
February 27, 2009

The Threat You Forget

Here's a rare one from me, some Friday Night blogging! Why are you so lucky as to get this? Because I didn't have time to do it yesterday!

In speaking with a customer today, I remembered something that many companies (not this customer) are missing when it comes to building secure and compliant environments. It's really a scope creep issue when you look at it. Unfortunately, a very dangerous one.

What could this mystical threat be? That of core systems. Those systems that provide IT services to the larger server population. Here are a few systems to think about.

  • Domain Controllers
  • Anti-Virus Servers
  • Log Aggregators
  • Patch Management
  • Remote Access
  • Network Monitoring

Why are these a threat? Let's take a look at the special environments you built for your high security areas. Maybe you have some credit card data, so you have a nice little cardholder enclave. HR lives in their own zone (workstations too) because they have LOTS of protected employee data there. Marketing has a little separate area because they collect customer information for their uses. Seems OK right?

Well, all of those areas probably share a common IT infrastructure to function! The Anti-Virus server, for example, pushes updates and commands to agents that run with administrative privileges in every one of those zones. That means that an unpatched vulnerability in that one Anti-Virus server could lead to the disclosure of cardholder data, employee data, and customer data all at once!

Unlikely you say? We've investigated breaches where this very thing has happened. Some common server that is relied on or trusted by protected servers is breached, then the bad stuff happens.

The lawyers, the consultants, and the PR daymare (because the worst parts happen during the day, not at night).

My suggestion to combat this is to do one of two things. Either secure those common servers into vaults (and maybe in their own firewall zones), or duplicate the functionality inside each firewall zone to reduce the impact that compromising a major infrastructure item would have. Keep in mind that duplicating a service only shrinks the blast radius if the copies don't all still trust the same upstream system; a per-zone Anti-Virus server that authenticates to one shared Domain Controller is still one DC compromise away from everything.
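To make the "blast radius" of a shared server concrete, here is a small model you can run against your own zone inventory. It is an added example, not code from the original post; the zone names, service names and trust edges are a constructed sample topology, and the two functions model the two mitigations above (vaulting an upstream service vs. duplicating a leaf service per zone).

```python
"""Blast-radius model for shared infrastructure across security zones.

Added example, not code from the original post. Zone names, services and
the dependency edges below are constructed for illustration.
"""
from collections import defaultdict

# Which shared services each zone relies on (constructed sample topology).
ZONE_DEPENDENCIES = {
    "cardholder-enclave": {"domain-controller", "av-server", "log-aggregator", "patch-mgmt"},
    "hr-zone": {"domain-controller", "av-server", "log-aggregator", "patch-mgmt"},
    "marketing-zone": {"domain-controller", "av-server", "patch-mgmt"},
}

# Shared services that themselves trust other shared services
# (AV, patching and logging all authenticate against the DC).
SERVICE_DEPENDENCIES = {
    "av-server": {"domain-controller"},
    "patch-mgmt": {"domain-controller"},
    "log-aggregator": {"domain-controller"},
    "domain-controller": set(),
}


def reverse_edges(deps):
    """Invert 'X trusts Y' into 'Y is trusted by X'."""
    trusted_by = defaultdict(set)
    for node, targets in deps.items():
        for target in targets:
            trusted_by[target].add(node)
    return trusted_by


def blast_radius(compromised, zone_deps=ZONE_DEPENDENCIES, svc_deps=SERVICE_DEPENDENCIES):
    """Return (affected_services, affected_zones) if `compromised` falls.

    Walks trust edges in reverse: anything that trusts a compromised
    service is treated as compromised too, transitively.
    """
    trusted_by = reverse_edges(svc_deps)
    seen, stack = set(), [compromised]
    while stack:
        svc = stack.pop()
        if svc in seen:
            continue
        seen.add(svc)
        stack.extend(trusted_by[svc])
    zones = {zone for zone, deps in zone_deps.items() if deps & seen}
    return seen, zones


def duplicate_per_zone(service, zone_deps=ZONE_DEPENDENCIES, svc_deps=SERVICE_DEPENDENCIES):
    """Model the second mitigation: give each zone its own copy of `service`.

    Returns new (zone_deps, svc_deps) where the shared node is replaced by
    one node per zone, each inheriting the original's upstream trust.
    Only leaf services are supported; a service other services depend on
    cannot simply be cloned without deciding which copy they trust.
    """
    if any(service in deps for deps in svc_deps.values()):
        raise ValueError(f"{service} is upstream of other services; vault it instead")
    new_zone_deps = {}
    new_svc_deps = {k: set(v) for k, v in svc_deps.items() if k != service}
    for zone, deps in zone_deps.items():
        if service in deps:
            local = f"{service}@{zone}"
            new_zone_deps[zone] = (deps - {service}) | {local}
            new_svc_deps[local] = set(svc_deps.get(service, set()))
        else:
            new_zone_deps[zone] = set(deps)
    return new_zone_deps, new_svc_deps


if __name__ == "__main__":
    for svc in SERVICE_DEPENDENCIES:
        _, zones = blast_radius(svc)
        print(f"{svc:18} -> {sorted(zones)}")
    zd, sd = duplicate_per_zone("av-server")
    print("after per-zone AV:", sorted(blast_radius("av-server@hr-zone", zd, sd)[1]))
    print("DC still shared:  ", sorted(blast_radius("domain-controller", zd, sd)[1]))
```

Run it and the Domain Controller reaches all three zones both before and after the AV server is duplicated, which is the point of the caveat above: duplication fixes the leaf, vaulting fixes the root.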

Now, off to enjoy the weekend. See you for more fun next week!

February 23, 2009

Satellite Hacking on the Cheap

Are you one of the many companies that rely on satellites to communicate with your, uh... satellite offices? We security professionals often ask hard questions about how that data is protected en-route and usually are quickly dismissed with a "Oh, it is too hard to do and would require a six-figure investment in hardware to accomplish."

Well, thanks to Adam Laurie, you can do it for around $1,000!

If you are relying on satellite communications, you should now be asking those hard questions of your provider, and making sure that you have acceptable encryption on those lines preventing someone from intercepting or injecting traffic into that stream.

February 20, 2009

New Data Sheet on PCI Program Management

Ever wonder how you can hit the bull's-eye on the moving target that is PCI? It's possible! Many of our customers are rolling out our program to do this.

You have often heard me talk about our PCI Program Management service that was developed based on our customers asking for ways to sustain compliance and security between assessments. BitPipe now has our PCI Program Management Services data sheet available for download.

Go check it out!

February 19, 2009

Rolling the Dice on PCI

Here's a line you have heard many times--"but wait, don't look at this in black and white. You have to take a risk-based approach." We hear it all the time as a QSA. Sometimes there is a legitimate reason to take a sane, risk-based approach. In fact, the Council tells QSAs that PCI must be applied using a risk-based approach. That allows for some latitude in some areas, but can create problems in others.

Wait... problems? Why problems?

We don't have a single, industry-wide risk model to measure risk. This means that each QSA is empowered to use their discretion on how to measure and accept risk, leading to variance in interpretation and opinion shopping by companies hiring a QSA.

Many companies that are subject to PCI compliance choose to roll the dice on compliance. As a QSA, I have seen some companies neglect certain controls that ended up making the difference in a breach. Things like log management, intrusion detection, and even more basic controls like vulnerability and patch management. The reason for the neglect is usually a lack of resources, be it time or money.

Corporate leaders claim to be risk averse and will tell the Street they manage risk religiously. The truth is, most corporate leaders don't understand how information security plays into the risk equation, therefore they cannot make informed decisions on how to manage risk in that light. In fact, it usually takes something like a breach for corporate leaders to get religion with respect to security.

By then it is too late.

Some QSAs do the exact same thing. If you are a level 1 merchant, and you have two bids for a PCI Assessment at 100K, and two bids at 35K, how are you to choose? Corporate pressures tell you that you need to choose the lowest cost for the service you need. Since there are two bids at the low price, it looks legitimate enough to take the plunge.

So you roll the dice.

Here's what you may not know. Your QSA may be rolling the dice as well! Multiple breaches have occurred in the last two years from companies that had been validated as compliant by a QSA. Again, without speaking directly to those breaches, there has NEVER been a case we investigated where a company was compliant at the time of a breach (with the exception of something like a smash and grab, but those didn't make the news).

If your QSA is phoning most of the assessment in and shows up on site for two to three days to do the entire thing, your QSA is rolling the dice in hopes that you (the assessed company) will do enough to avoid a breach. If you ever reflected upon an assessment and thought to yourself, "Wow, that was surprisingly easy," you might just be the next victim.

My theory on this is as follows: It is probably OK if one of the two parties involved in a PCI Assessment rolls the dice. If a company being assessed does not do a good job of maintaining their compliance, a good QSA review will reveal those gaps. If a merchant is doing all the right things around PCI and has a rock solid security posture, a QSA may dodge a bullet by rolling the dice and doing a half-assed job on the assessment.

Where companies get into trouble is when both the company being assessed, AND the QSA roll the dice at the same time. Depending on the roll, you might be lucky enough to let the risk ride.

In the case of recent breaches, the roll came up Snake Eyes.

February 18, 2009

Payment Security Professional of the Year

It's official, I was selected as Payment Security Professional of the Year by the Society of Payment Security Professionals!

The Society has gained a ton of momentum in the industry and launched their two excellent certifications, the Certified Payment-card Industry Security Manager (CPISM), and Certified Payment-card Industry Auditor (CPISA). If you are looking to get into this industry, or work for a company subject to PCI compliance and have responsibility for PCI, you should have these certifications.

This training is better than the training that we receive as QSAs for a few reasons, but mainly because it covers a much wider base than just PCI-DSS. Anyone that has heard me speak about the negatives associated with a breach and/or non-compliance has heard me say that PCI is not the scariest thing out there. The training covers those scarier items in addition to the basics of PCI.

Thank YOU to all that nominated me and thank YOU to the board for selecting me! I am extremely flattered to be selected for this award!

February 12, 2009

QSA Requal for 2009, DONE!

I'm sitting in my big metal tube ready to depart ORD for DFW. Thank you to the Council for putting together our requalification training! We enjoyed our new trainer, Jeff Foresman, and I thought of several good blog posts for next week.

Don't worry Bob... I won't bust a copyright :)

Look for some posts next week about how things will evolve over 2009, and some thought provoking discussion (hopefully) on the acceptance of risk and rolling the dice!

February 10, 2009

Really Peter? 219K Sites?

I'm not Seth Meyers. I'm not a television star. I don't have a team of writers feeding me stuff on cue cards.

That said....

According to an article by Fred Aun, Peter Alguacil from Pingdom released a report recently suggesting "there are probably 219,000 sites with outdated SSL certificates."

Probably.

Fred, who rounded the original 219K figure from Peter up to 250K in his posting, goes on to describe the "bit of math" that Peter used to come to this conclusion using data from two different sources. First, Netcraft estimates there are one million sites with valid SSL certificates. Next, a report by Venafi released in 2007 suggests 18% of Fortune 1000 sites had expired certificates. So then Peter does the math: since Netcraft does not count invalid certificates, the one million valid sites must be the other 82%, which puts the total at roughly 1.22 million sites and the expired 18% of that at about 219,000 sites.

Really Peter?

That sounds a lot like the math we used to get in the venture capital world during the Dot Com boom. "There are 300 million people on the internet, and if I can get just 1% of those to pay me $20, we will have $60 million in revenue! IT'S SO FREAKING EASY! So your $10 million, no strings attached, cash investment is basically like buying bars of gold and leaving them in a vault! CHA-CHING BABY!"

Are there sites out there with expired certificates? Abso-freaking-lutely. Are they sites that you use every day and trust? Probably not.

Sure, we're all human, and sometimes we make mistakes. If a large company does not single source its certificates through a company like VeriSign that can offer a managed solution to prevent something like that from happening, it is feasible that sites like Google or Yahoo could end up with an invalid certificate for a few hours. It has happened in the past.

The moral of this story is, any time an alert comes up in your browser about a problem with a certificate, you should be wary. There are too many attacks out there to ignore those warnings.

The moral of this blog post is math is great. "Dot Com math" should be questioned.

February 9, 2009

From the Vault

Rick Moy and I sat down at the PCI Community Meeting in Orlando and discussed some of the trends that we see for PCI. While this video was created almost six months ago, the content is still relevant! The audio is a bit low, so you will need to get some headphones or just turn the volume up. There are no mean tricks like a scary zombie screaming or anything, so you should be safe. Just remember, all of your OTHER audio will be much louder too.

Just saying, don't spit out your coffee because Outlook reminded you of something.

February 5, 2009

Does your data flow free?

The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes.

HALF! That is a BIG problem.

Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help!

Yes, VeriSign has a service that does this... OK, shameless plug complete.

Where do you start? In an article that I published last year entitled, "Data Flows Made Easy," I detail an adaptation of the Design Structure Matrix that can be used to help map data flows in your organization. The first step you have to take is to interview your teams and figure out whether the implementation teams, who live in the real world of IT, have built the same system that the designers, who live in their perfectly architected world, created.

The one drawback to relying only on interviews is that you fall victim to the Garbage In, Garbage Out problem. If you have never gone through this type of exercise before, you can be sure that you will have some inaccuracies.

But, when you have gone through the process and have something like Figure 6 in the article, you should find one of the many DLP vendors that have a data discovery feature in their tool to validate that the diagram is complete. Or, you can engage someone like VeriSign to bring in partners and consultants to do this for you.

Trust, but verify.

If you use the data flow method that I have outlined in the article, you will find that your flows are much easier to maintain, and you will spend less time explaining complex Visio diagrams to auditors. Several top, global retailers have taken the concept and converted all of their data flows into this format. It's the first step in our PCI Program Management offering, but could easily be used in any security or compliance program. It's a two-dimensional matrix that is begging for someone to write a cool front end interface.
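Since the matrix is "begging for someone to write a cool front end," here is the back end of one, as an added example that is not the article's method or VeriSign's tool. The systems, the interview-derived flows and the "discovery" findings are constructed sample input, and the layout (rows are sources, columns are destinations, each cell holds the data elements that flow between them) is my assumption about how a DSM adaptation like the article's could be laid out. The diff function is the "trust, but verify" step: it compares what the interviews said against what a discovery tool actually found.

```python
"""Data-flow matrix built from interview results and checked against discovery.

Added example, not the article's own method or VeriSign's tool. The systems,
flows and discovery findings are constructed sample input; the matrix layout
(rows = source, columns = destination, cell = data elements) is an assumption.
"""
from collections import defaultdict

# Flows as documented by interviews: (source, destination, data element).
INTERVIEW_FLOWS = [
    ("pos-terminal", "payment-switch", "PAN"),
    ("payment-switch", "acquirer-gateway", "PAN"),
    ("payment-switch", "settlement-db", "PAN"),
    ("settlement-db", "reporting", "truncated-PAN"),
    ("hr-portal", "hr-db", "SSN"),
]

# Flows observed by a DLP / data discovery run (constructed), same tuple shape.
DISCOVERED_FLOWS = [
    ("pos-terminal", "payment-switch", "PAN"),
    ("payment-switch", "acquirer-gateway", "PAN"),
    ("payment-switch", "settlement-db", "PAN"),
    ("settlement-db", "reporting", "PAN"),       # not truncated after all
    ("settlement-db", "backup-share", "PAN"),    # nobody mentioned this one
    ("hr-portal", "hr-db", "SSN"),
]


def build_matrix(flows):
    """Return (systems, cells): sorted system list and cells[(src, dst)] -> element set."""
    cells = defaultdict(set)
    systems = set()
    for src, dst, element in flows:
        cells[(src, dst)].add(element)
        systems.update((src, dst))
    return sorted(systems), dict(cells)


def render(systems, cells):
    """Plain-text DSM: each cell shows the elements flowing from row to column."""
    width = max(len(s) for s in systems) + 1
    header = " " * width + "".join(s[:12].ljust(14) for s in systems)
    lines = [header]
    for src in systems:
        row = src.ljust(width)
        for dst in systems:
            row += ",".join(sorted(cells.get((src, dst), ()))).ljust(14)
        lines.append(row)
    return "\n".join(lines)


def diff_flows(documented, discovered):
    """Compare interview flows with discovered flows.

    Returns (undocumented, unobserved): flows discovery found that nobody
    documented, and documented flows discovery never saw (possibly stale).
    """
    doc = {(s, d, e) for s, d, e in documented}
    obs = {(s, d, e) for s, d, e in discovered}
    return obs - doc, doc - obs


def systems_touching(flows, element):
    """Every system that sends or receives `element`, e.g. the PAN scope list."""
    return sorted({n for s, d, e in flows if e == element for n in (s, d)})


if __name__ == "__main__":
    systems, cells = build_matrix(INTERVIEW_FLOWS)
    print(render(systems, cells))
    undocumented, unobserved = diff_flows(INTERVIEW_FLOWS, DISCOVERED_FLOWS)
    print("undocumented:", sorted(undocumented))
    print("unobserved:  ", sorted(unobserved))
    print("PAN scope per interviews:", systems_touching(INTERVIEW_FLOWS, "PAN"))
    print("PAN scope per discovery: ", systems_touching(DISCOVERED_FLOWS, "PAN"))
```

In the sample, discovery turns up a backup share holding PANs that no interview mentioned, and shows the "truncated" feed to reporting is carrying full PANs; both change the scope list, which is exactly the half of the data the interviews missed.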

Oh, and to those of you that tried to download the latest Herding Cats and got a Forbidden message, I fixed that, and set the SGID bit on the directory so that should never happen again.

February 2, 2009

Want more information on Heartland's breach?

Anton Chuvakin has assembled three fantastic roundup posts that pull both news articles and prominent bloggers opinions together for a couple of hours worth of reading (if you hit everything). Check them out: