Brian Pennington

A blog about Cyber Security & Compliance


June 2012

PCI Security Standards Council releases Point-to-Point encryption (P2PE) resources

The PCI Security Standards Council (PCI SSC), has announced availability of the Point-to-Point Encryption (P2PE) Program Guide and Self-Assessment Questionnaire (SAQ) to support implementation of hardware-based point-to-point encryption (P2PE) solutions. They are downloadable from the PCI SSC website in an MS Word format.

The resources follow the Council’s release of updated Solution Requirements and Testing Procedures for hardware-based P2PE solutions in April, (find the link in my resources page)which provide a method for vendors to validate their P2PE solutions and for merchants to reduce the scope of their PCI DSS assessments by using a validated P2PE solution for accepting and processing payment card data.

Eligible merchants using these P2PE hardware solutions may be able to reduce the scope of their PCI DSS assessments and validate to a reduced set of PCI DSS requirements. To help with this validation process, the Council has developed a new Self-Assessment Questionnaire (SAQ P2PE-HW).

SAQ P2PE-HW is for merchants who process cardholder data via hardware terminals included in a validated P2PE solution and consists of the following components:

  • Merchant eligibility criteria
  • SAQ completion steps
  • Self-Assessment Questionnaire (validation of PCI DSS Requirements)
  • Attestation of Compliance, including Attestation of PIM Implementation

Merchants should refer to their acquirer and/or payment brand to determine if they are eligible to use this new SAQ.

The Council has also updated the PCI DSS SAQ Instructions and Guidelines document to provide additional guidance on use of the SAQ P2PE-HW.

The PCI P2PE Program Guide is designed to help solution providers, application vendors, and P2PE assessors understand how to complete a P2PE assessment and submit it to the Council for acceptance and listing on the PCI SSC website.

The document includes:

  • Overview of P2PE solution validation processes
  • Considerations for P2PE Solution providers preparing for assessment
  • Reporting considerations for P2PE assessors
  • Considerations for managing validated P2PE Solutions
  • Listing of applications used in P2PE solutions

Solution providers, application vendors, and P2PE assessors can use this document immediately to plan for their P2PE assessments.

The Council will shortly be providing templates and Reporting Instructions for P2PE validation reports, as well as new Attestations of Validation (AOVs) and vendor release agreement (VRA).

P2PE assessors, solution providers and application vendors can then complete their assessments of P2PE Solutions and applications and submit their reports and validation documentation to the Council for acceptance and listing. The Council will list the validated solutions on the PCI SSC website for merchants to use.

“These resources are a critical part of rolling out this program,”

said Bob Russo, general manager, PCI Security Standards Council

“The program guide outlines the submission and listing process for P2PE solution providers and application vendors who want to validate their products, while the SAQ will help simplify PCI DSS validation efforts for merchants taking advantage of this process to minimize the amount of cardholder data in their environments.”


Network Barometer Report 2012 – a Dimension Data’s report

Dimension Data announced the results of its Network Barometer Report for 2012. The findings of the report have been taken from 294Technology Lifecycle Management” (TLM) assessments of enterprise organizations.

TLM review a networks’ readiness to support business by reviewing network device across four distinct areas:-

  1. Security vulnerabilities
  2. Configuration variance from best practice
  3. IOS Version Management
  4. End-of-Life status

The report has a concentrates mainly on Cisco products as they form the largest vendor in the Dimension Data installed support base.

Key finding of the report

  • 75% of network devices are carrying at least one known security vulnerability, in line with the 73% in 2011.
  • A single vulnerability was responsible for this high PSIRT penetration. PSIRT 10944, identified by Cisco in September 2009, was found in 47% of all the devices analysed during 2011 (A PSIRT is a software vulnerability that has been identified by Cisco’s Product Security Incident Response Team)
  • While the number of configuration errors per device increased from 29 to 43, security related configuration errors such as AAA Authentication continue to dominate
  • The percentage of devices that entered the obsolescence phase increased from 38% to 45%
  • Of those devices, the percentage that were End-of-Sale (EoS) jumped from 4.2% in 2011 to 70% in 2012. The percentage of devices that were either EoSW maintenance EoCR dropped a similarly dramatic amount from 86.2% to 20.8%.
  • A third of all Wireless access points discovered during the calendar year 2011 were 802.11n-capable. This is nearly triple the 12% 802n penetration from last year. This adoption will also drive refresh in the underlying routing and switching infrastructure
  • After peaking at 64 new PSIRTS in 2007, the announcements had tapered off in the 45 to 50 range for the past three years, before spiking again to 60 in in 2011
  • On average, 40% of all devices have been past EoS for the past four years. That said, there have been small year–on-year increases over the past three years – 3% from 2010 to 2011 and 7% from 2011 to 2012.

