Sep 01 2009

Audit of security control and scoping

Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm

scope

Information Technology Control and Audit

The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.


Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

Aug 24 2009

Vulnerability management and regulatory compliance

Category: Security ComplianceDISC @ 8:09 pm

Threat and Vulnerability Management in the Ent...
Image by Michele Mondora via Flickr

Information security requirements are growing for financial, healthcare and government sectors. Especially a new ARRA and HITECH provision for HIPAA mandates compliance for business providers/vendors.
The business owners have seen growing number of government and industry specific regulations for protecting the confidentiality, integrity and availability of data from ever growing threat landscape. Now most of the regulatory compliance has some teeth, organizations who may not fully comply shall face serious penalties which include but not limited with fines, civil and criminal penalties.

Those days are gone when manual vulnerability management use to be sufficed to satisfy the auditors. Vulnerability management can assist management in operational compliance. Most of vulnerability management organizes vulnerabilities by severity level. Severity level is determined by business impact and how easily the attacker can exploit the vulnerability. Remediation can be prioritized based on the asset categorization. Asset categorization is based on company scale (L,M,H) which is associated with overall business impact of an asset to the company.
The best way to automate vulnerability management is to use software as a service (SAAS). SAAS vendor run their application on a secure server (web, database), which user operate with a web browser on a secure SSL connection. SAAS provider handles all the maintenance of SAAS infrastructure. Organization security staff can spend most of their time on remediation rather than running manual vulnerability management. Automated vulnerability management shows ongoing compliance with standards and regulations and provides documentation for audits.


Reblog this post [with Zemanta]

Tags: Security, Security Scanners, vulnerability

Aug 18 2009

Control selection and cost savings

Category: Security Risk AssessmentDISC @ 3:53 pm

rm-process

Information Security Risk Analysis

In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks

• Avoidance (eliminate)
• Reduction (mitigate)
• Transfer (outsource or insure)
• Retention (accept and budget)

Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.

Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.

On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.

Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system


Reblog this post [with Zemanta]

Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management

Aug 10 2009

Managing Risks and NIST 800-53

Category: Security Risk AssessmentDISC @ 5:48 pm

logo of en:National Institute of Standards and...
Image via Wikipedia

FISMA Certification & Accreditation Handbook

The organizations need to establish security program to manage their day to day risks. Before selecting the controls from standards such as (NIST 800-53 or ISO 27002), organizations need to have complete inventory of the assets involved in the scope. Assets involved in the scope would require a comprehensive risk assessment to determine the sensitivity/criticality of these assets. Depending on the categorization of these assets will determine an appropriate control from standard to mitigate relevant risk. In some cases supplemental controls may be required.

Management of risks involves the risks to the organization with the operation of an information system or information security management system. Risk management is an effective frame work for selecting appropriate security controls for an information system and assist in selecting of appropriate security controls to protect assets.

Both ISO and NIST standards follow the similar path in control selections. NIST 800-53 has 163 high level controls and 154 medium level controls which have around 95% mapping with ISO 27002 which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information system, NIST encourages its use in commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map to their security strategy and assist in making informed decisions for securing their information assets.

The management of day to day risks is a key element in an organization’s information security program and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for information system. ISO utilize PDCA (Plan, Do Check, and Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST on the other hand utilize the similar framework for selecting and managing appropriate controls for information system and is called risk management framework security life cycle. Copy of the NIST risk management framework security life cycle is available to see an eerie resemblance with PDCA model.

nist_rmf1

Around 80% of critical infrastructure resides in private sectors which required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets, however in some cases one standard might fit better in your environment then the other or perhaps you are able to manage one standard better then the other. Both standards required their information system to be audited or reviewed by authorized organizations to achieve apporpriate certifications.

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management

Jul 28 2009

PCI DSS Law and State of Nevada

Category: Information Security,pci dssDISC @ 12:09 am

Information Security Wordle: PCI DSS v1.2 (try #2)
Image by purpleslog via Flickr

45 States followed California when they introduced “SB1386”, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!

From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

Not only does this effect Navada-based organisations, it affects EVERY organisation that collect or transmit payment card information about any person who lives in Nevada.

