Aug 09 2009
I wander away from the computer for a day or two and look what breaks out: an argument about PCI that I didn’t even take part in. I’m insulted that Nick Selby and Mike Dahn had fun without me! Actually, Nick’s rant on how compliance is the downfall of humanity, or at least of security, is amusing, even if it’s a little over the top, but it’s the fact that Alex Hutton admitted in the comments that he’s come around to appreciating compliance that made the whole post worth reading for me. I like Mike’s response and especially appreciate his point that security professionals have to stop using compliance as a scapegoat for not securing their data. “I couldn’t secure my company because I was spending too much time worrying about being compliant!” is the excuse too many security professionals are using. If you’re not close to being compliant through the security efforts you already have in place, you’re fooling yourself into thinking you were anywhere near secure in the first place.
Nick’s original article was interesting and amusing. Mike does a pretty good job of picking it apart and reminding us that the ultimate responsibility for securing the data lies with the security professional, not with PCI or any other compliance structure. But what really makes this whole discussion worth reading is Alex’s comments, as well as several of the other comments in the stream. If you don’t read Alex’s blog, take the moment or two needed to add it to your RSS feeds.
I’m one of the first to admit that PCI isn’t perfect. It’s a one-size-fits-all structure that doesn’t really fit any business. It’s a bunch of guidelines and ‘best practices’ that have been thrown together and are slowly evolving into something that might actually be cohesive in another five to ten years. But the point people keep missing is that PCI should not be driving your security philosophy; your security philosophy should be driving you to a position where compliance is just a series of check boxes. If you’re secure, if you’re really taking the steps needed to secure your environment, compliance should just be about validating those controls, not something that’s driving you to distraction and taking up all your time.
Branden Williams recently wrote about this as well: “PCI is easy”. PCI is a series of prescriptive controls you need to have in place around your cardholder data. If you’re securing your data properly, then it shouldn’t be a big stretch to become PCI compliant. But if you want an idea of how secure a company would be without PCI, take a few minutes to review their cardholder data environment after they’ve had a good QSA on-site and compare it to the rest of their environment. If all, or even most, of the same controls are in place around the rest of their network, chances are they were secure in the first place and didn’t need to do a lot to be compliant. On the other hand, if you look at a company whose non-PCI network is much looser and less secure than their PCI network, you have a pretty good idea of how insecure their environment would be without compliance. How does your own PCI environment differ from the rest of your production environment? If you can’t say that your non-PCI environment is as secure as your PCI environment, you’ve already lost the argument against compliance.

Aug 04 2009
This week we wrap up our coverage of Defcon, and Chris Hoff joins us to provide his psychic reviews. That’s right, Chris couldn’t make the event, but he was there with us in spirit, and on tonight’s show he proves it. Chris also debuts his first single, “I Want to be a Security Rock Star”. Your ears will never be the same.
Network Security Podcast, Episode 161
Time: 41:22
Show Notes:
Aug 03 2009
When heading to Las Vegas for Black Hat and Defcon, there are a number of basic security measures many of us take. Phone wireless off: check. Phone Bluetooth off: check. Laptop wireless and Bluetooth off: check. Use an ATM that’s nowhere near either Caesar’s or the Riviera: check. That turned out to be a very good decision, as a fake ATM showed up at the Riviera and the machines at the Rio Hotel were debiting accounts but not dispensing money. And people were wondering why the ATMs on the conference floor at the Riviera were all unplugged from power when we arrived. Of course, the network cables for the ATMs were still in place, but I hope the hotel was proactive enough to disable those ports on the switch as well. The fact that I saw one hotel information machine with an error message about network connectivity tends to support that possibility.
It’s no joke that the networks at Black Hat and Defcon are called some of the most dangerous networks in the world. Attendees take the safety of their computers into their own hands when they connect to either network. The best answer is not to connect to the network at all if you can avoid it, but if you have to connect, encrypt every packet and every connection, and use a computer with a fresh, patched image that you wipe as soon as you get back from the event. These aren’t the only steps you should have taken over the last week, but they’re a good start.
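“Encrypt every packet and every connection” is easy to say and easy to get wrong: one DNS lookup or one auto-updater that fires before the VPN is up goes out in the clear. The way to enforce it is a firewall that drops everything except the VPN tunnel itself. The script below is an added example for this post, not something from the original article: it generates an nftables “kill switch” ruleset for a Linux laptop, and the VPN server address (203.0.113.10, a documentation address), port (1194/UDP) and tunnel interface (tun0) are assumptions chosen for illustration; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): a VPN "kill switch" for a laptop
# on a hostile conference network. Default policy is drop in both directions;
# the only cleartext traffic permitted is DHCP and the UDP exchange with the
# VPN server, so everything else must ride the tunnel interface or it goes
# nowhere. Server, port and interface below are illustrative assumptions.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # hypothetical VPN endpoint (TEST-NET-3)
VPN_PORT="${VPN_PORT:-1194}"               # assumed OpenVPN-style UDP port
VPN_IFACE="${VPN_IFACE:-tun0}"             # assumed tunnel interface name

# Emit an nftables ruleset. The server is given as an IP on purpose: with this
# ruleset in place there is no cleartext DNS, so a hostname could never resolve.
build_ruleset() {
  server="$1"; port="$2"; iface="$3"
  cat <<EOF
flush ruleset
table inet killswitch {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    iifname "$iface" accept
    ip saddr $server udp sport $port accept
    udp sport 67 udp dport 68 accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    oifname "$iface" accept
    ip daddr $server udp dport $port accept
    udp sport 68 udp dport 67 accept
  }
}
EOF
}

# Turn off the radio the post says to leave off. Wi-Fi is left alone here
# because on most conference floors it is the only path to the VPN server.
radios_off() {
  if command -v rfkill >/dev/null 2>&1; then
    rfkill block bluetooth
  fi
}

# Without "apply" the script only prints the ruleset for review; with "apply"
# (as root) it loads it into the kernel and blocks Bluetooth.
if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
  radios_off
  build_ruleset "$VPN_SERVER" "$VPN_PORT" "$VPN_IFACE" | nft -f -
else
  build_ruleset "$VPN_SERVER" "$VPN_PORT" "$VPN_IFACE"
fi
```

Load it before the laptop ever associates with the conference network (for example from a script that runs at boot), not after, since the rules only govern packets sent from that point on. The rules deliberately avoid conntrack state matching so that a connection opened before the ruleset was loaded cannot keep leaking through an “established” exception. IPv6 is covered by the `inet` table and, since no IPv6 exception is listed, is dropped entirely, which is the safe default on a network you do not trust.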
Along the same lines, it was a good idea to take out the money you thought you’d need before you ever got to Las Vegas for last week’s events. I have to admit I didn’t take this precaution myself; I was busy and forgot to hit an ATM before boarding the plane for Vegas. I had to take my chances with an ATM in my hotel, which luckily was not Caesar’s, the Riviera or the Rio. I chose a machine that was in a heavily monitored and travelled area, looked for anything suspicious and crossed my fingers. So far it looks like my luck has held.
It’s no joke that ATMs are not secure. Many of them run on a Windows OS and carry all the vulnerabilities that come with Windows, especially since I highly doubt many ATMs are configured to patch themselves with any regularity. Plus there are little things like the software my coworkers at SpiderLabs found on ATMs in Europe earlier this year. The fact is, the entire ATM infrastructure is under attack at both the physical and the virtual level. And if someone like Chris Paget, a professional who specializes in credit card and hardware security, can’t recognize a compromised machine on sight, the rest of us don’t have much of a chance.
It’ll be interesting to see how this plays out. The fake ATM that was placed in the Riviera lobby will likely hold a fair amount of interesting forensic evidence, not least the potential for fingerprints inside the machine. The attackers might have thought it was a fairly harmless joke to show how stupid other security professionals can be, but I doubt the FBI will show much of a sense of humor. The Riviera staff likely took the most prudent route in disabling their ATMs in the conference center, but this sort of antic has to be trying the patience of a hotel that needs the business Defcon brings.