The report states

“While the overall percentage of devices carrying at least one known security vulnerability stayed constant, the data also shows that an increasing number of organisations have been successful in their security vulnerability management.

During 2010, 14% of all the assessments performed showed networks that were completely clear of security vulnerabilities. This figure increased to 25% of all assessments performed during 2011.

Repeat Technology Lifecycle Management Assessment clients fared even better – during 2010, 18% of all assessments showed no security vulnerabilities, a number that doubled to 37% for 2011.

In fact, repeat users of the TLM Assessment performed better than the general population with 59% of all devices carrying at least one known security vulnerability when compared to 75% for the entire sample set. This would seem to confirm that on going network visibility is a crucial component of successful vulnerability management.” 

Dimension Data’s Conclusion of it report is below.

With the on going changes in the way IT services are consumed, in some cases driven by user demand, it has become more important than ever to take an architectural approach to network design. The adoption of enterprise mobility, virtualisation and cloud will place more pressure on an already stretched network and if it is not managed proactively will impact business agility, efficiency and ability to remain competitive.

Effective infrastructure management and network planning ensures that IT is able to meet the needs of the organisation at a tactical and strategic level, with additional benefits in terms of cost, asset optimisation and security. Dimension Data concludes that a technology lifecycle management (TLM) approach will address key architecture, security and configuration issues. We recommend this approach include six stages.

INITIATE: Determine the impact of the network technology lifecycle The first stage involves a business discussion about the network’s technology lifecycle, and the organisation’s existing and best fit longer term network architecture, considering risk, cost and strategic factors.

DISCOVER: Gather network data

Incorporates business and technical reviews with the key stakeholders to ensure the relevant information is collected. An asset list is required at this stage and if the organisation does not have an up to date list, a network scan will be required to create one. Dimension Data recommends a TLM Assessment to help identify lifecycle milestones as well as security and configuration issues.

CONSTRUCT: Perform gap analysis and develop recommendations

Here, the discovery data is analysed against security, configuration and end-of-life databases as well as checked for maintenance coverage status. There are automated tools to perform this task and the TLM Assessment service achieves this for Dimension Data clients. A technology roadmap will be created, based on the prioritised recommendations from the analysis. This will include configuration remediations as well as security and maintenance recommendations.

RECOMMEND: Consult and present the recommendations and roadmap

This consultative stage includes sharing the findings of the work done with key stakeholders and determining how to act on recommendations based on risk, cost and strategic factors. This will include a formal report and a collaborative discussion to develop an action plan.

EXECUTE: Execute on recommendations

IT operations will then execute on the recommendations. These may include allocating resources or working with a third party to address the security and network remediations that are required, reviewing maintenance and support contracts, and/or planning for equipment upgrades. As this is a multi-year planning approach, there are likely to be steps executed in future financial periods as the organisation’s needs dictate.

IMPROVE: Execute this discipline on an ongoing basis

Networks and markets are dynamic. Configurations will drift from best practice standards over time and additional products deployed will enter the manufacturer’s obsolescence lifecycle. In order to ensure the benefits of this approach over time, repeat assessments should be considered.

See my summary of the 2011 Dimension Data Barometer Report here.


The State of Risk-Based Security Management

The Tripwire sponsored Ponemon study called “The State of Risk-Based Security Management: United States” is designed to discover what organizations are doing with respect to Risk-based Security Management (RBSM), where RBSM is defined as the application of rigorous and systematic analytical techniques to the evaluation of the risks that impact an organization’s information assets and IT infrastructure. RBSM can be considered one component of a wider enterprise risk management system.

