PCI DSS

Retained Forensic & Incident Response Service: how planning for the worst can add value to your business

By Paul Brennecker, Principal Security Consultant and Lead QSA

Paul Brennecker gave a presentation at PCI London on 5th July 2018 and this article first appeared in that event’s publication. 

All too often the engagement of a Forensic Investigator is a distress purchase, made at a time of crisis when a breach has already occurred. Yet waiting until there is a full-blown emergency means organisations are missing out on the added value that specialist Retained Forensics professionals can bring.

Forensic Investigators don’t just operate in a crisis. When engaged to provide a Retained service, they can also help to develop a resilient defence strategy. This combines developing and delivering a full strategic cyber defence plan with Incident Response management. Their strategic guidance and practical knowledge enable them to help organisations reduce the level of impact while also meeting legal and regulatory responsibilities in the event of a breach.

In the event of a breach being reported, the Information Commissioner’s Office has made clear that it will look at the level of security in place, as well as the Incident Response strategy when considering the fines it will impose.

With forward planning it is possible to ensure that you get the maximum return for your investment and also secure the service that is best for your business. In business terms, a distress purchase is defined as a purchase made at some critical point, usually during a failure or other unplanned event. This is like buying a plastic cape when caught out in heavy rain: it is unlikely to be the best waterproof nor the best value for money, but the purchase was forced by extreme circumstances. Similarly, that present bought in the late afternoon on Christmas Eve may turn out to be the most expensive gift ever purchased.

In today’s cyber security landscape such critical points come, not surprisingly, when least expected. No one can know when a breach or a security incident will take place. One day you are blissfully unaware of its existence; the next you are in a state of crisis with much to do in a very short period of time. This is particularly the case under the terms of GDPR which requires data breaches to be reported within 72 hours. GDPR also requires that you implement robust breach detection, investigation and internal reporting procedures.

One of the first tasks is to secure and contain the breach – a specialist job which can be time consuming and confusing – and for this an industry specialist must be appointed. There are not a vast number of suppliers to speak to. For example, when it comes to a PCI data breach, there are only eight companies in the UK which hold the necessary certifications required by the acquiring banks.

A cyber-mature organisation knows that it is not enough simply to be reactive, however. Its aim is to anticipate the critical point and to scope, develop and implement a company-wide cyber security strategy which is constantly challenged and reinforced. This type of strategic plan will help to ensure effective business continuity and protect against loss of income and reputation.

Working with a Retained Forensics specialist facilitates this strategic approach, from analysing potential weaknesses to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie and helps a business to build a robust defence around them.

The world of cybercrime does not stand still, however, and so defences must be continually reviewed and challenged to ensure they are as up to date as possible. So, although PCI compliance, for example, is a vital annual check, it does not claim to guarantee that adequate defences are in place all year round. A more resilient strategy therefore uses a regular Test and Exercise programme to keep the process agile and responsive.

Where it is advisable to go a level deeper, organisations can also consider Red Team engagement. Red Teaming is where highly skilled and trained ethical hackers get into the mind-set of a potential adversary, using a range of tools and strategies. This enables organisations not only to identify where a potential attack might take place but also builds in a level of resilience by identifying where potential future vulnerabilities may lie.

The mature organisation works with Retained Forensics to scope the requirements of their business, making it possible to manage the whole process in a timely and cost-effective manner. While building a robust defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to stage an event, to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken and time is not lost.

A Retained Forensics team will also undertake the preparation and testing of Incident Response, Business Continuity and Disaster Recovery plans to ensure they are up to date and ready to swing into play at the first sign of an incident. Not only will they have a detailed knowledge of an organisation’s systems and networks, they will have helped to set up breach notification protocols and mitigation strategies, all of which will already be in line with the requirements of GDPR. In this way any damage and disruption will be swiftly minimised and remediated.

Given the benefits of engaging a Retained Forensics service, it is perhaps surprising that some still overlook it, simply engaging a Forensic Investigator when compelled to in the event of a breach. The reason for this is perhaps that the challenge of managing third parties to achieve and maintain the various data standards and compliance is ever increasing, meaning that the procurement of services to assist in the event of a data breach is often overlooked.

Those who plan for the worst while hoping for the best, however, reap significant benefits and have the time to engage with a professional Retained Forensics service before a crisis occurs. By planning ahead, they ensure that they get the maximum return for their outlay and also secure the service that is the best for their business.

