Brian Pennington

A blog about Cyber Security & Compliance

Tag: Coalfire Systems

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment-based security, and especially PCI DSS and P2PE.

Jeremy King, PCI Security Standards Council International Director, said: "The new European Commission Payment Services Directive 2, along with the European Banking Authority Guidelines for Securing Internet Payments, have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon-to-be-released General Data Protection Regulation, which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond.

"These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security."

With 70% of all card fraud coming from Card-Not-Present (CNP) transactions, a figure that surpasses the previous record, set in 2008 during the EMV chip migration, it is a critical time for the industry.

A significant amount of the conference was spent on new and developing technologies, including:

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point to Point Encryption (P2PE) – Andrew Barratt of Coalfire delivered a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems

Jeremy King added: "PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security.

"We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals."

Attendees included experts from Accor Hotels, British Telecommunications, Capita, Coalfire Systems Limited, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

Guest blog: PCI audits and how to recognize a good QSA auditor and partner

Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal who you are working with. We just completed a PCI audit of our Alliance Key Manager for VMware solution and it gave me a whole new perspective and attitude about the audit process. Our PCI work was conducted by Coalfire, a security company that provides PCI audit services as well as audit services for the health and financial communities. Most of my remarks will reflect on the great experience we had with Coalfire and some of the lessons we learned.

As is true of financial auditors, the QSA auditor has a duty to accurately assess the security of your IT systems to ensure that they meet or exceed the PCI Data Security Standard (PCI DSS) as outlined by the PCI Security Standards Council (PCI SSC). They have a professional responsibility to tell you where you meet the PCI DSS standard, and where you fall short. That "falling short" part is the thing most people dread hearing about.

I would suggest that this is exactly where a good security audit can be very helpful. We need to know where our security is weak, and we need to know how to fix the problems. A good QSA auditor will be more than a gatekeeper for the PCI security standards – they will be a trusted advisor on how to get things right from a security perspective. That practical advice is exactly what we need to protect our sensitive data.

Finding problems and fixing them is less expensive than suffering a data breach and then scrambling to fix the problems.

Another often overlooked benefit of having a good QSA auditor is that you get a trusted advisor in the process. It is one thing to have an auditor point out the faults in your security strategy; it is another to find an auditor who can advise you on the security strategies and potential solutions that can help you. While there must be an arm's-length relationship between an auditor and a solution provider, your QSA auditor should be able to point you to a number of solutions that can help you mitigate security weaknesses. An experienced auditor is going to help you navigate towards a good solution.

It is hard to quantify the benefit of this type of guidance, but I personally think it is invaluable.

The take-away is that you should set high expectations for the relationship you develop with your QSA auditor. You can walk away from the experience with checks in boxes, or you can meet PCI compliance AND achieve a credible security strategy and trusted advisor. I found the latter in my relationship with Coalfire.

Patrick Townsend

Townsend Security

Hospitality Industry alerted by the U.S. Secret Service on the threat of Keyloggers

The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.

What happened?

  • According to the advisory issued by the Department of Homeland Security/Secret Service (which can be found on osac.gov), task force agents arrested a group of suspects that had installed keylogger software on computers in various hotel business centers.

The suspects were able to obtain large amounts of information, including other guests' personally identifiable information (PII), login credentials to bank, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center's computers.

What is a keylogger?

How to check if a business center has been compromised

  • Physically inspect your keyboards and computers and their connections to ensure no unknown devices are present
  • Investigate active processes on the machine to determine if they are making malicious outbound communications that would be sending out the data collected by the keylogger
  • Perform a hash analysis of all files on the drive to see if they match any known malicious hash values
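The third check above, hashing every file on the drive and comparing against known-malicious hash values, as an added example that is not part of the original post or of Coalfire's guidance. The script below streams every regular file under a directory (for instance a mounted image of the business-center drive) through SHA-256 and reports the paths whose digest appears on a known-bad list, keeping a separate list of files it could not read, since an unreadable file is itself worth a second look. The sample file tree and the known-bad hash are constructed for the demonstration, and the helper names `sha256_of_file`, `scan_tree` and `demo` are this example's own.

```python
# Added example (not from the original post): sweep a directory tree and flag
# files whose SHA-256 appears on a list of known-malicious hash values.
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat when hashing a whole drive


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 without loading it whole into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, known_bad: Set[str]) -> Dict[str, object]:
    """Hash every regular file under root and report those on the known-bad list.

    Symlinks and special files are skipped so only real on-disk content is
    hashed. Files that cannot be opened are reported under "unreadable"
    rather than silently dropped.
    """
    wanted = {h.lower() for h in known_bad}  # normalise case of supplied indicators
    matches: List[Tuple[str, str]] = []
    unreadable: List[str] = []
    scanned = 0
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()  # report paths relative to the image root
            try:
                digest = sha256_of_file(path)
            except OSError:
                unreadable.append(rel)
                continue
            scanned += 1
            if digest in wanted:
                matches.append((rel, digest))
    return {"scanned": scanned, "matches": sorted(matches), "unreadable": sorted(unreadable)}


def demo() -> Dict[str, object]:
    """Sweep a constructed business-center file tree.

    The known-bad hash is derived from a constructed placeholder blob, so the
    example needs no real indicators. In practice the list comes from a threat
    intelligence feed or the advisory itself, never hard-coded like this.
    """
    bad_blob = b"CONSTRUCTED-SAMPLE-NOT-A-REAL-PROGRAM\x00" * 64
    known_bad = {hashlib.sha256(bad_blob).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Program Files" / "Printer").mkdir(parents=True)
        (root / "Program Files" / "Printer" / "driver.bin").write_bytes(b"benign driver bytes")
        (root / "Users" / "Public").mkdir(parents=True)
        (root / "Users" / "Public" / "readme.txt").write_bytes(b"hotel guest notice")
        (root / "Users" / "Public" / "unknown_update.bin").write_bytes(bad_blob)
        return scan_tree(root, known_bad)


if __name__ == "__main__":
    result = demo()
    print(f"scanned {result['scanned']} files, {len(result['unreadable'])} unreadable")
    for rel, digest in result["matches"]:
        print(f"MATCH {rel} sha256={digest}")
```

A hash sweep only catches samples already on the list, so a clean result supports the "due diligence" point later in the post but does not rule out a renamed or recompiled keylogger; pair it with the physical inspection and the review of outbound connections from the other two bullets.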

What to do if you have a compromised business center?

  • Remove or disconnect the computer from the network but leave the computer on and running
  • Engage a security consultant to determine the scope of the potential compromise to determine the best approach to remediate

What should you tell your compromised customers?

  • In accordance with state and industry breach rules, inform them of the facts
  • Let them know the steps you’ve taken to ensure it won’t happen again

How can you protect your business center?

  • Application and process whitelisting
  • Disable unused USB ports
  • Configure firewalls to block outbound connections to known malicious sites

Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to demonstrate "due diligence" in the face of this advisory, and could quell any customer concerns before they arose.

Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.

The Top 7 HIPAA Risk Analysis Myths

[Infographic: HIPAA Risk Assessment]
