Payment processor Euronet Worldwide Inc said a “small portion” of its European business was the target of a criminal security breach late last year, sending its shares down as much 6 percent… - http://www.reuters.com/article/2012/01/23/us-euronetworldwide-idUSTRE80M2ET20120123

What’s worrying here that when you’re dealing with a payment processor, even a “small portion” can add up to a huge number of potentially compromised credit cards.  Being one of the biggest processors worldwide (market value close to $1bn), then I get the feeling someone somewhere is trying to play things down.

According to Euronet’s CEO, Michael Brown, they were informed about the breach by the card schemes.  So they didn’t even have the processes in place to detect the breach themselves.  Which gets interesting.  Brown then goes on to say “When we heard the first little inklings of this, we jumped in, figured it out, got third parties involved who are real experts at this, and closed the breach… between our discovery and our shutdown, it wasn’t a long period of time.”.  So is this saying that Euronet aren’t experts at detecting and dealing with security breaches?  I wonder…

There’s mention that “Expenses from the breach were less than 1 cent per share in the fourth quarter of 2011.”.  According to nasdaq.com, Euronet currently have 50,000,000 shares outstanding.  At one cent a share, that’s $500,000.  Which is quite a high expense in my opinion, to deal with a “small portion” of its European business.  That buys you a team of top notch forensic investigators for a year and access to some of the best security solutions around.

They had been audited in the past by one of the best known QSAs, whom no doubt did a thorough job, but it just goes to show that an audit can only help you so much.  It can never be absolute and always depends on just how much money an entity is prepared to spend on an assessment.  Period.

What happens next, I’m not sure.  Maybe when dealing with a $1bn company data breaches are just small fry and they can just gobble up the costs, but playing it down to be an insignificant event is wrong.  They should know better, as companies like this form the backbone of finance for private companies and SMEs and a lax attitude is exactly what encourages other companies that follow in Euronet’s footsteps to drop their guard.

Be vigilant.  If you’re a payment processor, be worried – there are criminals that are specifically targeting this area, whom have the resource and know-how to hack into a $1bn company that’s already paid through their teeth for security controls and an extensive PCI DSS audit.

2-sec 2secadmin Euronet reports breach at European business 2-sec - Information security, data protection and cyber defence

To get 2012 off to a start, I have five security predictions for the year ahead:

1) Brownouts

I predict a major brownout to occur during 2012.  By brownout I mean a critical failure in a key system due to over-capacity, with far reaching consequences.  Something somewhere is going to be overloaded and fail spectacularly due to under-engineering and failure to take a practical approach to business continuity and systems availability.  With the Olympics coming up in the UK, which has had known system problems already, I just feel something is just going to stop working.  What can you do?  Well.  Security has focused far too much on Confidentiality, with a spot of effort around Availability and a miserable attempt at ensuring Integrity.  We have already seen last year with RIM (the Blackberry guys), that their business continuity plan failed with regards to a key server.  The whole Blackberry network went down for days as a result.  A regular service restoration test of critical components (and of course, working out what should be termed critical) is essential for any business with reliance on IT systems.  There is too much reliance on “high availability” which makes companies lazy when it comes to taking and testing backups.  Why “Security” do you ask?  Well, availability is there in the CIA triangle and whether malware or a systems outage cause availability issues – they still need to be prepared for accordingly.  Also, an adversary can attack your systems with a denial of availability attack, which perhaps causes you to move to insecure, untested systems in your backup data centre, or take steps to restore systems that leave you wide open for a number of very simple to execute attacks.

2) The Cloud is Not Enough

Cloud based services were originally created in order to make use of spare capacity in data centres, that had been over-engineered to cope with high demand over particular periods, for example the retail boom over Christmas, major news events and major sporting events.  Bit by bit, this spare capacity is being sucked up.  It would be very expensive for a cloud provider to invest in new hardware to improve the performance and availability baseline 365/24/7 for all customers.  So what happens when the troughs of availability that cloud providers effectively “sell” get filled up?  Will the market start selling based on contention ratios as the ADSL market did ten years ago?  Without a doubt, expect to see a rise in prices of cloud based services that have the SLAs that you need.  Anything too cheap is likely too good to be true and you will be moved to more expensive service models once you start feeling the effects of other customer’s services taking up your CPU and Memory!

