled remote access to service providers that access systems out of hours?  Technically yes, even if they are fully PCI DSS Compliant!

I’ve blogged and spoken about this in the past, but my one pet hate is the number of providers out there that are marketed to be “PCI DSS Compliant”, or a sales guy on the end of a phone says their service is “PCI DSS Compliant” and the entity goes ahead and buys it.  Fault at both ends there really, and will be a fascinating challenge for the proposed SIG to undertake.

There are many controls in the standard that may or may not involve service providers, and each case is going to vary from entity to entity.  Variance in the eyes of PCI DSS is bad, as very difficult to measure, monitor and improve card data protection in the industry as a whole if each entity is doing things in a different way. To cut a long story short (you can hear the long version at the community meetings), we propose to set this SIG up to address issues such as this, and help ensure PCI DSS-applicable entities know how to handle third party risk.

If you would like to be involved, let me know.  If you are a Participating Organisation, then your vote would be much appreciated as this affects all of you!  :)

2-sec Tim Holman PCI SSC Special Interest Group (SIG) – Third Party Assurance 2-sec - Information security, data protection and cyber defence