My summary of the document is below.

  • 77% express significant or very significant commitment to RBSM
  • yet 52% have a formalized approach to it
  • 46% have actually deployed any RBSM program activities

Of those that have a formal function, program or set of activities dedicated to RBSM, 74% have partially or completely deployed some or all RBSM activities. It appears that having a formalized strategy or plan for RBSM is an important precursor for ensuring that RBSM activities are deployed

41% of respondents say that their organizations do not categorize their information according to its importance to the organization. Organizations must take this step to make informed, rational decisions about what data is most critical to protect.

Only 45% have specific metrics for determining RBSM effectiveness. Those responsible for the program need a scorecard that demonstrates its success in order to secure funding and resources.

Few organizations have achieved a balanced approach with their preventive and detective controls. While most (80 to 90%) deploy the majority of necessary and appropriate preventive controls, only around half deploy the majority of necessary detective controls.

30% of organizations have no formal RBSM strategy for the enterprise, and almost a quarter (23%) have only an informal or ad hoc strategy.

The existence of a formal RBSM function, program or set of activities

  • Yes 52%
  • No 48%

The existence of a risk management strategy

  • 30% Do not have a strategy
  • 24% Formal but inconsistently applied strategy
  • 23% Informal or “ad hoc”strategy
  • 23% Formal and consistently applied strategy

The US and UK (25 and 36%, respectively) are less concerned about regulatory non-compliance than Germany and the Netherlands (60 and 58%, respectively). This can be attributed to the strict rules governing the handling of personal and sensitive information in Germany and the Netherlands.

Organizations in Germany and the Netherlands have more concern about the cloud than the US and UK. Specifically, 65%t of German organizations and 59% of organizations in the Netherlands are concerned or very concerned about software as a cloud service.  In contrast, 46% of US and 48% of UK organizations are concerned or very concerned.

US organizations are far more concerned about the human factor risk to their IT infrastructure today and in the immediate future. Specifically, 71% of respondents from US organizations say they are concerned about malicious insiders. In the UK that number drops to 49%.

A larger gap exists between the US and Germany (32%) and the Netherlands (16%). The US and UK are more concerned about employee carelessness (66 and 65%, respectively) than Germany and the Netherlands (34 and 38%, respectively).

Threats to information security faced by organizations

The greatest rise of potential security risk within today’s IT environment

Find the full report here.


RSA’s June Online Fraud Report 2012

In their June Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

RSA researchers have been following Ransomware campaigns and Ransomware Trojan attack waves and have recently analyzed a new variant that holds infected PCs hostage until their owners make a €100 payment to the botmaster.

Ransomware is the type of malware that can infect a PC and then lock the user’s data most commonly by encrypting files or by injecting a rogue MBR (master boot record) to the system’s start-up routine.

Ransomware can come as standalone malicious code or coupled with other malware. This type of malicious campaign has been on the rise and are ever popular, with many recent cases combining banking Trojans with Ransomware. While the user’s files are typically locked until the ransom is paid, the victim is still free to browse the Internet, thus allowing the banking Trojan to continue collecting information on the victim uninterrupted.

The Trojan involved in the cases studied by RSA is a Ransomware that begins by checking for the future victim’s geo-location and adapting a ransom page to the local language for thirteen different countries. The fact that this malware aims at 13 specific countries may seem targeted enough at first sight, but it is only the case of one variant – if this malware is shared or sold with other criminals, they could easily adapt it to their own targets.

RSA researchers were able to recognize 13 different ransom kits available for this Trojan. All kits are located in the same folder, where some countries have two different types of images that can be downloaded and used by the Ransomware (in cases when more than one language is spoken in that country, such as Belgium).

After the Ransomware kit infected the PC, it was downloaded and unpacked locally. This is the point at which the Trojan begins its primary communication with the botmaster’s remote server.

