Entries categorized as ‘Security’
I am a strong believer in group “live” training experiences where I am in a room with individuals who have different perspectives, challenges, and questions. Unfortunately, the real world keeps spinning and constant training is not always possible, so the web (yes… that which gives and takes) has online training. For those unaware there are several very good online free training seminars for PCI DSS. In fact, the one I am highlighting is “sponsored” by MasterCard.
After free registration - the simplest I have yet to see - you are provided with a list of sessions to listen to, or you can download the PDFs! You can currently find nearly a dozen sessions here. They cover the following topics:
- Maximize Internal Preparation for PCI DSS New!, by Mathieu Gorge – CEO Vigitrust
- Network Segmentation New!, Mark Lippman – Senior Partner, Arsenal Security Group
- Data Encryption: Understanding Encryption and PCI DSS New!, by Gerard Onorato and Jeffrey Foresman
- An Introduction to the PCI Security Standards Council, by Bob Russo – General Manager, PCI Security Standards Council
- A Detailed Look at PCI DSS Requirements, by Andrew Henwood - Director of Operations, One-SEC/Trustwave
- A look into the new Self Assessment Questionnaire, by Jennifer Mack – Vice President, MasterCard Worldwide
- A Merchant’s Journey towards PCI Compliance, by Alexander Grant, General Manager British Airways
- Understanding Account Data Compromise, by A. Bryan Sartin - Vice President Investigative Response, Verizon Business
- Preparing for a Successful PCI Assessment, Lessons from the Field, by Michael Walter – Senior Partner, Arsenal Security Group
- Reducing Your Risk: A Look Into PCI Vulnerability Scanning, by John Bartholomew – Vice President, Security Metrics
- Security and the Payments Systems, By John Verdeschi – Vice President, MasterCard Worldwide and Jeremy King – Vice President, MasterCard Worldwide
- Compliance Validation & Beyond, by Sally Ramadan - MasterCardWorldwide
I have gone through several thus far, and my comments on a few are as follows:
- Maximize Internal Preparation - Helpful. Core Message: Set up a diverse team with senior management, and leverage your QSA’s experience
- Understanding Account Data Compromise - Educational. Great walk through! Check out Michael Dahn’s excellent ongoing articles on the carder market
Check out the online webinars here. I am sure there are many others, so please add them below in the comments to help everyone!
Best,
James DeLuccia
Categories: Compliance · IT Controls · PCI DSS · Payment Card Industry Data Security Standard · Security
Business ebbs and flows in most industries, and unless you are demonstrating true value it is hard to respond positively when management must make hard decisions. If technology services are not demonstrating value - i.e., they are not in alignment with what the business needs, or there is waste throughout the system - perhaps a healthy dose of self-evaluation is in order. To that point I want to elaborate on an INC. magazine article I contributed to, entitled “Instituting Security Metrics” by Lora Shinn.
There are two lines of thought I want to explore: the first is how Security Metrics *can* enhance the value of the technology environment, and the other is how they can save the business.
Enhance Value:
Security Metrics are any measure of the organization’s efforts to safeguard the assets of the corporation. These may be sensitive information databases, actual hardware devices, the staff, or any number of categories depending on your business. It is important to recognize that these are “a part of” a greater measurement effort within your business. It is 100% certain that your business is currently calculating ROI, ROA, ROE, and hundreds of other metrics relating to finance, employee turnover, customer satisfaction, competitive industry scorecards, and even compensation baselines. These existing performance, governance, and business metrics can provide the technology group with a sufficient methodology and format when preparing similar security metrics.
In order to enhance value to an organization, technologists must be able to:
- Justify the technology deployed
- Identify important assets within the architecture
- Measure what the business requires of these assets.
Only at this point can action be taken. The “action” referred to here may include decommissioning unnecessary hardware, eliminating specific redundant architectures, insourcing or outsourcing specific functions, or transforming the operations to a fully distributed platform.
The end result is a technology services group that achieves optimal balance between mission and cost thereby providing meaningful impacts to both the top and bottom line of the financial statements.
Saving the Business:
Loss of sensitive data, downtime due to forensic investigations or viruses, government and industry partner fines, loss of customers, and loss of confidence with business partners are the results of security failing. Security metrics must consider the inputs into these risks for the business and appropriately mitigate each as necessary. In future postings and in a recent research briefing I will elaborate on these important points.