Where One leads – others WILL follow!


Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: california, Credit card, Nevada, Payment card, pci dss, privacy, Security, Texas

Jul 16 2009

Common Information Security lapses

Category: Information SecurityDISC @ 4:36 pm

Information Security Wordle: RFC2196 - Site Se...
Image by purpleslog via Flickr
User Security
  • Opening email attachments with integrated email clients

  • Not updating client software

  • Downloading untrusted software

  • Not creating or testing backups

  • Using wireless router connected inside the LAN

    • Strategic Security

  • Not providing training to security personnel

  • Only addressing physical security, neglecting data security

  • Not validating security fixes

  • Relying on firewall for all security needs

  • Not evaluating impact on reputation and data of security breach

  • Not implementing long term security decisions, relying on hot fixes to put out fires

  • Not addressing issues, neglecting security as policy

    • Operational Security

  • Not hardening internet connected host

  • Connecting test systems to the internet

  • Not updating systems on a regular and emergency basis

  • Using unencrypted protocols for management, reporting

  • Choosing bad default user passwords, changing passwords in insecure manner, or notifying users in insecure manners

  • Not testing or maintaining backups, not understanding the intricacies of backup software and procedures


    • Tags: Backup, Information Security, poor security, Security, security mistakes

    Jul 08 2009

    Cyber attacks on US Government websites

    Category: CybercrimeDISC @ 4:51 pm

    cyberattack
    Image by Boyce Duprey via Flickr
    Associated Press reported by Hyung-jin Kim, Wed Jul 8 “South Korean intelligence officials believe North Korea or pro-Pyongyang forces committed cyber attacks that paralyzed major South Korean and U.S. government Web sites, aides to two lawmakers said Wednesday.”

    See the details at the link below:
    Cyber attacks on South Korean and U.S. government Web sites

    Information Warfare: How to Survive Cyber Attacks

    Cyber Threat

    Cyber Security


    Tags: cyber attack, cyber attacks, cyber crime, cyber criminals, cyber security, cyber terrorism, cyber threats, Cyber-warfare, cybergeddon

    Jul 07 2009

    Cloud Computing Pros and Cons

    Category: Cloud computingDISC @ 6:19 pm

    Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

    Cloud computing is the future of the computing, which happens to provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Basic idea behind cloud computing is the accessibility of application and data from any location as long as you are connected to the internet. Cloud computing makes the laptop the most essential tool to get the job done.

    For example Hosted Email (SaaS) Security provides safeguards at the Internet level, eliminating spam and malware before they reach your internal network infrastructure. The hosted email provides centralized security with built-in redundancy, failover, and business continuity, while easing network and security administration. In the hosted email software as a service the security controls are at work at the internet level. It’s about time to expand the corporate perimeter beyond firewall and one of the major benefit of cloud computing is to give organizations capability to implement security controls at internet level and eliminate threats before they reach the internal network.

    An online backup service is another example of software as a service (SaaS) which provides users with an online system for backing up and storing computer files.

    Cloud computing incorporates several different types of computing, including:
     software as a service (SaaS)
     platform as a service (PaaS)
     infrastructure as a service (IaaS)

    It is a range of technologies that have come together to deliver scalable, tailored and virtualized IT resources and applications over the Internet.

    Cloud Computing have several benefits and potential risks which you may want to know before signing a contract with a cloud vendor.



    Cloud Computing benefits

  • Users can avoid capital expenditure on hardware, software, and other peripheral services, when they only pay a provider for those utilities they use;

  • Consumption is billed as a utility or subscription with little or no upfront cost;

  • Immediate access to a broad range of applications, that may otherwise be out of reach, due to:

  • The lowering barriers to entry;

  • Shared infrastructure, and therefore lower costs;

  • Lower management overhead.

  • Users will have the option to terminate a contract at any time, avoiding return on investment risk and uncertainty.

