It’s Monday morning, time to write up a quick cluster of notes from some of the reading I’ve accumulated over the last week or so. My reading continues in its normal PCI-related theme, though there are a couple additional articles to review. Pay special attention to Catching the Unicorn by Jennifer Jabbusch!
- Prepare Ye List of PCI Grievances – I don’t agree with many of David Taylor’s criticisms. His first request, asking for more guidance from the PCI Council, is a double-edged sword; merchants are going to complain if the guidance is too prescriptive as well. In fact, many already are. One thing I do agree with David on: I’d like to see the whole PCI chain of information under the same or very similar rules.
- Infotec 2010 – April 13-14, 2010, Omaha’s annual security convention
- Catching the Unicorn: A technical exploration of why NAC is failing – I’m still working my way through this paper. It’s technical enough to be challenging for me, but not so dry as to put me to sleep.
- Rescue CD 3.11 – F-Secure’s latest bootable recovery CD (or USB key)
- Free backup and recovery for Windows – I’m testing this out but haven’t been terribly impressed so far; its backup is not quite as automatic or as easy as I’d like, and the synchronization options are minimal.
- First Data, RSA push tokenization for payment processing – I’m glad to see more players are getting into this space, I’d like to see a few good products come to market.
- 5 tips to protect your business from online banking fraud – These are all good ideas, whether you’re talking about your company’s banking or your own.
- PCI Virtualization SIG closer to proposing changes to standard – If these can get put in the proposed changes for PCI 1.3/2.0 early next year, we could see them incorporated next August or so when we’re due for a new revision of the PCI standards.
- Drudge, other sites flooded with malicious ads – Why go after the big companies that have some experience at protecting their networks when you can go after a secondary provider and have even better reach?
- Microsoft: Google Chrome Frame makes IE less secure – In the grand scheme of things, the Chrome Frame probably does introduce additional attack vectors, but not enough to draw the picture Microsoft is trying to make.
A new survey has been released by Imperva and the Ponemon Institute concerning the effectiveness of PCI; despite the best intent and efforts of many security professionals, this survey points out that PCI is only having a limited effect in stopping digital thieves from stealing credit card information. One of the most telling statistics from the survey is that the majority of companies, 71%, treat PCI as a tactical maneuver rather than a strategic initiative. In other words, too many companies treat PCI as a checklist of requirements rather than using it as an overarching plan. And in the end, the checklist approach is always going to be less secure and leave more vulnerabilities than viewing PCI as something to be incorporated into long-term thinking on security.
It’s not that PCI is ineffective in and of itself; there are few who can still argue that the PCI requirements aren’t basic security measures that should be implemented by almost every business. You can argue that PCI doesn’t go far enough or that there’s too much left open to interpretation, but the majority of the PCI requirements are logical and make sense to implement. The Ponemon survey does point out that one of the major flaws of the system is that merchants are only looking at credit card numbers, leaving large amounts of other sensitive information, such as Social Security numbers and bank account details, unaddressed. And as much as I wish PCI could address this data as well, it’s going to remain outside of the purview of the credit card industry for the foreseeable future.
What’s ineffective is how we use PCI to secure our enterprises. Only 27% of all companies are using PCI as a lever to raise awareness of security in their enterprises. And by ‘raise awareness’ I mean ‘get the money to implement needed security measures’. Security is always a fight for the budget needed to implement, in large part because preventative measures are a hard sell when you can’t point to direct consequences or benefits. I’ve always argued that the greatest benefit of PCI is to be had by using it to garner support for security initiatives and gain the resources needed to implement security measures. However, it requires thinking about security strategically, which can be very hard if you view PCI as just another set of requirements that are getting in the way of doing your job.
And that is the crux of an effective implementation of PCI versus an ineffective one; if you view PCI as a part of your security program and something that can be used to implement security, then the chances of it positively impacting your enterprise are pretty good. But if you view PCI as just another annoyance that’s distracting you from your real security job, the chances are it will have little or no positive influence on your security posture. Like so many things in life, the effectiveness of PCI is going to be based on how you look at it and how you choose to incorporate it into your strategies. Funny how that works, isn’t it?
If you haven’t read it yet, you owe it to yourself to download and read the 2009 Data Breach Investigation Report from Verizon Business. It backs up much of what the Ponemon Institute has discovered and should be required reading for every serious security professional. You can also listen to my interview with one of the authors, Wade Baker, from this year’s RSA Conference.
Before we dig into this week’s security news, we diverge (slightly) to talk about Emergency: This Book Will Save Your Life and disaster planning. I (Rich) read the book last week and found it to be a ton of fun; it’s the story of a journalist who slowly descends into the rabbit hole of the survivalist community. Well written, with plenty of good advice and stories. It’s not really a survival guide, more of a personal story and lessons learned.
I had a bit of a shock as I realized that most of my disaster plans aren’t relevant anymore as my life status has changed. I used to be single, in Colorado, and part of the response infrastructure (which means access to a ton of resources). Now I’m married, with a child and pets. I can’t really run off with a backpack and play hero if something bad hits.
We also delve into some IT-related disaster planning, so this isn’t a complete non sequitur.
Network Security Podcast, Episode 167
To get $300 off Hacker Halted 2009 in Miami, Florida from September 23-25, click on the banner below, select VIP Pass under Conference Pass and enter code “HHUSA-MM-AP999”
I’ve had a few opportunities to install Firefox lately, first on a new netbook, then again on the netbook when I installed Windows 7, and a third time while setting up a new work laptop. It’s given me a good chance to figure out what’s really important to me in Firefox and how to get the most real estate on my desktop in the Firefox window. The first thing I always install in Firefox is the NoScript plugin, which is probably the same first step most security professionals take. I follow that up with AdBlock Plus, Tab Mix Plus and finally Scribefire. But the real gain in screen space came yesterday when I discovered a Lifehacker article, Maximize Firefox 3.5’s viewing area for your netbook. I strongly suggest you think about trying some of these modifications to your Firefox configuration even if you’re on a desktop; the additional space is definitely worth it.
One caveat to the Lifehacker article is that I couldn’t find the userChrome.css file in Windows 7. Thanks to Twitter I found out later in the day that the file doesn’t necessarily exist by default; it’s something you may have to create by copying an example file. Of course, by the time I found this out, I’d already figured out ways to perform several of the same tricks in the Lifehacker post using Tab Mix Plus and tweaking the about:config settings in Firefox. You can remove the new tab button in Tab Mix Plus by unselecting “New tab button” in the Tab Bar tab of the Display options. If you type ‘about:config’ in an empty tab, you can control a number of Firefox configuration elements you wouldn’t have access to otherwise. My favorites are disabling the delay in installing new plugins and making search bar results open in a new tab. I now return you to your regular security conversations.
Bill Brenner’s recent article, 4 ways to get the most from your PCI QSAs, hits the nail on the head. His very first point is especially germane in my experience; merchants and service providers need to be sure they’re picking a QSA company that can successfully evaluate their particular environment and is not just the lowest bidder. Too many companies treat PCI and their QSA as a nuisance that they have to put up with for several weeks a year and can ignore the rest of the time.
My best assessment experiences have been with companies that treat PCI and their QSA as a way to effect change in their environment and are honest with themselves and the QSA. I’ve often asked the security manager of a company what they need to do to secure their corporation and what I can do as their consultant to help effect those changes. It’s often surprising how many security measures have been resisted by management when the request is coming from internal security but will be okayed the moment an external consultant or assessor mentions how the measure will help make compliance easier. I’m sure I’m not the only one who’s ever used an external authority figure, like a QSA, to push for a new tool or policy I needed to secure my enterprise.
Another point in Bill’s article to be especially aware of is that your QSA is going to find weaknesses in your enterprise if they dig. It’s a fact of life that mistakes happen, configurations get changed, policies aren’t written as tightly as they could be, and we’re all human. I have yet to encounter an enterprise in which I couldn’t find some misconfigured system or a minor point of the PCI requirements misinterpreted. The secret is to build a relationship with your assessor before that point, so that you feel comfortable with this discovery, that it is taken as a positive event that allows you to learn, and that the assessor isn’t a bad guy trying to tear down your hard work. Every QSA I’ve ever talked to about it is trying their hardest to help you secure your enterprise and leave you in a better security stance than when they arrived.
The worst experiences I’ve had as a QSA are with companies that thought I was their enemy or that the best way to get through their assessment was to try to distract me from what’s really happening in their enterprise. The best you can hope for under those circumstances is that you’ll pass your assessment, but you won’t actually gain anything from the experience the QSA brings to the table and your enterprise. You may have gotten certified for another year, but it undermines your own security and the effectiveness of the PCI process. In a worst-case scenario, you won’t pass your assessment because of what the QSA ends up finding despite your best efforts, or you’ll pass your assessment by covering up weaknesses and end up being compromised through one of the systems you hid during the assessment.