The communication includes three main purposes:

  1. Inform the botmaster of the addition of a new bot, send infected machine’s IP address (and then used to define the infected PC’s physical location)
  2. Obtain a blacklist of potentially fake prepaid card/voucher numbers defined by the botmaster
  3. Ping the botmaster to use the C&C as a drop for the coming ransom payment (in the shape of a card PIN/voucher number)

This Trojan also makes a few copies of itself and saves them under different names locally on the infected PC.

Much like other Trojans, this Ransomware is managed via server side scripts on the botmaster’s resources. The variant analyzed in this case used four resources, all of which were located on the same physical server, using two different IP addresses held with a Russian-based ISP – typical for the vast majority of Ransomware.

RSA was able to deduce that the Ransomware analyzed is actually part of a larger cybercrime operation. The botmasters behind this malware variant are clearly bot-herding and monetizing their botnets using a loader Trojan, banking Trojans and Ransomware variants. The server hosting the Ransomware has proven to also be a drop zone for stolen credentials amounting to well over €80,000.

RSA Conclusion

Ransomware has been gaining speed among cybercriminals and bot-herders, likely because this extortion method works and keeps paying off, as victims believe that if they pay, their system will be unlocked.

With ransom amounts averaging €100, it seems as though botmasters behind these scams keep the fee relatively low, possibly so that the victim may prefer to pay it in hopes of releasing the hold on their PC rather than contact a support professional. Another factor keeping victims quiet are typical Ransomware accusations, including things such as software and music infringement. It is very possible that users do not know they were infected by malware and are not keen on contacting someone about it, thus allowing this type of malware to enjoy its continued popularity.

Phishing Attacks per Month

In May 2012, phishing volume increased by 7%, with a total of 37,878 global attacks identified by RSA. The bulk of the increase observed in the past two months is a result of highly targeted phishing campaigns launched against a small number of financial institutions.

Number of Brands Attacked

The number of brands targeted by phishing attacks throughout May increased by 4%, and 50% endured less than five attacks.

Types Attacked

Phishing attacks against U.S. nationwide bank brands decreased by 20% while credit unions saw a 13% increase in phishing volume in May.

Top Countries by Attack Volume

After being targeted by 28% of worldwide attacks in April, Canada saw a huge drop in attack volume in May to just 3%. The UK remains the most heavily targeted country for the third consecutive month, enduring more than 60% of global phishing volume in May.

Top Countries by Attacked Brands

The countries with the most attacked brands in May were the U.S., UK, and Australia, accounting for 47% of all phishing attacks. Brands in Brazil, India, Canada, China, France and Italy also continue to remain highly targeted by phishing.

Top Hosting Countries

The U.S. saw an increase of10% in the number of phishing attacks it hosted in May – increasing to 66%, or two out of every three attacks. Brazil also remained a top host with 9% and Germany with 4%.

Previous RSA Online Fraud Report Summaries:

  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

Consumers express their opinions of Data Breach Notifications

Ponemon Institute have released an Experian® Data Breach Resolution sponsored survey into what consumer think about Data Breach Notifications, titled 2012 Consumer Study on Data Breach Notifications.

I have made a summary of the survey below.

Consumers in the Ponemon and Experian joint study believe data breach notification is important under certain conditions

  • 85% believe notification about data breach and the loss or theft of their personal information is relevant to them
  • 57% say that they want to be informed only if the organization is certain that they are at risk
  • 58% say that if they remembered the notification it failed to explain all the facts and “sugar coated” the message

The trustworthiness of an organization is linked to the efforts it makes to protect personal information

  • 83% of respondents believe organizations that fail to protect their personal information are untrustworthy
  • 82% believe the privacy and security of their personal information is important

Following a data breach, consumers believe organizations have obligations to provide compensation and protect them from identity theft

  • 63% say organizations should be obligated to compensate data breach victims with cash, their products or services
  • 59% believe a data breach notification means there is a high probability they will become an identity theft victim. As a result, 58% say the organization has an obligation to provide identity protection services and 55% say they should provide credit-monitoring services.

Most consumers recall receiving a form letter and more than one notification

  • 65% of consumers say they have received at least one notification
  • 35% recall receiving at least three In 2005, 91% said they received only one
  • 62% of consumers say the notification was a form letter 19% who say it was a personal letter.