3) Teenage Hackers

LulzSec and Anonymous seem to have quietened down following a series of arrests over 2011, yet new organisations are cropping up. Only recently this year a Saudi based hacking group exposed details of “zionists” on the web, so those they thought were pro-Israeli / anti-Arab.  Extremist organisations could do a lot of damage with this information.  Well that’s not quite a prediction as it has already happened, but as security knowledge spreads far and wide and with an ever changing world economy, there are no doubt an increasing number of disillusioned school kids that seek to impress the world with their anarchic hacking skills.  The bigger threat is state sponsored hacking, or economic information theft that China can use to her advantage.  We’ve seen blueprints go missing, an unquantified hack on critical information systems at the International Monetary Fund, the odd economic collapse preceded by suspicious overseas trading activity, trade secrets and bid information being stolen, all allegedly by Chinese companies.

4) Ooops

Some company that really should have known better is going to suffer a big breach.  At least one well known retailer will suffer a breach and lose credit card information and I suspect one or two third party payment service providers will be defeated by the ever advancing knowledge of our adversaries.

5) Security in the core

Silver bullet solutions and vendors that pitch them are going to struggle in 2012, unless they take a holistic approach to security and play ball with the joined up thinking we are starting to see from the Microsofts and Ciscos of the world.  Security is being built in to our systems as we speak and the value add of security vendors is dwindling.  Vendors are starting to sing the 2-sec message – Simplifying Security, even though it was them that complicated the whole thing in the first place!  Consultancies and testing houses will be doing well, but is there still a place in our hearts and wallets for magic bullets?

Whatever my predictions bring, we must all look at raising the bar for 2012 and ensuring we have a decent level of measurable baseline security controls in place.  As with brakes on a Ferrari, good security makes sure your company can go faster!

2-sec 2secadmin Top Five Security Predictions for 2012 2-sec - Information security, data protection and cyber defence

I’ve been to a few talks lately and it seems to be a growing theme. People think that being compliant doesn’t make you secure, and that to be “secure” you need to exceed what you are doing at a compliance level.

I have to say I disagree, and I wish people wouldn’t keep quoting such nonsense!

Compliance is a measure of security assurance at any given time and I’d have to say, with such a thorough standard like PCI DSS then it’s really difficult, unless you start talking APTs, to get around the standard and end up with insecure systems, unless of course you’re not doing it properly or are acting on inaccurate advice in the first place.

I think what people mean to say, is “getting your compliance program wrong without knowing it, doesn’t make you secure”. I can be very happy with that statement instead.

That leads us to an interesting dilemma. Experts on PCI DSS whom actually know what they’re doing are far and few between. The guidance from the PCI Security Standards website is good, but only if you understand it and don’t try to take short-cuts.

It’s such a pity that when the standard started out with all good intent, the compliance moniker has been trashed by people from all sorts of companies – consultancies, merchants, banks, vendors and even card schemes and QSAs themselves.

So what can be done about it? How do we get Compliance back on the pedestal and start giving it the respect it deserves?

We really must stop spreading the wrong message, as that in itself can cause vulnerabilities to open up when companies start skipping through compliance projects

We must not rewrite the rulebook. Countless GRC Applications are on the market now that try to do PCI DSS their own way. The value of credit card information is still not perceived at a board level “it’s not my data, I don’t care” and other business critical operations overtake it on the risk register, such as disaster recovery, resilience and of course new software features that help get more customers.

Compliance IS a very valuable security component in itself, and in my six years experience of PCI DSS Audits, I’ve never found a single entity to be Compliant from day one and there have ALWAYS been holes in controls that leave these entities vulnerable to certain types of attack.

So yes, being compliant DOES make you secure. Implicitly.

2-sec 2secadmin Being compliant doesn’t make you secure… 2-sec - Information security, data protection and cyber defence

Our next ISSA-UK event is on Tuesday 22nd November, 2011, at PWC in Leeds.

