Payment Card Security & IT Controls Explained

ABA Banking Journal Article on Project Management

June 19, 2008 · No Comments

I have been fortunate to work directly on product development of software, widgets, and service businesses, and the end result is an intense appreciation for project management techniques.  Projects have failed (lack of cultural appreciation, scope creep) and others have succeeded (senior executive support, cost reduction ~ grid computing metrics, short-term returns) for varying reasons, but all have provided valuable lessons to everyone involved.
The American Bankers Association Banking Journal exists to help managers and executives succeed in the competitive financial services market - now more important than ever with financial market values dropping about 22% over the past 12 months.  Their most recently published journal features an article that I contributed on the complexity and opportunity that exists in project management for technology groups that seek to provide true business value.  Check out the article, The Case for e-Project Management, here!

Projects can only succeed when the right information, people, and culture are in place… some good self-evaluation questions that you need to consider include:

  • Is the technology environment capable of meeting the business objectives?
  • How are the costs of these projects and the existing technology resources allocated and linked to business revenue generation?
  • How are current projects measured?  (To that point  - How are past projects measured?)
  • How have the project goals been communicated, and is the messaging understandable for each party involved?

Management and practitioners must consider the importance of technology environment projects - such as achieving PCI DSS compliance within 6 months or revamping your technology control environment to reflect the global threat of fraud - and establish a successful roadmap that appreciates the culture of each organization.

Other thoughts?  Favorite lessons?  Please share…

Best regards,

James DeLuccia

** Join me at the ACFE 19th Annual Conference in Boston, July 14th!!

Categories: Compliance

Prevent Fraud and Increase Revenue by 6%

June 9, 2008 · No Comments

The cost of fraud to an organization is approximately 6% of an organization's revenues each year.  This is an astounding figure calculated by the Association of Certified Fraud Examiners using a global survey, and supported by several other international and independent authorities.  A great means of reducing known and unknown damage to an organization is the establishment of a preventive health-check system.
The establishment of clear accountability, responsibility, upper management support, and clear awareness of areas of high risk are fundamental to every organization.  In IT Compliance and Controls this is discussed in detail under Principle 1 - Tone at the Top and Principle 3 - Human Resources.  A great supplement to the book's In Practice guidance: the ACFE makes available an excellent Prevention Check List for business leaders.
The document is very simple and has immediate benefits.  There are careful guidelines recommended when conducting such efforts that should be embraced.  The need for such checklists exists separate from PCI and similar regulations, as fraud is present around the world - consider SocGen (Reports 1-3 detail the fraud!) and WorldCom.

Check out the checklist here today, bring your general counsel on board, and determine how you can increase your revenues by 6% today.

Best,

James DeLuccia

A special thanks to the ACFE for making this freely available without registration.

Categories: IT Controls · fraud

The western hemisphere ahead of Asia Pacific

June 4, 2008 · No Comments

“Medicine rarely tastes good. The introduction of Sarbanes Oxley was, for many, accompanied by significant distaste for the idea. In the longer term, it does appear that those institutions exposed to the rigours of more exacting compliance regimes have made more progress with developing integrated governance and controls frameworks.
Financial institutions in the western hemisphere are ahead of their eastern colleagues. Our analysis shows only a quarter of financial firms operating worldwide have a reasonably integrated compliance and controls framework – all of these firms are from the west. These results suggest there is much to do in the Asia Pacific region both in continuing to create regulatory regimes and continuing to raise the quality of internal governance and control systems.”

A published research study by Deloitte, quoted above, highlights the importance of integrating compliance, governance, security controls, and risk management into an enterprise control environment.  The economies of scale translate to approximately a 2.5% difference in expenses incurred, and against the current $78 billion in expense that is a material impact on any company's bottom line.  In addition, “Banks, insurers and investment banks have all seen the costs for governance and control rise by around a third between 2003 and 2006.”
Check out the article here, and consider how integrated your control environment is.  Have you eliminated the silos that manifest themselves over time?  Are you leveraging the full value of your technology infrastructure, your licenses, your power consumption?