  • Greater flexibility and availability of ‘shared’ information, enabling collaboration from anywhere in the world – with an internet connection.


    • Cloud computing associated risks

  • Cloud computing does not allow users to physically possess the storage of their data which leaves responsibility of data storage and control in the hands of their provider;

  • Cloud Computing could limit the freedom of users and make them dependent on the cloud computing provider;

  • Privileged user access – how do you control who has access to what information?

  • Security of sensitive and personal information lay with the vendor. How do you explain this to your customers when their data is compromised without sounding like you’re ‘passing the buck’?

  • From a business continuity stand point, can you rely on each vendor to have adequate resilience arrangements in place?

  • Long-term viability — ask what will happen to data if the company goes out of business; how will data be returned and in what format?



    • Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Recomended books on cloud computing

    Reblog this post [with Zemanta]

    Tags: Cloud computing, cloud computing article, cloud computing benefits, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing network, cloud computing platform, cloud computing risks, cloud computing security, cloud computing services, cloud computing solutions, cloud security, cloud services, Infrastructure as a service, Platform as a service

    Jun 30 2009

    Security controls and ISO 27002

    Category: Information Security,ISO 27kDISC @ 1:56 pm

    seeyourdataUsually security breach occurs due to lack of basic security controls or lack of effective control which is not relevant over the time. Security controls also disintegrate over the time due to lack of maintenance and monitoring.
    According to Privacy Rights Clearinghouse survey, the top three breaches resulted from laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most of the security breaches happen during the state of non-compliance. The most famous TJX security breach happens in 2007, at the time of the breach TJX complied with only 3 out of 12 PCI-DSS requirements.

    Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse of not understanding the relevant regulations and standards requirements to your business and having a clear security strategy which explains how to achieve the compliance down the road. Also your security strategy will be an evidence of your due diligence to secure your critical assets. On the other hand big organizations have enough resources to implement security controls, but for whatever reason they often do not have clear strategy how to establish security controls.

    Information security is not a onetime static process but an ongoing assessment of risks in your business, where you need to understand the your critical assets, classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures , training, security reviews and continuous monitoring.

    One of the most popular baseline for security controls is the international standard ISO 27002 – Code of Practice for Information Security management. ISO 27002 have 11 security clauses and 133 security controls are high level which provides a reasonable guidance for implementing an Information Security Management System (ISMS). Due to ISO 27002 broad scope, it’s relevant to every industry and size of business.

    Organization should have a baseline of security controls before barging onto complying with PCI or HIPAA regulation. ISO assessment will help you to understand what controls are in place and assist you with security strategy and later will become a measuring stick for your ISMS.

    Ongoing compliance is achieved by monitoring the relevant controls. Ongoing compliance will depend on the quality of your information security management system (ISMS). ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.

    Related articles by Zemanta

    [TABLE=2]


    Reblog this post [with Zemanta]

    Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse

    Jun 22 2009

    Access to computers on sale

    Category: CybercrimeDISC @ 3:09 pm

    Cybercrime

    According to SF chronicle article by Deborah Gage (June 17, 2009, c1) a troublesome online network for buying and selling access to infected computers has been discovered by security researchers. The name of the group is GoldenCashWorld which sell access to online infected computers such as web server, mail server, database server etc. Infected computers are utilized to send spam, SQL injections, XSS attacks, buffer overflow attacks and spread viruses and worms.

    According to the article this underground network already have access to more than 100,000 websites and 40% of these compromised computers reside in the United States. This is a growing threat to individuals and business assets in United States which should be taken seriously by National Cyber security Divisions.
    GoldenCashWorld is a global underground ring which requires an international law to crack this nut.