Check out the article here, and please post your comments on how you feel security metrics should be positioned, and which are your favorite?
Best,
James DeLuccia
Categories: IT Controls · ROI · Security
Tyson Kopczynski of NetworkWorld has an article highlighting 6 free tools the security minded shouldn’t live without. He highlights a few of the numerous available tools, but neglects a few foundational security applications. He suggests the following tools (comments added):
- Metasploit - a superb tool! Necessary for everyone. It provides the user with a clear understanding of the true risks of chaining vulnerabilities, provides concrete results, and is led by one of the most brilliant crews around. Be aware that this tool should be used with caution on pre-production systems, and only on systems that are redundant.
- Splunk - excellent interface and allows for excellent review of large amounts of data. A great tool if the budget exists - other resources are Zenoss and Nagios systems
- Google - always great for data mining, but check out the data exploration tool below as an addition to your arsenal
- KeePass - centrally locating your passwords is great, so long as you use a secure key - FYI, this is not a proper alternative to your enterprise’s key management process.
- Helix - Knoppix is a great platform to work from and a top tool in my kit.
- Netwox - Never used this particular tool, but the capabilities speak for themselves.
Check out his full article, which describes their usage and his thoughts on each tool, here.
Personally I would add the following for any individual charged with security responsibilities (who isn’t these days) and for those key individuals tasked with attesting to the state of an environment (so, yes, I would expect auditors for PCI DSS and AICPA / PCAOB efforts to leverage such tools):
- Wireshark (formerly Ethereal) - network sniffer that is useful for superb network diagnosis and analysis of network traffic (i.e. finding unencrypted communications carrying cardholder data and such things)
- Nessus - of course, great vulnerability scanner to quickly assess the state of an environment (use in conjunction with deeper assessment tools - such as Metasploit)
- BackTrack - in lieu of a generic LiveCD, this is a great - cheap / free / zero effort - security environment to get your feet wet, and it is super simple to customize to create your own company / personal security tool environment.
- John the Ripper - test password strength, i.e. truly validate whether passwords are meeting secure settings. Also check out Ophcrack, which comes as a LiveCD and utilizes rainbow tables.
- Wireless access point security testing tools in your kit should include: The Shmoo Group (not a tool, but they lead the way in Bluetooth, 802.11, and other channels), Aircrack-ng, Kismet, and you may experiment with wicrawl (here is a video of their presentation at DEFCON 15)
- Tyson recommends Google as a discovery tool, and it is an excellent one (check out here where a custom search identifies SSN and credit card data in cached pages), but there are others - in no particular order of preference, check out SEAT (Search Engine Assessment Tool), an information collection tool, and BiDiBLAH by SensePost ($)
- Extreme packet manipulation (for those with savvy technical backgrounds) is ideal for truly testing the resilience and secure coding practices of the systems on your network. Check out Scapy for such a test.
As examples, PCI DSS Requirement 11, the FFIEC Information Security Booklet and numerous other standards define the expected level of vigilance that must be maintained.
A long-standing universal reference for security professionals has been the list hosted by Insecure.org (developers of Nmap) - click here for the top 100 tools. This list is based on votes from users of the tools and includes supported platforms, UI, and whether it costs any dough.
Please add comments for the best security tools that address your challenges. Free is preferred, but products with nominal fees can be worth the expense. If any of the above are unknown to you, download them and experiment; it truly is the only way to understand your control environment.
Best,
James DeLuccia
Categories: IT Controls · Payment Card Industry Data Security Standard · Security
There are simply too many great conferences in the world to attend each one and keep the lights on at the home office. In April, HITB Sec Conference 2008 in Dubai had a few excellent presentations surrounding current issues for PCI DSS corporations (application security), and several insights into other areas of concern for global security. The full presentation files are available here. A few of the presentations I would recommend for your review are listed below (Title, Summary, and Author are pulled from the conference agenda, as the downloads are only referenced by speaker name):
Shreeraj Shah (Director, BlueInfy)
Presentation Title: Securing Next Generation Applications – Scan, Detect and Mitigate
Presentation Details:
McKinsey’s recent global survey suggested that 80% of companies are investing in Web 2.0 technologies. Web 2.0 technologies are no longer restricted to social networking sites but are forming the backend to enterprise level applications. This evolution is giving rise to next generation application hacking and attack vectors. It is imperative to understand these new attacks and scanning methods to detect vulnerabilities. This presentation is going to cover the following important aspects of next generation application security.
- Footprinting, Scanning and Crawling of Web 2.0 applications.
- Ajax and Flash based XSS for Web 2.0 application.
- One-Way and Two-Way Cross Site Request Forgery for XML and JSON streams.
- Threat Model 2.0 for Web 2.0 applications.
- Hacking and Securing Service Oriented Architecture (SOAP, XML-RPC and REST based applications)
- Strategic security controls by leveraging Source code scanning and application layer filtering.
This presentation will be full of real life cases, live demonstrations, new tools and techniques, along with in-depth coverage of the latest concepts and methodologies.
Raoul Chiesa (Board of Directors Member @Mediaservice.net, ISECOM Group & TSTF)
Presentation Title: Penetration Testing SCADA and National Critical Infrastructure: Real-Life Experiences and Case Studies
Presentation Details:
The SCADA acronym stands for “Supervisory Control And Data Acquisition”, and it’s related to industrial automation inside critical infrastructures. This talk will introduce the audience to SCADA environments and their totally different security approaches, outlining the main key differences from typical IT Security best practices.
We will analyze a real world case study related to industry. We will describe the most common security mistakes and some of the direct consequences of such mistakes to a production environment. In addition, attendees will be shown a video of real SCADA machines reacting to these attacks in the most “interesting” of ways!
Petko D. Petkov [pdp] (GNUCITIZEN)
Presentation Title: For My Next Trick… Client-Side Hacking
Presentation Details:
This paper describes numerous techniques for attacking client-side technologies. The content of the paper is based on the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.
Client-side software generally refers to a class of computer programs that are executed on the client, by the user’s supporting environment, instead of the server. Both clients and servers are in constant interaction. In a Web environment, the client is represented by the user’s web browser, while the server is the remote computer which serves dynamic content. In a much broader context, the client-server relationship can be represented by a network client connected to a WiFi network.
The slides on the new vectors of attack in the Web 2.0 arena (which represents at least one instance where every piece of our data is accessed, managed, and manipulated) are interesting and educational.
Of course, as much fun as the slides are, the presenters are really the show, so I do encourage everyone to contact and contribute to the community where you are able.
All the best,
James DeLuccia
Categories: Compliance · Security

Back in Atlanta after a week in San Francisco for RSA’s annual conference on security. This being my first year in attendance, I have no comparison from prior years, but I have heard that the crowds were a bit lighter than usual. I spent a great deal of time enjoying the sessions, speaking privately with the incredible roster of speakers in the “speakers lounge”, and engaging the vendors in the expo. Overall I would definitely say it was worth the time and expense. Anyone shortlisting their conference list should include RSA next year. Of course, you make your own conference - I actively sought out and engaged experts in specific areas, and methodically evaluated each solution offered by the vendors. As in any good project, I attended with several objectives and action items that proved extremely valuable:
- First, I vetted the speakers and the sessions prior to arriving. This is key to determining the type of presenter and their prior experience (i.e. I prefer to avoid “sales” people giving presentations in areas that their product “happens” to address). I prefer to seek out either the founders (engineers) of companies who play in a space, in-field practitioners, or those who have such a broad range of experience that they can speak on a specific topic.
- Second, I set three objectives for attending - any more and you are stretching yourself too thin and won’t enjoy the experience. Mine for RSA this year were to:
  - Identify and map each vendor solution into a solutions matrix based on architecture and core controls for the top 50 regulations / standards.
  - Seek out practitioners who have successfully established frameworks or governance structures in global corporations.
  - Identify trends from the strategic perspective.
My takeaways from the conference were a disproportionate focus of vendors on DLP, a lack of comfort in practitioners dealing with multiple regulations, and a steady and unexpected level of confusion in addressing PCI.
This year RSA is posting the recordings of the sessions online for post-conference viewing. Other conferences in the past year have made these available to the public, and hopefully RSA will follow suit. In any case, be sure to watch for detailed postings on research and notes from the speakers (if you could not attend or are unable to view the archived recordings), and personal / company recaps.
Bottom line - I enjoyed tremendously being an invited speaker on a topic that engaged a capacity room and required the organizers to drag us out of our room to continue it in the halls. My post takeaway is that I have not sufficiently communicated my research, and I hope over the coming months I can provide greater value to the industry at large.
Kind regards,
James DeLuccia
Categories: Business Agility · Governance · PCI DSS · Security · conference