Monthly Archive March 2016

Does Bitcoin threaten economic and business security?

Bitcoin is arguably the biggest shift in digital enterprise since the beginning of E-commerce – and has proved to have the potential to make even bigger changes to our everyday lives.

The world’s first cryptocurrency introduced the concept of a limited, decentralised, digital asset. This changes business, crime and the power of jurisdiction as we know it.

Bitcoin is a digital currency that is created and held electronically using a mathematical algorithm. New Bitcoins are generated by a competitive and decentralised process called “mining”. This process means that individuals are rewarded by the network for their services. Bitcoin miners are processing transactions and securing the network using specialised hardware and are collecting new Bitcoins in exchange.
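The "competitive" part of mining is a proof-of-work search: a miner repeatedly hashes a block header with a changing nonce until the hash falls below a network-set target. The following is an added illustration, not code from the original article or from Bitcoin's own software. It simplifies the real header to an arbitrary byte string, expresses the target as a number of leading zero bits (the hypothetical difficulty_bits parameter), and uses double SHA-256 as Bitcoin does.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the hash, read as a big-endian integer, is below 2**(256 - difficulty_bits).

    Equivalently, its top `difficulty_bits` bits are all zero. A higher
    difficulty_bits value means a smaller target and more expected work.
    """
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Search nonces until header||nonce hashes below the target.

    Returns (nonce, digest) on success, or None if max_nonce is exhausted.
    Expected work is about 2**difficulty_bits hash evaluations, which is why
    whoever has the most hashing power is most likely to find the block first.
    """
    for nonce in range(max_nonce):
        digest = sha256d(header + nonce.to_bytes(4, "little"))
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, regardless of how long it took to find."""
    return meets_target(sha256d(header + nonce.to_bytes(4, "little")), difficulty_bits)


if __name__ == "__main__":
    # Constructed stand-in for a block header; real headers carry the previous
    # block hash, the Merkle root of the transactions, a timestamp and the target.
    header = b"prev=0000...example|merkle=example|time=2016-03"
    nonce, digest = mine(header, difficulty_bits=16)
    print(f"nonce={nonce} hash={digest.hex()}")
    print("verifies:", verify(header, nonce, 16))
```

The asymmetry between mine() and verify() is the whole point: every node can cheaply check that a miner did the work, so no central issuer is needed to decide who earned the new coins.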

Bitcoin is a limited currency. As of March 2016, just over 15 million Bitcoins (out of a possible 21 million) have been mined. This means there is approximately 27% of Bitcoins left to mine before mining stops for good. Simple economics will tell you that where supply is limited and demand is high, value is likely to increase considerably.

High demand is almost guaranteed due to the unique characteristics that Bitcoin offers. Like no other currency in the world, Bitcoin lacks any sort of centralised control over funds. In addition to this, the ability for transactions and accounts to remain anonymous is a valuable characteristic to many people.

Admittedly, it is expected to be popular with cyber criminals that operate on the dark web as this payment method has made them virtually untraceable. Furthermore, the lack of a centralised bank overlooking this technology means retrieving unlawful funds is near impossible. The digital aspect of it also means that no jurisdiction has power over it.

Think about it – if your company becomes the victim of a financial breach, once those finances are converted to Bitcoin, they are as good as gone.

Another aspect that adds to its value is the fact that many high street brands now legitimately accept Bitcoin. Big names like Dell, Microsoft and Expedia all seem to believe in the future of this currency.

Getting your head around cryptocurrency couldn’t be more important – it is changing how we do business, the extent to which the law can protect us and the values of our economies. Other cryptocurrencies have been introduced to market since Bitcoin was launched – some are even more untraceable, a lot easier to mine and have even greater security (Dash, Litecoin and Primecoin to name but a few). It really does take businesses to a new level of globalization.

Ensuring your organisation is ready for the change could not be more critical.

Who are the cyber criminals – hackers or attackers?

There was a time – back in the halcyon days of the 1990s – when cyber criminals and cyber security were so much simpler. At that time, anti-virus software and firewalls provided an adequate defence against hackers whose attempts to breach security could be described as more annoying than dangerous. Things changed in 2000 when the masterminds behind the Love Bug virus stole $410 billion from 20 different countries.

In 2016, the complexity and threat from cyber-security attacks continue to accelerate. For while cyber defence is light years on from those early days, the sophistication and expertise of hackers have multiplied in more than equal measure. In fact, the term ‘hacker’, with its connotations of a lone student making mischief in his bedroom, no longer seems appropriate.

The Office for National Statistics has produced statistics for the first half of 2015 (released in October 2015) which reveal that more than 5 million cybercrime incidents occurred in the UK during that period. This type of crime represented 20% of Britain’s total economic crime in 2014 but the figure has exploded to 44% in the first half of 2015. And 72% of these cyberattacks came from organised crime gangs within the UK. So is it time to dispense with the term ‘hacker’ entirely and replace it with some more specific categories of attacker or refer to them all as cyber criminals?

Not necessarily. Most cyber crimes are still committed by individuals or small groups. But an individual who offers a product online and does not send it, or someone who pretends to be someone else in order to elicit private information for blackmail purposes; these are cyber criminals too. But while they are undoubtedly unpleasant individuals, they do not represent a risk to large corporates or organisations. The risk to business comes from attackers with more elevated ambitions. So just who does pose a threat to an organisation: who are the attackers?

‘Pranksters’ is a name sometimes given to those who hack into systems for fun. An example is the infamous cyber group called LulzSec, whose members were studying computer sciences at college. Their name was based on their desire to ‘laugh in the face of the victim’s security measures’ but it was no laughing matter. In 2011 LulzSec took part in an Internet-wide attack on Sony, carrying out DDoS attacks and allegedly stealing source code from the Sony Developer Network.

A second group could be referred to as ‘attackers with a cause’. They usually have a political or social cause and usually operate as a small or loosely connected group of criminals. Similar to these are the ‘nation state attackers’ who also serve a cause and are often the most technically advanced of the type. One recent example of nation-state attacks happened right under the nose of a major cyber security firm, Kaspersky Labs. Kaspersky reported that Stuxnet and Duqu malware entrenched themselves in an effort to leech information about nation-state attacks that were under investigation as well as data regarding the detection software that can mitigate attacks. These attackers also present a threat to organisations because their political objectives are well-served by generating income from cybercrime in countries other than their own.

The fourth group, however, is the one that presents the greatest threat to organisations; they are the ‘super criminals’. Lacking any social or political agenda, they tend to work slowly and methodically, mimicking existing IT processes to ensure they aren’t detected until it is too late. They take advantage of any opportunity. There have been reports of cyber criminals flooding Brazil with malware disguised as a guide on how to treat the Zika virus.

As well as being unprincipled, large professional organised crime groups find new ways to commit old crimes, treating cyber crime like a business and forming global criminal communities. Criminal communities share strategies and can combine forces to launch co-ordinated attacks. They are difficult to crack down on as the Internet enables people to act anonymously from any location on the globe. Crime laws are different in every country too making it more complicated to bring criminals to justice if they launch an attack in another country.

One of the most high-profile examples was when ‘super criminals’ stole 40 million credit/debit card details from Target. It cost Target $4,200 million to replace compromised cards and it is estimated the criminals generated $453.7 million for themselves. Big businesses like Home Depot, Sony Pictures and JP Morgan Chase were also breached in 2015 through super-criminal attacks.

Identifying the instigator of any breach is part of the forensic investigation process but for the moment the important thing to remember is that most breaches are the work of intelligent and motivated attackers, who are cyber criminals and not hackers.


PCI DSS is a useful tool in GDPR compliance

By Paul Brennecker, Principal QSA, PCI PFI, PCIP

The countdown to European-wide data protection is on. But while some businesses will be anxious about how to ensure compliance with the new GDPR regulation by 2018, those that are already PCI DSS compliant, or heading that way, are more than half way there and can use this existing framework to build GDPR compliance into their operating systems.

When John Lennon said, “Imagine there’s no countries…” he was unlikely to have been thinking of data protection or the borderless reach of cloud computing and the global economy. But he could have been, because national borders and individual legal systems do not apply in this era of global data storage. So it is inevitable that borderless regulations are being enacted to counter security issues regarding personal data. PCI DSS already recognises that national borders or laws are not relevant, and the General Data Protection Regulation (GDPR), which is due to come into force in 2018, goes one step further.

Although there are still some additional bodies that have to approve it, the EU Parliamentary committee for civil liberties, justice and home affairs voted positively in December 2015 to accept and implement GDPR and because it will be a regulation it becomes law across all member states as soon as it is fully approved. There will be a single Data Protection Authority rather than the 28 existing authorities in Europe. There is no need for member states to create a local law to enact it.

The important thing to bear in mind at this stage is that the GDPR, although far-reaching and enforceable, is less prescriptive than the PCI DSS standard that already exists. GDPR provides detail about what needs protecting but little in the way of an actual action plan. PCI DSS on the other hand offers a detailed framework upon which to build. The two complement each other and GDPR compliance will be best enacted alongside the existing PCI DSS.

The first challenge is for entities to understand what personal data is processed and how to protect it. The GDPR goes into considerable detail on this. Personal data is “any data relating to an individual, whether it relates to their private, professional or public life.” This can be anything from a name, photo, email address, bank details, payment card number, mobile phone identifier (IMEI code), computer IP address and even posts on social networking sites.

Data Discovery forms an essential part of this. As part of our work as QSAs we regularly see examples of stored personal data that has dropped off the map. This may be as simple as card numbers found in the browsing history of a desktop computer or as serious as a live webserver containing historic personal information that was serving no purpose to the parent company. Using a tool to assist in the search for this data has proved an invaluable part of the PCI DSS assessment process. Appropriate security goals must therefore be based on a risk analysis and privacy impact assessments will have to be performed regularly (annually).
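The kind of data discovery described above can be automated in its simplest form: scan text for digit runs that look like payment card numbers and keep only those that pass the Luhn check, which removes most timestamps, order numbers and phone numbers. The scanner below is an added example, not the author's tooling or any commercial discovery product; the sample lines it scans are constructed for the illustration, and the two card numbers in them are the well-known test PANs 4111111111111111 and 5500000000000004, not real accounts. Findings are reported masked (first six and last four digits) so that the discovery report itself does not become another store of cardholder data.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits (so a 20-digit identifier is not split).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep BIN (first 6) and last 4, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text, in order of appearance."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample: a browser-history-style log line with a card in the URL,
# a refund note with a spaced card number, and two digit runs that are not cards.
SAMPLE = """\
2016-03-01 order 20160301123045 customer phone 01234567890
GET /checkout?card=4111111111111111&cvv=*** HTTP/1.1
note: reference 1234567812345678 is an internal id
refund to 5500 0000 0000 0004 approved
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE):
        print("possible PAN:", hit)
```

Running it over SAMPLE reports only the two genuine card numbers; the 14-digit timestamp and the 16-digit internal reference are rejected by the Luhn check, and the 11-digit phone number never matches the length range. In a real assessment the same function would be run over file contents, database exports and, as the article notes, browser history, and every hit would then be traced back to the process that wrote it.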

Also in scope is biometric data (face, fingerprint, heartbeat and voice recognition all being considered by UK banks) and DNA. UK banks, according to some reports, are looking at this technology for authentication. Also included are IP addresses (online identifiers) and mobile device identifiers (location identifiers). Even general descriptions of individuals (often in the form of additional notes on a system) are considered to be personal data.

In addition to protection of data, there will be increased rights for an individual to know about and have access to any personal information you hold on them. You cannot charge for access to this. A person shall be able to transfer their personal data from one electronic processing system into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used electronic format.

Where you have 250 or more employees or process 5000 data objects in a 12 month period you must appoint an independent Data Protection Officer (DPO). Under the GDPR, the DPO will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not yet subject to any standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as the organisation becomes aware of the data breach. This is much the same way as PCI card payment breaches are handled.

Similarly, any third parties who process data on your behalf will be just as accountable as the data processor under the new regulation for any breaches of the regulation.

Most of us in the Information Security industry recognised PCI compliance as a giant step forward for those entities processing card payment data. Now it seems that the rest of Europe is catching up with this, which can only be a good thing for us in our personal lives. Like PCI however, GDPR does carry a burden, so a carefully thought out implementation plan is going to save time and resources in the long run.

Non-compliance with GDPR will have severe consequences. Financial penalties will be tier-based and are likely to be up to €20,000,000 or 4% of turnover, whichever is the greater. Written warnings can also be issued for initial and non-intentional breaches, and it is unlikely that many would want to be the first to test this. Sanctions will now also include regular data protection audits.

For those that are already compliant with the PCI DSS, an annual review of the data being processed should form an integral part of the project. This ensures that any new technologies or processes are not excluded and ongoing compliance is maintained. Applying the PCI approach to the implementation of the GDPR will assist greatly as the framework is already there. This is a tremendous bonus to those that have already implemented PCI or those that are currently scoping a project. By integrating the PCI DSS framework to the GDPR principles, you already have a head start.

The presentation upon which this article is based was delivered at the PCI London event on 28th January 2016.


SRM Blog