    Online Secure Remote Backup solution
    Online crime ring detected
    Guide to Computer Forensics and Investigations

    Cyber Crime Growing Global Threat
    httpv://www.youtube.com/watch?v=ZHmFiueQm5A


    Reblog this post [with Zemanta]

    Tags: buffer overflow, cyber crime, GoldenCashWorld, NCD, online infected computer, San Francisco Chronicle, Spam, SQL injection, xss

    Jun 17 2009

    Credit card authorization process weakness

    Category: Information Security,pci dssDISC @ 3:09 pm

    A diagram showing the front side of a typical ...
    Image via Wikipedia

    Credit Repair Kit For Dummies (For Dummies (Business & Personal Finance))

    Credit card authorization sequence:

    1) Creditholder swipes card at merchant. A request is sent to merchants bank
    2) Merchants bank “asks” processor to determine the cardholder bank
    3) Processing network finds cardholders bank and request approval for purchase
    4) Cardholders bank approves purchase and generates a approval code
    5) Processor sends an approval code merchants bank
    6) Merchants bank sends approval code to merchant
    7) Purchase is complete and cardholder receives a receipt

    “Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”

    Weak security enables credit card hacks

    Credit Card Fraud Made Easy
    httpv://www.youtube.com/watch?v=m5UE5fXRyKs

    Related articles by Zemanta


    Reblog this post [with Zemanta]

    Tags: Credit card, credit card privacy, credit card secure, credit card security, credit card theft, secured card, visa card

    Jun 10 2009

    How ARRA and HITECH provisions affect HIPAA compliance

    Category: hipaaDISC @ 4:02 pm
    HIPAA Compliant Seal

    Image by Kestelnon via Flickr

    HIPAA Plain and Simple

    How ARRA and HITECH provisions will affect HIPAA compliance. We will highlight the changes to HIPAA due to these new provisions and discuss a possible solution, how to comply with these new HIPAA security and privacy requirements. American Recovery and Reinvestment Act of 2009 (ARRA) was signed into a law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes in Health Insurance Portability & Accountability Act (HIPAA).

    2/17/210 applies to business associate – Covered Entity (CE) can apply the HIPAA provisions to Business Associates (BA) through business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. CE should revise their business associate contracts to reflect the changes before the deadline.

    Civil Action & Penalties – State Attorney General can prosecute neglect and individual can receive monetary compensation. HIPAA now have teeth with monetary, civil and criminal prosecution.

    Breach Notification – Notification to individual, HHS and media – Notification become more formal if the affected residents are more than 500. Use appropriate public media for cases involving more than 500 individuals. A breach requires notification, which is activated when there is an incident of “unsecured protected health information”.

    Accounting for disclosure – CE is accountable for its BA disclosure of Protected Health Information (PHI)

    Sale of Protected health Information – CE and BA cannot receive payment in exchange of PHI without an individual authorization. CE and BA are required to tell patients about disclosure of PHI for payment, treatment and administrative operation.

    HIPAA compliance and how to manage your risks to healthcare assets:

    HIPAA requires CE to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However HIPAA did not provide specific guidance as to what measure and controls will be appropriate.

    ISO 27001 provides the basis to build an Information Security management System (ISMS), where organization can develop its own ISMS by applying controls from ISO 27002 code of practice. Only those controls apply which relate to its business objectives and the potential risks to the business. One document which is required to build ISMS is the Statement of Applicability (SoA) which explains why each of the 133 controls from ISO27002 is included in SoA and justification of the remaining controls which are not included. You can build ISMS suitable to your HIPAA needs, a healthcare organization could use its ISMS to ensure that HIPAA security standards required controls were selected from ISO 27002 and appropriately implemented. You need to certify ISMS (ISO 27001) to provide an ongoing assurance to HHS and healthcare business associates which can provide an edge in this downturn economy and more opportunities to enhance business worldwide.

