Entries categorized as ‘Governance’

Back in Atlanta after a week in San Francisco for RSA’s annual conference on security. This being my first year in attendance I have no comparison from prior years, but have heard that the crowds were a bit lighter than usual. I spent a great deal of time enjoying the sessions, speaking privately with the incredible roster of speakers in the “speakers lounge”, and engaging the vendors in the expo. Overall I would definitely say it was worth the time and expense. Anyone looking at shortlisting their conference list should include RSA next year. Of course, you make your own conference - I actively sought out and engaged experts in specific areas, and methodically evaluated each solution offered by the vendors. As in any good project, I attended with several objectives and action items, which proved extremely valuable:
- First, I vetted the speakers and the sessions prior to arriving. This is key to determining the type of presenter and their prior experience (i.e. I prefer to avoid “sales” people giving presentations on areas that their product “happens” to address). I prefer to seek out either the founders (engineers) of companies who play in a space, in-field practitioners, or those who have such a broad range of experience that they can speak on a specific topic.
- Second, I set three objectives for attending - any more and you are stretching yourself too thin and won’t enjoy the experience. Mine for RSA this year were to:
  - Identify and map each vendor solution into a solutions matrix based on architecture and core controls for the top 50 regulations / standards.
  - Seek out practitioners who have successfully established frameworks or governance structures in global corporations.
  - Identify trends from the strategic perspective.
My takeaways from the conference were a disproportionate focus of vendors on DLP, a lack of comfort in practitioners dealing with multiple regulations, and a steady and unexpected level of confusion in addressing PCI.
This year RSA is posting the recordings of the sessions online for post-conference viewing. Other conferences in the past year have made these available to the public, and hopefully RSA will follow suit. In any case, be sure to watch for detailed postings on research and notes from the speakers (if you could not attend or are unable to view the archived recordings), and personal / company recaps.
Bottom line - I tremendously enjoyed being an invited speaker on a topic that engaged a capacity room and required the organizers to drag us out of our room to continue it in the halls. My post-conference takeaway is that I have not sufficiently communicated my research, and I hope over the coming months I can provide greater value to the industry at large.
Kind regards,
James DeLuccia
Categories: Business Agility · Governance · PCI DSS · Security · conference
There have been recent attacks that threaten the physical integrity of systems, but they can be mitigated through adherence to PCI DSS and increased vigilance. The recent news stories on Firewire exploits, RAM dumps, full disk encryption weaknesses, and magnetic access card vulnerabilities highlight the need to review the PCI physical and monitoring safeguard requirements that mitigate these risks. There is plenty of technical discussion and proof-of-concept work on these attacks, and it is important that we understand how they threaten our cardholder data and enterprise viability.
Requirement 9 states “Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.” (PCI DSS v1.1)
- Section 9.1.1 (video monitoring of sensitive areas) would detect attackers accessing your sensitive servers and secured workstation areas that contain cardholder data - a good detective control for the Firewire, disk encryption, RAM, and magnetic card reader attacks.
- Section 9.2 (identification) would contribute to detecting someone bypassing the access control doors if the office is small, or if the identification uses color codes that signify which employees have access to which areas. (The reason for distinct identification per access level is that visually copying a single badge is easy, but possessing the correct type of badge for each area is harder, which raises the likelihood of detecting an unwanted guest.)
Requirement 10 states “Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.”
- Sections 10.2.1 and 10.2.4 require us to maintain audit logs of events for all users and on systems that contain sensitive data, including invalid access attempts. This would provide rapid identification of unauthorized access attempts such as those made with a cloned magnetic card. Alerting triggers on these events would ensure that action can be taken promptly, in addition to the regular log review required under 10.6.
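As an added illustration of what such a trigger can look like (this is example code, not part of the original post or of the PCI DSS standard), the following Python script reviews constructed badge-reader log lines of the form `<timestamp> door=<id> badge=<id> result=<GRANTED|DENIED> ...`. The log format, the door-to-site map, the badge IDs and the thresholds are all assumptions chosen for the example. It raises two alerts that a cloned or stolen card tends to produce: a burst of denied attempts by one badge (an invalid-access-attempt trail in the sense of 10.2.4), and one badge granted entry at two different sites within an interval too short to travel.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line: ISO timestamp then key=value pairs.
SAMPLE_LOG = """\
2008-01-14T08:02:11 door=DC-01 badge=4471 result=GRANTED
2008-01-14T08:02:40 door=DC-01 badge=9023 result=DENIED reason=NOT_AUTHORIZED
2008-01-14T08:03:05 door=DC-01 badge=9023 result=DENIED reason=NOT_AUTHORIZED
2008-01-14T08:03:31 door=DC-02 badge=9023 result=DENIED reason=NOT_AUTHORIZED
2008-01-14T08:04:10 door=DC-01 badge=9023 result=DENIED reason=NOT_AUTHORIZED
2008-01-14T08:10:00 door=LOBBY-ATL badge=4471 result=GRANTED
2008-01-14T08:12:00 door=LOBBY-SFO badge=4471 result=GRANTED
2008-01-14T09:00:00 door=DC-01 badge=1200 result=GRANTED
"""

# Assumed mapping from door reader to physical site; unknown doors map to "UNKNOWN".
DOOR_SITE = {"DC-01": "ATL", "DC-02": "ATL", "LOBBY-ATL": "ATL", "LOBBY-SFO": "SFO"}


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Flag any badge with at least `threshold` DENIED events inside a sliding `window`.

    Returns a list of (badge, first_ts, last_ts, count); one alert per badge.
    """
    denied = defaultdict(list)
    for ev in events:
        if ev.get("result") == "DENIED":
            denied[ev["badge"]].append(ev["ts"])
    alerts = []
    for badge, times in denied.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((badge, times[start], times[end], end - start + 1))
                break
    return alerts


def impossible_travel(events, min_gap=timedelta(minutes=60)):
    """Flag a badge GRANTED at two different sites less than `min_gap` apart.

    A legitimate holder cannot be in two cities within minutes, so this is a
    strong indicator that the card has been duplicated.
    Returns a list of (badge, from_door, to_door, gap).
    """
    granted = defaultdict(list)
    for ev in events:
        if ev.get("result") == "GRANTED":
            granted[ev["badge"]].append(ev)
    alerts = []
    for badge, evs in granted.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            site_prev = DOOR_SITE.get(prev["door"], "UNKNOWN")
            site_cur = DOOR_SITE.get(cur["door"], "UNKNOWN")
            gap = cur["ts"] - prev["ts"]
            if site_prev != site_cur and gap < min_gap:
                alerts.append((badge, prev["door"], cur["door"], gap))
    return alerts


def review_log(text):
    """Run both triggers over a log text and return the alerts keyed by rule name."""
    events = parse_log(text)
    return {
        "repeated_denials": repeated_denials(events),
        "impossible_travel": impossible_travel(events),
    }


if __name__ == "__main__":
    for rule, hits in review_log(SAMPLE_LOG).items():
        for hit in hits:
            print(rule, *hit)
```

On the sample log this reports badge 9023 for four denials in under two minutes across two data center doors, and badge 4471 for being granted at an Atlanta lobby and then a San Francisco lobby two minutes later. The thresholds are deliberately conservative defaults; tune them to your reader placement and then feed the alerts into whatever ticketing or SIEM queue your 10.6 review process already uses, so that the trigger produces a reviewed event rather than just another log line.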
I further investigate this topic of controls and hardware-based attacks at IT Compliance and Controls. In addition I spend a great deal of time analyzing these vectors and the necessity of proper controls under Principle 3, Access and Authorization, starting on page 173 of IT Compliance and Controls - Best Practices for Implementation (my newly released book).
Please feel free to add comments, additional thoughts on controls, and any other approaches by which these safeguards manage the risks to our organizations.
Best,
James DeLuccia IV
Upcoming Speaking Engagements:
Categories: Compliance · Governance · IT Controls · PCI DSS · Security · audit · information security
A client of mine recently updated their rich corporate governance program, and beyond obvious extensions to include recent State laws (introduced in the last 6 months) governing data usage and some international legislation, there was particular attention to the Federal government’s use of the FSG (Federal Sentencing Guidelines). A recent increase in DOJ attention has raised this mandate’s requirements above the normal baseline within the organization, and it now carries equal weight with such initiatives as SOX, PCI DSS, and NASD listing requirements.
Two nice sources for the FSG are the full guidelines themselves - of particular interest may be section 8B2.1, “Effective Compliance and Ethics Program” - and a nice text published by Theodore L. Banks and Frederick Z. Banks entitled “Corporate Legal Compliance Handbook”. Here is a link to Google Book Search with some interesting content already highlighted.
As a best practice, always review your responsibilities to stakeholders (whether they be investors, employees, industry watch groups, government agencies, or international treaty conditions) on a regular basis. The review period varies depending on the growth and change of your particular industry, but should not exceed a year. Reviews should focus on the business impacts these mandates impose and the controls established to satisfy each. An executive session should be included in this process to ensure that strategic direction is captured, and that any shifts are embraced by management and all divisions of the company.
Best,
James DeLuccia
Update: Book Release is now March 19th 2008!! Pre-Order Today
Categories: Boards · Governance · Payment Card Industry Data Security Standard · State Laws · audit · fraud · regulations
A short piece in the Wall Street Journal the other day focused on the challenges that firms face with the introduction of new technology, and how these new gadgets can complicate an organization’s controls. The article highlights the difficulties faced by investment firms, as specific regulations require them to capture all traffic relating to financial transactions. In the context of this mandate, the article raises the issue of employees purchasing iPhones and other smartphones, and the resulting difficulty in meeting regulatory mandates.
This issue is not reserved for financial firms, but applies to any firm. New technologies - such as smartphones, instant messaging, peer-to-peer, torrents, and VoIP - are all initially resisted by firms until an ROI and business case justifies the added management expense. Beyond the adoption decision, organizations that adhere to standards such as PCI DSS must be aware of the implications of these tools:
- Sensitive data may be transferred to these devices, increasing the scope of an audit
- Transmission, storage, or processing of sensitive data through these newer technologies requires a re-evaluation of the risks, controls, and procedures
- Deployment and enhanced control environments are required, as the technology expands the platforms, geography, and dimensions of the data itself
- Management direction must be re-evaluated to ensure that extended operations resulting from newer technologies are aligned and consistent with the strategic efforts of the organization
- Updates to policies and procedures are necessary
- Disaster recovery and backup systems must be modified to include any newly introduced technologies that become part of the business processes
Avoiding technology leaps and enhancements can damage a firm’s competitiveness, but blind adoption can result in far greater financial and legal penalties.
Best,
James DeLuccia
Update: Book Release is now March 19th 2008!! Pre-Order Today
Categories: Compliance · Governance · IT Controls · Management · PCI DSS · Payment Card Industry Data Security Standard · audit · auditing
January 11, 2008 · 1 Comment
Is your ASV really getting the job done? I spent several years working with organizations building their automated remote scanning systems and fought the good fight as prices for remote PCI DSS scans plummeted. It became very evident within the first 6 months that vendors who fully automated their systems were winning the battle. What always baffled my teams was that we ALWAYS found weaknesses in customer systems when they switched over to our services - even after being “compliant” according to these automated companies.
So the recent news of ScanAlert customers being hacked while being “compliant” (no disclosure has been presented to indicate whether they were compliant at the exact moment the breach occurred… updates will be added when available), and several posts highlighting similar inconsistencies, is not news to me or my colleagues (Jeremiah has a nice write-up on this). The fact is we left that market due to economics - I couldn’t cover my costs of the scans. Over the past few years I have enjoyed the other side of the coin and have been supporting companies in an advisory fashion. Meaning, I help them understand their business needs and the risks involved, and work through the solutions that are best for the company. Usually the cheapest vendor is NOT the best solution.
The one fact I want to pass along, given all these unfortunate merchants who have suffered a breach, is that you must evaluate your own security precautions. It is the duty of the executives in every corporation to ensure there are proper safeguards that protect the company and its stakeholders. This includes ensuring that if a service provider is providing a service:
- That service is of sufficient quality
- The service is implemented and operational as required (these remote scans must be given complete and direct access to your online properties, and should not be filtered or altered by load balancers / IPS / firewalls / etc…; otherwise the scan reports on the filtering device rather than on the application behind it)
- Regular quality checks by the staff (e.g. conduct your own web application assessment and compare the results; if the provider is not identifying threats and is only providing a check box, then it is in everyone’s best interest that you find another provider)
The end result of this flight from ineffective scanning providers is a stampede to quality and a return of balance in the necessary delivery of skilled assessments. Challenge your perceptions and question the assumptions of your security program for the good of your company and my sensitive information.
Thanks to Jeremiah for a great post on this topic.
Update: May I recommend alternative Approved Scanning Vendors for your reference.
Kind regards,
James DeLuccia
Categories: Compliance · Governance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Risk Management · Security · audit · information security