Information Security / Computer Security changes and evolves constantly. What are the latest trends? ISSA brings you some thoughts on potential issues which we need to consider as a part of the corporate security strategy.

Agenda:

16:00 Registration

16:30 Introduction, Les Fraser, ISSA-UK

16:40 Understanding Application Risk: The Current State of Software Security, Jamie Cowper, Veracode

17:30 Security implications of merging business and private use of IT, Lloyd Bridges, Senior Manager, PWC

18:10 The Consumerization of IT – David Horn, Security Consultant, Sapphire

18:50 Some thoughts on regulatory, legal and legislative issues, Stewart James, DLAPiper

19:25 Conclusion

19:30 Networking

The event is worth 3 CPE / CPD credits and ISSA are recognised by ISC(2) and ISAACA as an education provider.

There is a small charge for returning non-members to attend this event, athough you may join/renew your UK Chapter or UK Affiliate membership via www.issa-uk.org/join, current ISSA International membership fees are $95 per year.

We also operate a first event free policy, so please feel free to come along and try us out.

Please register here:

http://leeds22november.eventbrite.com

We look forward to seeing you there!

Many thanks,

Tim

2-sec 2secadmin ISSA-UK Event – Trends in Information Security, Leeds 2-sec - Information security, data protection and cyber defence

ISSA-UK and Microsoft have arranged a Microsoft Security Training Day on Tuesday December 13th, 2011.

The aim of Security Training Days are to educate delegates as to new developments in technologies and solutions that will help them in their day-to-day security roles. This event is worth 5.5 CPDs/CPEs to contribute toward your ongoing security training certifications.

This event will focus on a wide range of Microsoft solutions – desktops, servers, gateways, identity based access, rights management, certificate management, identity federation and of course the cloud.

The event will be held at Microsoft’s London Headquarters in Cardinal Place, Victoria and we can accomodate up to 200 delegates.

AGENDA

09:30 – Arrival and Registration (tea, coffee, biscuits)

10:00 – Introductions & Welcome
Tim Holman, President, ISSA UK
Stuart Aston, Chief Security Advisor, Microsoft UK

10:10 – Cyber Threat & Microsoft Strategy
Stuart Aston, Chief Security Advisor, Microsoft UK

10:45 – Identity Based Access Technologies and the Cloud
Rob Jones, Technology Architect IDA RMS, Microsoft UK

11:30 – Securing the desktop, your servers and your gateway
Tony Clark, Identity and Security Specialist, Microsoft UK

12:15 – Buffet lunch

13:15 – Rights Management – Securing Critical Data
Robert Jones, Technology Architect IDA RMS, Microsoft UK

13:45 – Certificate and PKI Management
David Hoyle, Security Program Manager, Microsoft UK

14:25 – Coffee break

14:50 – Active Directory Federation Services
David Hoyle, Security Program Manager, Microsoft UK
Robert Jones Technology Architect IDA RMS, Microsoft UK

15:20 – Panel (questions & answers)

16:20 – Conference wrap-up

16:30 – Networking Reception (tba)

18:00 – Close

Sign up link – http://microsoftdec2011.eventbrite.com/

2-sec Tim Holman ISSA-UK Microsoft Security Day, London 13th Dec 2011 2-sec - Information security, data protection and cyber defence

ISSA-UK are holding their next training workshop in Bristol on Wednesday 9th November, 13:30 – 17:30.

This is essential training for anybody with full or partial responsibility for Incident Response Management within their respective organisations.

You will be hearing from our highly experienced workshop leader, Adrian Wright, ex-CISO Reuters and CEO/founder of Secoda, whom has kindly donated his time.

The workshop will be worth 3 CPEs, for those that need to maintain CISSP, CISA, CISM and QSA certifications, but more importantly, will provide you invaluable knowledge as to how the develop and maintain an effective Incident Response Plan.

The workshop is free for ISSA-UK members, and there is a small charge of £20 for non-members to cover administration and catering costs.

Please take a moment to look through the agenda and register here: http://bristolnov09.eventbrite.com/

Opportunities like this do not come around often and equivalent training would cost you hundreds of pounds, but as a not-for-profit organisation, ISSA-UK are committed to deliver high quality education to the security community at a fraction of the cost.

2-sec Tim Holman Incident Response Training – Bristol, Wed 9th November 2011 2-sec - Information security, data protection and cyber defence

I ran a couple of sessions at RSA Europe 2011 to talk about PCI DSS and Risk Based Compliance.

What struck me was the make up of the audience. One or two years ago, I could have put good money on the make up of the audience being 90% merchants, but now, an equal balance of issuers/acquirers, service providers, mobile payment providers, merchants and people from outside of the UK trying to get a hold on what PCI DSS is all about.

The majority of the audience were under the impression Risk Based Compliance was a shortcut, method or tactic to avoid PCI DSS Compliance altogether, which was even more interesting.

To reiterate, Risk Based Compliance is something that banks have put together to enable better progress reporting from Level 1 merchants, as most appear to be “stuck” at having completed all the quick wins, have 60-70% compliance scores.

The banks have thought “great – they’re almost there!”, and in my opinion, have assumed that each PCI DSS control is equally weighted, requires equal effort and cost and that a score of 60-70% is actually quite good.

The introduction of TIP in the states was brought up, where it has been widely been promoted as a shortcut to PCI Compliance. As long as 95% of in store transactions are taken via an approved chip and PIN device, merchants only need to validate against milestones 1/2 and be compliant against milestones 1/2/3/4 to avoid any breach fines.

TIP is taking off in the UK, even though the other card schemes that make up the council haven’t quite yet agreed to it, and indeed is an easy win as 99% of the market is already using chip and PIN devices (yes, some merchants still don’t…).

But hit the US, with 1,000+ banks and limited EMV architecture, then there’s a HUGE step to be taken before any merchant can even get the infrastructure in place and start validating against TIP. We’re at least 2 or even 3 years away from the US adopting chip and PIN on a large scale. The TIP carrot might help.

We also covered off the changes in PCI DSS v2.0 and again I had to tell everyone there hadn’t been any (major ones), although a few did pipe up and say “our QSA” or “our vendor” said there have been lots of changes and needed to know what to do next. Reading the Summary of Changes Document would be a good start, as it details exactly what typos have been corrected in PCI DSS v2.0 over v1.2.1.

The points I draw from this are that there is still evidently a “quick-win” culture out there, that does nothing to improve security, all it does is boost compliance score. The schemes and banks have picked up on this, and moved risk assessments to milestone 1, as this should catch any medium/high/critical risks that quick-win compliance hasn’t covered.

Secondly, the applicability of TIP and Risk Reduction Programmes in relation to PCI DSS, are reserved for large merchants. If you’re level 2, 3 or 4, then self assessment is still perfectly acceptable. Some larger level 2′s might benefit, but generally speaking, self assessment is all that is required. Plus of course actually being compliant, as opposed to ticking the boxes…

To conclude, the RSA Conference was great fun, but delegates just seemed to be drawn to those speaking about FUD. They weren’t really interested in my attempt-to-educate at all, really, which was a shame. Do I really have to make a move into the entertainments business??

I’ve changed jobs in the meantime – am now CEO at 2-sec. Watch this space…

2-sec Tim Holman Risky Business and Quick Win Compliance 2-sec - Information security, data protection and cyber defence

I’ll be talking about PCI DSS and Risk Based Approaches at RSA Europe this week, Thursday 13th October at 13:00 – 13:50.

If you are planning to attend, would be great to see you. If you can’t make it, you can download my presentation here:

GRC-304 – Taking a Risk Based Approach to PCI DSS Whilst Still Checking the Boxes.pdf

I will also be chairing DSG-200B, PCI DSS Discussion Group on Wednesday, 12:10 – 12:50 if you would like a more informal discussion around risk based compliance approaches.

There’s a fantastic lineup of other speakers at the event and as always, a great privilege to be able to present there.

Do let me know if you are around – there are plenty of break out opportunities where we can go and grab a coffee.

