Wednesday, 11 July 2007

So much to do, so little time

I am sooooo behind on my blog / news reading at the moment as I have no time to think let alone post. And believe me, it takes me a long time to think about anything.....

I have a lot of catching up to do (Bloglines tells me I have over 1200 items unread!! :-( ) but don't have the time I'm afraid.

This is due to:

Projects at work finally getting traction and my being inundated with useful questions from developers, systems architects and the like; this is good news.

I am contributing to a chapter of a security related book and the research is a lot more time consuming than I thought.

I'm studying for CISSP and trying to decide whether I can take the exam before the rule change.

I'm reading the Pragmatic CSO, or at least trying to. I keep getting to chapter 3 and then leaving it for too long so starting again is the only option.

I'm trying to get fit because my wife has been on a fanatical exercise regime lately and now looks gorgeous which is an issue because I look like Wally the Walrus's fatter and uglier brother.

I am still trying to learn Spanish and failing.


So, this “life” thang.... When’s it supposed to get boring?

Tuesday, 26 June 2007

The new audit defense?

I’ve seen a trend recently although it’s probably been around for ages but I’ve only just noticed.

In many cases where an organisation’s security has been compromised, either the organisation itself or the investigative body sent in to look into the situation have responded to direct questions with vague, non-committal answers.

This approach first caught my eye with the TJX situation where both the company and investigators have repeatedly said “we’re not sure” when asked questions starting with the words “How”, “Who”, “When” and “What”.

The latest I’ve seen relates to “U.S. Visit”, the IT system intended to keep track of foreigners entering and leaving the United States. Congresswoman Zoe Lofgren asked a simple question:-

“Was the US Visit database hacked?”

And the answer from a Mr. Keith A. Rhodes, Director of the Center for Technology and Engineering at the US Government Accountability Office?

"I did not see controls in place that would prevent it and did not see defensive perimeter and detection systems in place to tell whether it had or had not been hacked."

So basically, the answer is, “don’t know and have no way of knowing”.

I do hope that this does not become the new way of “defending” yourself against the auditors. As in, put fairly useless tracking systems in place so that if something bad does happen, no one can find out how bad it was, for how long it occurred and what was actually affected.

I guess it’s up to the standards themselves to remove this as a defence. Perhaps things like PCI DSS need predefined approaches to the “we don’t know” style of defence. Maybe, a standard fine structure for dealing with a lack of information is required.

I’m not sure but I have a horrible feeling that this could develop into a well used method if instances like this are not stamped on in short order.

Sunday, 24 June 2007

I don't understand

I don't understand the lack of focussed PCI DSS related sites on the internet. Considering the depth of the requirements and the coverage area that it can have on organisations' network systems and business processes, I would have thought that there would be a lot more.

There is the following dedicated site:-

PCI Answers

which is a good source of general info. I like it (and contribute when relevant) because it discusses the underlying issues linked to PCI DSS and not just individual aspects. Even so, I wouldn't say that it is heavily used (although it may be heavily read, I guess).


I've found the following forums:-

PCI Answers Forum
PCIFile Forum

which do not have that many members and nowhere near the traffic I would have expected.

There is also the following Yahoo Group which has very low traffic:-

PCI Standards

However, even all these together don't get anywhere near what I would have expected. I have Googled for others, no dice. I have tried Technorati and although there are many individual posts relating to PCI DSS, no dedicated sites.

Perhaps this is because PCI DSS is considered "just another compliance requirement". I'm not sure about that because then you would expect more chatter on generalised forums and communities like Security Catalyst Community . This is a very good all round community site with some exceptionally talented people on it. However, I posted a question about PCI DSS a while back and got one reply.

I don't get it. Maybe I'm missing something but I think PCI DSS is a bigger deal than this.

Thursday, 21 June 2007

Time flies when you're, erm, busy....

WOW!!!! 13 days since I last posted, I can't believe it.

Well, I've been on a few management courses, had a couple of days off and dealt with a few issues with the Acquirer.

No excuse though, I'll pull my finger out over the weekend and post something (providing I have something to say, I don't believe in posting for the sake of it).

Friday, 8 June 2007

The “customer concern” argument for InfoSec is dead

Various news outlets are reporting that TJX has now been named in over 20 law suits, some class action. HarborOne Credit Union has apparently billed TJX $590k for costs and damage to brand.

