Monthly Archive October 2015
Zen and the Art of PCI Maintenance
By Paul Brennecker, PCI QSA, PCI PFI, PCIP, Principal QSA, Security Risk Management Ltd
“Is it hard?”
“Not if you have the right attitudes. It’s having the right attitudes that’s hard.”
Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance
Is it hard to be PCI DSS compliant? Not if you have the right attitude. PCI data security compliance is not about ticking the box on a particular day; it’s about a change of outlook and meticulous ongoing maintenance.
A PCI DSS assessment is like an MOT; it only applies to a given moment in time. Picture this: your car passes its MOT in the morning but on the way home something – even something minor – occurs that renders your vehicle technically un-roadworthy. You know that if you took the same car to the same garage at 5 o’clock on that very same day, it would not pass the test and would no longer comply with the Road Traffic Act. Although you would hold an MOT certificate in your hand, it would no longer reflect the state of your vehicle. Ongoing maintenance is required to keep you safe.
In the same way, PCI DSS compliance requires ongoing maintenance. Of course, we all know that there are some for whom simply ticking the box on an annual basis is their modest ambition. But, like the driver with dodgy brakes, they are almost certainly heading toward disaster. They may be only one ill-conceived change control request away from non-compliance.
Others have been working toward compliance for a long time and have a fully mapped programme of work spanning several years. For these companies, their QSA is like a good mechanic; they not only work to achieve compliance but also offer guidance in security best practice, using their experience to help design policies and procedures that will stand the test of time.
So, what guidance would a good PCI DSS mechanic give you? Given the fact that every business is different, they would certainly tailor a programme of activity to meet your specific needs. But, the principles of good practice remain constant and an awareness of these will stand you in good stead.
Firstly, know your environment. To do this, you should maintain an Information Asset Register so that you know what data you have access to and where it is. Use this information to feed an Information Management System and devise a Payment Strategy to ensure that all payments are accepted and processed in a standardised way. If you know your threat profile, you should exert maximum effort in these areas first but it is also important to establish a Security Diary to make sure that tasks are assigned and performed as required throughout the year.
Compliance should never be seen simply as a tick-box exercise. In fact, certain requirements can actually help to improve working practice and add value to your business. For example: System Hardening Profiles can, in certain circumstances, be automated so that new servers or devices can be deployed quickly and securely; regular maintenance and patching can provide a more stable environment with less risk of failure and greater security; staff with a better understanding of data security are likely to be able to identify problems more effectively and before they become service-affecting; diarising what some term Audit Tasks throughout the year ensures stability and identifies issues in a timely manner, rather than just at MOT time.
For those who have met the PCI DSS standard, there is, of course, the requirement for ongoing re-assessment. There are some differences between the requirements for the initial PCI DSS assessment and those for re-assessment, principally a need to provide evidence to demonstrate activity throughout the preceding 12 months. For example, there is a requirement to show how System Patches are risk assessed and applied as well as how you have assessed and ranked Security Vulnerabilities as they have been discovered.
Re-assessment also requires evidence of at least two firewall reviews as well as how Cryptographic Key changes and Change Control Logs are used to support many aspects of compliance throughout the year. In addition, you must show evidence of how access is granted, amended and removed for users; provide 3 months of recorded data for review; and produce a log detailing all visitors to the site within the previous 3 months.
For re-assessment, logs are also required to show the tracking of information for all media containing payment data; for logging data, 12 months of records are needed and for the System Audit Process there needs to be evidence of how the logs are reviewed and what actions are taken as a result. There are additional results and reports required to be available for review relating to Wireless Scanning, Internal Vulnerability Scanning, Penetration Testing, Policy and Document Reviews and Incident Logging and Response.
Perhaps inevitably, when the requirements for ongoing maintenance of your PCI DSS compliance are so prescriptive, there are a number of common issues that may jeopardise repeat assessments if diligently planned policies and procedures are not being followed. Often staff are not accountable and, as a result, various tasks are not completed. For example, if six-monthly Firewall Reviews are not diarised and no one has been specifically allocated the task, who will remember?
Guidance from a QSA will assist with many of the common problems. Where payment procedures have been introduced that are at odds with the established methods for processing card data, a defined payment strategy is helpful. When there is a risk of critical patches not being risk assessed or applied within the 30-day window, a robust patching procedure is essential to limit exposure to risk. Expert advice will also help streamline processes for vulnerability scanning and the storage of unencrypted card data, which can all too often be found on desktops and servers.
PCI DSS compliance should not be considered an onerous or unnecessary burden, however. If taken to the heart of an organisation it can bring with it untold benefits in terms of efficiency and staff morale. Yet, not surprisingly, few could confidently navigate their way through PCI DSS compliance without the occasional slip up, no matter how much continuous effort they may exert. This is where input from a professional is key. Just as few of us would undertake complex maintenance or repair jobs on our cars (or motorbikes), there are times when it’s best to call in an expert.
The TalkTalk Breach – A Lesson for Us All
By Tom Fairfax, Managing Director, SRM
Whilst everyone has a responsibility to manage their Cyber Security to the best of their ability, no-one is completely safe and, despite our best efforts, we may all be attacked. In practice, there are two sides to this.
It goes without saying that we all have a responsibility to manage our own Cyber Security measures in an appropriate manner. We must remain alert to the fact, however, that despite everyone’s best efforts, there may be a successful attack and we all need to take responsibility for our own resilience.
We can blame third parties who are breached as much as we like – in some cases with reason – but that isn’t going to do us any real good in the short term. Whether we are organisations or individual members of the public, we need to ensure that we have taken the simple steps necessary to ensure that we can respond when the inevitable happens.
Regardless of the detailed causes – which may or may not become clear during the analysis – TalkTalk appear, at this stage, to be managing this issue in a clear and decisive way. Let’s be clear, however, they are not the only ones to be attacked. The TalkTalk breach has been identified – there are many which haven’t. We must all assume that somewhere, our data may have been compromised. That is where we come in as individuals. There are some simple steps that we can all take to ensure that we raise the bar to attackers. Some of these are not as complicated as you might imagine:
- We need to have (kept safely) a list of all of our cards, and the emergency telephone numbers to ring. This information needs to be kept securely in a form that is available when our computers are not. If we are travelling, we may choose to leave these details with someone trusted whilst we are away;
- We need to check all of our bank and card statements carefully and promptly;
- We need to be alert and sceptical. For example, if we are unexpectedly refused credit, this would be a good indication that we should check our credit record for compromise;
- We need to maintain our cyber hygiene (http://blog.srm-solutions.com), keeping our computers protected and up to date, ensuring that we change our passwords regularly, and that we remain alert for suspicious activity.
Hang on, I hear you say – this is old hat! Sadly, this is the world in which we live. We must all assume that, at some stage, our details may be compromised whether directly or via a third party, probably through no fault of our own. We need to be able to take responsibility for our own personal resilience.
If we don’t, we will be vulnerable. If we haven’t taken the common sense measures to ensure we can respond to a problem, we can blame no-one but ourselves.
Email fraud – how to protect yourself from cyber criminals
There have been a number of news reports in recent days about people erroneously transferring large sums of money to fraudsters who have intercepted their email traffic. In one example, a woman received an email, supposedly from the agent handling the purchase of a house on her behalf, informing her that the previous email had given incorrect bank account details and asking her to send the money to an alternative bank account. Everything looked normal and only one letter of the fraudster’s email address differed from the correct one. By the time the crime had been discovered, the money had been divided up into offshore accounts.
But crimes like this are not limited to large sums of money. Even at the level of charities or small community organisations, fraudsters are cutting in on email traffic and misleading unsuspecting individuals into sending funds to alternative bank accounts. Tom Fairfax recently warned the public through his local newspapers in Northumberland but the advice remains true wherever you live.
A recent spate of attacks on email group lists in Northumberland has shown that even ‘low risk’ membership organisations are being exposed to potential fraud and only good cyber hygiene can defend an organisation.
Fairfax says: “There have been recent instances of local mailing lists belonging to ‘low risk’ membership organisations being compromised, exposing their members to attack by cyber criminals. In one Northumberland example, a request for annual subscriptions sent via an open email list was intercepted and false bank details passed to the group members, some of whom paid their (not insubstantial) annual subscription into the attacker’s bank account.
“People assume that once we know their bank details, we can track down the criminal. Sadly it may not be as easy as that; many attackers will use stolen account details belonging to a bank account which has been previously compromised (a ‘mule account’). Funds will then often be swiftly transferred out and through a network of different stolen bank accounts to cover the trail.
“The cyber-crime industry is huge (estimated at nearly twice the size of the global narcotics economy) and it’s not just big organisations who are vulnerable – vast databases of personal and small businesses’ personal and financial information are traded on the “dark web” and used to enable very real frauds. We all have a shared responsibility in making it harder for criminals to steal our information – we might be enabling them to steal from others in our communities.”
If you are part of, or running, a mailing list – even a small one – there are a few simple steps you can take to make it harder to attack:
• Place your address list in the bcc field of the email, not the cc field. This means that recipients will not see it. It also means that any intercepted emails are harder to automatically turn into attack tools. If your list is very big, this may increase the likelihood of your email being swept up by spam filters; in this case…
• Consider using a credible email distribution tool like Mailchimp or Google Groups. These will also make it easier for owners and members to manage the list and reduce the likelihood of attack.
• Don’t send sensitive information over a list. Once an email is sent, it is in the wild and you have no control. If one of your members has been compromised (statistically probable for any list with more than half a dozen members), your information is out there. As a rule of thumb, if you wouldn’t put it on a public noticeboard, then think carefully about how you send it by email.
• Ensure that any machine used to manage the list is properly protected by the appropriate, up to date, security software. This makes it a tougher (though not impossible) nut to crack for the criminals.
• Encourage all list members to ensure that their systems are properly protected with up to date firewalls and anti-virus software and that all system updates are applied.
• If you must send important information, then put it in a PDF attachment with a recognisable letterhead. This makes it harder (not impossible) to subvert.
• Be aware of your responsibilities under the Data Protection Act (we will deal with this in detail in another blog article).
• Ensure all members are aware that an email list in clear view will always be at risk – and apply common sense when acting on email contents… a combination of common sense and sensible cyber hygiene is our best defence.
Fairfax says: “We must always be aware that, however useful the cyber environment is, we are not alone in it – and if we fail to take basic measures to protect ourselves, we will become a resource that is farmed as a commodity by the criminal community.”
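The house-purchase fraud described in this article relied on a sender address that differed from the genuine one by a single letter. As an added example (not part of the original article), the Python code below flags such near-miss senders by comparing the From address against a list of known contacts; the addresses and the two-edit threshold are constructed assumptions.

```python
"""Flag sender addresses that are near-misses of known contacts."""
from email.utils import parseaddr


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: counts single-character inserts,
    deletes, substitutions and swaps of two adjacent characters."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "club" -> "culb".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, known_contacts, max_distance=2):
    """Return (verdict, matched_contact).

    verdict is "known" (exact match), "lookalike" (within max_distance edits
    of a known contact, so verify by phone before acting) or "unknown".
    The display name is ignored: only the real address is compared.
    """
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    known = sorted({c.strip().lower() for c in known_contacts})
    if not addr or not known:
        return ("unknown", None)
    if addr in known:
        return ("known", addr)
    best = min(known, key=lambda c: edit_distance(addr, c))
    if edit_distance(addr, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


# Constructed sample data: a small address book and four From headers.
KNOWN_CONTACTS = [
    "agent@hartley-conveyancing.example",
    "treasurer@village-club.example",
]
SAMPLE_FROM_HEADERS = [
    "Sam Agent <agent@hartley-conveyancing.example>",  # genuine
    "Sam Agent <agent@hartley-conveyencing.example>",  # one letter changed
    "Treasurer <treasurer@village-culb.example>",      # two letters swapped
    "Offers <newsletter@bigshop.example>",             # unrelated sender
]


def screen(headers=SAMPLE_FROM_HEADERS, contacts=KNOWN_CONTACTS):
    """Classify every header; returns a list of (header, verdict, match)."""
    return [(h, *classify_sender(h, contacts)) for h in headers]


if __name__ == "__main__":
    for header, verdict, match in screen():
        print(f"{verdict:9} {header}  (closest known contact: {match})")
```

A "lookalike" verdict is a prompt to confirm any change of bank details through a channel other than email; a genuine new contact with a similar address will also be flagged.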
Improving the odds
Data security in the gambling industry
by Paul Brennecker, PCI QSA, PCI PFI, PCIP, Principal QSA, Security Risk Management Ltd
Complying with the mandatory security regulations within the gambling industry may appear to some to be a pain in the proverbial. Yet, be under no illusions because there is no grey area here: online security compliance is a legal requirement. Simply meeting minimum standards, perhaps grudgingly or under sufferance, however, offers no tactical advantage within the industry because everyone is subject to the same rules.
So, while a practical organisation accepts that these compliance standards need to be met, going a step further and deciding to build enhanced compliance standards into the operational framework is the sign of a pragmatic organisation. This is because enhanced compliance significantly improves the odds in their favour. However, before detailing the advantages of such an approach, it is firstly important to understand the three main standards pertaining to the gambling industry. Like an onion skin, under each layer there is another layer, protecting, at the heart, the interests of customers.
UK Gambling Commission requirements
The UK Gambling Commission states that it is ‘committed to the protection of privacy of personal data’. A full copy of the Data Protection Act 1998 is available on the ICO’s website (www.ico.gov.uk).
The main standard relating to stored payment card data is the Payment Card Industry Data Security Standard (PCI DSS). Gambling firms risk fines, reputational damage and restrictions on processing cardholder data if they, or their suppliers, do not comply with the industry’s standards on storing payment card details.
The UK Gambling Commission has indicated that wherever possible this framework should be followed. Anyone working in PCI knows that ISO 27001 is the inner layer of the onion: the bedrock for compliance.
More and more organisations are now asking for the ISO 27001 approach because its framework has an inbuilt flexibility. Used as a basis, it is possible to use its methodology to manage several compliance programmes and to build security into each layer of operation.
Meeting minimum standards is a basic necessity but surpassing these standards must be an aspiration for all mature organisations. With compliance at the core, it is possible to establish documented procedures which set out clear boundaries. Having developed a strategy with compliance built in, it is then possible to replicate that framework when another product is brought on line, thus making this process much quicker and cheaper.
An example of this is a payments strategy for the whole procedure. Starting with PCI DSS compliance, a robust payments protocol can be used across all new products within the company. It can be replicated in the full knowledge that it will be compliant.
Another example is with firewalls. Having met the highest standard levels from the outset, it is possible to establish firewall protocols, enabling the business to grow in a manageable way without additional risk.
One client in the gambling industry is following this principle and is now able to bring new products online within a fortnight because, while establishing protocols, they have automated much of the process. With this practice of streamlining, standardising and automating protocols there are added inherent advantages: employees know what they should do within defined boundaries which, as well as minimising risk, makes for happier more productive staff.
There are many potential pitfalls when dealing with PCI and compliance in general. The main one is selecting the wrong product; but others include not specifying correctly or misinterpreting the intent of the standards. Using a consultant experienced in the gambling industry reduces these risks while improving the odds of a successful integrated and cost effective strategy.
The Impact of the Safe Harbour Ruling
This week the European Court of Justice ruled that the transatlantic Safe Harbour agreement, which lets American companies use a single standard for consumer privacy and data storage in both the US and Europe, is now invalid.
What is the issue?
Since 2000, the ‘Safe Harbour’ pact has enabled US companies to self-certify that they conform to EU data protection rules. This has been necessary as US data protection legislation does not meet EU standards. In the EU, data privacy is treated as a fundamental human right, whereas in the US, ‘other concerns’ sometimes take priority.
The Safe Harbour pact was designed to provide a ‘streamlined and cost effective’ way for US firms to get data out of Europe without breaking the rules. But Edward Snowden’s NSA leaks showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe. As a result of a challenge in the wake of these leaks, the European Court of Justice has now ruled that personal data may not be transferred to US companies purely on the basis of Safe Harbour certification.
According to the new ruling any organisation that wants to export personal data must draw up and sign Model Contract Clauses (available from the ICO website). This is not just a paperwork exercise but may have significant implications with respect to liability for breaches. US organisations must also now ensure that not only their paperwork, but also their practice, conforms to EU requirements. This will have a significant compliance and assurance overhead for organisations who are party to transatlantic arrangements involving personal data.
There is likely to be a significant amount of contract and legal work to ensure companies fall in line with the legislation. Organisations on both sides will also need to review their compliance frameworks to ensure that appropriate levels of assurance are maintained.
What do we need to do?
The first thing that any organisation should do is to conduct a risk assessment to identify whether any of the personal data for which they are responsible is being stored in the US. If they are found to be exposed, then they should take steps to ensure that appropriate contractual and compliance arrangements are in place to protect the data.