Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

PCI

how-do-we-stop-the-widening-cybersecurity-gap-infographic

110 million Americans hacked in the last 12 months

In a CNNMoney commissioned study Ponemon Institute researchers found:;-

  • 110 million Americans — roughly half of the nation’s adults — in the last 12 months alone.
  • 432 million accounts were hacked accounts

It’s becoming more acute,” said Ponemon Institute head Larry Ponemon. “If you’re not a data breach victim, you’re not paying attention

The CNNMoney article points to recent examples of large hack attacks:-

  • 70 million Target customers’ personal information, plus 40 million credit and debit cards
  • 33 million Adobe user credentials, plus 3.2 million stolen credit and debit cards
  • 4.6 million Snapchat users’ account data 3 million payment cards used at Michaels
  • 1.1 million cards from Neiman Marcus “A significant number” of AOL’s
  • 120 million account holders
  • Potentially all of eBay’s 148 million customers’ credentials 

Full article here.

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the affect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100% since the 2012 study when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

–       These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches. Mainly because it requires companies to be more responsive to victims followed by the creation of greater awareness about how the data breach could affect individuals and alerts potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

EMV – The perspective of a QSA who has worked on both sides of the Atlantic

With the spate of cyber attackers on US retailers recently Coalfire’s European MD, Andrew Barratt considers how the attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where Chip and Pin technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape.  The US has a much higher rate of credit card usage than most European countries, loyalty schemes and reward incentives are much more mature and embedded in consumer culture.  In Europe card usage is increasing but the type of card varies by country.  In the UK credit card use is moving in a similar direction to the US and includes a high rate of debit card usage; cards are quickly replacing cash. The UK now has lots of innovative mobile tech trying to disrupt the card market as well.   Germany is very different, credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system.  However both of Europe’s large economies moved away from using the magnetic stripe years ago.

EMV or Chip and Pin as it is more commonly referred to in the UK has been in heavy use since 2006 which has helped lower the impact of brick and mortar retail breaches significantly.  It doesn’t rely on sending the full track information to the payment processor meaning that the data is easier to secure.

With retailers adopting more of the security controls detailed in the Payment card industry data security standard and with widespread adoption of Chip and Pin for authenticating customers huge losses from face to face retailers are less common.

Large US retailers are being targeted for smash and grab style payment card data breaches because the data is easier to use fraudulently.  If a cyber-attack steals a lot of magnetic stripe data, this can be used to clone cards, which can then be used in stores to make fraudulent purchases.

Where transactions are authenticated using EMV’s Chip and Pin verification method less data is transmitted to the processor.  If this data is stolen it is harder to be used fraudulently.  It’s not impossible but a lot harder.  EMV is not without its flaws and a number of attacks have been demonstrated by Professor Ross Anderson’s research team at Cambridge University.  These typically attack the card reader and try to grab the Pin as it is sent to the smart card on the Chip for verification.

For US retailers minimizing exfiltration possibilities should be a high priority, lock down and monitor the outbound connections.

The fraud bubble has been squeezed attackers focus on e-commerce operations in the UK, service providers and other businesses that handle lots of cardholder not present transactions.  As the cost of implementing attacks against the smart card declines Europe serves to be a good learning ground for the US.  If the US adopts a future EMV model adoption can be considered with lessons learned overseas for more consumer protection.

Article written by Andrew Barratt

Twitter:     @Andrew_barratt

LinkedIn:  http://www.linkedin.com/in/andrewbarratt

Employees and Companies Not Taking BYOD Security Seriously

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure. Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.

The five cloud personas

NTT Integralis have produced a report highlighting the acceptance of Cloud Solutions.  The full report can be found here.  

The report characterises organisations as fitting five cloud ‘personas’ defined by their level of enthusiasm for cloud computing and maturity of adoption.

Ranging from Embracers at one end of the scale (very active in new technologies for over three years) to ‘Controllers’ at the other (characterized by their lack of cloud deployments), the personas also include Accepters, Experimenters and Believers.

