The new audit defense?

I’ve seen a trend recently although it’s probably been around for ages but I’ve only just noticed.

In many cases where an organisation’s security has been compromised, either the organisation itself or the investigative body sent in to look into the situation have responded to direct questions with vague, non-committal answers.

This approach first caught my eye with the TJX situation where both the company and investigators have repeatedly said “we’re not sure” when asked questions starting with the words “How”, “Who”, “When” and “What”.

The latest I’ve seen relates to “U.S. Visit”, the IT system intended to keep track of foreigners entering and leaving the United States. Congresswoman Zoe Lofgren asked a simple question:-

“Was the US Visit database hacked?”

And the answer from A Mr. Keith A Rhodes, Director of the Center for Technology and Engineering at the US Government Accountability Office?

"I did not see controls in place that would prevent it and did not see defensive perimeter and detection systems in place to tell whether it had or had not been hacked.”

So basically, the answer is, “don’t know and have no way of knowing”.

I do hope that this does not become the new way of “defending” yourself against the auditors. As in, put fairly useless tracking systems in place so that if something bad does happen, no one can find out how bad it was, for how long it occurred and what was actually affected.

I guess it’s up to the standards themselves to remove this as a defence. Perhaps things like PCI DSS need predefined approaches to the “we don’t know” style of defence. Maybe, a standard fine structure for dealing with a lack of information is required.

I’m not sure but I have a horrible feeling that this could develop into a well used method if instances like this are not stamped on in short order.

I don't understand

I don't understand the lack of focussed PCI DSS related sites on the internet. Considering the depth of the requirements and the coverage area that it can have on organisations' network systems and business processes, I would have thought that there would be a lot more.

There is the following dedicated site:-

PCI Answers

which is a good source of general info. I like it (and contribute when relevant) because it discusses the underlying issues linked to PCI DSS and not just individual aspects. Even so, I wouldn't say that it is heavily used (although it may be heavily read, I guess).


I've found the following forums:-

PCI Answers Forum
PCIFile Forum

which do not have that many members and no where near the traffic I would have expected.

There is also the following Yahoo Group which has very low traffic:-

PCI Standards

However, even all these together don't get anywhere near what I would have expected. I have Googled for others, no dice. I have tried Technorati and although there are many individual posts relating to PCI DSS, no dedicated sites.

Perhaps this is because PCI DSS is considered "just another compliance requirement". I'm not sure about that because then you would expect more chatter on generalised forums and communities like Security Catalyst Community . This is a very good all round community site with some exceptionally talented people on it. However, I posted a question about PCI DSS a while back and got one reply.

I don't get it. Maybe I'm missing something but I think PCI DSS is a bigger deal than this.

Time flies when you're, erm, busy....

WOW!!!! 13 days since I last posted, I can't believe it.

Well, I've been on a few management courses, had a couple of days off and dealt with a few issues with the Acquirer.

No excuse though, I'll pull my finger out over the weekend and post something (providing I have something to say, I don't believe in posting for the sake of it).

The “customer concern” argument for InfoSec is dead

Various news outlets are reporting that TJX has now been named in over 20 law suits, some class action. HarborOne Credit Union has apparently billed TJX $590k for costs and damage to brand .

TJX have reported an increase in sales of 5% according to Reuters yesterday. Analysts ere apparently expecting 3.9% so on that basis it has out performed market expectations.

TJX’s share price dipped by over 2.5% at one point after the two announcements.

What does this all mean?

Well, customers don’t care, revenue is up. I can’t find any details about profit levels and it is possible that TJX slashed their prices to “buy” the customer. However, if that is the case, they it’s simply a case of price compensates for poor security. If TJX did not slash their prices, then the consumer simply doesn’t care .

So, as an organisation, you can be shown to lose over 45 million credit card details, cause at least $8M worth of fraud transactions and still increase sales.

Surely, this means that one of the staple arguments for InfoSec, that of “Brand Protection” is dead and buried. No one cares.

That said, the share price dipped by over 2.5% after the announcements. Was that due to “poor” trading or because of the law suits? The results have outstripped analysts’ expectations so it doesn’t appear to be poor trading. This could suggest that the longer term effects of the law suits and the impact on profit levels from all the associated costs might be playing on shareholder’s minds.

I don’t know but the interesting point this raises is that maybe us Security Professionals have been trying to sell the wrong issue. Perhaps we should be selling “shareholder confidence protection” and not “consumer confidence protection”.

Worth thinking about, I reckon.

Approach to Encryption within PCI DSS

Dave Whitelegg raises a point that’s been niggling me for a while. For all the good in the PCI DSS, the whole process gets considerably weakened by the Acquiring banks insistance on the transmission of data from merchant’s system to acquiring bank’s systems in plain text. Sure, the transmission channel is SSL encrypted over a point to point / VPN link but the data is still unencrypted and then transmitted (albeit over an encrypted channel). This is a subtle difference but important nonetheless.

From the title, Dave questions whether this means the “PCI Encryption Practice is flawed”. I say “no”, it isn’t flawed but the implementation of the solution to the requirement may well be. As I said in my comment on his blog, I need (and have been meaning to for ages) to study the PCI DSS with this issue in mind. But, logic dictates that the standard would require the data to be encrypted everywhere.

If this is the case then the Standard isn’t at fault, the implementation of the solution is.

I’ll look into this and give my thoughts in due course.

I've been assessed!!!!

