
August 30, 2007

PCI Requirement 8, what about Administrator accounts?

I had a customer ask me if they had to make the Administrator account/password comply with Requirement 8 of the PCI Standards. Requirement 8 deals with assigning a unique ID to each person with computer access to those systems dealing with cardholder data. Specifically, no generic or shared accounts should be used--especially those that are administrators!

The answer is YES, they must comply with the requirements. What does that mean from an operational standpoint?

We see customers attack this from various angles. For corporate systems, they typically just disable the Administrator account and put special alerting in place to see if it is ever used (as in: something bad is happening, go deploy the cavalry).

In the case that you have a non-directory setup, things become much more painful. You are essentially looking at deploying a password escrow type service where no one person knows the password, only the system does. Passwords are then checked in and out and stored in a secured area (think of a vault) with appropriate logging. Essentially, if someone uses that account, you want to be able to prove which individual used it, since the logs will just say "Administrator" or "root."

More than half of the customers we deal with have directory services deployed to all systems, albeit in many cases multiple directory services. In one case, a customer standardized completely on Active Directory and RACF. All Unix variants pointed back to LDAP via Active Directory.
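As an added illustration (not code from this post), here is how the two mechanisms above fit together: a small Python check that walks constructed Windows- and sshd-style logon lines, flags any use of the generic Administrator or root accounts, and attributes each use to the individual who had the credential checked out of an assumed escrow ledger, leaving unattributed uses as the alert cases. The log formats, hostnames and people are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the original post): two Windows
# security-log style logons and two Unix sshd-style logons.
SAMPLE_LOGS = [
    "2007-08-30 09:14:02 host=DC01 EventID=4624 Account=Administrator Logon=Interactive",
    "2007-08-30 09:20:41 host=db01 sshd: Accepted password for root from 10.0.0.5",
    "2007-08-30 11:02:13 host=db01 sshd: Accepted password for jdoe from 10.0.0.7",
    "2007-08-30 23:45:00 host=DC01 EventID=4624 Account=Administrator Logon=Interactive",
]

# Constructed escrow ledger: (account, person, checked_out, checked_in).
ESCROW_LEDGER = [
    ("Administrator", "alice", "2007-08-30 09:00:00", "2007-08-30 10:00:00"),
    ("root", "bob", "2007-08-30 09:15:00", "2007-08-30 09:30:00"),
]

GENERIC_ACCOUNTS = {"Administrator", "root"}
TS = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(\S+) "
    r".*?(?:Account=(\S+)|Accepted \S+ for (\S+))"
)

def parse_logins(lines):
    """Yield (timestamp, host, account) for each logon line that parses."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield datetime.strptime(m.group(1), TS), m.group(2), m.group(3) or m.group(4)

def attribute(logins, ledger):
    """Map each generic-account logon to the person holding the checkout at
    that moment; holder is None when nobody had it checked out."""
    results = []
    for when, host, account in logins:
        if account not in GENERIC_ACCOUNTS:
            continue
        holder = None
        for acct, person, out, back in ledger:
            if acct == account and \
               datetime.strptime(out, TS) <= when <= datetime.strptime(back, TS):
                holder = person
        results.append({"when": when.strftime(TS), "host": host,
                        "account": account, "holder": holder})
    return results

def unattributed(lines, ledger=ESCROW_LEDGER):
    """The alert condition: a shared account was used with no checkout on record."""
    return [r for r in attribute(parse_logins(lines), ledger) if r["holder"] is None]
```

Every entry returned by unattributed() is one the directory-style approach would page on, since a disabled Administrator account should never produce a logon at all.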

August 29, 2007

WDOCD: Secure Tape Destruction

For our VERY FIRST installment of "What Do Other Companies Do" (WDOCD), Randy Smith has asked the following:

"What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data). To my understanding PCI does not provide a specification.

What standard seems to be "secure enough" for older tapes potentially with unencrypted data?

Do you feel that standard is OK to relax when all the account number data is encrypted?"

Excellent question Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies from using a bulk eraser, to pulling out the DeWalt and drilling a hole right through it (yes, one company we have done work for does exactly this after a bulk erase), to enlisting a third party media destruction firm, to transferring the media back to the manufacturer for analysis and destruction. A quick search on YouTube will show you many more creative methods to destroy these devices (though not recommended by this humble security consultant).

Specific to PCI, the only destruction standards mentioned are ISO standards that have nothing to do with destruction at all. Slight oversight that we hope will be corrected soon.

What is actually required is some method to destroy the data or media such that the data cannot be recovered. Small tape strips are a minor risk, but incineration or shredding seems to be the best method to ensure the data is not recoverable.

For tapes where the account number is encrypted, I do believe a relaxed method would be appropriate. In fact, if you filled a FedEx truck with tapes of encrypted data, and then left it in the open for people to take those tapes, you would not be required under state laws (today) to notify the affected individuals! The card associations might take a different view of this of course.

The answer: For unencrypted tapes, be sure you do a very thorough degaussing before taking them to your vendor for physical destruction. This will ensure that any leftover fragments will not have any data on them to recover. For encrypted tapes, shredding with 3 to 6" tape strips left over should be acceptable.

Thanks for the question Randy! For your time, keep your eyes open for a little gift from us!

August 24, 2007

What Do Other Companies Do?

Well folks, it's time. Yes, I've been running this blog for a whopping month or so, and I just want to see if anyone is reading. So far, the only comments that have been submitted are those for "Biagra" and some "Hot New Penny Stock" that promises to make me rich beyond my wildest dreams. While those are certainly enticing links, I think we could make this much more productive.

What I'm looking for is to play a game called "What Do Other Companies Do" (similar to "Spin the Topic Wheel" for any P1s out there). Essentially, I'd like you to email questions to TheSecurityBlog@gmail.com asking how other companies address various security practices. For example, "What do other companies do related to code review of applications?" For those of you interested, the short answer is "not much."

There are a ton of good questions out there and we have a ton of inside knowledge we can share, so let's get to discussing!

RSS Feed for this Blog

Please use the following link for the RSS feed for this blog. Waiting on the developers to update the one on the bottom left....

http://feeds.feedburner.com/BrandenWilliamsSecurityConvergenceBlog

August 23, 2007

PCI News Flash! Portuguese & Spanish Translations!

Well they are finally done! The PCI Security Standards Council has released the Spanish and Portuguese versions of the PCI Standards and Security Auditing Procedures.

Visit https://www.pcisecuritystandards.org/tech/supporting_documents.htm for more info!

August 22, 2007

More Strategies for Eliminating Cardholder Data

Greetings folks. My new article entitled "More Strategies for Eliminating Cardholder Data" has now been published on the VeriSign website. This is an expansion of my previous article, which primarily relied on hashing. Based on clarifications from the card associations, hashing is not a silver bullet (do you know of any that are?) and hashed data is still considered cardholder data. The real risk is that rainbow tables can be created if someone knows how the hash is created. Since the keyspace is so small, the rainbow table creation is rapid.

This article expands that and takes a more holistic approach to data elimination and talks about many other strategies. It does not address the culture shift question that someone pointed out to me at an ISSA Meeting in Dallas yesterday, but that is for another time.
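As an added illustration (not from the article or the post), here is the arithmetic behind "the keyspace is so small": with the six-digit BIN known and the Luhn check digit forced, a 16-digit PAN leaves only 10^9 candidates to tabulate. The keyed-hash contrast is this editor's addition to show what "knowing how the hash is created" buys an attacker when the hash has no secret input; the PAN used is the well-known test number, not real data.

```python
import hashlib
import hmac

def luhn_ok(pan: str) -> bool:
    """Luhn check: true if the digit string carries a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def candidate_space(pan_len: int = 16, bin_len: int = 6) -> int:
    """How many PANs remain if the BIN is known and the check digit is forced.
    Issuer BIN ranges are public and Luhn fixes the last digit, so only
    pan_len - bin_len - 1 digits are actually free: 10**9 for a 16-digit PAN."""
    return 10 ** (pan_len - bin_len - 1)

def plain_hash(pan: str) -> str:
    """Unkeyed hash: anyone who knows the algorithm can precompute the table
    once and reuse it against every hashed PAN they ever see."""
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC): without the key the candidate space cannot be
    pretabulated, so the table would have to be rebuilt per key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def table_is_reusable(pan: str, key_a: bytes, key_b: bytes) -> bool:
    """Constructed check: does the same PAN map to the same digest under two
    different keys? For HMAC it does not, which is what defeats the table."""
    return keyed_hash(pan, key_a) == keyed_hash(pan, key_b)
```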

August 20, 2007

Knowing Your Data Flows

Going to privacyrights.org will clue you into a large cause of data breaches--the stolen laptop.

This type of incident is a repeated example of why knowing where data lives in your enterprise is so vital. When we are called into a customer for PCI consulting services, rarely do we see a holistic approach to understanding data flows. There are certainly experts who know their part, and 80% of the time they are right on. But they often lack an over-arching perspective of the data flows, and are unaware of data flows that lie outside of their bailiwick. The level of documentation required for overarching visibility is considerable, but it is also extremely valuable. Imagine being able to see the entire picture at once and instantly be able to identify risky areas or understand how a new service or acquisition could compromise security.

Of course, someone violating policy will not show up on a formal diagram. How do you protect against the outliers?

Several companies including (but not limited to) Tablus, Vontu, and Verdasys have taken a focus on locating and tracking data, from credit card numbers to personally identifiable information to intellectual property, throughout a corporate network and its workstations. Using this data in conjunction with that magical map can help point to high risk areas as well as policy violations. These are not the end-all solution by any means, as education and awareness can be just as effective against the "honest mistake" type of breach. It is a key piece of the Layered Security strategy your company takes.

Why are these tools not the end-all solution? They will help prevent the accidental exposure, but will not prevent the sophisticated insider from siphoning this data off site. If data flows are encrypted, for example (by say an SSL VPN), many of the data flow analysis tools fall down because they cannot see inside the stream. You can always block all encrypted traffic, but if you allow people to browse out to an SSL site, you may be allowing this data to leave without your knowledge. It also may not cover USB drives, iPods, or other temporary storage if it is not mounted at the time of the scans. USB drives have long been a debated topic, for good reasons.

The moral of this story: really begin to think about the data.

August 17, 2007

Visa Slows Compliance Acceleration Program's Penalties

eWeek is reporting that Visa has announced it is relaxing the fine and fee deadline of September 30th.

Essentially, what this means for non-compliant merchants is that the proposed interchange rate hikes are lessened to simply say that non-compliant merchants will not be eligible for the "best available" tiered interchange rates. However, non-compliant retailers are still facing costs potentially in the millions by not being able to qualify for lower rates during the ever important holiday shopping season.

August 02, 2007

PCI SSC Announces Milestone & German Translations

I know, I know... You guys JUST finished reading my previous post and now I'm posting something about PCI.

The PCI-SSC released two items of note today. The first is that their participating organization program has surpassed 275 members. When you look at the list of members, there are some pretty impressive names up there! The first big summit is scheduled to be in September.

In addition, the German translation of the PCI-DSS has been released. This brings the total translations to 6.