Brian Pennington

A blog about Cyber Security & Compliance



Guest blog: PCI audits and how to recognize a good QSA auditor and partner

Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal who you are working with. We just completed a PCI audit of our Alliance Key Manager for VMware solution and it gave me a whole new perspective and attitude about the audit process. Our PCI work was conducted by Coalfire, a security company that provides PCI audit services as well as audit services for the health and financial communities. Most of my remarks will reflect on the great experience we had with Coalfire and some of the lessons we learned.

As is true of financial auditors, the QSA auditor has a duty to accurately assess the security of your IT systems to insure that they meet or exceed the PCI Data Security Standards (PCI DSS) as outlined by the PCI Security Standards Council (PCI SSC). They have a professional responsibility to tell you where you meet the PCI DSS standard, and where you fall short. That “falling short” part is the thing most people dread hearing about.

I would suggest that this is exactly where a good security audit can be very helpful. We need to know where our security is weak, and we need to know how to fix the problems. A good QSA auditor will be more than a gatekeeper for the PCI security standards – they will be a trusted advisor on how to get things right from a security perspective. That practical advice is exactly what we need to protect our sensitive data.

Finding problems and fixing them is less expensive than suffering a data breach and then scrambling to fix the problems.

Another often overlooked benefit of having a good QSA auditor is that you get a get a trusted advisor in the process. It is one thing to have an auditor point out the faults in your security strategy, it is another to find an auditor who can advise you on the security strategies and potential solutions that can help you. While there must be an arms-length relationship between an auditor and a solution provider, your QSA auditor should be able to point you to a number of solutions that can help you mitigate security weaknesses. An experienced auditor is going to help you navigate towards a good solution.

It is hard to quantify the benefit of this type of guidance, but I personally think it is invaluable.

The take-away is that you should set high expectations for the relationship you develop with your QSA auditor. You can walk away from the experience with checks in boxes, or you can meet PCI compliance AND achieve a credible security strategy and trusted advisor. I found the latter in my relationship with Coalfire.

Patrick Townsend

Townsend Security

Role of the Board of Directors in Information Security and Compliance

Guest Blogger Barry Schrager.

I recently read a posting “Where’s the Compliance Experience on Corporate Boards?” [i] which showed some disturbing results describing the backgrounds of the Fortune 500 Board Members in terms of Compliance.  Here are the results: 

Background No. of Board Members No. of Companies
Finance 1,583 473
Legal 391 225
Accounting 201 165
Compliance 9 9

Add to this, in the recent speech given by Security and Exchange Commissioner Luis Aguilar at the New York Stock Exchange Conference “Cyber Risks and the Boardroom”,[ii] he emphasized the importance of cybersecurity and how fast the need for cybersecurity has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week.  He cautioned,

Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril 

Mr. Aguilar recommends that Boards institute structural changes to focus on appropriate Cyber-Risk Management. 

Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures.  Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues.  This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties.  Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management

Navy Admiral Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command stated

Military commanders must ‘own’ cyber.  Networks and cyber [should be] the commanders’ business.”  Commanders operate under the “flawed” notion that they can turn over network responsibilities to the unit’s information technology experts, said Rogers. “Commanders have to own this mission and integrate it into operations.” Senior officers ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. “The challenge to that is as much cultural as it is technical [iii]

There is a definite pattern here.   It is clear from the survey results and statements presented above that the proper disciplines and backgrounds are not present on the Boards nor the military leadership.  This lack of knowledge and background represents a risk for these companies and investors that should not exist and can be addressed.   Additionally, these organizations have an obligation to protect the information gathered from their customers, partners and those individuals who interact with them.

If someone on the Board was knowledgeable and asked questions of the senior executives on cybersecurity and compliance then the senior management would be sure to have someone in their group who was capable of seriously addressing these issues.  This would cascade down the organization and the employees would be more focused on security and, more importantly, feel free to raise their perceived security issues up the management chain and receive appreciation for their input, and more importantly, the organization would obtain more effective cyber controls and compliance controls.

This is not just an IT problem and executives cannot just assume that this will be handled by the IT people because it usually involves budget, procedural changes that affect other departments, etc.  If the executives do not listen and understand what the IT Security and Compliance people are asking for, they will not fund the requested programs and projects until there is a data breach and then they will finally provide whatever funding is requested.  This is not the way to operate.  Organizations and people will be hurt.  

Barry Schrager 

Barry Schrager is credited as one of the people who started the concept of data security when he founded and was the first Manager of the SHARE Security Project in 1972.  The project delivered a series of requirements to IBM in 1974 including data protection by default and algorithmic grouping of users and resources.  When IBM delivered its security product, RACF, in 1976, it did not meet the requirements and IBM told him they were not achievable.  So, Barry developed his own security product, ACF2, which met the requirements and was used by customers such as General Motors, the Central Intelligence Agency, the National Security Agency, Britain’s MI-5, the Federal Reserve System and the Executive Office of the President of the United States.  When Barry sold the company, SKK, Inc., it had a 60 percent market share against IBM’s RACF and CA’s Top Secret.  Under Barry’s leadership, SKK developed the first VM operating system security product, ACF2-VM, and the first automated Operating System auditing product, Examine-MVS, now known as CA-Auditor. 

In addition to that, Barry has a variety of experiences in mainframe software development, including the Neon Systems Shadow (now Rocket Software’s Shadow z/Direct), the EKC E-SRF Access Analysis product, JME Software’s Deadbolt product, the Vanguard Integrity Professionals line of RACF security products and Xbridge Systems’ DataSniff product. Additionally, Barry has done security reviews at institutions such as the FDIC and Morgan Stanley. 