The Company has organised some management training courses and the first entitled “Personal Leadership Style” was today. Why is this InfoSec relevant? Well, I’ll tell you later.

The day was good, in my opinion. I don’t think I learnt anything new about myself (which was sort of the point) but learnt a lot about “leadership styles”. There were a number of practical exercises and assessment based on the “Myers-Briggs Type Indicator” methodology.

For those that are familiar, I am a ISTJ (Introvert-Sensing-Thinking-Judging) type. The verbal description for type is as follows:-

Serious, quiet, earn success by concentration and thoroughness. Practical, orderly, matter-of-fact, logical, realistic and dependable. See to it that everything is well organised. Take responsibility. Make up their own minds about what should be accomplished and work towards it steadily, regardless of protests or distractions.

This is spot on, I have to say, I describes me to a T.

Now, why is this related to InfoSec? Well, it’s the old “communication” chestnut. In order to communicate with your audience for awareness issues, getting people on side, selling the concept of InfoSec etc. then if you can understand you audience better, you’ll make more headway. So, what I need to do now is assess (without them knowing, I suspect) my colleagues and identify their traits. In that way, I can adjust my approach as necessary and hopefully make progress.

A question I’ve been considering since the type classification was made is “is this the right type for the job?” I think it is, assuming that the job is what I believe it is. I’ve still to agree the job description and will get to that as soon as the PCI DSS Compliance project allows.

The Company Newsletter article

As you will know, I have an issue with awareness in my Company. To that end, I agreed to write a short article for the company newsletter on me and InfoSec in general.

I remembered guidance I received from Rob Newby on keeping things short and sweet so as not to scare off the reader so the fir st article is exactly that. I'm going to write some follow up articles on InfoSec in general and PCI DSS in particular over the next few weeks in order to keep chipping away at the ignorance issue.

I've anonomised it somewhat as the original contained names of the innocent(!!), for now, this is the article, don't get too excited!!!

======================

“Who” and “what”, you may ask. Well, I joined the Company in November 2004 initially as a Project Manager in the Finance department dealing with projects about payment solutions and exciting stuff like that. However, after a while I began badgering my manager and his Boss about “information security”. So much so that they gave me the Information Security Manager job and maybe they thought that would quieten me down a bit.

I have been interested in Information Security throughout my 22 year career which has mostly been in and around the IT arena. I did a spell in sales (hated that!!) and then got into project management. However, InfoSec has always been a core interest.

What is Information Security all about anyway? Well, the textbook answer is that it is about “ensuring that the confidentiality, integrity and availability of the company’s information assets is maintained”. What that really means is making sure that the company’s information is used in the right way by the right people for the right purpose. And by “right”, I mean whatever the company decides is right. My job is to help the company decide what is “right” and then write the polices to back that up.

The InfoSec programme at [the Company] has yet to get truly off the ground. As is the case with most areas of the company, there is always something else more important, more urgent etc. etc. Currently, my focus is on the PCI DSS Compliance project which [the Project Manager] explains later in this newsletter.

======================

Blog news

As you know, I have recently started this blog and am new to the blogosphere itself. I'm learning a lot, not least of which is that things don't always work as they should.

Blogger does not use trackbacks as most other blog hosting services appear to do. They use "backlinks" but I have been unable to get them to work. So, I've enabled Haloscan and you should now see the Trackback link at the end of every post.

I'm going to spend some time looking into the process of blogging to see what else I should know about. For now, if you feel like it, use the Trackback links if you comment on the drivel posted here, please.

At the moment you'll still see the "Links to this post" at the bottom of posts but this isn't working either. I'm going to look into why this is and if I can't work it out, I'll delete it. If that's the case, the Technorati "Blogs that link here" will still show Technorati links.

Spreading the word

Well, I’ve written the article for the company newsletter about me and what I do. I’ve kept it short and sweet on purpose so as not to:

a) bore people stupid
b) use up all my material at once

I intend to do further articles to elaborate on “what InfoSec is” and “how it works within the company”. That last item should be a short sentence!!!

My PCI DSS Project Manager has produced another article for the newsletter about the PCI DSS Project itself. At three A4 pages (!) I think it’s too much and will suffer from the “TLDR” (Too Long Didn’t Read (thanks Rob !!)) issue for a lot of people but he is adamant that as it contains a lot of pictures people will read it. I am happy for this to go forward as I want to gauge the response to this kind of approach for future “awareness” items.

Also on the awareness front, I’m finishing off a document aimed at the IT bods which summarises the PCI DSS Audit Procedures document into sections related to areas of functionality within the IT arena. (When I'm completely happy with it I might post it over on PCI Answers if it's considered of use) I’ve done this because:

a) To make it easier for people to appreciate the depth and density of the requirements
b) The IT function reckon we’ve “just thrown PCI at them and said get on with it”

"b)" isn't true, of course, but rather than have an argument about it, I've decided to remove the argument completely by giving them what they want, information, or rather, more information.

The danger with this approach which we will have to guard against is that they will read this document and not all the relevant PCI DSS documentation. It’s up to the project team to ensure that the people concerned appreciate that this is meant as an “addition to” rather than the “gospel” top live by.

We're going to present the document to the relevant IT bods together with a (or rather, "another") summary of PCI DSS project. Thereafter, individual areas of responsibility will be reviewed with the specific people to make sure they have understood the requirements, and for us to obtain feedback, questions etc.

It's leg work but necessary to get them on side. Hopefully then, we should be able to make progress.