Branden Williams' Security Convergence Blog

Two weeks ago, we released our recent study on why companies are failing PCI. We based our report findings on 60 recent PCI assessments involving 50 different large companies. Since then, there have been multiple media outlets that have picked up and commented on the report. One in particular I'd like to review is an article by TechTarget (which interestingly enough, now has a new title).

When Keith Gosselin of the Biddeford Savings Bank in Maine was told that our report showed that nearly half of the companies are failing requirement 11.2 (quarterly scanning), he stated, "It surprises me how high that number is." I think this was a big shocker for us as well, but after letting the shock wear off, we created a couple of hypotheses around why this is failing.

1) Companies fail this because they are doing quarterly scanning, but are not scanning until they receive a clean scan (as required by PCI Requirement 11.2). Having an automated process run is pretty easy to do, but you also must remediate and rescan. Many of our customers did not close the loop.

2) Companies are not properly scanning internal systems. When we started this process many years ago, it was typically out of the IT or Security groups. Now we are working for the office of the CFO in most cases. Back then, most companies had at least 1 guy who could get a halfway consistent Nessus engine running. Today it seems priorities have changed, but someone forgot to set up an outsourced partner to do this. VeriSign currently partners with Qualys to perform this service (both internal and external scanning).

The other thing he mentioned was that he was shocked companies did not understand their data flows. Until recently, PCI has had a much more reactive and tactical effect on our customers. Now that some companies have seen the light and understand this type of compliance requires a programmatical approach, they are beginning to get to the root of the problem--the data. They know they have to find it, and then secure it. Surprisingly enough, it is a rarity that a payment system in a company is so simple that someone knows it from start to finish. I can think of a couple of examples out of the hundreds we have done. Knowing where your data lives is something I've discussed before, and will continue to be a struggle for companies as they grow.

My favorite comments in this article are from Roger Nebel, Director of Strategic Security for a consulting firm in DC. He states that the report doesn't always account for some critical differences and inter-relationships between a threat, a vulnerability, and an asset, all of which result in some level of risk.

Yep, you hit the nail on the head!

I do want to make a slight correction, however. The perceived problem is not with the report, but with the standard. In fact, there was a gentleman at the recent PCI Community Meeting with specific feedback for the council on creating a quantifiable method to calculate risk. While I seriously doubt that the council will want to create such policy around the standards, it is a valid point for those folks who are focused on doing the absolute minimum. The absolute minimum is sometimes a reality, but for those folks that complain that PCI is a moving target, I suggest they might want to strive for something north of the minimum so they are not continually chasing compliance like a cat chases a mouse.

Finally, Nebel took issue with our finding that clients who passed requirement 6 of PCI DSS still have applications at risk. My thoughts on this is that he was either mis-quoted, or he is not familiar with the PCI DSS. Specifically, if you look at the current version of PCI, requirement 6.5 lists the former OWASP Top 10. This year, OWASP released an updated version of the Top 10 which is still just a subset of the total number of application vulnerabilities that you might be able to find on any given day.

Granted, I think Nebel's point is that if you have a super-sexy Software Development Life-Cycle (SDLC), you should not have application vulnerabilities in the first place. PCI does not require, nor does it address fully, something like that. It just requires that security is baked into the SDLC, and it does not account for human error. After all, we are all people running this process. You can detail it all day, but that does not prevent someone from inserting some cryptic looking code that opens up a vulnerability.

PCI is trying to build a baseline, and baselines are good, but do not eliminate risk. Even if you take a conservative view on the standards, you still have risk in your applications if you fully meet requirement 6. Maybe that's another story for another time.

(Note, some sections of this post were taken from the TechTarget article to provide a common ground for comments. The full article for your reference is available at http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1273153,00.html.)

Posted by Branden Williams at 10:16 AM | Permalink | Comments (0) | TrackBacks (0)

This one still amazes me every time I see it happen. I would think that by now, people would try to understand what they don't know so they can deal with it.

I am dead wrong.

I'd like to reflect back to a conversation I had with an Information Security Director in a prominent company in the transportation industry. The reason why the industry is important here, is we met with this individual after the 9/11 attacks. Most people in the transportation industry were hyper-sensitive to security at the time.

We went in and were pitching enterprise security intelligence services--something that might be relevant to this individual. This individual welcomed us into an office, allowed us to talk about this service for 20 or so minutes, and then looked us in the eyes and said with a straight face...

"This service looks great, but I don't want to know about threats out there because if I know about it, I have to do something about it."

....

I could imagine some guy at a 5 man shop saying that, but this is a major company we are talking here. I don't know if I held it together in front of the individual, but I was shocked to say the least.

This incident relates to the current corporate mindset in many companies today. If I don't know about it, I don't have to do anything, therefore I have plausible deniability. The hard problems are there to be tackled, not ignored. So go get 'em fella!

Posted by Branden Williams at 06:33 AM | Permalink | Comments (0) | TrackBacks (0)

In an effort to continue to boost compliance, Visa USA is now publishing a report that details their merchant compliance by level. According to my contacts inside Visa USA, this list will be updated on a monthly basis. We are all expecting the numbers of compliant Level 1 & 2 merchants to increase as fine deadlines approach.

Posted by Branden Williams at 12:01 PM | Permalink | Comments (0) | TrackBacks (0)

I recently did some work for a customer that had an interesting perspective on the physical security of devices. We were talking about putting some specific controls in place to hold encryption keys, and when we mentioned that we could put them on little USB sticks (not an HSM, but think like that), they said "Oh, if we do that they will disappear from the stores."

Employee or customer theft of devices sure does not come up as something we deal with every day.

This particular company ran largely a cash-based business, and had a very small group of customers that paid by credit card. They were actually considering completely dropping all credit card acceptance because of the added risk they took on. The nature of this customer's business includes high turnover.

When asking more about the physical security component, they built in some component of "acceptable loss" into any purchase going into their stores. For example, RAM would regularly be stolen out of PCs placed in stores. Part of their decision making process to purchasing equipment was based on how easy it was to steal, and what the replacement costs were. Meaning, they had built in an acceptable loss component into certain purchases for IT.

That was a unique perspective. For them, it is cheaper long term to just buy equipment that is hard to steal than it is to build physical security into pieces of their infrastructure.

Posted by Branden Williams at 06:51 AM | Permalink | Comments (1) | TrackBacks (0)

The PCI-SSC announced today (ok, the date says Tuesday, but it was not posted until this morning) that they are adding PIN Entry Device (PED) security requirements into their domain of responsibility.

Posted by Branden Williams at 01:23 PM | Permalink | Comments (0) | TrackBacks (0)

One of the big problems with building a business is ensuring that processes & procedures scale. Information Technology programs are no exception. We spend as much time as we can building in automation such that our precious resources are not consumed repeating a task over and over.

Security is no different.

In fact, there are several tactical security tasks that require strategic planning in order to scale them. For example, patch management tends to be a big issue for many companies, especially retailers. How do I create a system that allows me to do massive patching with limited (if any) downtime? How can I ensure a high rate of success? How do I keep exception management to a minimum?

We work with several large companies that deal with this on a daily basis. Ultimately, when faced with a deadline, companies are more likely to react with a tactical solution (let's hire 100 contractors and go run Windows Update) as opposed to investing the time & money to make a viable long term solution that scales. Cost is definitely an issue, but long term gains are to be had with strategic security and IT planning.

What are some other areas that have issues with scale?

1. Identity Management
2. User Provisioning
3. Hardware Provisioning
4. Software Deployment

Branden says: "Include the ability to scale and meet the needs of the organization's growth for current and upcoming projects!"

Posted by Branden Williams at 06:51 AM | Permalink | Comments (0) | TrackBacks (0)

Late last night (well for me in Central time), Visa posted a new brief on their CISP website regarding eliminating the storage of prohibited cardholder data. Essentially, this is just another data brief explaining how to look for and remove prohibited data. Prohibited data as defined by the PCI Data Security Standards, Requirement 3.2, includes such things as CVV/CVC Data (as found in the magnetic stripe of the card), CVV2/CVC2/CAV2/CID (3 or 4 digit code in the signature panel or front of the card), and the PIN or PIN Block. According to the brief, there has been a number of compromises recently where prohibited data was stored.

For more strategies on eliminating cardholder data, please read my paper entitled "More Strategies for Eliminiating Cardholder Data".

Posted by Branden Williams at 05:05 PM | Permalink | Comments (0) | TrackBacks (0)

This episode of What Do Other Companies Do is typed before a live studio audience. The question comes from Bill of Jack's Joke Shop (Remember, "If it ain't funny, it ain't worth jack!"), and he asks:

"We're looking for a large file transfer solution that will secure data in-transit. We have a small I/T shop and Help Desk and do not have the capacity to handle user provisioning & management for a solution, and really don't want to start managing a file repository with aging requirements. Like most companies, we are subject to various compliance initiatives such as PCI, HIPAA, and GLBA, but our top management has asked us to exceed compliance baselines where possible.

What do you see other companies doing to attack this problem?"

Excellent question Bill. Many companies struggle with file transfer systems for various reasons. Most large file transfers are automated and handled with various forms of secure file transfer like SFTP/SCP (which requires software on both ends of the connection) or Pretty Good Privacy (PGP). For those tranfers that are ad-hoc or smaller, email is a dangerous solution by itself. It's very easy to drop a file as an attachment to an email, but unless you add additional security features to the message, the information is no longer safe. You should only put things in email that you would be comfortable telling someone face to face in a crowded Starbucks.

Several companies have created solutions to assist in providing secure file transfer solutions that are low maintenance. Some solutions started with a focus on email such as Tumbleweed, Voltage's SecureMail, and ZixCorp's ZixMail. That said, most of those companies also offer non-email based file transfer solutions. Another company of note is Accellion that provides a combined product that hooks into Outlook or Lotus Notes with a plug in and also focuses on secure file transfer management with an appliance for files that just don't need to be sent via email (think size constraints).

Some of these solutions can exceed SOME baseline requirements (these solutions just appear to meet PCI Requirement 4, not exceed), but your mileage may vary depending on exactly how it is implemented.

There are other products as well (thank you Google!), but the ones mentioned above are ones that this consultant has seen in use at various companies, large and small.

Thanks for the question Bill! And here's a guy that needs to visit your shop!

Posted by Branden Williams at 08:00 AM | Permalink | Comments (0) | TrackBacks (0)

This month in Harvard Business Review, we finally get a case study that applies to Information Assurance! "Boss, I Think Someone Stole Our Customer Data" ($4 PDF) tells a story that many CEOs fear, and some can give you a first hand account about--a breach of customer data.

While the case study does speak in some general terms, it is an excellent table-top exercise to run through during your regularly scheduled incident response plan test. This exercise should include various functional groups such as Legal and Marketing in addition to the traditional security or information technology employees. The case study is written in general terms, and can be used multiple times as the law changes.

Posted by Branden Williams at 07:24 AM | Permalink | Comments (0) | TrackBacks (0)