
Posts tagged - PCI

Friday, January 27, 2012

The PCI Council’s ASV Program Gets a Makeover

By Sushila Nair, Security Specialist, BT

To be PCI compliant, customers are required to scan their networks quarterly and to have their external presence scanned by a vendor in the Authorized Scanning Vendor (ASV) program.

In 2011 the PCI Council changed the ASV program significantly. ASVs have always been required to conduct network security scanning against a test network with predefined vulnerabilities operated and configured by the PCI SSC. ASVs are expected to produce a sample report and document all of the predefined vulnerabilities.

Authorized scanning vendors were, however, criticized for not always understanding their role or being able to advise their customers appropriately, especially in the scoping arena and on how to best identify and eliminate false positives.

So, last March the PCI SSC changed the program to require that ASVs have at least two qualified ASV employees who have completed the online training program and passed a multiple-choice exam. The training program ensures that the authorized personnel doing the scan are not only able to run the scan but also understand the PCI DSS standard and are able to act as a trusted advisor to the customer in the area of vulnerability management, much like QSAs act within the security control audits.

The objective is to bring a consistent understanding on how to evaluate network segmentation and really understand the requirements of the standard. ASV organizations are also required to have a quality assurance process in place to ensure that the reports produced, and the analysis of the results, are consistent and accurate.

A QA program has been a requirement for QSA organizations for some time. The scan customer is ultimately responsible for defining the appropriate scope of the external vulnerability scan and must provide all Internet-facing IP addresses and/or ranges to the ASV. If an account data compromise occurs via an externally facing system component not included in the scan, the scan customer is responsible. It is critical to work with an ASV that acts as a trusted advisor: scoping is a critical component of being compliant, and merchants are often confused about which systems are in scope for external scans. The ASV should be able to advise not only on which systems are in scope but also on how to handle anomalies and systems that are failing the scan.
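The scoping rule above has a mechanical part that is easy to check before the quarterly scan is ordered: every Internet-facing address the merchant operates must fall inside the ranges declared to the ASV, and nothing that an Internet-based scanner cannot reach (RFC 1918 space, loopback, link-local) should be in the declared scope at all. The script below is an added example, not code from the post or from BT; the host inventory, the declared ranges and the host names are constructed sample data (RFC 5737 documentation addresses stand in for public ones, which is why the check uses an explicit non-routable list rather than Python's `is_global`). In practice the inventory would be built from DNS records, firewall NAT rules or a cloud asset export.

```python
"""Scope coverage check for an external (ASV-style) vulnerability scan.

Added example, not part of the original post. Compares the address ranges a
merchant declared as scan scope against an inventory of Internet-facing hosts
and reports every public host the declared scope misses, since an undeclared
externally facing system is exactly the liability gap the post describes.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data. 203.0.113.x / 198.51.100.x are RFC 5737 documentation
# addresses used here as stand-ins for the merchant's public address space.
DECLARED_SCOPE = ["203.0.113.0/28", "198.51.100.10", "10.0.0.0/8"]
INVENTORY = {
    "www.example-merchant.test": "203.0.113.4",
    "shop.example-merchant.test": "203.0.113.9",
    "api.example-merchant.test": "198.51.100.10",
    "legacy-vpn.example-merchant.test": "198.51.100.77",  # public but never declared
    "intranet.example-merchant.test": "10.20.30.40",      # private, unreachable from outside
}

# Address space an Internet-based scanner can never reach (RFC 1918, loopback,
# link-local, CGNAT, multicast, "this" network). Hosts here are not in scope for
# an external scan, and declaring such ranges to the ASV is a scoping mistake.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4", "0.0.0.0/8",
)]


@dataclass
class ScopeReport:
    covered: dict = field(default_factory=dict)        # host -> declared range that covers it
    uncovered: dict = field(default_factory=dict)      # host -> public address missing from scope
    non_public_hosts: dict = field(default_factory=dict)  # host -> address no external scan can reach
    non_public_in_scope: list = field(default_factory=list)  # declared ranges that are not routable


def parse_scope(entries):
    """Accept bare addresses or CIDR ranges; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def externally_reachable(ip):
    return not any(ip in n for n in NON_ROUTABLE)


def check_scope(declared, inventory):
    nets = parse_scope(declared)
    report = ScopeReport()
    report.non_public_in_scope = [
        str(n) for n in nets if any(n.overlaps(m) for m in NON_ROUTABLE)
    ]
    for host, addr in inventory.items():
        ip = ipaddress.ip_address(addr)
        if not externally_reachable(ip):
            report.non_public_hosts[host] = addr
            continue
        match = next((str(n) for n in nets if ip in n), None)
        if match is None:
            report.uncovered[host] = addr
        else:
            report.covered[host] = match
    return report


if __name__ == "__main__":
    r = check_scope(DECLARED_SCOPE, INVENTORY)
    for host, addr in r.uncovered.items():
        print(f"NOT IN SCOPE : {host} ({addr})")
    for host, addr in r.non_public_hosts.items():
        print(f"NOT EXTERNAL : {host} ({addr})")
    for n in r.non_public_in_scope:
        print(f"BAD RANGE    : {n} cannot be reached by an external scanner")
    print(f"covered: {len(r.covered)}/{len(INVENTORY)} inventory hosts")
```

Run against the sample data the legacy VPN host is reported as outside the declared scope, the intranet host is set aside as not externally scannable, and the `10.0.0.0/8` entry is flagged as a range the ASV can never test. A real deployment swaps the constructed `INVENTORY` for a feed of the merchant's externally resolvable names and NAT mappings, and runs the check each quarter before the scan request goes to the ASV.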

Organizations that are not governed by PCI but conduct vulnerability scans as part of best practice or other regulatory requirements would be well advised to use the ASV certification as a way of selecting a good scanning vendor. The fact that the vendor has passed exams, has qualified staff on board and has an in-house QA process, and that all of this has been validated, makes a great screening filter and is a strong indicator that the vendor would meet the needs of any organization concerned about vulnerability management.


Monday, November 28, 2011

How Do We Encourage Companies to Embrace Cybersecurity Proactively?

By Jill Knesek, Chief Security Officer, BT Global Services

At the end of last month I had the pleasure of traveling to Washington, D.C. to speak at Booz Allen Hamilton’s conference on the significance of the cybersecurity dilemma.  For over 90 minutes the panel delved into the question of why most companies approach cybersecurity reactively and why they don’t plan for it as part of their business operations.

Usually when we talk about cybersecurity as it relates to businesses we focus on the negative impact of an attack on brand reputation, on customer relations, and on remediation.  But by then, the damage has already been done; reactive strategies mean that our network is already compromised, that data is already lost, and that our reputation could be in tatters. 

What if the market demanded that the focus on cybersecurity be proactive?  What if there were incentives to drive investment into advanced persistent threat research or into building a comprehensive understanding of threat vectors and how and why they change?  Moreover, why do companies not currently feel enough pressure from government and industry regulations to change their behaviors?  Or is expecting cybersecurity assurance to be legislated into action a false expectation?

Click here to watch my response to the panel or click here to watch the full panel discussion.

Monday, August 15, 2011

Security Around the World: APAC – Rapid Change, High Stakes

by Sabyasachi Chakrabarty, Chief Security Officer, Asia Pacific Region

In the second installment of our Security Around the World series we meet with Sabyasachi Chakrabarty, CSO of AsiaPac for BT.  We wanted to find out what the most pressing security issues facing the region are and how BT helps its customers address these challenges.  It’s interesting to compare Sabyasachi’s perspectives with those of his colleague, Ramiro Rodrigues, CSO of BT Latin America and Iberia, who blogged about network security issues in his region last week.

One of the challenges I face as the CSO for the Asia Pacific region is that it is such a diverse group of countries with starkly different levels of infrastructure and economic development. However, what unites the region is rapid growth – both of legitimate business opportunities and the opportunity for nefarious online activity.  Of course, the ability to carry out attacks is only heightened by the explosion of low-cost high speed Internet capacity which has allowed malware to spread, well, quite literally, like a virus.

While some network security attacks are certainly perpetrated by those seeking to showcase their talents and to gain publicity, what I see is that most attacks are designed for profit, ranging from gaining real monetary value to stealing intellectual property, whether the attack is against a company or the government.

One of the greatest challenges I face in my role is how to manage the responsibilities of complying with the requirements placed on a network service provider.  Unlike North America and the UK/Europe, where legislation and regulation have provided some degree of protection for both businesses and consumers, in countries in the Asia Pacific region the responsibility oftentimes lies with the telecom service provider.  For example, in some countries it is spelled out in the license conditions that the Network Service Provider is responsible for ensuring that encryption beyond a certain key size is not used, not the companies who actually use it.  Likewise, some countries put the onus on the telco to deploy some form of protection within their network, rather than requiring the individual business to assume that responsibility.

As the analysts at Frost and Sullivan pointed out recently, the level of spending on data security in the Asia Pacific region must increase as social media application usage and virtualization expose networks to more threats and expose vulnerabilities.  Learn more about the work BT does in the Asia Pacific region.


Wednesday, March 23, 2011

When Near Enough Isn’t Good Enough

By Tara Savage, Senior Marketing Manager, BT Global Services

Application security has been a hot topic of discussion on the SecureThinking blog lately, and it seems to be weighing heavily on the minds of other industry experts, as well. 

At the recent RSA 2011 conference, George Hulme reported on the growing consensus that “good enough” might not actually be good enough when it comes to application security, especially when acquisitions are involved.

The main problem, as Dan Holden, director of DVLabs at TippingPoint pointed out, is that there’s a lack of pressure on software developers and coders to protect their customers.  He points to the many recent security incidents involving legitimate web browsers visiting legitimate e-commerce sites, “only to be redirected someplace else and infected with malware.”   From his perspective, the connection between customer satisfaction and good development practices needs to be made explicit if this problem is to be fixed.

But it’s not only the development process where issues of application security are relevant.  Josh Corman, research director of enterprise level security at the 451 Group, made an excellent point.  “When it comes to our IT systems, the notion of having a defensible infrastructure almost never comes up in our acquisition negotiations,” Corman said to the audience during a panel on application security at the RSA Conference.  “And those expecting new technologies, such as cloud computing, to auto-magically solve the problem are going to be disappointed.”

To read George Hulme’s article in full, click here.

Friday, February 25, 2011

Getting Back to the Basics of IT Security

By Tara Savage, Senior Marketing Manager, BT Global Services

In the February issue of Bank Technology News, Ben Rothke explores how those responsible for securing the banking industry can get 2011 off on the right foot.   He addresses issues ranging from accountability and the importance of an effective CISO to developing security policies and casting a critical eye on new technologies. 

Ben says that getting back to basics in security is a must and can best be explained through this quote from the film, Bull Durham: “This is a very simple game. You throw the ball, you catch the ball, you hit the ball.”  He draws an analogy between security and baseball — you encrypt the data, you decrypt the data, you use the data.

As 2011 starts, the key to data security is all about simplicity and getting back to the basics.

Want to read more?  Read Ben’s full article here.

Wednesday, January 26, 2011

PCI Survey Reveals Organizations are Prepared, Spending More, and Focusing on Education

By Tara Savage, Senior Marketing Manager, BT Global Services


Cisco Systems recently issued the results of its PCI Pulse Survey, which revealed some surprising sentiments from those whose job it is to implement PCI programs. 

While some security practitioners think that PCI requirements are just another façade of security theatre, the survey respondents beg to differ, with 70% expressing positive opinions about the improved security posture that comes with being PCI compliant.  What is also interesting is that organizations are increasing their spending and investment in technology in advance of PCI requirements, rather than in response to pressure to comply.  Next on the agenda for most companies is education and, in particular, education and training for employees in how to handle credit card data properly.

Overall, the survey appears to show a growing maturity of PCI as a standard.  But I wonder, based on other results and findings, if the survey doesn’t actually reveal an on-going weakness in PCI.  If, as the report states, 85% believe they would pass a PCI audit and 78% passed their initial assessment, then why do we still see so many data breaches?

What’s your take?  Let us know in the comments below or send us a tweet.

Tuesday, December 28, 2010

Feeling No Pain: Consumer Indifference and Merchant Risk Acceptance

By Sushila Nair, Product Manager, BT Counterpane

In a world where the consumer makes choices on purchasing based on the lowest price, is there really a driver for organizations to invest in security? 

Working for clients around the world, I see them bending over backwards to stay competitive by providing greater functionality, endlessly providing more diverse methods for ordering products and services and methods for paying for those products and services.  Customers are largely driven by “best value,” and the question becomes not only are organizations willing to pay for security but even more so, is the customer willing to pay for security?

It is interesting to note that the Federal Trade Commission (FTC), in penalizing TJX, which lacked the security controls to prevent Gonzalez from successfully stealing 45 million credit cards in 2007 from its premises, said that the organization was engaging in unfair business practices.  The implication is that the consumer has the right to expect a level of security when an organization takes payment in the form of a credit card.  The FTC, however, was not able to apply any financial fines because the FTC doesn’t have authority to levy civil fines for violations of the FTC Act, which prohibits unfair business practices.

Post-incident, how have the companies that suffered a breach been impacted?  TJX’s results for 2009 indicate above-average year-over-year performance versus other entrants in the industry.  TJX was not alone in being a victim of Gonzalez; some other named companies are 7-Eleven, Heartland, Hannaford, J.C. Penney, Target, TJX, BJ’s, Boston Market, Sports Authority, Dave & Buster’s, Office Max, Forever 21, and DSW.  Again, looking at the financial performance of these companies, we see no correlation between a breach and a loss in consumer sales.

It would seem that despite the fact that a company incurs some financial liability in the form of penalties from the card companies, company profits are reasonable following the breach, especially given the current market.  In essence, it would appear that the consumer is not deterred from shopping at a store that has been affected by a breach.  One wonders if that is because the consumer doesn’t care about the security of their credit cards or simply assumes that the government (FTC) or the card companies will take care of it.

Time and time again, I hear that the security controls required, especially in retail environments, are not in line with what the organization is willing to spend, and it is, therefore, a business risk that the company is willing to take.  After all, in a capitalist society, organizations are focused on the beauty pageant that is the stock market; and if consumers do not seem to be making purchasing decisions based on security, then what possible driver is there for businesses to provide good security controls?

The zero consumer liability is often highlighted as the reason why consumers do not make purchasing decisions based on the security of their data — which would certainly imply that companies will not suffer consumer wrath for a lack of security controls.  So the fines and penalties must therefore be large enough that the business risk tips in favor of implementing reasonable security controls, given there is not a one-to-one correlation between the lack of controls and a breach.

Certainly the fines and penalties offered by the credit card companies and government organizations remain the only reasons for companies to secure payment card data.  As breaches impact the credit card companies and affect their profit line, they move to share the cost of the lack of security with the banks and merchants.  The banks share it with the consumer through fees and other means, and the retailer simply compares the cost of the control and wonders if it’s worth the gamble that it just won’t happen to them.

PCI DSS, with its annual audit, has forced organizations to, at the very least, be penalized if suitable controls are not in place, even if a breach has not occurred.  However, with the lack of any frameworks around the control of other sensitive data, one wonders — do organizations take a similarly laissez faire attitude towards security and bet on “it won’t happen to me”?  Even if a breach does occur, you can bet the companies are also evaluating whether the consumer will actually care about the results as long as they can have cheaper merchandise available to purchase via the most convenient method.  And, sadly, I think the answer is that the consumer does not care.

Monday, November 29, 2010

Verifying Your On-line Shopping Experience: Is it Time to Move Beyond the Social Network?

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

Last year we talked about how the online shopping extravaganza isn’t just about prices lower than traditional stores – it’s about all the possible risks that irresistible deals introduce, and who is responsible if your credit card or other personal information is compromised in pursuit of saving that extra dollar.

This year we want to offer up some thoughts on why online reputations are a huge component of whether an overall deal is attractive or not.  Clearly, there are countless thousands of legitimate merchants vying for your attention this season.  Some maintain their own e-storefront and work hard to draw visitors via online ads and other high-visibility placements.  These specialists dream of being featured in various Gift Guides.  Martha Stewart’s magazine points to lots of stores which sell things you can still get at Amazon, but the smaller vendors capitalize on the new visitors looking for quality, a good selection of niche products, and the assurance that, if something goes wrong, customer support will be strong and empowered to help.

But what can a vendor do, without a high-profile endorsement or the budget to buy lots of click-throughs?  And how can consumers assure themselves of a site’s legitimacy?

Right now the model relies on social networking – reviews, star ratings, aggregated via an independent forum.  But what stops the credit card issuers, or even the broader card brands themselves, from publishing live dashboards on store credibility?  They know exactly how many complaints, charge-backs and other issues have come up on every merchant, and they know when a single merchant account is being used on multiple storefronts.  They know how long the merchant has operated on that account, and they know all sorts of correlating data points about whether a brand new storefront is more or less likely to be risky.  They could even offer an incentive scheme – jointly paid by the merchant and the card network – to support merchants with a certain quality score via a small additional discount on purchases.

The quality score itself should take into account the longevity of the merchant, how many transactions it has successfully processed (with no issues after 90 days), the average transaction size (either in absolute terms, or as a percentage of the weighted-average price point across all items for sale), the geography of the store’s real address, all that sort of thing.  The score could be provided as a live banner to every storefront’s shopping cart, or the customer could enter the URL of the store in question into a portal and receive an immediate answer. 

The goal, of course, is to reduce fraud.  The card issuers pay for it today, but the trickle-down effects still impact the merchants and the cardholders.  As consumers, we should demand schemes which do validate the quality of our chosen merchants, and reward them for doing things right, rather than simply throwing a fantasy price point on a website and then making up the loss via inflated extra fees, shipping charges, and the like.  And clearly, the charlatans who are outright thieves should be outed as early and as quickly as possible. 

But the consumers still need to take the responsibility of questioning whether an online merchant is still a safe choice.  Just as you probably wouldn’t bother saving five cents per pound on ground beef because some guy was selling it out of an unrefrigerated van in the parking lot of your supermarket, you should question whether the absolute lowest price is sufficient justification to set aside the same common sense you use in the bricks-and-mortar world of retail. 

Happy holiday shopping season, and please share any good stories you encounter via the comments below!

Monday, October 11, 2010

Amazon, Starbucks and Information Security Data – Part #2

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP CISA


In Amazon, Starbucks and Information Security Data – Part #1, I wrote of the dearth of effective and objective information security data.  With the problem identified, the next step is to identify where you can find usable data.

I noted that vendors have a particular incentive to connect the data to the solution they are proposing.  But that doesn’t necessarily mean that all vendor supplied data should be dismissed, simply caveat emptor.

For example, CyberSource, an online payment and fraud management services firm, publishes an annual online fraud report.  It recently released the 2010 edition, which includes detailed fraud metrics based on their empirical data.

In the webinar, Social Media: Malware’s Latest Gateway to Your Network, Vanessa Alvarez of Frost & Sullivan not only shows the results of the Frost & Sullivan study, but also includes the actual data, the quantities, the specific questions, and more. 

In fact, (ISC)2 just announced that it will be using Frost & Sullivan for its 2011 Global Information Security Workforce Study.  The largest study of its kind, it provides detailed insight into important trends and opportunities within the information security profession and aims to provide a clear understanding of pay scales, skills gaps, training requirements, corporate hiring practices, security budgets, career progression, and corporate attitude toward information security that is of use to companies, hiring managers and information security professionals.

Other sources of good data include:

Ultimately, the best data is what can identify what is occurring on your network.  Many enterprises have the tools in place to get that data but rarely take advantage of the power of these tools, leaving a lot of capabilities and insight on the table.

Kevin Beaver, founder and principal information security consultant at Principal Logic, notes that:  “Most of the enterprise-level security tools can provide insight into what’s going on in your environment.  Firewalls, IPS, DLP, vulnerability management, to anti-malware and more; they each serve their unique purpose and can provide valuable data on your current state.”

The industry indeed does have good data; one just needs to know two things — where to find the data and who is behind the data.  Was the data extracted for a Starbucks cappuccino, or via lengthy discussions with an industry expert?

Ultimately, it’s the 90% of poor data that gives the other 10% of good data a bad name.

Friday, September 24, 2010

PCI Community Meeting

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

This week I’ve been attending the PCI Community Meeting in Orlando.  And, as some commentators, like Tracy Kitten at bankinfosecurity.com have noticed, the conference has changed a lot in the last few years.  For me, what was most striking this year was that there were many, many more organizations from Latin America and Asia participating in the meeting and that more than 50% of the feedback to the Council on the new standards came from outside the U.S.  This is good news for the PCI Council and for companies doing business on a global scale.

The other good news emerging from the conference is the emphasis on clarification.  In particular, many sub-requirements have been broken out so that it is clear that each section has to be met and not just the overall spirit of the standard.  The role of the ASV is better defined, and the addition of an Internal Standards Auditor (ISA) qualification is another check and balance on the system.  And as someone who assists customers with understanding their obligations and liabilities with PCI DSS, I was very pleased to hear that the web sites and the FAQs will be refreshed.

A key message from the conference is that security, as BT’s Chief Security Technology Officer Bruce Schneier has said for years, is a process and not a product.  There is no product that will make PCI DSS redundant, and the only realistic path ahead is a layered approach to securing networks combined with good methodologies.  And it was good to hear more discussion surrounding the issue that you can do everything right and be in compliance and yet still have a breach — and how best to solve this thorny issue.  The council is frowning on push-button ASVs, and there is an expectation that the ASV should be working with the customer. The ASV has to sign off on the scan, will now be required to go through training, and will be held accountable.

There are, quite literally, another dozen topics that I’d like to get stuck into discussing from EMV to encryption, not to mention a fascinating analysis of the TJX breach and Gonzalez’s sentencing.  But I’ll be back next week with those stories.