Monthly Archive April 2016

PCI DSS Version 3.2 is released today – so what has made it through to the final cut?

The eagerly anticipated update to the global Payment Card Industry Data Security Standard (PCI DSS) has been released today, Thursday April 28th 2016. This update to the standard has been much discussed in online info security forums and at the PCI events this year. As we already know, the reason for publishing the standard early (it was scheduled for its usual October release) was so that the revised timescales for the removal of SSL and TLS 1.0 could be included, but what else is in store?

Well, as we know, the PCI DSS is considered to be a mature standard now, so it is unlikely that we will see radical changes to the contents and requirements. For those of you familiar with “Moore’s Law” (https://en.wikipedia.org/wiki/Moore%27s_law), the weakening of security ciphers is predictable as computing power increases. This has resulted in the weakening of SSL as a means of encryption, and the development of more complex cryptographic protocols. SSL went through 3 basic versions, culminating in SSL 3.0, which was then developed into TLS 1.0. This version of TLS is also vulnerable to attack as it has the inherent ability to be downgraded to SSL 3.0, thanks to its close relationship with that protocol, which is why TLS 1.1 is the current starting point. So, enough of the cryptography lesson, what else has changed?
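For checking server configurations against the SSL and TLS 1.0 removal described above, here is an added example (not part of the original post or of any PCI SSC material) that audits nginx `ssl_protocols` and Apache `SSLProtocol` lines. The sample configuration is constructed, and the expansion of Apache's `all` keyword is an assumption for a 2016-era build.

```python
import re

# Protocol names the timeline above retires: every SSL version and TLS 1.0.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
# Assumption: what Apache's "all" expands to on a 2016-era mod_ssl build.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)

def enabled_protocols(directive, args):
    """Return the set of protocols a single directive leaves enabled."""
    tokens = args.split()
    if directive.lower() == "ssl_protocols":      # nginx: plain allow-list
        return set(tokens)
    enabled = set()                               # Apache: all / +proto / -proto
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled

def audit(config_text):
    """Return (line_no, directive, deprecated protocols still enabled)."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        weak = sorted(enabled_protocols(m.group(1), m.group(2)) & DEPRECATED)
        if weak:
            findings.append((no, m.group(1), weak))
    return findings

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
server {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak
}
server {
    ssl_protocols TLSv1.1 TLSv1.2;               # meets the TLS 1.1 floor
}
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1
"""

if __name__ == "__main__":
    for no, directive, weak in audit(SAMPLE):
        print(f"line {no}: {directive} still enables {', '.join(weak)}")
```

Note that `SSLProtocol all -SSLv3` still leaves TLS 1.0 enabled, which is the case most often missed after SSL 3.0 has been switched off.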

As technologies move on, the standards have to try to keep pace and this is reflected in some of the changes to the terminology used in the PCI DSS. “2 Factor Authentication” is now replaced with “Multi Factor Authentication”, for administrators accessing the CDE either from internal devices or remotely. That is probably one of the most significant changes for those in scope for a full PCI assessment.

Some further clarification around when PAN should be masked when displayed has also been included along with a completely new appendix aimed at service providers who process payment card data in bulk. It seems that this section will be completed upon request by either a card scheme or an acquirer, so it may take a while for this to filter through, depending on the speed at which the various industry bodies decide to act.

This new section is entitled the “Designated Entities Supplemental Validation (DESV) criteria for service providers”, which details some very sensible ‘business as usual’ activities for these companies. These new validation requirements range from ensuring Board accountability for the PCI environment and ensuring the scope of the secure environment is accurately documented to providing annual PCI DSS training and implementing a regular data discovery program. Each of the validation statements is neatly linked back to the related PCI requirement. The Data discovery program is linked back to the original “Scoping of the PCI DSS environment”, and rightly so as this was often overlooked by many in the industry.
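A minimal sketch of the kind of check a data discovery program runs, combined with masking of any PAN it reports (an added example, not taken from the standard or from the original post). The sample lines are constructed and use well-known test card numbers; the first-six/last-four display limit used in `mask` is an assumption not stated on this page.

```python
import re

# 13 to 19 digits, optionally split by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out most order numbers, timestamps and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep at most the first six and last four digits (assumed display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def discover(text):
    """Return (line_no, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((no, mask(digits)))   # never report the full PAN
    return hits

# Constructed sample data using well-known test card numbers, not real PANs.
SAMPLE = """\
2016-04-28 10:02:11 order=88231 card=4111111111111111 status=ok
2016-04-28 10:02:15 order=88232 card=4111 1111 1111 1112 status=declined
support note: customer read out 5500-0000-0000-0004 over the phone
batch id 20160428100215 processed
"""

if __name__ == "__main__":
    for no, masked in discover(SAMPLE):
        print(f"line {no}: possible PAN {masked}")
```

Any hit outside the documented cardholder data environment means the scope documentation is wrong, which is why the discovery activity is tied back to scoping.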

So, in short, the new version of the standard is out now and is available for download from the PCI SSC portal. Is it ground-breaking? No, probably not but with the standard being as robust as it was already, these changes do hit the mark very well.

You can read the PCI SSC press release here and the standard is available to download from the document library on the PCI SSC website.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

The Emerging Market of Cyber-crime as a Service

One of the greatest misconceptions about cyber-crime is that you need to be a computer geek to be a cyber-criminal. The truth is the cyber-crime industry is starting to function like a normal business, with client-side applications and services allowing users to complete tasks more easily, offering them greater flexibility and efficiency.

Ecommerce sites operating on the Dark Web are renowned for their excellent customer service – really! The operators and users of these sites remain anonymous, therefore it is imperative for them to build a reputation based on customer reviews in the hope of increasing sales.

It then comes as no surprise that a market in Cyber-crime as a Service has emerged, opening a window of opportunities for criminals that are not tech savvy, yet still want to exploit the benefits of illegal online activity.

Cyber-crime as a Service is a market with multiple segments, which include Research as a Service (RaaS), Crimeware as a Service (CaaS), Cybercrime Infrastructure as a Service (CIaaS), and Hacking as a Service (HaaS).

Research as a Service (RaaS)

The sale of zero day vulnerabilities is very valuable on the Dark Web. Once a zero day vulnerability has been identified, the researcher has the option to either exploit the vulnerability themselves, or they could sell it on the Dark Web for someone else to take advantage of it.

Spam services are also offered as RaaS. For some, it is much easier to buy email lists than build them up from scratch. Some spam service providers will also categorise email addresses by region, age or gender for a more targeted approach.

Crimeware as a Service (CaaS)

Malware is sold to criminals on the Dark Web who may not be tech-savvy enough to develop it themselves, allowing them to implement sophisticated attacks. This code has a high value on the Dark Web, and an example of this was seen as early as 2005 when a programmer was hired to develop the Zotob worm, a strain of malware that required an estimated $97,000 per company affected to clean up affected systems.

Examples of the types of CaaS offered include:

  • Trojans – A malicious program that is concealed within a legitimate file to steal user information or login credentials from an infected system;
  • Rootkit services – Surreptitious code that conceals itself within the compromised system and performs actions as programmed;
  • Ransomware services – Software that restricts the user from conducting further activity until a specific action, such as making a payment, is completed.

Cyber-crime Infrastructure as a Service (CIaaS)

Once malware has been created, delivering the exploit is the next stage. Obtaining the required hardware can be both difficult and risky.

CIaaS provides cyber criminals with the necessary hardware to carry out their attack for an agreed rental price. This method is very convenient because the criminal can simply discontinue the subscription once they have completed their task. Furthermore, it is likely to be more cost effective than purchasing the equipment in most cases.

Hacking as a Service (HaaS)

There are two main categories of this kind of service: password cracking and denial of service (DoS).

Password cracking services allow non-technical buyers to obtain a password to an email address simply by submitting the target’s name and email address.

DoS services only require the user to submit the website name they wish to launch an attack on. Service providers will agree a fee for the service, which can be as little as $2 per hour.

Navigating the minefield of info-security compliance

A company trying to navigate the minefield of info-security compliance may think of it as a daunting task. On one side is PCI DSS and Data Protection while on the other looms ISO 27001 / 5. In the distance is the new GDPR and for some, the UK Gambling Commission Security Audit must be considered. Rather than seeing these standards as the minefield, however, think again. The minefield is actually the vast info-security landscape populated with potential pitfalls and dangers, some of which will be expensive to your business in terms of both money and reputation. The standards and audits are your way of navigating successfully. They are the safe ground.

To plot your path to the safe ground you need a clear roadmap. The key is to think long term so it is best to think big. The first step is to maintain an Asset Register so that you know what data you have, where it is and how long you are going to keep it. Also, devise a strategy to ensure that all sensitive data is processed in a standardised way, that it is accurately detailed and that it does not contain any ‘fluffy’ words which might lead to inconsistent interpretation.

Keeping with the minefield analogy, you need to know what you are trying to avoid. Know your threat profile and exert maximum effort in these areas. Consider these questions:

  • Where do you store / process / transmit sensitive data?
  • How valuable is that data to you / to a hacker?
  • Is this data still required for business purposes?
  • Who has access to the data?

One way of doing this is to think about re-creating a security breach and considering how you might do this. Look at the audit log data; can you tell who has access to what and when? Ensure penetration testing has adequate coverage and check the scope of vulnerability assessments. A risk assessment will help make sure that everything is documented and help you to devise an effective strategy. Within your strategy identify which tasks need to be performed on a regular basis and set up a ‘Security Diary’ to schedule them. Remember, a security audit is only a snapshot of an environment at a given time. To keep it effective, ensure that tasks are assigned and performed as required throughout the year.

In certain circumstances, System Hardening profiles can be automated so that new servers or devices can be deployed quickly and securely. Regular maintenance and patching can provide a more stable environment with less risk of failure and greater security. Without this regular upkeep you may only be one ill-conceived change control request away from non-compliance.

How will all this help? Effective info-security can improve working practices and add value to a business. Staff with a better understanding of data security are likely to be able to identify problems more effectively and before they become service-affecting. Diarising what some term as ‘audit tasks’ throughout the year ensures stability and identifies issues in a more timely manner, rather than just at a specific audit time.

Navigating the minefield is made easier by taking it in measured steps rather than running at it once a year. The key here is to know your battlespace; after all, only by having an awareness of where the threats are coming from can you hope to avoid them.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

The reputational benefits of being a Cyber Essentials UK company

Gaining Cyber Essentials certification protects a business’s reputation as well as its cash flow. With over £50 billion in annual online retail sales in the UK, it is becoming increasingly essential for businesses of all sizes to protect their customers from all types of potential fraud. For at the same time as Internet sales have increased, so has the capability of online fraudsters. And with alarmingly regular reports detailing the thefts of both personal and financial data, online shoppers are also wising up to the inherent risks of dealing with companies that do not adhere to recognised online safety measures. Certification as a Cyber Essentials UK company benefits a business’s reputation by demonstrating a robust cyber security stance to its customers.

At a glance, these reputational benefits of Cyber Essentials certification are:

  • It shows your commitment to security; demonstrating to your business partners, regulators and suppliers that you take cyber security seriously.
  • It is a mandatory requirement for government suppliers and for all public service contracts.
  • It enables you to safeguard commercially sensitive data.
  • It protects your company’s profits and reputation by avoiding the financial implications and any negative publicity associated with a cyberattack.
  • It gives you a competitive advantage, particularly in comparison to rivals without accreditation.

So what does Cyber Essentials certification entail? The scheme provides five fundamental technical security controls that an organisation needs to have in place to defend against the most common form of cyber attacks emanating from the Internet. These controls are then independently assessed for Cyber Essentials accreditation.

  • Boundary firewalls and internet gateways; these must be designed to prevent unauthorised access to or from private networks.
  • Secure configuration; ensuring that systems are configured in the most secure way for the needs of the organisation.
  • Access control; ensuring that only those who should have access to systems have access, and at the appropriate level.
  • Malware protection; ensuring that virus and malware protection is installed and is up to date.
  • Patch management; ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

Expert advice will help you to navigate the process in a cost-effective manner and ensure that you achieve full compliance. Anyone wishing for more Cyber Essentials UK company information may view the following resources or contact SRM direct.

Introduction to Information Security Management

Introduction to PCI DSS

 

The real risk of ransomware

“We do not negotiate with terrorists” is a patriotic statement used by many countries. Does this notion still hold when you risk losing your data? The short answer is no. In October 2015, Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s Cyber and Counterintelligence Program, went on record stating that “…we often advise people just to pay the ransom; the ransomware is that good”.

He was referring to ransomware programs like Cryptolocker, Cryptowall, Reveton and other malicious programs that encrypt the contents of a victim’s hard drive, as well as other directories accessible from the infected system.

Ransomware is a form of malware. It works by either holding your entire computer hostage or by blocking access to all of your files by encrypting them. Once infected, a person generally receives a message stating that he or she must pay a certain amount of money, usually $500 or more, within a specific timeframe (usually 24 hours) to get the key that will decrypt their data. If they don’t meet this deadline, their data is deleted. Surprisingly, upon paying the ransom, sometimes the decryption key is actually sent to you and access to your computer is fully restored. Nevertheless this just increases the chances that a victim will pay the ransom.

The lag between the skills and resources of cyber criminals and the skills and resources of law enforcement personnel is evidently getting dangerous. Businesses are increasingly finding themselves in a position where they have to help themselves. Keeping up to date with security updates and patches has never been more important.

To be fair to law enforcement agents, once hackers have your computer hostage, there isn’t much they can do other than give them what they want. However, there are ways of getting around this. BACK UP YOUR DATA. Copy data to an offline hard drive, use a cloud – do anything to ensure that your costs are minimised. If you have to pay $1000 for a decryption key, you might as well buy a new computer and update it with the backup data. Not only do you get a nice upgrade, you play your part in reducing the revenue streams of online criminals.

In most cases, paying the ransom does not guarantee that you will retain access to your computer. However, regularly backing up your files will ensure you have something to fall back on.

In these difficult times, we have seen governments threaten citizens with imprisonment when they have tried to raise money when their loved ones have been held hostage by terrorists abroad. Yet the same law enforcement agents encourage civilians to pay ransoms towards what can be argued to be more sophisticated criminal organisations in the digital world. The cybercrime economy is booming, and the white hats have yet to show that they have it under control. 2016 is set to see the highest rate of ransomware cases. Is it really a good idea to encourage more funding?