How PCI compliance puts you on course for GDPR

For a long time the General Data Protection Regulation has been looming on the horizon, but in just a few short days it will arrive, a permanent aspect of the data protection landscape. From 25th May 2018 this Europe-wide data protection regulation will be a legal requirement for virtually every UK organisation. The task should not be overwhelming, particularly for those who are already PCI compliant or working towards it. This is because the PCI compliance process means they are already well on course for GDPR. All that remains is an identification of gaps to bring systems and policies in line with GDPR.

The important thing to bear in mind at this stage is that the GDPR, although aimed at the entirety of an organisation and largely enforceable, is less prescriptive than the PCI DSS standard that already exists. GDPR provides detail about what needs protecting but very little in the way of a solid action plan.

PCI DSS, on the other hand, offers a detailed framework upon which to build, specifying what needs to be done and how, and even giving regular updates and guidance on reviews. The two complement each other, and therefore the GDPR will be best enacted alongside the existing PCI DSS. A further aspect to note is that a PCI breach will also be a GDPR breach, since the information in your cardholder data environment is subject to regulation by GDPR.

GDPR should not be seen in a negative way. It is a positive piece of legislation which will help to build trust. Similarly, PCI DSS compliance provides you and your customers with peace of mind that data is secure. This is the metaphorical carrot. There is also a stick: those who do not comply and suffer a breach will face loss of customer trust, enforced PFI investigations and fines.

For those that are already compliant with the PCI DSS, an annual review of the data being processed should form an integral part of the project. This ensures that any new technologies or processes are not excluded and ongoing compliance is maintained. Once you have identified the data that GDPR affects, applying the PCI approach to the implementation of the GDPR will assist greatly as the framework is already there. There will still be a few gaps to fully adhere to GDPR so professional advice will be of benefit.

And for those who aren’t PCI compliant? Seeking guidance from a qualified advisor and reviewing the gaps in their documentation, policies, training, IT systems and processes should be a pressing matter.

With one of the largest QSA teams in Europe, SRM provide unrivalled technical and compliance expertise within the PCI arena. Our GDPR team provide a business-focused service to organisations at all ends of the GDPR-readiness spectrum. For help and support, or to discuss any aspect of PCI DSS compliance or GDPR contact Mark Nordstrom at mark.nordstrom@srm-solutions.com or 03450 21 21 51.

To gauge your level of GDPR readiness, complete our free GDPR Self Assessment Questionnaire

For more information on our GDPR services, visit our GDPR page.


PCI DSS: With charities gearing up for contactless payments what could possibly go wrong?

More than 40 organisations, including Macmillan Cancer, the NSPCC, the RNLI and the Church of England, have introduced technology which means that donations can be made with a quick tap of a card. But as the charitable sector embraces contactless payments, their enthusiasm must be tempered by robust compliance with Payment Card Industry (PCI) standards or they risk a world of pain. Just one whiff of a breach will bring notoriety and loss of reputation, bringing this Brave New World of charitable giving crashing down around their ears.

The driver for this new approach is clear. The NSPCC ran a trial which showed that donations by card are higher than cash donations, and Barclaycard has estimated that charities will miss out on £80m a year if they only accept cash donations. Some have gone even further with things like the Helping Heart jacket, developed for a homeless charity so that digital donations can be made via this piece of clothing worn by collectors, and the Blue Cross ‘tap dogs’, which wear a vest with a sewn-in pocket that holds a contactless device.

So what could possibly go wrong? Well, firstly, in spite of the benign motivation behind the new approach, there is no getting away from the fact that where there is money, there will be crime. Defences will therefore need to be geared specifically for this new technology or charities will risk fatal damage to their reputations.

Secondly, the regulatory environment is getting more stringent with the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. In addition, the Payment Card Industry (PCI) continues to be hyper-vigilant when it comes to the Data Security Standard (PCI DSS), and it has already proved that charities are not exempt from the full force of the law when it comes to administering fines for non-compliance.

If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. Those organisations that retain an information security consultant to assist with PCI compliance and to ensure their defences are robust will reduce the potential of being breached.

SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We work extensively with charities and HM Government as well as all shapes and sizes of businesses and organisations across various business sectors. For many we provide a bespoke retained PCI Forensic Investigation (PFI) service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a charity’s systems, remediation is rapid and disruption minimal.

For more information on SRM’s PCI services please visit our website.


Coinhive attacks and how to prepare for the (almost) inevitable

This week’s report that more than 5,000 websites, including that of the Information Commissioner’s Office (ICO), have been hacked shows that it really can happen to anyone. Other affected websites, where malware took over the processing power of their users’ devices, include the Student Loans Company, the council websites for Manchester City, Camden and Croydon, and the home page of the United States Courts. Although the initial reaction may be one of schadenfreude – pleasure in someone else’s misfortune – a more measured response would be to realise and accept that hackers are now so ingenious and creative that everyone, including those with top-class cyber defences, is likely to be subject to attack at some point.

This latest hack involved a piece of cryptocurrency mining malware, called Coinhive, which ran in the background while the web pages of the hacked organisations were open. This forced visitors’ computers to run the mining programme, which can then be used to gain small fractions of cryptocurrency from each victim.

So, how can we protect ourselves? The honest answer is that we can’t fully. What we can do, however, is to be prepared for the probability that our systems will be attacked at some point and to reduce the potential impact this will have. Developing a robust Incident Response protocol is an important start, and here a Retained Forensic (RF) service will be of immense benefit. With a detailed knowledge of your systems, an RF team is able to mitigate the damage swiftly and effectively.

Damage limitation is crucial but, in the long term, building additional layers of security into your system’s architecture is also key. We need to ensure we are not giving away information without meaning to. We should also consider our defensive architecture, but it is important that we balance the need for security with the practical requirement for our systems to be functional and easily navigable.

Achieving this balance is a complex issue. SRM’s VirtualCISO (vCISO™) service can resource and support the incumbent CISO or DPO in managing this task. From providing expert strategic guidance to taking on the full CISO role, our vCISO™ team has many years’ experience in providing robust yet agile defences. We work with our clients across a range of services including Incident Response, Retained PFI, Digital Forensic Investigation and Security Breach, Incident Management and Containment Support.

To find out more, visit our website or contact Mark Nordstrom on 03450 21 21 51 or mark.nordstrom@srm-solutions.com.

PCI SSC Europe Community Meeting: free one to one meetings with PCI DSS industry thought leaders

Delegates at the PCI SSC Europe Community Meeting in Barcelona this week will have a lot on their minds. Changes to compliance, the security of customer payment card data, issues concerning the Cloud and the ever-present threat presented by hackers and cyber criminals will have brought the industry together to share in a range of seminars and talks which will help to address these issues.

The agenda is diverse, ranging from the keynote presentation by the PCI Security Standards Senior Team on Wednesday to an outline of the security road map for the next generation of payments, and from the Miracle on the Hudson to the weaknesses in IoT. So why, with all this information readily available and so many people offering advice, should you spare half an hour to talk to the guys from Security Risk Management (SRM)?

The short answer is this: people. Yes, we are the leading PCI Forensic Investigation company in the UK and cyber security supplier to HM Government. Yes, our team boasts some of the most highly qualified professionals within the world of information security and, yes, our clients range from enterprises and government departments to SMEs and the third sector so we understand all sizes and types of organisation. But when it comes to working with your business, it is the individuals who really make the difference.

Paul Brennecker has been with SRM since 2008. Formerly he was PCI Compliance Manager with Barclaycard and successfully drove the compliance programme forward, working with both VISA and Mastercard in the process. With many years’ experience and a host of high-level qualifications (including QSA), Paul is widely recognised as a PCI DSS compliance thought leader, regularly speaking at events. Known for his approachable manner and depth of knowledge, he has a particular skillset in conducting pre-compliance scoping and de-scoping exercises, conducting gap analysis assessments, creating remediation plans and assisting with intrusion detection and prevention systems. Paul is available at the Barcelona event for free one-to-one consultations.

James Hopper is SRM’s Operations Director, having worked previously within the worlds of consultancy and local government service improvement, delivering significant Transformation Programmes. He also has experience in consultancy, operations and innovation with a large FTSE 100 outsourcing company and a large NHS organisation. James brings this vast strategic experience to the process of company-wide information security solutions. At SRM he ensures that our service is constantly evolving to deliver first-class service to a range of clients across many sectors. With a reputation as a clear-thinking, no-nonsense problem-solver, James can cut through to what is specifically required so that top-level compliance can be achieved in a cost-effective manner. James is also available at the Barcelona event for free one-to-one consultations.

James and Paul are interested in meeting those involved with PCI DSS compliance programmes. They also have a thorough knowledge of the whole information security sector and can advise on other issues as part of a company-wide strategy. But they are only two people from a highly skilled, experienced team and, where necessary, they can put you in touch with someone with a specific expertise.

Established in 2002, SRM has a proven track record in the industry. As a company it continues to grow in excess of industry norms. It is structured to respond to the continual changes within the world of information security and to ensure that its innovative service offerings evolve to better suit the needs of existing and future clients.

To book your free consultation simply email paul.brennecker@srm-solutions.com or james.hopper@srm-solutions.com.

To find out more about us, visit http://www.srm-solutions.com or to read our blog visit http://blog.srm-solutions.com/
