Entries from March 2008
I woke up this morning and was encouraged to see the FTC continue on its efforts to monitor the technology safeguards of companies in at least a consistent and security-risk minded approach. Now, while I am not a fan of unnecessary regulations and always feel a healthy bit of regular evaluation and expiration is necessary, it is suitable for companies that clearly do not abide by best practices are more closely supervised. This ruling by the FTC is consistent with that which was ruled for ChoicePoint in Georgia.
An interesting point is the scope of the required audit (physical safeguards through digital) and basic controls referenced under PCI. Specifically the FTC charged that TJX:
- “Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
- Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
- Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
- Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
- Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.” Press Release by FTC
The additional news, and expected given PCI DSS policies, on the release was that the company would undergo regular future audits separate from the government audit that will extend for 20 years.
Catch the full press release here, the Choicepoint ruling here, and the WSJ article here.
Please post any other articles that expand on this… or your thoughts if the FTC is the right body to do this type of monitoring, as it has been a twist on their established authority.
Best regards,
James DeLuccia
Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · audit · information security
There have been recent attacks that threaten the physical integrity of systems, but can be mitigated through the adherence to PCI DSS, and increased vigilance. The recent news stories on Firewire exploits, RAM downloads, Full Disk Encryption weaknesses, and magnetic access card vulnerabilities highlight the necessity of a review of the PCI physical and monitoring safeguard requirements that mitigate these risks. There is plenty of technical discussion and Proof of Concepts on these attacks, and it is important that we understand how they threaten our card holder data and enterprise viability.
Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. ” (PCI DSS v1.1)
- Section 9.1.1 (video monitor sensitive areas) would detect attackers accessing your sensitive servers and secured workstation areas that contain cardholder data - a good detective control for the Firewire, Disk Encryption, RAM, and Magnetic Card reader attacks
- Section 9.2 (Identification) control would contribute to detecting someone bypassing the access control doors if the office was small, or the identification used color codes that signified what employees have access to what areas. (The need for unique identification for employee access levels is that visual access and duplication of one badge is easy, but having the correct type of badge in the right area is more challenging and raises the likelihood of detecting an unwanted guest).
Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”
- Section 10.2.1 and 10.2.4 require use to maintain audit logs of events for all users and on systems that contain sensitive data. This would provide rapid identification of unauthorized attempts due to the magnetic card attack. Usage of triggers would ensure that actions may be taken promptly and through regular review as required under 10.6.
I further investigate this topic of controls and hardware based attacks at IT Compliance and Controls. In addition I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3 Access and Authorization and starting on page 173 of IT Compliance and Controls - Best Practices for Implementation (my newly released book).
Please feel free to add comments, additional controls thoughts, and any other approaches that these safeguards manage the risks to our organizations.
Best,
James DeLuccia IV
Upcoming Speaking Engagements:
Categories: Compliance · Governance · IT Controls · PCI DSS · Security · audit · information security
A recent article was published that proffered that companies need not hire expensive consultants to meet PCI compliance. The author goes on to detail the best approach is to first - walk through the documents internally, and second - document your controls. I whole heartedly agree that self reflection and properly recording controls is absolutely pivotal to reaching compliance with PCI, and in fact you could apply it to any mandate or legal burden.
I feel however the author has left a few rocks unturned, and wanted to highlight additional practices (demonstrated by clients in the U.S.) that can maximize your efforts in demonstrating, maintaining, and operating a compliant control environment.
Align control environments and produce a single repository:
Organizations should consider how their existing control environments are deployed, and whether other attestation events will examine the same systems. It is very likely that the identity management system, firewall, logging servers, anti-virus, etc that are identified as core controls for PCI are also applicable to SOX, FERC/NERC, and many others. So, identifying what controls are in place, and then producing a single set of audit documentation can maximize the audit engagement and remove duplication.
Consider having more than one audit at a time:
Audits are done to examine a period of time in the past to validate that the controls are operating correctly. If audit events are stretched out over several months then the test period in question shifts with the audits, and while it is good for the organization to maintain an optimal level of compliance due to these long audit windows it is also extremely wasteful. Similar to the alignment savings, having to provide the logs of your LDAP server once instead of six times has obvious benefits and results in clear savings.
Assign an internal resource to conduct your PCI audit:
Merchants required to produce a report on compliance to VISA and the other card associations may hire an assessor, OR through an “internal audit if signed by an Officer of the company“. That can translate to very large savings both in audit fees and the fact that internal audit departments (or assigned persons) will have greater knowledge of the business than an outsider. A note of caution to this saving recommendation - third parties come with experience of multiple environments (likely areas of weakness), and without assumptions made and accepted by being part of a culture within a company. Extreme diligence must be taken when internal resources are relied upon - especially if those assigned are those running the environments (fox watching hen house).
There are many other areas of savings that can be achieved for PCI, and a larger amount of practices for SOX, and others… but another time. I welcome any additional areas of savings people have seen!!
Best regards,
James DeLuccia IV
IT Compliance and Controls Book Release is March 19th 2008!! Pre-Order Today
Upcoming Speaking Engagements:
Categories: Compliance · PCI DSS · Payment Card Industry Data Security Standard · ROI · audit