2-sec Tim Holman Taking a Risk Based Approach to PCI DSS Whilst Still Checking the Boxes 2-sec - Information security, data protection and cyber defence

You might have noticed things have gone a little quiet round here, as my last blog post seemed to get me into a spot of trouble…

Anyway. It’s certainly not my style to tread on the feet of a major UK acquirer and in the end I was asked to remove the names of the entities in question and delete the comments thread, which I’ve now done (btw it’s cached, let me know if you’d like the link!).

In general, acquiring banks seem very keen for merchant risk management programs to align, all fit together and be measurable in terms of a percentage score that they can then relay to the card schemes.

First off, this isn’t really risk management as you, I and other information security professionals see it. It’s a controls based approach that results in a score.

Secondly, if you’ve looked at taking a risk based approach to PCI DSS, then you’ll note that in most cases, it increases workload, as adds more controls, increases reporting requirements and sends waves of subjective confusion around the company.

How does the payment security risk of a hotel compare with that of a high street retailer, or an ecommerce retailer, for that matter?

By nature, some companies are just more riskier than others when it comes to payment card security, and it’s that balance a score-based approach will not address.

Risk management also introduces a lot of subjectivity. One board of a company might approach risk management in a completely different way to another, and push areas of high risk under the carpet, mostly non-intentionally.

So by introducing risk based compliance, we’re ending up with a scenario where PCI DSS goes out of the window and companies submit risk assessments instead, which give even more scope for the truth to be warped.

It’s an interesting area and I’m looking at it closely. I suspect that risk based compliance will be reserved for the Level 1 Merchants only, that have had challenges in adopting PCI DSS word for word, but it will be quite intriguing to see the volumes this approach will reach.

Risk management is NOT risk measurement. As soon as you try and slap relative scores or numbers onto risk, then it’s true value flies out the window.

Merchants might all be Merchants, but every merchant I’ve had the pleasure to deal with over the past five years, and we’re talking close to 200, have all been different. Different people, different cultures, different products, as believe it or not, even close competitors need differentiators.

The scary thing is, if Merchants all embark on risk management programs and do this in a unique way that is of course to be expected when dealing with unique companies, then any means to measure risk go out of the window…

2-sec Tim Holman Risk, Risk Management and PCI DSS, part 2 2-sec - Information security, data protection and cyber defence

We all know what risk is. It’s like stepping outside of the house in the morning, looking up at the sky, working out whether or not you think it’s going to rain and then working out whether or not it’s going to rain enough to warrant taking an umbrella, full waterproofs or avoiding the rain altogether and staying at home.

Risk is simple. Being able to take calculated risks might burn up a few more neurons, and applying our innate risk assessment ability to business should in theory be easy too, right?

According to a recent presentation by a well known acquiring bank and QSA, risk is a hugely complex thing that only scientists understand, but rest assured, you can buy their cloud-based risk management software that takes away this complexity and buries intricate risk assessment algorithms beneath a nice shiny GUI.

What was that algorithm again? Let me check…

Risk = Probability x Impact

Hopefully you don’t need the backing of a Cambridge Research Laboratory to help you get that.

As you all might expect, with the fast forwarding of Risk Assessment to Milestone 1 of PCI DSS, vendors are jumping on the bandwagon and forcing GRC products down our throats, without any real understanding of our unique risk environments.

You can never expect to have a mature risk management framework from the go. They all need a starting point, and if you’re going through PCI DSS for the first time, then QSAs are not expecting you to have a highly developed, mature framework in order to tick the box.

I quite liked the ICO’s own internal approach, there’s a Risk Management Policy and Procedure section in their vast array of policy documents:

http://www.ico.gov.uk/about_us/policies_and_procedures.aspx

Which takes an easy to understand approach, uses 5 categories of probability, 5 categories of impact and a resulting 5×5 traffic light matrix that hopefully even your CEO would understand.

..and it’s exactly that. Working out risks and articulating them in a manner that everyone can understand, preferably a risk register on a sheet of A4 paper that board members can read in between rounds of golf or over champagne and canapes, or whatever you think they get up to.

If things are starting to look complex, people are falling asleep or things just don’t look right, then things are going wrong.

Keep risk management simple.

2-sec Tim Holman Risk, Risk Assessments and PCI DSS 2-sec - Information security, data protection and cyber defence