The five cloud personas

  1. The Embracer – using cloud for 3+ years, very active in seeking out new technologies, dedicates over half budget and is very likely to see an increase in revenues and profits from cloud
  2. The Believer – very likely to actively seek out new technologies and to have moved the majority of services into the cloud over the next year. Critical to the deployment of services with a third of budget allocated
  3. The Experimenter – likely to experiment with new technologies and to move the majority of services into the cloud in the next year. Used in half or more departments with a quarter of budget dedicated to cloud
  4. The Accepter – adopted cloud in the past two years and most likely to adopt technology when there is a clear business case. Cloud is not central to IT strategy
  5. The Controller – least likely to be using cloud and emerging technologies, more reliant on data centres. Cloud is not currently part of their IT strategy

For them to have completed the survey the respondents must have at least understood the concept of the “Cloud” which is a step in the right direction.

PCI Security Standards Council publishes card production security requirements

The PCI Security Standards Council (PCI SSC), has announced the publication of a standard for secure payment card production.

The standard consists of two sets of requirements:

  1. PCI Card Production Physical Security Requirements
  2. PCI Card Production Logical Security Requirements

Together, these documents provide card vendors with a comprehensive source of information describing the security requirements to follow for card production activities including card manufacture, chip embedding, magnet-stripe encoding, embossing, card personalization, chip initialization, chip personalization.

Formerly managed as separate requirements by each payment card brand, the Council aligned these requirements and solicited feedback from the PCI community to produce one set of criteria recognized across the industry. The resulting standard is designed to secure the components and sensitive data involved in the production of payment cards and protect against the fraudulent use of card materials.

It’s broken down into two core areas:

  1. Physical security requirements – for all card vendors, these requirements address the presence, movement, and accountability of a card, including tangible features such as the security of the premises, personnel access to secure areas, and CCTV surveillance.
  2. Logical security requirements – for card personalization vendors, these requirements address threats to the confidentiality of personalization data during data transfer, access, storage, and destruction; and all aspects associated with cryptographic key management, including the protection of issuer keys used in the personalization process.

The security requirements are available for immediate download here. Vendors should work with the individual card brands to confirm timing for when future security reviews must be performed against the new PCI Card Production Security Requirements.

In line with other PCI Standards, the requirements will be updated on a three-year lifecycle, based on feedback from the PCI community.

There are a lot of pieces involved in securely producing payment cards, from design all the way through delivery,” said Bob Russo, general manager, PCI Security Standards Council. “The publication of these requirements gives card vendors one set of criteria to follow, and as we’ve seen with our other standards, will help drive improved security across the payments chain

Criminal logic; follow the money and find easy targets

Acceptance marks displayed on top left of this...Anecdotal information shows that small businesses are just as likely to become victims of an attack as large businesses.

Why?

  1. Criminals do not discriminate, a dollar is a dollar, a credit card is a credit card, no matter where it is stolen from.
  2. Small businesses cannot invest as much in protection, management, procedures and processes as larger businesses.
  3. Smaller businesses are often the last to discover, understand and therefore achieve compliance, for example PCI DSS. Compliance is described as a painful process but PCI DSS offers a detailed and defined set of requirements which will allow a business to secure all types of information and not just credit cards.
  4. Malware (Viruses, Trojan’s, etc.) does not know the difference between small and large business, in an automated attack malware tools just look for weaknesses.
  5. The hospitality industry is frequently targeted by criminals because they know there is a high level of staff attrition in an industry with a high proportion of smaller or franchised businesses. Read my article Fraud could be costing UK hotels over £2 billion a year.

Avivah Litan in her recent Gartner Blog recounts the story of a small restaurant in Winchester, Kentucky which had a data breach involving credit cards.

The story so far looks like the criminals gained access to the store’s systems remotely and siphoned off the cards’ magnetic stripe data and then creating counterfeit cloned cards which resulted in thousands of dollars in fraud and affected a high percentage of the town’s population, and significantly almost 25% of the local Police force.

The sad thing is from my own experience of running a small business it is customer loyalty that often makes the difference between being profitable and going bust and incidents like this always affect a customer’s perception of the business.

Large business can employ a PR Agency, send lots of letters, offer discounts and let a branch ride out the storm until people have forgotten about the breach, all of which a small business could not afford to do.

So what can small businesses do?

  • The first thing is to assume that you may become a target because the criminals use tools which try to find vulnerable business every minute and hour of the day.
  • Ensure that your payment devices; terminals, tills, e-commerce solution, etc. are all Payment Application Data Security Standard (PA DSS) approved. The PCI website has a list of approved products and version, find the link here.
  • Ensure you have the IT Security basics in place, Firewall, Anti-Virus, etc. and use the auto updates for the technology.
  • Make sure all your IT devices, not just your desktops and laptops but your tills and EPOS devices all have their software updated/patched regularly, if it is available turn on auto-updates.
  • Train your staff to understand what their responsibilities are and how to report issues and suspicions. A reward scheme might help.
  • I know it is difficult for small business owners to find the time but read the PCI DSS guidelines and the Self Assessment Questionnaire (SAQ) but it is an excellent start to a secure business. If you have any questions about which SAQ is needed or any other questions ask your bank they are as concerned about your security as you are.

.

Network Barometer Report 2012 – a Dimension Data’s report

Dimension Data announced the results of its Network Barometer Report for 2012. The findings of the report have been taken from 294Technology Lifecycle Management” (TLM) assessments of enterprise organizations.

TLM review a networks’ readiness to support business by reviewing network device across four distinct areas:-

  1. Security vulnerabilities
  2. Configuration variance from best practice
  3. IOS Version Management
  4. End-of-Life status

The report has a concentrates mainly on Cisco products as they form the largest vendor in the Dimension Data installed support base.

Key finding of the report

  • 75% of network devices are carrying at least one known security vulnerability, in line with the 73% in 2011.
  • A single vulnerability was responsible for this high PSIRT penetration. PSIRT 10944, identified by Cisco in September 2009, was found in 47% of all the devices analysed during 2011 (A PSIRT is a software vulnerability that has been identified by Cisco’s Product Security Incident Response Team)
  • While the number of configuration errors per device increased from 29 to 43, security related configuration errors such as AAA Authentication continue to dominate
  • The percentage of devices that entered the obsolescence phase increased from 38% to 45%
  • Of those devices, the percentage that were End-of-Sale (EoS) jumped from 4.2% in 2011 to 70% in 2012. The percentage of devices that were either EoSW maintenance EoCR dropped a similarly dramatic amount from 86.2% to 20.8%.
  • A third of all Wireless access points discovered during the calendar year 2011 were 802.11n-capable. This is nearly triple the 12% 802n penetration from last year. This adoption will also drive refresh in the underlying routing and switching infrastructure
  • After peaking at 64 new PSIRTS in 2007, the announcements had tapered off in the 45 to 50 range for the past three years, before spiking again to 60 in in 2011
  • On average, 40% of all devices have been past EoS for the past four years. That said, there have been small year–on-year increases over the past three years – 3% from 2010 to 2011 and 7% from 2011 to 2012.

The report states

“While the overall percentage of devices carrying at least one known security vulnerability stayed constant, the data also shows that an increasing number of organisations have been successful in their security vulnerability management.

During 2010, 14% of all the assessments performed showed networks that were completely clear of security vulnerabilities. This figure increased to 25% of all assessments performed during 2011.

Repeat Technology Lifecycle Management Assessment clients fared even better – during 2010, 18% of all assessments showed no security vulnerabilities, a number that doubled to 37% for 2011.

In fact, repeat users of the TLM Assessment performed better than the general population with 59% of all devices carrying at least one known security vulnerability when compared to 75% for the entire sample set. This would seem to confirm that on going network visibility is a crucial component of successful vulnerability management.” 

Dimension Data’s Conclusion of it report is below.

With the on going changes in the way IT services are consumed, in some cases driven by user demand, it has become more important than ever to take an architectural approach to network design. The adoption of enterprise mobility, virtualisation and cloud will place more pressure on an already stretched network and if it is not managed proactively will impact business agility, efficiency and ability to remain competitive.

Effective infrastructure management and network planning ensures that IT is able to meet the needs of the organisation at a tactical and strategic level, with additional benefits in terms of cost, asset optimisation and security. Dimension Data concludes that a technology lifecycle management (TLM) approach will address key architecture, security and configuration issues. We recommend this approach include six stages.

INITIATE: Determine the impact of the network technology lifecycle The first stage involves a business discussion about the network’s technology lifecycle, and the organisation’s existing and best fit longer term network architecture, considering risk, cost and strategic factors.

DISCOVER: Gather network data

Incorporates business and technical reviews with the key stakeholders to ensure the relevant information is collected. An asset list is required at this stage and if the organisation does not have an up to date list, a network scan will be required to create one. Dimension Data recommends a TLM Assessment to help identify lifecycle milestones as well as security and configuration issues.

CONSTRUCT: Perform gap analysis and develop recommendations

Here, the discovery data is analysed against security, configuration and end-of-life databases as well as checked for maintenance coverage status. There are automated tools to perform this task and the TLM Assessment service achieves this for Dimension Data clients. A technology roadmap will be created, based on the prioritised recommendations from the analysis. This will include configuration remediations as well as security and maintenance recommendations.

RECOMMEND: Consult and present the recommendations and roadmap

This consultative stage includes sharing the findings of the work done with key stakeholders and determining how to act on recommendations based on risk, cost and strategic factors. This will include a formal report and a collaborative discussion to develop an action plan.

EXECUTE: Execute on recommendations

IT operations will then execute on the recommendations. These may include allocating resources or working with a third party to address the security and network remediations that are required, reviewing maintenance and support contracts, and/or planning for equipment upgrades. As this is a multi-year planning approach, there are likely to be steps executed in future financial periods as the organisation’s needs dictate.

IMPROVE: Execute this discipline on an ongoing basis

Networks and markets are dynamic. Configurations will drift from best practice standards over time and additional products deployed will enter the manufacturer’s obsolescence lifecycle. In order to ensure the benefits of this approach over time, repeat assessments should be considered.

See my summary of the 2011 Dimension Data Barometer Report here.

.

PCI Security Standards Council announces winners of Special Interest Group elections

The PCI PCI SSC today announced the results of the PCI Council election for Special Interest Groups (SIGS).

Special Interest Groups (SIG) leverage the expertise of more than 600 PCI SSC Participating Organizations and provide a vehicle for incorporating their ideas and input into the work of the Council.

Almost 500 votes were cast by merchants, financial institutions, service providers and associations for the initiatives they want to prioritize in 2012.

The three elected groups will focus on:

  • Cloud
  • eCommerce Security
  • Risk Assessment

Participating Organizations were allowed three votes on a shortlist of seven topics that were the result of 13 proposals by the community.

Successful project proposals represent a cross section of the PCI SSC community from around the globe and include active participants from CyberSource, HyTrust, Sense of Security Pty Ltd., SISA Information Security, The UK Cards Association, Trend Micro and TSYS.

This is our first SIG election and I’m really pleased with the turnout, with a quarter of all of our Participating Organizations voting. Most impressively, a third of our votes came from outside North America showing that involvement in the Council’s activity and development of PCI Standards and resources to help secure the payment chain is truly a global endeavor,” said Jeremy King, European director, PCI Security Standards Council.

I’m looking forward to close collaboration between the Council and SIG membership.”

Special Interest Groups are a critical forum for industry participation in Council initiatives to increase payment card security. SIGs focus on providing recommendations to the Council which often results in guidance for interpreting and implementing the PCI Standards. To date SIG participants have made significant contributions to Council resources on topics such as wireless security, EMV chip, point-to-point encryption and virtualized environments.

The Council invites any members of the PCI SSC community interested in participating in one of these SIG projects to indicate their interest by emailing sigs@pcisecuritystandards.org before November 30th. Following this, Council SIG leads will convene each group to formalize the group charter and precise scope of work project. This will be shared with the Community by the end of the year, with SIGs anticipated to start work in the beginning of 2012.

We’re delighted that risk assessment has been selected by our peers to move forward as a 2012 SIG project. I’d like to encourage anyone with expertise or interest in this topic area or the other final selections to get involved,” said Dharshan Shanthamurthy, chief consultant at SISA Information Security.

 “Council SIGs are a great opportunity for professional development, networking, and contributing to something that will benefit the entire industry.”

.

How to Choose a QSA – SANS

The Quality Security Assessor (QSA) a Merchant chooses will dramatically impact on how the Merchant achieves compliance.

In simple terms the right advice and guidance saves time and money whilst reducing risk and achieving compliance. The wrong advice or guidance could prove extremely costly.

SANS: “The independent white paper in this security KnowledgeVault is just one of the resources to help you make the right decision. It details the top 5 questions to ask a prospective QSA firm and offers guidelines on everything from making sure they adequately handle compensating controls to assessing their expertise with virtualization”.

The 5 questions are

  1. For what types of organizations have you performed PCI DSS assessments?
  2. What is your background?
  3. Who will be performing the work?
  4. How do you validate and assess compensating controls?
  5. Are there examples of your assessments being used to improve security for clients?

Reading the white paper and asking these question could prove vital to the succesful completion of a PCI DSS project.

Download the white paper here. Registration is required.

Source: Dell and SANS

Blog at WordPress.com.

Up ↑

%d bloggers like this: