Payment Card Security & IT Controls Explained

Entries from May 2008

The Greatest Free Security Tools, by James DeLuccia

May 30, 2008 · 1 Comment

Tyson Kopczynski of NetworkWorld has an article highlighting 6 free tools the security minded shouldn't live without. He highlights a few of the numerous available tools, but neglects a few foundational security applications. He suggests the following tools (comments added):

  • Metasploit - a superb tool! Necessary for everyone. It provides the user with a clear understanding of the true risks of chaining vulnerabilities, provides concrete results, and is led by one of the most brilliant crews around. Be aware this tool should be used with caution on pre-production systems, and only on systems that are redundant.
  • Splunk - excellent interface that allows for excellent review of large amounts of data. A great tool if the budget exists; other resources are Zenoss and Nagios.
  • Google - always great for data mining, but check out the data exploration tools below as an addition to your arsenal.
  • KeePass - centrally locating your passwords is great, so long as you use a secure key. FYI, this is not a proper alternative to your enterprise's key management process.
  • Helix - Knoppix is a great platform to work from and a top tool in my kit.
  • Netwox - never used this particular tool, but the capabilities speak for themselves.

Check out his full article, which describes their usage and his thoughts on each tool, here.
Personally I would add the following for any individual charged with security responsibilities (who isn't these days?) and for those key individuals tasked with attesting to the state of an environment (so, yes, I would expect auditors for PCI DSS and AICPA / PCAOB efforts to leverage such tools):

  • Wireshark (formerly Ethereal) - network sniffer that is useful for superb network diagnosis and analysis of network traffic (i.e. finding cleartext communications carrying cardholder data and such things).
  • Nessus - of course, a great vulnerability scanner to quickly assess the state of an environment (use in conjunction with deeper assessment tools, such as Metasploit).
  • BackTrack - in lieu of a generic LiveCD, this is a great - cheap / free / zero effort - security environment to get your feet wet, and super simple to customize to create your own company / personal security tool environment.
  • John the Ripper - test password strength, i.e. truly validate whether passwords are meeting secure settings. Also check out Ophcrack, which comes as a LiveCD and utilizes rainbow tables.
  • Wireless / access point security testing tools in your kit should include: The Shmoo Group (not a tool, but they lead the way in Bluetooth, 802.11, and other channels), Aircrack-ng, Kismet, and you may experiment with wicrawl (here is a video of their presentation at Defcon 15).
  • Tyson recommends Google as a discovery tool, and it is an excellent tool (check out here where a custom search identifies SSN and credit card data in cached pages), but there are others - in no particular order of preference check out SEAT (Search Engine Assessment Tool), an information collection tool, and Bidiblah by Sensepost ($).
  • Extreme packet manipulation (for those with savvy technical backgrounds) is ideal for truly testing the resilience and secure coding practices of the systems on your network. Check out Scapy for such a test.

As an example, PCI DSS Requirement 11, the FFIEC Information Security booklet and numerous others define the expected level of vigilance that must be taken.

A long-standing universal reference for security professionals has been this list hosted by Insecure.org (developers of Nmap) - click here for the top 100 tools. This list is based on votes from users of the tools and includes supported platforms, UI, and whether it costs any dough.

Please add comments for the best security tools that address your challenges. Free is preferred, but products with nominal fees can be worth the expense. If any of the above are unknown to you, download them and experiment; it truly is the only way to understand your control environment.

Best,

James DeLuccia

Categories: IT Controls · Payment Card Industry Data Security Standard · Security

Enterprise Risk Management (ERM) Programs - Maximizing Risk with Biz Culture

May 19, 2008 · No Comments

Establishing an IT control environment that is agile and appropriate to an organization is a primary objective of IT Compliance and Controls, a recent book I released based on a global effort. The Institute of Internal Auditors this month in their regular publication, "Internal Auditor", has a great article, "The Right Fit: Auditing ERM Frameworks" by Alexandra Psca, defining how auditors within an organization can evaluate an in-progress or mature Enterprise Risk Management (ERM) program.
What is refreshing about this article is the author's ability to communicate the reality that a full ERM program is unlikely to fully exist in every organization, and that the presence of a program may come in different styles and colors. When implementing and managing the enterprise risks of an organization it is prudent to recognize the following:

  • ERM is designed to help the organization maximize risk in the daily course of business, not to be a roadblock. Focus on enhancing the risk environment.
  • Organizations have organic controls that are established through natural placement by internal teams, and these work products make up the full control environment. Therefore, be sure to be perceptive when forming an ERM program, and diligent in leveraging these already present accomplishments.

ERM is designed to reflect the organization's operations and risk; therefore one size won't fit all.
For greater analysis I encourage you to pick up a copy of this periodical from your local Internal Audit department. As the concerns of PCI DSS, GLBA, FISMA, FFIEC, and EU Directives highlight these programs' importance, managers and executives must be sure to manage the growth and adoption of these programs to achieve the enterprise goals.

Alexandra’s article is republished here too.
Best regards,

James DeLuccia

Categories: IT Controls · PCI DSS · audit

Crosswalk for SOX: COSO Guidance & ISO 9001:2000

May 19, 2008 · No Comments

Sarbanes-Oxley is still of importance to U.S. firms, and is becoming more so as similar IT control government initiatives come due globally (EU-SOX and J-SOX, to name only two). To that effect, whenever I see some helpful information for firms I like to repost it. A nice crosswalk was done here that provides a comparison between the stalwart COSO model for Sarbanes-Oxley and ISO 9001:2000. The table provides a simple, down-to-earth view highlighting what organizations should be considering in their governance programs, and specifically in their IT control environments.
The immediate takeaway for readers is that focus on the human side of the business plays a massive role in the achievement of technology safeguards.

Thanks to the author (Sandy) for providing this work, and please add comments to other hidden gems out in the online community.

Best,

James DeLuccia

Categories: Compliance · IT Controls · regulations

HITB Security Conference Presentations now available!

May 7, 2008 · 1 Comment

There are simply too many great conferences in the world to attend each and keep the lights on at the home office. In April the HITB Security Conference 2008 in Dubai had a few excellent presentations surrounding current issues for PCI DSS corporations (application security), and several insights into other areas of concern for global security. The full presentation files are available here. A few of the presentations I would recommend for your review are listed below (title, summary, and author are pulled from the conference agenda, as the downloads are only referenced by speaker name):

Shreeraj Shah (Director, BlueInfy)
Presentation Title: Securing Next Generation Applications – Scan, Detect and Mitigate
Presentation Details:

McKinsey's recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking sites but are forming the backend to enterprise-level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation is going to cover the following important aspects of next generation application security.

- Footprinting, Scanning and Crawling of Web 2.0 applications.
- Ajax and Flash based XSS for Web 2.0 application.
- One-Way and Two-Way Cross Site Request Forgery for XML and JSON streams.
- Threat Model 2.0 for Web 2.0 applications.
- Hacking and Securing Service Oriented Architecture (SOAP, XML-RPC and REST based applications)
- Strategic security controls by leveraging Source code scanning and application layer filtering.

This presentation will be full of real life cases, live demonstrations, new tools and techniques along with in-depth coverage on the latest concepts and methodologies.

Raoul Chiesa (Board of Directors Member @Mediaservice.net, ISECOM Group & TSTF)
Presentation Title: Penetration Testing SCADA and National Critical Infrastructure: Real-Life Experiences and Case Studies
Presentation Details:

The SCADA acronym stands for "Supervisory Control And Data Acquisition", and it's related to industrial automation inside critical infrastructures. This talk will introduce the audience to SCADA environments and their totally different security approaches, outlining the main key differences from typical IT Security best practices.

We will analyze a real-world case study related to industry. We will describe the most common security mistakes and some of the direct consequences of such mistakes to a production environment. In addition, attendees will be shown a video of real SCADA machines reacting to these attacks in the most "interesting" of ways!

Petko D. Petkov [pdp] (GNUCITIZEN)
Presentation Title: For My Next Trick… Client-Side Hacking
Presentation Details:

This paper describes numerous techniques for attacking client-side technologies. The content of the paper is based on the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.

The slides on the new vectors of attack in the Web 2.0 arena (which represents at least one instance where every piece of our data is accessed, managed, and manipulated) are interesting and educational.

Of course, as much fun as the slides are, the presenters are really the show, so I do encourage everyone to contact and contribute to the community where you are able.
Client-side software generally refers to a class of computer programs that are executed on the client, by the user's supporting environment, instead of on the server. Both clients and servers are in constant interaction. In a Web environment, the client is represented by the user's web browser, while the server is the remote computer that serves dynamic content. In a much broader context, the client-server relationship can be represented by a network client connected to a WiFi network.
All the best,

James DeLuccia

Categories: Compliance · Security