Most consumers do not believe the organizations that sent them notifications did a good job in communicating and handling the data breach

  • 72% of consumers were disappointed in the way the notification was handled
  • 28% say the organization did a good job in communicating and handling the data breach

A key reason for the disappointment is respondents’ belief that the notification did not increase their understanding about the data breach. In fact, since 2005 respondents are more in the dark about what happened with their data.

  • 41% of respondent say their data was most likely stolen
  • 37% say they have no idea what the data breach incident was about
  • This is an increase from 37% in 2005 who said their data was most likely stolen and 28% of consumers who said they had no idea what the data breach incident was about
  • 51% say their customer or consumer information was stolen
  • 21% who say it was their financial information such as credit card/debit card account numbers
  • In 2005 86% said it was their customer or consumer information 10% said it was employee records
  • 44% of consumers do not know the specific data that was lost or stolen which makes it more difficult for them to take steps to protect themselves from further harm. Those who do know say the following were most likely to have been lost or stolen: name, credit card or bank payment information and Social Security number.

Personal data respondents worry most about if lost or stolen

  • 48% Email address
  • 48% Health plan provider account number
  • 48% Taxpayer ID number/Employer ID number
  • 52% Telephone or mobile number
  • 53% Driver’s license number
  • 57% Credit or payment history
  • 65% Credit card or bank payment information
  • 65% Prescriptions
  • 68% Social media accounts/handles
  • 89% Social Security number
  • 92% Password/PIN

Consumers say key facts about the breach are missing in most communications. 67% say the notification did not provide enough details about data breach.

The majority of consumers (51%) would like to have more information about how the organization will protect them to minimize the harm to them and their family. This is consistent with the 2005 study.

How the data breach may affect them and their family decreased significantly from 40% of respondents in 2005 to 24% this year. Identity protection or credit monitoring services and steps to take to protect their personal information were included for the first time in this year’s study and were significantly lower than the first choice about protections to minimize the possible negative consequences of a data breach.

Notification letters are increasingly perceived to be junk mail, according to many consumers

  • 36% say they thought the data breach notification letter looked like junk mail This is an increase from 15% in 2005
  • 34% say it was an important communication, this is a significant decrease from 51% in 2005

If they thought it looked like junk mail

  • 63% of respondents recommend that the notification provide the names of individuals they can contact if they have questions or concerns
  • 54% say the notification should be personalized
  • 50% suggest making a phone call or email alerting them to the notification

Customer loyalty is at risk following notification. In response to being notified by an organization

  • 15% say they will terminate their relationship
  • 39% say they will consider ending the relationship
  • 35% say their relationship and loyalty is dependent upon the organization not having another data breach

Only a small percentage of respondents in both studies do not blame the organization reporting the data breach. Further, respondents’ reactions to a breach have not changed significantly in the past seven years.

As in the previous finding, data breaches diminish customer loyalty and trust and this has not changed much since 2005. The study reveals that 62% say the notification decreased their trust and confidence in the organization Only 30% say it had no affect on their trust and confidence.

Since 2005, data breach notifications have not become easier to understand with 61% of consumers have problems understanding the notification An increase from 52% in 2005.

The biggest improvements that could be made would be to explain the risks or harms that they are most likely to experience as a result of the breach and to disclose all the facts.

The believability of data breach notifications has declined

  • In 2005, 61% say the message was believable
  • This has decreased to 55% in 2012

Scepticism about the content of the notification has increased since 2005. Of the 45% who say it was not believable, 51% say the message did not tell them about the harms or risks they will likely experience. This is an increase from 37% who believed this in 2005. In addition, perceptions that the organization is hiding key facts about the data breach have increased from 37% to 44%,

Respondents are just as worried today as they were in 2005 about the security of their personal information

  • 63% are more worried about the security of their personal information
  • 44% say they have had to spend time resolving problems as a result of the breach
  • Despite concerns about identity theft and other harms, almost half (49%) are doing nothing to protect themselves

Consumers are, however, more cautious about sharing personal information with the organization that had the breach (45%) and 35% are more cautious about sharing information with all organizations.