TJX have reported an increase in sales of 5% according to Reuters yesterday. Analysts were apparently expecting 3.9% so on that basis it has outperformed market expectations.

TJX’s share price dipped by over 2.5% at one point after the two announcements.

What does this all mean?

Well, customers don’t care, revenue is up. I can’t find any details about profit levels and it is possible that TJX slashed their prices to “buy” the customer. However, if that is the case, then it’s simply a case of price compensates for poor security. If TJX did not slash their prices, then the consumer simply doesn’t care.

So, as an organisation, you can be shown to lose over 45 million credit card details, cause at least $8M worth of fraud transactions and still increase sales.

Surely, this means that one of the staple arguments for InfoSec, that of “Brand Protection” is dead and buried. No one cares.

That said, the share price dipped by over 2.5% after the announcements. Was that due to “poor” trading or because of the law suits? The results have outstripped analysts’ expectations so it doesn’t appear to be poor trading. This could suggest that the longer term effects of the law suits and the impact on profit levels from all the associated costs might be playing on shareholders’ minds.

I don’t know but the interesting point this raises is that maybe us Security Professionals have been trying to sell the wrong issue. Perhaps we should be selling “shareholder confidence protection” and not “consumer confidence protection”.

Worth thinking about, I reckon.

Wednesday, 6 June 2007

Approach to Encryption within PCI DSS

Dave Whitelegg raises a point that’s been niggling me for a while. For all the good in the PCI DSS, the whole process gets considerably weakened by the Acquiring banks’ insistence on the transmission of data from merchant’s system to acquiring bank’s systems in plain text. Sure, the transmission channel is SSL encrypted over a point to point / VPN link but the data is still unencrypted and then transmitted (albeit over an encrypted channel). This is a subtle difference but important nonetheless.

From the title, Dave questions whether this means the “PCI Encryption Practice is flawed”. I say “no”, it isn’t flawed but the implementation of the solution to the requirement may well be. As I said in my comment on his blog, I need (and have been meaning to for ages) to study the PCI DSS with this issue in mind. But, logic dictates that the standard would require the data to be encrypted everywhere.

If this is the case then the Standard isn’t at fault, the implementation of the solution is.

I’ll look into this and give my thoughts in due course.

Tuesday, 5 June 2007

I've been assessed!!!!

The Company has organised some management training courses and the first entitled “Personal Leadership Style” was today. Why is this InfoSec relevant? Well, I’ll tell you later.

The day was good, in my opinion. I don’t think I learnt anything new about myself (which was sort of the point) but learnt a lot about “leadership styles”. There were a number of practical exercises and assessment based on the “Myers-Briggs Type Indicator” methodology.

For those that are familiar, I am a ISTJ (Introvert-Sensing-Thinking-Judging) type. The verbal description for type is as follows:-

Serious, quiet, earn success by concentration and thoroughness. Practical, orderly, matter-of-fact, logical, realistic and dependable. See to it that everything is well organised. Take responsibility. Make up their own minds about what should be accomplished and work towards it steadily, regardless of protests or distractions.

This is spot on, I have to say, it describes me to a T.

Now, why is this related to InfoSec? Well, it’s the old “communication” chestnut. In order to communicate with your audience on awareness issues, getting people on side, selling the concept of InfoSec etc., if you can understand your audience better, you’ll make more headway. So, what I need to do now is assess (without them knowing, I suspect) my colleagues and identify their traits. In that way, I can adjust my approach as necessary and hopefully make progress.

A question I’ve been considering since the type classification was made is “is this the right type for the job?” I think it is, assuming that the job is what I believe it is. I’ve still to agree the job description and will get to that as soon as the PCI DSS Compliance project allows.

Monday, 4 June 2007

The Company Newsletter article

As you will know, I have an issue with awareness in my Company. To that end, I agreed to write a short article for the company newsletter on me and InfoSec in general.

I remembered guidance I received from Rob Newby on keeping things short and sweet so as not to scare off the reader so the first article is exactly that. I'm going to write some follow up articles on InfoSec in general and PCI DSS in particular over the next few weeks in order to keep chipping away at the ignorance issue.