Barry’s experience covers everything from software designer/developer to executive management to consulting services. 

Barry is honored to be selected as a member of the Enterprise Executive Magazine’s Mainframe Hall of Fame. 

Barry’s contact information is: / (970) 479-9377 




The Cost Of Insecurity

It is simple, your investment in securing your data will be considerably less than the potential cost of a breach and the subsequent clean up.

Security should not be viewed as an isolated activity

In IP EXPO’s 2011 security index survey which was conducted among IT professionals from businesses of all sizes and sectors on behalf of Imago Techmedia and the IP EXPO show organisers.

Respondents to our survey overwhelmingly agreed that IT security should not be viewed as an isolated activity, but would best be treated as an integrated part of businesses’ entire technology reviews and processes,”

said Mike England, Social Business & Content Director at IP EXPO event organiser Imago Techmedia

The key findings include:

  • 70% said they believed security would be best considered collaboratively and routinely across all aspects of ICT
  • 47% said they believed their own organisations needed more security-related collaboration between different ICT disciplines
  • 44% of respondents stated that at least a quarter of their jobs involved IT security.  For 23%, security took up more than half their time
  • 23% of respondents said that their approaches to compliance compromised their security
  • 26% said mobile devices such as smartphones and laptops posed the highest risk of data loss to their businesses.
  • 18% said memory sticks being used for data theft posed the highest risk to their businesses
  • 18% of IT pros say their businesses may not survive the consequences of a major security breach
  • Nearly one-fifth of IT professionals fear their businesses may never re-open for business or would fail shortly after a major security breach
  • 68% said they viewed IT security as “a necessary evil”

CSA UK & Ireland President Des Ward commented on the results of the survey:

Lack of collaboration and a perceived disconnect between security and business would explain the view of security being deemed ‘a necessary evil’, or even a cost of doing business online and consequently having little real business value. Businesses need to evolve beyond compliance risk management to information risk management in order to implement strategies that reduce the likelihood of breaches occurring, while at the same time affording a level of business agility fitting today’s interconnected society,” he suggested.

Of the main findings, Nigel Stanley, security practice leader at Bloor Research and IT Security Pathfinder at IP EXPO, said:

What’s clear is that even if someone’s job doesn’t directly involve security per se, everyone needs to be actively engaged in dealing with the problem.  And the way that businesses are going about it is encouraging, because security management needs to be a two-way process with the users actively engaged in the process.  Generally, taking compliance steps should enhance an organisation’s security – unless of course it is doing just enough to tick the boxes but failing to see the broader benefits of building a compliant business.  However, reducing security posture to achieve compliance is bonkers.

The IT security industry has been left wanting in respect of the consumerisation of IT that’s been fuelled by smartphone adoption.  Only now are we starting to see management tools for these devices, so it’s no surprise that these have been identified by respondents as the biggest risk area,” he commented.

IP Expo will be in london on the 19th and 20th October 2011.


Risk of identity theft in hotel declines –

Hotels are no longer the No. 1 target of hackers in their quest to steal credit card information but your data still has a higher chance of being stolen inside a hotel, a veteran cybersleuth tells Hotel Check-In.

Last year, hotels became a top priority for online criminals seeking to steal travelers’ credit-card information and other data.

But this year, online thieves are now focusing on restaurants, Nicholas Percoco, senior vice president and head of SpiderLabs at data security firm Trustwave, told me. That means they might target a posh hotel restaurant with a sommelier, a fast-food joint or anything else in between.

Thieves started to ease up on hotel computer systems in mid-2010, about 18 months after attacking Wyndham hotel computers and computers of other chains.

I asked Percoco if hotels moved down a notch because the industry spent more money to protect their computer systems, if travelers got smarter or if thieves just decided to move on.

It’s a mix, he told me. Many of the big chains – like Marriott, Hilton and InterContinental Hotels Group, though he wouldn’t name names – have thrown resources to shore up their computer security, he told me.

Furthermore, all the media reports about hotels being at risk for cybercrimes made the thieves fearful that they could get caught.

As they did with hotels, these cybercriminals look for a weak link in a restaurant or fast-food chain and enter their computer system to steal credit-card information and other data

Risk of identity theft in hotel declines –

The majority of stolen Credit Cards stop being used after 24 hours

Ethoca in their report “Fraud Attacks Cross Industries” (Jan 2011) have established that in 86% of cases, fraudsters stopped using a credit card in less than 1 day (24 hours) either because the card was cancelled by the issuer or because the fraudster began using another card.

They also found that 10% of stolen cards were used at multiple merchants.

In only 29% of the cases did the fraudster stay within the same industry sector. In other words the fraudsters try to spread their fraud across as wide a field as possible. Probably to avoid the credit card issuers anti fraud procedures which can spot buying patterns – how many mobile phones does one person need?

The report established that the number one target for cross industry fraud was Mobile Phones followed by pre-paid Gift Cards. This means that in almost all case of organised fraud the fraudster will have a Mobile Phone and a Gift Card on their shopping list.

About the report

Ethoca’s data came from credit card issuers and online merchants. The 95 merchants studied in their program represent 61% of the top 500 Internet merchants as measured by revenue*.

Issuers had identified the fraud with their own risk management systems and then confirmed with the cardholder that the order was indeed fraudulent before providing the transaction details to Ethoca. As a result, Ethoca was able to study a total of 25,188 confirmed cases of fraudulent transactions from June 2010 through October 2010.

*Source: Internet Retailer Magazine for 2009

Create a free website or blog at

Up ↑

%d bloggers like this: