Author Archives: Darryl MacLeod

PCI-DSS 3.0: Translating new credit card data security rules

Merchants that process, store, or transmit credit card data are now required to be compliant with version 3.0 of the PCI Data Security Standard (PCI-DSS).

There are a small number of requirements that are considered best practice until July 1, 2015. After which, they become mandatory.

Now you could search through the rather substantial standard to find the requirements in question, but I’ve saved you the trouble.

The PCI-DSS says:

“8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

To prevent the compromise of multiple customers through the use of a single set of credentials, vendors with remote access accounts to customer environments should use a different authentication credential for each customer.”

In short: Merchants need to hold their service providers accountable!

The PCI-DSS says:

“9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Criminals attempt to steal cardholder data by stealing and/or manipulating card-reading devices and terminals. For example, they will try to steal devices so they can learn how to break into them, and they often try to replace legitimate devices with fraudulent devices that send them payment card information every time a card is entered. Criminals will also try to add ‘skimming’ components to the outside of devices, which are designed to capture payment card details before they even enter the device.”

In short: Make sure your physical POS hardware is secure!

The PCI-DSS says:

“11.3 Implement a methodology for penetration testing that includes the following:

  • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
  • Includes coverage for the entire CDE perimeter and critical systems
  • Includes testing from both inside and outside the network
  • Includes testing to validate any segmentation and scope-reduction controls
  • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
  • Defines network-layer penetration tests to include components that support network functions as well as operating systems
  • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
  • Specifies retention of penetration testing results and remediation activities results

The intent of a penetration test is to simulate a real-world attack situation with a goal of identifying how far an attacker would be able to penetrate into an environment. This allows an entity to gain a better understanding of their potential exposure and develop a strategy to defend against attacks.”

In short: Test and verify the effectiveness of your network segmentation!

The PCI-DSS says:

“12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

This requirement applies when the entity being assessed is a service provider. It is intended to promote a consistent level of understanding between service providers and their customers about their applicable PCI DSS responsibilities. The acknowledgement of the service providers evidences their commitment to maintaining proper security of cardholder data that it obtains from its clients. The method by which the service provider provides written acknowledgment should be agreed between the provider and their customers.”

In short: Update your contracts to include this acknowledgement!

If you need to implement any or all of these requirements, do it now. Do you really want to wait until June 30, 2015?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

RFID Skimming Hits Close To Home

January is typically the time of year when most of us are scared to look at our bank and credit card statements. It doesn’t help that when we do, we find fraudulent transactions or, even worse, our accounts are maxed out or drained completely of funds.

This happened to some 400 people in Nova Scotia, Canada this past December. It is believed they were victims of RFID Skimming.

RFID security breaches are nothing new, but it has typically happened in bigger cities. Atlantic Canadians were caught completely off-guard, including a close family member of yours truly.

That being said, I am not accusing any organization of failing to notify customers of RFID skimming.

What is RFID Skimming?

RFID Skimming is a form of digital theft, which enables information from RFID based smart cards, also known as “tap” cards, to be read and duplicated. It works by reading the RFID chip at a distance using an RFID scanner, which downloads the card information. It can then be written to a new blank card, which then operates in the same manner as the original legitimate card. Because the data is identical on both cards, and the information is only copied, it makes no difference if the original data is encrypted or not.

How can you protect yourself?

  • RFID blocking sleeves, pouches, or wallets which are lined to protect RFID-enabled cards. Unfortunately, like any other wallet, these will most likely wear out in time.
  • Aluminum foil is a simple, low-tech approach that creates a sleeve with a limited useful lifetime. On the other hand there may be limits as to how well this works. It may simply make transmission more difficult (but not impossible).
  • An Altoids tin or duct tape wallet (seriously).
  • Disable the RFID functionality on the card. This can be accomplished in a few ways. You could microwave or drill a hole through the chip, but your card issuer might frown upon that. You could also call your bank or card issuer to see if they can disable the functionality from their end.

These measures will increase the security of your RFID-enabled cards, but they are far from being foolproof. The best way to stay protected against rogue RFID scanners is to minimize your reliance on RFID-enabled tools; quitting cold turkey really is the only guaranteed protection. But if you can’t find a way around it, then you can safeguard your cards with the methods listed above.

For the record, I am now the proud owner of an RFID blocking wallet.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Threat Risk Assessment: A Quick Primer

‘Tis the season for data breaches!

From an information security perspective, the news has been downright depressing lately. In the wake of recent career-halting data breaches, it couldn’t hurt to start thinking about threat risk assessments for your organization.

While there are numerous types of threat risk assessment methods, they all try to answer the same questions in regards to organizational assets:

  •      What needs to be protected?
  •      Who and/or what are the threats and vulnerabilities?
  •      What are the implications if they were damaged or lost?
  •      What is the value to the organization?
  •      What can be done to minimize exposure to the loss or damage?

The objective of a threat risk assessment is to provide recommendations that can maximize the organizational protection of confidentiality, integrity, and availability while still allowing functionality and usability.

The primary phases of a threat risk assessment are:

  • Scope: This phase identifies what needs to be protected, the sensitivity of what is being protected, and what systems and applications are included in the assessment.
  • Data Collection and Analysis: This step involves collecting and analyzing all policies and procedures that are in place to determine any applicable gaps in documentation. Systems and applications identified in the scope are audited to determine their current state. Key personnel are normally interviewed during this stage as well.
  • Vulnerability Analysis: This step takes what was identified in the data collection/analysis and determines the current exposure, and whether current safe guards are sufficient in terms of confidentiality, integrity, or availability. It will also indicate whether the proposed safe guards will be sufficient. The vulnerabilities are graded according to the level of risk that they pose to the organization.
  • Threat Analysis: Threats are described as anything that would contribute to the tampering, destruction, or interruption of any service or item of value. This analysis will look at every element of risk that could conceivably happen. Threats must be looked at as they relate to the business environment and how they can affect that environment. These threats are graded in a similar manner as vulnerabilities.
  • Determination of Acceptable Risk: This step involves the analysis of the findings to help determine, with the help of key stakeholders, what level of risk is acceptable to the organization.

A threat risk assessment should be a continual process that is reviewed regularly to determine if current safe guards are still effective.

If you don’t perform some form of a threat/risk analysis, you leave your organization open to a world of hurt that could destroy your ability to conduct business.

For further information, please see Dell’s whitepaper on the current and future state of IT security.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Compliance: Hard core Dell users get it!

I arrived at Dell World in Austin Texas on November 4. For the record, I was not a Dell customer attending a Dell customer event—an outsider of sorts, not to say that I didn’t feel welcome. The famous Texas hospitality was more than evident!

Luckily I was able to select conference sessions ahead of time, as the selection was massive. Naturally, I gravitated towards any sessions that revolved around information security.

I attended a session which discussed compliance from a user’s perspective… how to effectively achieve it on your own, or as I like to call it “How to make the auditor happy.”

Data breaches are rampant… almost commonplace in this day and age. A week rarely goes by without at least one large corporation in the news for losing personally identifiable information due to inadequate security controls. Information security awareness is higher than it’s ever been, but understanding complex compliance requirements is an intimidating endeavour to say the least. Many users are starting to self-assess (even if not officially required to), but eventually get bogged down by the technical details and jargon. Hiring a security auditor is always an option, but many lack the financial resources to do so. Being able to attend sessions like these at Dell World is a great benefit to both its users and partners.

Here are some of the key takeaways from the discussion:

1. How to manage by automation

  • Administer and revoke access rights and permissions
  • Implement best-practice compliance reporting
  • Protect, retain and retrieve data for on-the-fly investigations
  • Enforce compliance with company policies across desktops, laptops, etc.

2. How to remediate by changing the way you operate

  • Implement preventative controls
  • Establish policy over accounts, privileges and resources
  • Establish perimeter boundaries through application control and visibility

 3. How to think like an auditor

  • Track security and performance indicators
  • Audit and report on user activity
  • Perform checks for segregation of duties
  • Enable real-time alerts
  • Establish Security and Compliance awareness training
  • Analyze access rights and permissions to critical data
  • Determine configuration settings and set baselines

There were numerous opportunities for me to reveal myself as a PCI Qualified Security Assessor during the session, but I decided to stay quiet in order to hear unbiased opinions from the attendees.

I wasn’t disappointed. The questions from the audience were thoughtful and challenging. They know too well that the real world often gets in the way when it comes to implementing adequate security controls, but at the same time they are taking compliance seriously.

It warms this auditor’s heart. Well done Dell.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.

Infosec Isn’t The Gated Community You Think It Is

Years ago I saw an online ad for the Security B-Sides Halifax conference in Halifax, Nova Scotia, Canada. I was working as an information security professional at the time, but I had never attended any “Infosec” conferences. The introvert in me didn’t like the idea.. “I wouldn’t fit in.”

Then I started thinking..

“If you want to get anywhere in this industry, you need to get yourself out there.”

So I did.

Upon further research, I discovered that Security B-Sides Halifax was happening the day after the first annual Atlantic Security Conference. I logged into LinkedIn, found the Atlantic Security Conference organizer, and connected with him via a mutual connection.

To make a very long story short, I now sit on the Board of Directors for the Atlantic Security Conference. I organize my own Security B-Sides event and other local technology user groups in my area. I’m working in a field that I only dreamed of a few short years ago.

Infosec professionals are actually a very sociable group once you take the time to reach out. The community is very welcoming, which is surprising because the majority of us are introverts.

Follow these simple steps to break into the community.

1. Twitter

If you don’t have a Twitter account, get one. Seriously, get one now! There’s a very large Infosec community on Twitter. Follow #infosec. Take part in the discussions. Follow the users who also take part in those discussions. Post relevant information, a link to a personal blog post, or just a link to an interesting Infosec story you found. If you have an Infosec question, ask it! You may be pleasantly surprised at the response time and quality of the answer(s).

The next thing you know, you will be sitting next to someone at an Infosec conference that you follow on Twitter. This still happens to me on a regular basis.

2. Network

We have all heard about networking over and over, but it actually does work!

Find local tech user groups in your area. If there are none, start one! The user groups don’t have to necessarily revolve around Infosec. Just get out and meet new people with an interest in tech.

If you can, volunteer at a conference. If you can’t volunteer, attend one, like DellWorld for example. Either way, you will meet industry professionals who may be willing to help you later on in your career. 

3. Present at conferences and user groups

If someone told me three years ago that I would be presenting at conferences, I would have said they were nuts.

I presented at a conference a few weeks ago.. my sixth in the last three years.

I actually hate presenting, but it gets easier each time. The more I push myself, the better I feel when the talk is done. I know plenty of speakers who feel the way I do, but they put on some awesome talks!

It doesn’t take much to get started. Start small with a lightning talk (5-15 minutes in length).

So get out there and push through that locked gate. You can thank me later when we meet in person at DellWorld.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.