Ponemon’s Conclusion

Consumers in our study believe the privacy and security of their personal information is important. Organizations that do not provide adequate safeguards are considered untrustworthy. Further, typical responses to a data breach notification are to immediately discontinue the relationship with the organization that had the breach, to consider discontinuing the relationship or to continue the relationship only as long as another breach does not occur.

One of the goals of this research is to determine if consumers’ perceptions about data breach notification have changed since 2005 when we conducted the first study about this topic. Based on the findings, improvements need to be made to both how the notifications are delivered and the information that is communicated to victims of the data breach.

These include

  • Making the notification easier to understand by making it shorter with less legalese
  • Eliminating the perception that the notification is junk mail by providing names that can be contacted if there are questions or concerns, personalizing the message and making a phone call or sending an email in advance of sending the notification
  • Providing specifics about the incident that explain the cause of the breach and the type of data that was lost or stolen so the victim understands what the data breach is all about
  • Assuring the victims that the organization will take steps to protect them from identity theft and other negative consequences

Most of the consumers who responded to the survey cannot recall if they received notification. We conclude that despite their concern about privacy and security, consumers are not paying attention to the notices. They also are not being proactive about preventing identity theft following notification. Instead, they believe it is the obligation of the organization to fully explain the potential harms they are likely to experience and to take steps to reduce the risk of identity theft.

In many instances, when organizations have a data breach the notification process is a matter of sending out a form letter. As shown in this study, communicating the circumstances of the data breach can influence customer loyalty, trustworthiness and reputation. Resources spent on personalizing the message, offering assistance to reduce the likelihood of identity theft and future harms and providing specific information about the incident may help organizations avoid the risk of losing customer trust and loyalty in the aftermath of the data breach.

Read the full report by registering here.

With Breach Notifications to be mandatory in the not so distant future it would be worth reading my review of the proposed European Data Protection Act here.

Latest NHS Fine for breaching the Data Protection Act is close to the “current” limit at £325,000

After a series of breaches where the NHS organisation involved received nothing more than a slap on the wrist the Information Commissioner is finally ratcheting up the pressure on public sector organisations, especially the NHS for breaching the Data Protection Act.

In the latest breach Brighton and Sussex University Hospitals NHS Trust has been fines £320,000 after a serious breach and is the highest ever issued.

The maximum fine was raised to £500,000 in April 2010

It is worth noting that fines under the proposed European Data Protection Act will be considerably higher with numbers in the order of €1 million or 2% of turnover been discussed, see Proposed European wide Data Protection Act – a review.

The Brighton and Sussex University Hospitals NHS Trust involved highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of:

  • Patients’ medical conditions
  • Treatments
  • Disability living allowance forms
  • Children’s reports

It also included documents containing staff details including:

  • National Insurance numbers
  • Home addresses
  • Ward
  • Hospital IDs
  • Information referring to criminal convictions and suspected offences

The data breach occurred when an individual engaged by the Trust’s IT service provider, Sussex Health Informatics Service (HIS), was tasked to destroy approximately 1000 hard drives held in a room accessed by key code at Brighton General Hospital in September and October 2010. A data recovery company bought four hard drives from a seller on an Internet auction site in December 2010, who had purchased them from the individual.

Although the ICO was assured in our initial investigation following this discovery that only these four hard drives were affected, a university contacted us in April 2011 to advise that one of their students had purchased hard drives via an Internet auction site. An examination of the drives established that they contained data which belonged to the Trust.

The Trust has been unable to explain how the individual removed at least 252 of the approximate 1000 hard drives they were supposed to destroy from the hospital during their five days on site. They are not believed to have known the key code needed to access the room where the drives were stored, and were usually supervised by staff working for HIS. However, the Trust has acknowledged that the individual would have left the building for breaks, and that the hospital is publicly accessible.

The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:

“The amount of the CMP issued in this case reflects the gravity and scale of the data breach. It sets an example for all organisations – both public and private – of the importance of keeping personal information secure. That said, patients of the NHS in particular rely on the service to keep their sensitive personal details secure. In this case, the Trust failed significantly in its duty to its patients, and also to its staff.”

See previous ICO monetary fines for the NHS


Blog at

Up ↑

%d bloggers like this: