by Branden Williams on September 2, 2010
in SBN

kitten, by Clevergrrl
Have you checked out ISSA Connect yet? The next issue is up there with my column, Trusting Trust. What would we do without a little bit of trust? Our lives would certainly be much less convenient, though they might also be more secure.
If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!
by Branden Williams on September 1, 2010
in SBN

Stay Classy, San Diego!
What was popular in August? I personally closed out the month with a huge milestone, corrective surgery that should hopefully remove my requirement for glasses and contacts. I am in recovery, and can SORTA see this post, so I disclaim any responsibility for the content herein. Actually, I should probably do that for the whole blog.
Here are the five most popular posts from last month:
- Why QSAs Should Not Be Your Security Partner. That’s right, folks. It’s time to separate your consultants from your assessors. Do you know what motivates QSAs? Here is an inside scoop on what goes on inside your QSA’s head, and why he doesn’t have your best interests in mind.
- Where’s the Breach? Is this the new way to deal with a breach? Just find someone who has fallen victim in the past and blame him? Maybe.
- The Council is such a Tease with PCI DSS 2.0. With no payoff, I might add. The Council released a preview of PCI DSS 2.0, but without any real meat to the announcement. It’s good to see where things are moving, but ultimately, we need to see the exact language to understand the impact. Read this post to find out why.
- PCI Security Standards go to Three Year Lifecycle. Still on the top five one month later, this post details some of the pros and cons to the new three year lifecycle that all of the standards will adopt starting with the pending release.
- 2010 Verizon Business Data Breach Report Released. Amidst the flurry of BlackHat and Defcon last month, Verizon released an updated version of their data breach report. This post outlines some key takeaways. It has generated buzz in the industry mainly due to the trends (which should not have been reported as is).
Thanks for stopping by, San Diego!
by Branden Williams on August 27, 2010
in SBN
It’s been an interesting week in the PCI DSS world. I was a contributor to a Webcast from First Data on scope reduction using Tokenization. We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have gotten a flood of emails reminding me about the community meetings in Orlando and Barcelona.

Y2K, by Nancy Wombat
From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the Pacific Rim, the Middle East, Asia, and Europe. Australian and New Zealand based companies seem to be taking particular interest in PCI DSS, equivalent to the levels we saw in early 2007 prior to the Visa CAP enforcing fines. Some of my favorite discussions around PCI DSS are helping companies that are just starting to explore the complex standard.
Square 1, as it were.
I was on the phone with representatives from a company this week where someone asked me how serious PCI DSS was, and if it would end up being another Y2K. I had never thought of it that way, but the parallels between how we solved the Y2K problem and how many companies approach PCI DSS are very interesting.
Those in the industry that lived through the compliance scrambles of 2007-2009 remember that companies often struggled in year two, because they forgot that PCI DSS was a continual process, and not just some one-time project like Y2K was. All the controls that were put into place and validated either disappeared or were neglected. Big examples of this include quarterly scans, daily log reviews, and change control tickets.
For those of you taking on this task today, do yourself a favor and treat it as a journey, not a project. PCI DSS is a process of continuous improvement and a constant reminder of the war that we face with the bad guys. Celebrate your victory of crossing the first mile marker when initially achieving compliance, but don’t forget there are many more miles to go.
by Branden Williams on August 20, 2010
in SBN
I recently gave a presentation to a graduate advertising class about social media with ideas on how it might be used as a part of an overall marketing and advertising strategy. One of the things I covered was the concept of geo-tagging and how it relates to social media. There are tremendous privacy concerns related to geo-tagging, but interesting market opportunities as well.

Day 70/365.v2, by Perfecto Insecto
We set aside the unintended geo-tagging that occurs when people use location services on their mobile phones or location-aware cameras, and focused on check-in applications. Some examples of these applications are the popular FourSquare and Gowalla. Well, it seems Facebook has now joined the fun, and added Places. Included in the launch was an updated Facebook application for iPhone that included the new logo, which, as Jay Dolan points out, is a perspective view on a square where the roads draw a four. Is it war?
Maybe.
But with Facebook falling under fire from privacy advocates recently, will Places stoke the smoldering fire into something more substantial?
Of course, you really need to try it to understand how it works. I’ve only begun to experiment with it, but not until I checked the updated privacy settings. It looks like Facebook did this one right and set the defaults to share, but only with your friends. It should probably default to sharing with nobody, but that’s what we have.

There is another area just below this one, however, that requires you to choose if you want to let your friends check you into places (boy this could be fun).
There are two settings for this one, either enable or disable. How much do you trust your friends? How tightly do you control your friend list? I just went through a detailed exercise of limiting and purging based on the settings Facebook provides for us, so having certain friends see my location would not be that big of a deal to me. That said, my ability to limit this to certain groups with the extra granular privacy controls seems a bit broken right now.
Before you go into the weekend, be sure to check your privacy settings and make sure you have it set the way you want, and then give it a shot!
by Branden Williams on August 17, 2010
in SBN
All we need to top off this post is a little old lady screaming “Where’s the Breach?” God bless 80s marketing.
A merchant out of Austin, Texas is claiming that a breach in their network came from Heartland Payment Systems (HPS), thus it must be their fault. While I am sure this is not the first merchant to be caught off guard, he’s certainly a creative one. Our culture in America seems to relish deflecting blame from oneself on to others.
Why, it couldn’t be me, it must be that guy over there.
What’s interesting about this particular case is that the quotes in the article are being interpreted in a manner that is inconsistent with these kinds of breaches and the kinds of services that HPS offers. I’ve seen a few blogs proclaiming a second Heartland breach, but I’m not sure what specifically would make someone leap to that conclusion. According to their website, HPS does not offer a managed POS solution today (Integrated POS is another story, but I don’t see this as being the issue here). Typically an independent dealer or Value Added Reseller (VAR) will sell the POS, manage it, and then send the payment processing component to companies like HPS. Unfortunately, that’s where things break down.
Restaurants are breached frequently. Restaurateurs rarely hire skilled IT staff to build out the systems that run the kitchen and dining areas (that’s what the VARs are for), but they typically find ways to use the basic on-premise IT components to differentiate themselves from their competition. Maybe they offer a community PC or free Wi-Fi connectivity to patrons so they can work remotely while enjoying the food and service the location provides. The diagram below depicts a typical restaurant setup:

Typical restaurant setup. Note location of Wi-Fi.
Does anything there seem odd to you? It should. In this case, a Wi-Fi access point is on the SAME NETWORK as the POS devices! The correct placement of a customer-facing Wi-Fi access point is between the firewall and the router, on its own segment, so that guest traffic never shares a network with the POS.
From the article linked above: “The spokesman is quoted as saying that somebody had hacked into a computer system ‘somewhere between Tinos’ point of sale and their credit card clearinghouse company.’” Kind of looks like that diagram, doesn’t it?
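To make the "same network" problem concrete, here is an added example (not code from the original post) that models a first-match, default-deny firewall policy and enumerates which guest-to-POS flows it allows. The addresses, hosts, ports and rulesets are constructed to mirror the flat diagram above and a segmented alternative; the payment gateway address is an assumption. The third ruleset shows the classic mistake of putting a broad "guest to anywhere" allow ahead of the "guest to POS" deny.

```python
"""Checking whether guest Wi-Fi can reach the POS segment.

Added example, not from the original post. Networks, hosts, ports and
rules below are constructed; 203.0.113.10 stands in for a payment
gateway and is an assumption.
"""
import ipaddress
from itertools import product


def build_rules(spec):
    """Turn (src_cidr, dst_cidr, dst_port_or_None, action) tuples into a ruleset."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), port, action)
            for s, d, port, action in spec]


def allowed(rules, src, dst, port):
    """First-match evaluation, default deny, like most packet filters."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in rules:
        if src in src_net and dst in dst_net and (rule_port is None or rule_port == port):
            return action == "allow"
    return False


def segmentation_violations(rules, guest_hosts, pos_hosts, ports):
    """Enumerate guest->POS flows the ruleset permits; an empty list means segmented."""
    return [(g, p, port) for g, p, port in product(guest_hosts, pos_hosts, ports)
            if allowed(rules, g, p, port)]


# The diagram's setup: access point and POS terminals share 192.168.1.0/24 and
# the LAN is implicitly allowed to talk to itself on any port.
FLAT = build_rules([
    ("192.168.1.0/24", "192.168.1.0/24", None, "allow"),
    ("192.168.1.0/24", "0.0.0.0/0", 443, "allow"),
])

# Guest Wi-Fi moved to its own network; the deny to the POS segment comes
# before the broad Internet allow, so 0.0.0.0/0 cannot leak it back in.
SEGMENTED = build_rules([
    ("192.168.50.0/24", "192.168.1.0/24", None, "deny"),
    ("192.168.50.0/24", "0.0.0.0/0", 80, "allow"),
    ("192.168.50.0/24", "0.0.0.0/0", 443, "allow"),
    ("192.168.1.0/24", "203.0.113.10/32", 443, "allow"),  # POS -> gateway only
])

# Same intent, wrong order: the broad allow matches first for port 443.
MISORDERED = build_rules([
    ("192.168.50.0/24", "0.0.0.0/0", 443, "allow"),
    ("192.168.50.0/24", "192.168.1.0/24", None, "deny"),
    ("192.168.1.0/24", "203.0.113.10/32", 443, "allow"),
])

POS_PORTS = [445, 3389, 5900, 443]  # SMB, RDP, VNC, HTTPS: typical POS exposure

if __name__ == "__main__":
    print("flat:      ", segmentation_violations(FLAT, ["192.168.1.50"], ["192.168.1.10"], POS_PORTS))
    print("segmented: ", segmentation_violations(SEGMENTED, ["192.168.50.20"], ["192.168.1.10"], POS_PORTS))
    print("misordered:", segmentation_violations(MISORDERED, ["192.168.50.20"], ["192.168.1.10"], POS_PORTS))
```

Run against real rules, the useful part is the enumeration: a QSA or the merchant can list every guest-to-POS flow a policy admits rather than trusting that "the Wi-Fi is on a different SSID" means anything at the network layer.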
One way credit card breaches are found is something called Common Point of Purchase (CPP) analysis. This analysis takes a set of known compromised cards and looks for the merchant they were all used at, which a merchant used by everyone would not explain. Once a CPP is identified, notification begins and an investigation ensues.
In the case of the original Heartland breach, multiple CPPs began coming in, all merchants that processed through Heartland, with the common cards showing up at multiple merchants. This caused the investigation to shift upstream to focus on Heartland, and we know the history behind that now. In this case, it’s a little too early to try and claim another Heartland breach. Maybe bloggers want to call this out just to say, “Look! SEE! I got something right for once!”
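The CPP logic described above, as an added example that is not part of the original post: rank merchants by how much more often they appear in compromised cards' histories than in clean cards' histories, then, when several independent CPPs clear through one processor, point upstream. All card identifiers, merchants, processors and transactions are constructed.

```python
"""Common Point of Purchase (CPP) analysis, worked on constructed data.

Added example, not from the original post. Cards, merchants, processors
and transactions are all made up for illustration.
"""
from collections import defaultdict


def find_cpp(transactions, compromised, min_lift=0.5):
    """Rank merchants by lift: share of compromised cards seen there minus
    share of clean cards seen there. A merchant everybody uses scores near
    zero; a merchant only the compromised cards share scores near one.

    transactions: iterable of (card, merchant, processor)
    compromised:  set of card identifiers known to be compromised
    Returns [(merchant, compromised_share, clean_share), ...] with lift >= min_lift,
    best candidate first.
    """
    seen_at = defaultdict(set)  # merchant -> cards observed there
    all_cards = set()
    for card, merchant, _processor in transactions:
        seen_at[merchant].add(card)
        all_cards.add(card)
    clean = all_cards - compromised

    ranked = []
    for merchant, cards in seen_at.items():
        comp_share = len(cards & compromised) / len(compromised) if compromised else 0.0
        clean_share = len(cards & clean) / len(clean) if clean else 0.0
        ranked.append((merchant, comp_share, clean_share))
    ranked.sort(key=lambda r: r[1] - r[2], reverse=True)
    return [r for r in ranked if r[1] - r[2] >= min_lift]


def upstream_candidates(cpp_merchants, processor_of):
    """When two or more distinct CPPs clear through the same processor, the
    investigation shifts upstream to that processor."""
    by_processor = defaultdict(list)
    for merchant in cpp_merchants:
        by_processor[processor_of[merchant]].append(merchant)
    return [(proc, merchants) for proc, merchants in by_processor.items() if len(merchants) >= 2]


# Constructed sample: c1..c5 are compromised, k1..k5 are clean. Every
# compromised card ate at CafeA; BigBoxMart is popular with everyone.
COMPROMISED = {"c1", "c2", "c3", "c4", "c5"}
TRANSACTIONS = [
    ("c1", "CafeA", "ProcA"), ("c2", "CafeA", "ProcA"), ("c3", "CafeA", "ProcA"),
    ("c4", "CafeA", "ProcA"), ("c5", "CafeA", "ProcA"),
    ("c1", "BigBoxMart", "ProcB"), ("c2", "BigBoxMart", "ProcB"),
    ("c3", "BigBoxMart", "ProcB"), ("c4", "BigBoxMart", "ProcB"),
    ("c2", "GasCo", "ProcB"),
    ("k1", "BigBoxMart", "ProcB"), ("k2", "BigBoxMart", "ProcB"),
    ("k3", "BigBoxMart", "ProcB"), ("k4", "BigBoxMart", "ProcB"),
    ("k5", "BigBoxMart", "ProcB"), ("k1", "GasCo", "ProcB"),
    ("k3", "CafeA", "ProcA"), ("k4", "CafeB", "ProcA"),
]
PROCESSOR_OF = {merchant: proc for _card, merchant, proc in TRANSACTIONS}

if __name__ == "__main__":
    print("CPP candidates:", find_cpp(TRANSACTIONS, COMPROMISED))
    # Two separate CPP findings at restaurants that both use ProcA
    print("upstream:", upstream_candidates(["CafeA", "CafeB"], PROCESSOR_OF))
```

The lift term is what keeps a big-box retailer from being flagged just because most cardholders shop there; with only the compromised-card share, BigBoxMart would look nearly as suspicious as CafeA.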
Based on the information in the article and what I can ascertain from other sources, this looks no different than any other of the thousands of restaurant breaches that occur every year.
by Branden Williams on August 12, 2010
in SBN
They totally are! Giving us this little tiny preview of upcoming changes without really getting too specific. It’s like me saying, “Dude, that chick is HOT!” Then when you ask me to describe her I say, “It’s a lady all right!”

Teased, by urbanlatinfemale
OK, back to the real reason you are reading this, the changes to PCI DSS and PA-DSS slated to drop on October 28 are outlined here.
The majority of the document reviews the new lifecycle, how and why changes are made, and the three general types of changes outlined: clarifications, additional guidance (which is just a fancy way to say clarification), and a requirement that is evolving based on new threats or a change in the market. This release represents a positive step by the Council to help key stakeholders understand what is coming, but falters on the execution a bit.
Those that have been working with PCI DSS for any period of time quickly learn that the devil is in the details. While this overview is helpful for us to understand where the Council is moving, most of the actual change will be driven by interpretation. On the surface, a significant amount of the change appears to adjust the wording to reflect the intent of the requirements. This is increasingly important in areas that are seeing increased drive and focus on compliance. As new QSAs are certified, the changes will help make up for interpretation nuances that experience will eventually yield.
One particularly noteworthy change is the note on the scope of an assessment. While we don’t know the ACTUAL change yet, it doesn’t appear that some kind of DLP tool will be required to validate scope. That said, it certainly would play a key component in scope validation in addition to interviews. I don’t believe QSAs could attest and validate scope without tools in conjunction with interviews.
Another change that specifically popped out at me was the centralized logging requirement for PA-DSS. It may signify a lack of attention to detail by QSAs assessing companies that deploy products capable of complying with PA-DSS. Many PA-DSS compliant applications can be configured in a non-compliant way, and with downward price pressure on QSAs, sometimes shortcuts happen. I’m not saying that I’ve ever done it, but I’ve walked into a customer that had their entire POS environment ignored because the assessor saw it on the PA-DSS compliant application list.
I wouldn’t rush to download and read the five page release, but put it in your “to read sometime” pile. Your best bet may be to register for the webcast on August 24th, but unless Russo gets something more than a prepared statement based on this document, that’s probably not even worth attending (except to see if someone torpedoes his notes like the last one).
by Branden Williams on August 5, 2010
in SBN

kitten, by Clevergrrl
Have you checked out ISSA Connect yet? The next issue is up there with my column, Embrace the ISA Program. Some industry folks fear the empowerment that the Internal Security Assessor program from the Council brings to the table. I, for one, see it as an opportunity to more accurately assess PCI compliance. Oh, and the Hoffacino makes a cameo.
If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!
by Branden Williams on August 4, 2010
in SBN
This one is link-laden, folks. Enjoy!

SeparatedEggs, by YoAmes
It’s mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well.
Many merchants and service providers mistakenly depend on their QSAs to find all security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to get a complete and compliant ROC in the cheapest way possible. QSA companies are motivated by three main things:
- Scope and price the deal in a manner that will win the business,
- Make (or beat) the margin, and
- Stay off the remediation list.
If you enter into a contract expecting your QSA to find everything, or to be some form of liability transfer, you are misleading yourself into a false sense of security [1]. QSAs are indirectly trained to create great reports, but in order to gain the efficiency required to compete, much of the ROC is complete before the engagement even starts. The executive summary and details in each requirement still need to be written, but you can’t do much more for 10-20K.
This is not to say that you should start spending hundreds of thousands of dollars on QSA assessments, but when you consider that many assessments are performed with only one assessor for a short period of time, shouldn’t you ensure that you are not just going through the motions of fooling a hurried QSA?
Let’s assume that your QSA is better than most and is helping you work through security AND compliance issues. Why would you let your QSA design your controls as well as assess against them? Gartner published an opinion in 2007 that the Payment Card Industry has much to learn from the financial auditing industry—in particular the notion that the firm providing validation services should not be the same firm to provide consulting solutions around security and PCI DSS [2].
Sure, it’s easier to deal with one firm instead of two, but are you really getting what your management is (at least in spirit) asking for? It should be validation that you are in fact compliant with PCI DSS, to lower the chances of a breach and to ensure that if one occurs, you won’t be subject to the same fines as an entity that was found to be non-compliant.
That is why you need to use a different firm for consulting around security and PCI than you do for assessment or audit work. It’s the same generally accepted principle that you would use in other audit scenarios, and it will lead to a better overall result:
You will gain confidence [3] that you are both more secure and compliant after spending ridiculous sums of money to meet that end state.
It may not be the easiest way to go, but it certainly makes for a generally better outcome.