I've anonymised it somewhat as the original contained names of the innocent(!!), for now, this is the article, don't get too excited!!!

======================

“Who” and “what”, you may ask. Well, I joined the Company in November 2004 initially as a Project Manager in the Finance department dealing with projects about payment solutions and exciting stuff like that. However, after a while I began badgering my manager and his Boss about “information security”. So much so that they gave me the Information Security Manager job and maybe they thought that would quieten me down a bit.

I have been interested in Information Security throughout my 22 year career which has mostly been in and around the IT arena. I did a spell in sales (hated that!!) and then got into project management. However, InfoSec has always been a core interest.

What is Information Security all about anyway? Well, the textbook answer is that it is about “ensuring that the confidentiality, integrity and availability of the company’s information assets is maintained”. What that really means is making sure that the company’s information is used in the right way by the right people for the right purpose. And by “right”, I mean whatever the company decides is right. My job is to help the company decide what is “right” and then write the policies to back that up.

The InfoSec programme at [the Company] has yet to get truly off the ground. As is the case with most areas of the company, there is always something else more important, more urgent etc. etc. Currently, my focus is on the PCI DSS Compliance project which [the Project Manager] explains later in this newsletter.

======================

Saturday, 2 June 2007

Blog news

As you know, I have recently started this blog and am new to the blogosphere itself. I'm learning a lot, not least of which is that things don't always work as they should.

Blogger does not use trackbacks as most other blog hosting services appear to do. They use "backlinks" but I have been unable to get them to work. So, I've enabled Haloscan and you should now see the Trackback link at the end of every post.

I'm going to spend some time looking into the process of blogging to see what else I should know about. For now, if you feel like it, use the Trackback links if you comment on the drivel posted here, please.

At the moment you'll still see the "Links to this post" at the bottom of posts but this isn't working either. I'm going to look into why this is and if I can't work it out, I'll delete it. If that's the case, the Technorati "Blogs that link here" will still show Technorati links.

Friday, 1 June 2007

Spreading the word

Well, I’ve written the article for the company newsletter about me and what I do. I’ve kept it short and sweet on purpose so as not to:

a) bore people stupid
b) use up all my material at once

I intend to do further articles to elaborate on “what InfoSec is” and “how it works within the company”. That last item should be a short sentence!!!

My PCI DSS Project Manager has produced another article for the newsletter about the PCI DSS Project itself. At three A4 pages (!) I think it’s too much and will suffer from the “TLDR” (Too Long Didn’t Read (thanks Rob !!)) issue for a lot of people but he is adamant that as it contains a lot of pictures people will read it. I am happy for this to go forward as I want to gauge the response to this kind of approach for future “awareness” items.

Also on the awareness front, I’m finishing off a document aimed at the IT bods which summarises the PCI DSS Audit Procedures document into sections related to areas of functionality within the IT arena. (When I'm completely happy with it I might post it over on PCI Answers if it's considered of use) I’ve done this because:

a) To make it easier for people to appreciate the depth and density of the requirements
b) The IT function reckon we’ve “just thrown PCI at them and said get on with it”

"b)" isn't true, of course, but rather than have an argument about it, I've decided to remove the argument completely by giving them what they want, information, or rather, more information.

The danger with this approach which we will have to guard against is that they will read this document and not all the relevant PCI DSS documentation. It’s up to the project team to ensure that the people concerned appreciate that this is meant as an “addition to” rather than the “gospel” to live by.

We're going to present the document to the relevant IT bods together with a (or rather, "another") summary of PCI DSS project. Thereafter, individual areas of responsibility will be reviewed with the specific people to make sure they have understood the requirements, and for us to obtain feedback, questions etc.

It's leg work but necessary to get them on side. Hopefully then, we should be able to make progress.

Thursday, 31 May 2007

Maybe some progress at last.....

Well, well.... Maybe we’re getting somewhere. If you’ve read my previous posts you’ll know that there isn’t much support at my company for InfoSec in general let alone any specific requirements and I’ve been trying to find alternative ways of educating people. It looks like some of it has struck home.

The HR bod in charge of the company’s weekly newsletter has asked me to write a piece on “that InfoSec stuff you keep going on about” for the newsletter. I’ve agreed (obviously) and have said I’ll do a personal profile as well. Most of the directors have written profiles in the last few weeks so I’m jumping on that bandwagon!!!

Next, the company recently employed a Service Delivery Manager (SDM) to work within the IT department. This was a major step in the right direction as far as I was concerned as under the previous IT Director, there was no understanding of “service” at all. In the past, the IT department appeared to have an attitude of “we’re allowing you to work” rather than “we’re enabling you to work”. The SDM has been making quite a number of good changes not least of which was the identification (after a little prompting from me) that our corporate data had no owners. Network directories and folders were used and abused by anyone and everyone. People were added to email distribution lists and given access to “restricted” folders etc. etc. without any sort of authorisation process.

So, the SDM has kicked off a process to review the way access permissions are requested, authorised and granted and has invited me and the Support Manager to a meeting to discuss it.

This is progress. Hurrahh!!

I just wonder why people have accepted his statements that such measures are necessary but rejected my previous statements along the same lines. I’m not going to complain about it, it just interests me why the difference in response.

I suspect it’s a question of him being on the “inside” of IT and me being on the “outside”. If that’s the case, I just have to find other “insiders” to educate with a view to them raising issues for me, without them realising it, of course.

Friday, 25 May 2007

My head's above the parapet now!!

I’ve been invited to contribute to the PCI Answers postings on their site which is quite an ego boost. The only thing is, this means I’m going to have to think of decent things to say!!!!

Oh well, bang goes the instantaneous ramblings approach to writing comments. I guess I had better engage that part of my brain that rarely sees daylight and actually consider what I’m writing beforehand.

Oh, and use a spell checker more often!!! :-)

Thursday, 24 May 2007

The "maintaining compliance" issue

There’s an interesting discussion over on PCI Compliance Demystified about maintaining compliance after you have initially achieved the “tick in the box”. The discussion is primarily about PCI DSS compliance but could be had about any compliance requirement.

To paraphrase, the question was raised: “how is compliance maintained?” which has developed into a “what’s being done about maintaining compliance?” question.

I find this interesting because when we first started looking at PCI DSS Compliance at my company I made more emphasis of the “maintaining compliance” requirement than the “achieving compliance” requirement. It was a hard sell, and not fully accepted as yet.

PCI DSS requires that you achieve compliance and continue to remain compliant from then on. If your company suffers a security breach and the investigators are sent in by the card schemes, they will not just assess your compliance when they turn up. What they will do is investigate the state of compliance for as long as the security breach occurred and even prior to that to identify whether a failure in maintaining compliance contributed to the breach. If it did, big money fines are on their way.

Take the TJX situation for example. Initially TJX reported that the security breach happened “over a period of a few months at the end of 2006”. After the investigators went in they found that the hack had been ongoing for a period of a couple of years. This being the case, the investigators will be assessing whether TJX was compliant for the whole of that time. From reports it appears they were not.

My company has accepted the “maintaining compliance” requirement to the extent where they have agreed to completely redesign the payment processing platform from the old legacy system (which was difficult to support and maintain) to a nice shiny new compliant and maintainable platform. Good news. However, the question of compliance management thereafter is still being discussed.

Without the compliance management process existing, the initial achievement of compliance is fairly pointless. 2 days after you tick the box, a new member of staff joins and unwittingly blows your achievements away by introducing a new business practice that ignores some fundamental PCI DSS requirement. Worse still are the creeping changes which in isolation are perfectly fine and compliant. However, over time, one thing leads to another and bang, a vulnerability slides in which “no one could possibly have foreseen….”

Compliance management is a functional process and requires not only resources but also an agreed corporate approach. Perhaps this is the issue, no one wants the responsibility monkey on their back.

Wednesday, 16 May 2007

The difference between business people and InfoSec people

OK, so TJX’s Q1 results apparently show “no noticeable decline in customer numbers” since the data breach. In this article an analyst from Avondale Partners is quoted as saying:-


"It still looks like there has been no meaningful fallout from the data systems breach as it relates to customer traffic," said Patrick McKeever, an analyst with Avondale Partners. "They did pretty well, all things considered."



The “they did pretty well” approach is a real problem in the InfoSec arena in my opinion. Short-sighted and blinkered views of the “here and now” are the domain of business people. They look at “today’s” results with “today’s” profits and “today’s” performance. InfoSec looks at “tomorrow’s” vulnerabilities, “tomorrow’s” threats and “tomorrow’s” attacks.

Basically, business people look at what IS happening, InfoSec people look at what MIGHT happen.

Maybe this is one of the fundamental reasons why business and InfoSec rarely see eye to eye without a very enlightened business person and a very enlightened InfoSec person at either end.

Thursday, 10 May 2007

Data ownership

I read Rob Newby's post about "data classification" with interest as the implementation of such a process has been on my "to do" list for a while. To paraphrase my comment to him, "I think Data Classification is one of the fundamental first steps in a good InfoSec programme". The point is, until you know how important the data is, how long it needs protecting for and who should have access to it, it is impossible to get the data security environment set up correctly.

And therefore, protect your data adequately.

So, on to my particular issue. I have discussed data classification schemes in the past within The Company and not had much interest. Despite using the obvious scare mongering tactics and some pretty internally high profile snafus, no one really gave a proverbial.

So, how do I make people take notice?

Well, a while ago, I found out that our directory access control settings were all over the place. People had access to stuff they didn't need and in some cases, didn't even know about. After investigation, it appears that to be given access permissions to a certain directory, you just had to "fill in a form". The process of authorisation didn't really exist.

Although strictly speaking this isn't "data classification", it is linked.

It sparked a debate where I suggested that the IT department should review the process of assigning access permissions and improve it. They misunderstood and said it was not their responsibility to decide who has access to what. Of course it isn't, but they have a responsibility to ensure that the requests are properly authorised and that the environment is maintained correctly.

So, where are we now? Well, The Service Delivery Manager is involved and we have agreed to raise it at the next IT User Group Meeting with a view to getting buy-in from the business.

Here lies the core issue. In previous discussions, it's been a case of "it's not my responsibility" from both IT and the business units. The process of breaking that down is one of enlightenment. Once both "sides" understand where they fit into the whole picture, they "should" agree to take ownership a lot easier.

Now to the link between "data classification" and "access control". Once the business units have accepted responsibility for specifying who can access what directories / folders, it should be a far easier "sell" to get them to accept responsibility for determining who should see what specific data. That being true, the subject of "data classification" springs up, as if by magic!!!!

Tuesday, 8 May 2007

Why, oh why, oh wireless…..

OK, so enough of bleating about how bad things are, on to some more topical issues.

This news item on Security Focus amused me. Basically, if true, it appears that a wireless network secured with WEP only encryption was the access channel for the TJX hackers.

The thing is, I have had a discussion with people here about wireless and the levels of protection used and suffice to say, I think they could be improved. The arguments against it have ranged from the “it’s good enough as it is” and “we haven’t got enough resources to change it” through to “well, even if they crack the code they can’t do anything anyway”.

From my previous posts, you will see a theme developing here.

OK, so, how do I use the TJX case to convince the naysayers that improvements are necessary? Well, in the past I would have sent the link with a summary and expected them to understand. That doesn’t work.

So, after a few more days to allow for any further information to come out on this particular aspect I will send the link, but with a far more descriptive summary and also liken it to our own situation. I will also then schedule a meeting with relevant parties to discuss.

I also need to have my arguments ready for the “yes but if they get in, they still can’t log on” response which will inevitably come.

As I said, it’s hard to work at this level where absolutely everything needs to be explained but if it’s necessary to make progress, so be it.

I'll let you know how it goes.

I lied!!

OK, the previous post said that it was the last (for now) in the “Things I’ve done wrong” series. It wasn’t, this one is.

There are other things I have learned but those are a good starter for 10. For now, I think it is safe to say that having learned the lessons I'm better equipped to start making the sort of progress I want and the company needs.

From the above experiences, I looked for a publication that could provide guidance on the "from scratch" aspect of the role. I read "A Practical Guide To Managing Information Security" by Steve Purser which was a little vague in places but had a lot of good ideas. I've also bought a copy of "The Pragmatic CSO" by Mike Rothman of Security Incite (http://securityincite.com/blog/mike-rothman/the-pragmatic-cso-is-here) and having read the first section, it seems promising. I'm not sure it's going to teach me anything I hadn't already thought of but it is definitely reinforcing some ideas I have regarding getting buy-in and cooperation from others in the company. This can only be a good thing!!