    5 HIPAA Rules Regarding Text Messaging

    Resources:
    CMS audit checklist
    NIST guide for implementing HIPAA

    Reblog this post [with Zemanta]

    Tags: American Recovery and Reinvestment Act of 2009, arra, Health Insurance Portability and Accountability Act, hipaa, hipaa laws, hipaa privacy, hipaa security, hippa compliance, hitech, Protected Health Information

    Jun 04 2009

    Virtualization and compliance

    Category: Cloud computing,VirtualizationDISC @ 1:04 am

    Virtualization madness
    Image by lodev via Flickr

    The core technology utilized in the cloud computing is virtualization. Some organization may not want to jump into cloud computing because of inherent risks can take a shot at virtualization in their data centers. Virtualization can be utilized to reduce hardware cost and utility cost. Organization that might have 100 servers can consolidate into 10, where each physical machine will support 10 virtual systems will not only reduce the size of data center, but also hardware cost, and huge utility bill savings.

    Virtualization was being utilized to increase efficiency and cost saving, which is now turning into centralized management initiative for many organizations. In centralized management patches, viruses and spam filter and new policies can be pushed to end points from central management console. Policies can be utilized to impose lock out period, USB filtering and initiate backup routines, where policies can take effect immediately or next time when user check in with the server.

    The way virtualization works is OS sits on an open source hypervisor which provides 100% hardware abstractions where drivers become irrelevant. With OS image backed up at management console, which allows virtualization technology a seamless failover and high availability for desktop and servers.

    As I mentioned earlier, virtualization allows enforcing of policies on end points (desktops). As we know compliance drive security agenda. If these policies are granular enough which can be map to existing regulations and standards (SOX, PCI and HIPAA) then virtualization solution can be utilized to implement compliance controls to endpoints. It is quite alright if the mapping is not 100% that is where the compensating controls come into play. The compliance to these various regulations and standards is not a onetime process. As a matter of fact standard and regulation change over time due to different threats and requirements. True security requires nonstop assessment, remediation’s and policy changes as needed.

    Related articles by Zemanta

    Reblog this post [with Zemanta]

    Tags: Cloud computing, Data center, Health Insurance Portability and Accountability Act, hipaa, Hypervisor, Open source, PCI, Security, sox, Virtualization

    May 28 2009

    PCI compliance is essential and why you have to

    Category: pci dssDISC @ 3:18 pm
    Image result for pci dss compliance

     

    During this down turn economy organized cyber crime is a booming underground business these days. Most of the security expert and FBI agree that cybercrimes are on the rise and pose a biggest threat to US vital infrastructure. Cybercriminals are thieves in cyberspace who will swipe the sensitive data and sell to other criminals in their community, who might turn around and ask for ransom to keep the data private or perhaps resell to the highest bidder again in the black market. The risk of getting caught is minimized by legal jurisdiction and neglected by huge monetary gains. Motivated by potential gains, cybercriminals are determined to exploit the vulnerabilities of the target rich environment. Another issue to this problem is that our personal and private information has potential to be exploited at various locations such as banks, credit card companies, credit debit card processor, credit report companies and merchants etc…

    Level 1, 2 and 3 merchants usually follow security best practice, allocate enough resources and try to maintain PCI compliance. On the other hand level 4 merchant are usually not compliant and have security vulnerabilities which are easy picking for cybercriminals, which is a primary reason why more security breaches happens to level 4 merchants. PCI was apparently created to safeguard the credit card and debit card data. PCI DSS standard are managed by PCI Security Standard Council.

    The most significant reason to comply with PCI is because you have to.

     

    PCI DSS address the baseline security for payment card infrastructure and ROI is a total cost of ownership. PCI DSS cannot guarantee absolute security but making organization to adhere to due care security justify its cost and use. As far as liability goes the security breach will be very detrimental in the state of non compliance which will include fines, legal fee and possibly lose the credit card processing ability. To motivate themselves, merchants should also remember that their customer’s data is worth a lot of money to cyber criminals.

    The trick is keeping the state of compliance – true security of credit card holder data requires nonstop assessment and remediation to ensure that likelihood and impact of the security breach is kept as low as possible. PCI compliance is not a project; it’s an ongoing process of assessment. PCI assessor utilized defined set of controls objectives to assess the state of compliance. PCI provides an option of doing internal assessment with an officer sign off.
    Merchants should monitor and assess to keep compliance on ongoing basis. Implement defense in depth mechanism and apply security control at every layer (network, application, operating system, and data). The idea is to make their job hard enough so the attacker moves on to easier target.

    Check my previous posts regarding PCI DSS.
    pci-dss-misconceptions-and-facts
    pci-dss-significance-and-contractual-agreement

    Vulnerability Scanner that scans your machine, reports back on vulnerabilities, and provides solutions to fix them

     

    Recommended books to implement PCI DSS compliance process

     

    Tags: Credit card, defense in depth, level 4 merchant, Merchant Services, pci dss, PCI Security Standard Council, roi, Security, Total cost of ownership

    May 18 2009

    Security breach and notification

    Category: Security BreachDISC @ 1:05 am

    California Flag
    Image by victoriabernal via Flickr

    California was the first state in the nation to pass a data breach notification law in 2003, and it’s now planning to broaden the notification for companies doing business in the state. Notification will require specific information about the breach to the consumer and send notices to the state authorities at the same time.

    The notices which consumers currently receive are basically too little too late, meaning they might say that your information may have been compromised and these notices may be released several months after the incident.

    notice

    California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

    Current notification does not inform you where and how your credit card information was compromised so that at least you can stop shopping from that merchant. When consumers ask specific questions regarding the breach to the credit card company customer service representative, they will deny any knowledge of the breach and will say something along the lines of, when all the legal information has been taken care the credit card company will send you a detailed letter about the breach.
    Now in case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, that particular notice might have “crying wolf” effect and consumers might not take any action.

    Last week a well publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows lack of monitoring control and due care.
    When a young college student affected by the breach receives a “may have been breached” notice he or she immediately will worry about his/her credit and possibility of identity theft. Now the question is why a student has to bear the burden of the negligence by the merchant or campus and lack of reasonable security safeguards. After issuing such notice that the private information “may have been compromised,” the responsibility of keeping an eye on your credit is transferred to you. The problem is some fraudulent transactions might not be noticed for at least a year.



    Reblog this post [with Zemanta]




    Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley

    May 06 2009

    Rise of cybercrime and management responsibility

    Category: Information Security,Information WarfareDISC @ 5:08 pm

    ITIL Security Management
    Image via Wikipedia
    According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazine’s annual “State of the Net” survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at www.consumerreports.org

    Uncertain economic time brings new threats and scams and most of the security experts agree that there’s a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

    First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.

    Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.

    PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives don’t address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.

    [TABLE=2]

    Related articles by Zemanta

    Reblog this post [with Zemanta]




    Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security

    Apr 28 2009

    PCI DSS Misconceptions and Facts

    Category: pci dssDISC @ 7:13 pm

    Information Security Wordle: PCI Data Security...

    M1 – We are relatively small company so we don’t have to worry about PCI compliance
    F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

    M2 – PCI DSS is either a regulation or a standard
    F2 – It‘s a neither a standard nor a regulation. It is a contractual agreement between card associations, the merchant banks and merchants

    M3 – We neither understand PCI and nor have in house expertise to address compliance
    F3 – PCI document clarify most of the questions in business terms but get help to interpret technical questions. Due care imply to understand your requirements to comply and protect your data

    M4 – PCI has no ROI and simply too much for a small business
    F4 – PCI address a baseline security for payment card infrastructure and its ROI is a total cost of ownership

    M5 – Why bother when some companies get breached even though they were compliant
    F5 – PCI DSS compliance is not a onetime process it is an ongoing process to maintain it

    M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
    F6 – Yes, on the questionnaires has to be validated through scan. Vulnerabilities need to be resolved before submitting the report to merchant bank

    M7 – My application and POS equipment are PCI compliant
    F7 – PCI DSS compliance apply to an organization neither to an application nor an equipment

    M8 – PCI compliance addresses the security of the whole organization
    F8 – PCI DSS does not addresses the CIA for the whole organization but only card holder data security