In the previous post I said that it was demoralising to think that EVERYTHING needed to be explained. I have to get over this. I need to start thinking about this as a battle between good ideas and bad ideas. Like all battles, the side who is better prepared usually wins. So, I need to improve my preparedness and deliver the relevant information in a way that helps the opposition select the best way forward.

Basically, I’ve got to stop being lazy and start doing my job.

It’s a good idea, trust me, I’m a gynaecologist

Last (currently) in the “Things I’ve done wrong” process.

To a certain extent, this is linked to expecting people to understand “why”.

In the past, I have explained the details of an Info Sec related issue and then the possible remedial actions available to the company and then assumed that the correct decision would be made. How naïve can you be?!?!?!

Unfortunately, it would appear that the "correct" decision is not reached based on sound assessment and analysis. Mostly, it is made against a "what's cheapest / quickest / most like what we do currently” process and this is not sound decision making.

I’ve underestimated the human ability to take the easy option and this means that when faced with the “right” decision versus the “cheap / quick / less resource consuming / more like we do currently” decision, one of the latter is opted for.

You’ll notice the second “option” is in fact a list of options. Realising this has enlightened me. I always knew that there were infinitely more ways to do something wrong than to do it right. However, I hadn’t appreciated how easy it was to choose to do something wrong.

So, the remedy? Interesting question. I might expand on this in future blogs but for now, these are my thoughts. It’s necessary to do the hard work on everything, every decision that needs making has to be supported by argument. All possible decisions related to a particular issue need analysis and “pros” and “cons” debated. Then a recommendation needs to be made.

This is hard work and demoralising. I mean, as an example, imagine having to explain that WEP only encryption is a bad idea. And I mean really explain it. Explain about the ability to set up rogue APs, then explain about the ability to intercept traffic, then explain about the ability to capture user IDs and passwords, then explain about the ability to create rogue user accounts, then explain about the ability to log in as a rogue user and download data.

Oh…. Erm…. Hang on…. I seem to remember that this may have been covered in a recent TJX related article……..

Monday, 7 May 2007

No follow up

Continuing "Things I've done wrong".

After designing and agreeing an Info Sec Management approach with the board another element of “Getting Distracted” happened and I never went back and followed it up. I could bleat about how “it wasn’t my fault because…” or “I meant to but this or that stopped me” but basically I should have persevered but didn’t. I allowed myself to get involved in other stuff that just wasn’t productive for the InfoSec environment. It was incredibly constructive for the company but that doesn’t improve InfoSec or earn me a bonus.

A point learned is that the executives will say "yes" to whatever you ask them and then do nothing about it thereafter. That is, unless you keep shoving it under their noses at every opportunity.

The trick is to get the “yes” from them, then continuously hit them with actions. Keep the work visible, report regularly (but bear in mind the format must fit the target audience).

It’s also necessary to identify what makes people tick, what are they interested in? It may not be as obvious as you think. So, some donkey work in the offing for me is to get a better understanding of what they ultimately want from the job. Only when I understand how to talk to them can I start to increase awareness.

Repetition is key, but it must be productive repetition, not just shoving inane data at them and expecting them to take it in and understand it.

Saturday, 5 May 2007

What am I doing here?

More on the “Things I’ve done wrong”

Within the first week after being given the job, I sent a draft job description to my boss (the Group FD) and scheduled a meeting to discuss. Then, an element of “distraction” came along and we never had the meeting. Due to numerous “distraction” issues thereafter, it just got sidelined.

This has led to little to no authority within the company to actually get anything done. People have not understood what the Info Sec Manager's job is all about and have largely ignored it. Therefore, I've been playing catch up ever since, fighting for recognition and acceptance. This has to stop. I need to be proactive and I need to get people coming to me with issues and not me having to track them down.

So what to do? Well, I’ve kicked the process off again, sent the job description to the boss and had an initial meeting to discuss. He and I have also agreed to meet with the IS Director (who has been reluctant to accept anything I say) and discuss the JD with him as well.

The latest point is an important aspect. I’m not sure why the IS Director has a problem with me (or with the job I’m trying to do) but it needs to be thrashed out. No progress will be made if he ignores the work I’m doing. I’ll let you know how the discussion goes.