    M9 – Data breach will not affect the business revenue
    F9 – Become level 1 (cost of monitoring), lose card acquiring ability, forensic charges and fines

    M10 – We don’t need to scan PCI assets
    F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

    M11 – Merchants can use any application to transmit, process and store PCI data
    F11 – Not really, beginning 2010, merchants can only use payment applications validated under the payment application data security standard (PA-DSS)

    M12 – We have compensating control in place so we are covered
    F12 – You still have to prove how well compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run











    Documentation Compliance Toolkit



    PCI Compliance



    Practical guide to implementation (Soft Cover)



    Practical guide to implementation (Download)



    Reblog this post [with Zemanta]




    Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security

    Apr 22 2009

    RSA and cybersecurity

    Category: Information SecurityDISC @ 6:52 pm

    SAN FRANCISCO - FEBRUARY 6: Art Coviello, Exe...
    Image by Getty Images via Daylife
    This week I was in attendance with thousands of people from all over the globe at RSA conference in Moscone Center San Francisco. The conference offers variety of training tracks and this year included two new tracks physical security & governance and risk & compliance. Since Novell CNE was one of my first professional certification, I was glad to see Novell making some headway’s in information security arena, especially Deloitte was promoting Novell identity management solution in the conference.

    The cloud computing is the buzz word for this year conference. As far as virtual environment boundaries are concerned , it’s hard to say where it start and where it ends which complicate the matters and complexity of the cloud will introduce new threats and risks. With that in mind cyber security appears to be worse than last year. Attendance might be bit low this year due to budget cut but the conference floor was packed with vendors and enthusiastic audiences.

    Most of the security expert understand that companies are cutting budgets and might be decreasing their investment in security. Having a proactive security strategy and spending the security dollars wisely is the key to success of a business in this downturn economy. One thing to understand about information security, there is no ROI (return on investment) in security. ROI is a total cost of ownership.

    Another concern in the conference is that the threats and fraud goes up during downturn economy. Companies should have comprehensive policies to tackle insider threats regarding disgruntled employees who might be at verge of getting laid off to prevent them from stealing intellectual property.

    There is an outstanding line of keynote speakers like Melissa Hathaway, federal acting senior director of cyberspace. She advised the current (Obama) administration. She will be discussing issues like how much federal government should be involved in protecting critical assets like power grids. The conference like RSA helps security professionals to sharpen their skills and work in collaborative manners to successfully defend their organizations from attackers.

    Related articles by Zemanta

    RSA Conference 2009 Highlights
    httpv://www.youtube.com/watch?v=BAxAagvmu6w

    Reblog this post [with Zemanta]




    Tags: Cloud computing, Consultants, Information Security, Melissa Hathaway, Moscone Center, Obama, RSA Conference, San Francisco, Security

    Apr 15 2009

    Growing social networks and widening threats

    Category: Information Privacy,MalwareDISC @ 2:08 am

    Jump on the social media bandwagon
    Image by Matt Hamm via Flickr
    The worm targeted a social network Twitter with four attacks and created havoc for couple of days. This worm happens to self replicated itself when clicked on but didn’t steal 6 million users personal information.
    According to SF chronicle article by Michael Liedtke (Apr. 14 2009, c2) Twitter deleted 10,000 tweets after a worm makes a squirm.

    “The worm was intended to promote a Twitter knock off, StalkDaily.com. It displayed unwanted messages on infected Twitter accounts, urging people to visit the website.”

    With all the resources of a big company Twitter was unable to quarantine the worm and the only way to get rid of the worm was to delete 10,000 Twitter messages, known tweets. The social network growth is widening the threats and making an inviting target for hackers and scam artist with a treasure trove of personal information. People personal and in some cases private information is up for grab unless we enact policy protections against these scam artists to pursue legal action.

    How to clean Twitter worm “StalkDaily” aka “Mikeyy”

    Reblog this post [with Zemanta]




    Tags: facebook, San Francisco Chronicle, Social network, Twitter

    « Previous PageNext Page »