Always Curious,

James DeLuccia

Categories: Compliance · Sarbanes-Oxley · regulations

Integrating Enterprise Risk Management Structures, Roles

June 2, 2008 · No Comments

Structuring and maintaining an integrated risk management process can be daunting, and despite the tremendous amount of documentation surrounding the topic, most organizations are still in the early years of maturity.  A common challenge that organizations face is the identification of roles.  The assignment of roles depends greatly on the structure and culture of your business, and therefore any method you adopt must respect these unique attributes.  While developing a structure for a client I came across ENISA's efforts and found them to be quite practical.

Classic roles for integrating risk management with operations must include:

  • Senior Management/Board of Directors
    • This role is accountable for inventing Risk Management in the organization, defining the basic participating roles, creating and communicating risk awareness, as well as deciding on the degree of risk tolerance of the organization. The Senior Management will not be directly responsible for any of the Risk Management processes (since it does not execute them) and hence does not appear as a role in any of the swimlanes in the model.
  • Risk Manager
    • The Risk Manager is chiefly responsible for the definition, structuring, implementation, and coordination of Risk Management in the organization. The Risk Manager can be an individual or a group, which may be hierarchically organized (local, global Risk Manager).
  • Risk Owner
    • The Risk Owner is usually an officer in a business unit/functional unit. The Risk Owner is responsible for dealing with risks in his business unit. The main task of this role is to implement Risk Management processes according to the guidelines defined by the Senior Management and the Risk Manager. Often the role is assigned to the same person as the role Domain Expert (especially in smaller organizations), due to a flat organizational hierarchy.
  • Internal Audit
    • Internal Audit is responsible for monitoring the Risk Management processes. Events are being tracked and the processes are being evaluated towards the background of the previously created Risk Management plans.
  • Domain Expert
    • The role Domain Expert is responsible for assisting the management of risks by delivering input from a specific domain perspective (consulting role). His special knowledge about a particular domain in the organisation serves as a basis for identifying and treating the specific risks in that area. Additionally, the role participates in the process of monitoring the risks. The Domain Expert may be an internal or external (consultant) person. Due to his role specification he will not be responsible for any of the Risk Management processes and hence not appear as a role in any of the swimlanes in the model. Often the Domain Expert role is assigned to the same person as the Risk Owner role (especially in smaller organisations), due to a flat organisational hierarchy.

The ENISA RM/RA Framework is presented using the HTML files output from ADOit.  This allows users to navigate but not edit the contents.  Check out ENISA's site to see the output.  Organizations should consider the steps that must be taken in order to properly construct such a visualization - identifying the processes, determining the flow of information between the activities, and finally relating data to activities.  This simple process will rapidly mature your organization's understanding of cross dependencies and criticality, while providing a method of communication.

Best,

James DeLuccia

Categories: Compliance · IT Controls · Risk Management

The Greatest Free Security Tools, by James DeLuccia

May 30, 2008 · 1 Comment

Tyson Kopczynski of NetworkWorld has an article highlighting 6 free tools the security minded shouldn't live without.  He highlights a few of the numerous available tools, but neglects a few foundational security applications.  He suggests the following tools (comments added):

  • Metasploit - a superb tool!  Necessary for everyone.  It provides the user with a clear understanding of the true risks of chaining vulnerabilities, provides concrete results, and is led by one of the most brilliant crews around.  Be aware this tool should be used with caution on pre-production systems, and only on systems that are redundant.
  • Splunk - excellent interface and allows for excellent review of large amounts of data.  A great tool if the budget exists - other resources are the Zenoss and Nagios systems.
  • Google - always great for data mining, but check out the data exploration tools below as an addition to your arsenal.
  • KeePass - centrally locating your passwords is great, so long as you use a secure key - FYI, this is not a proper alternative to your enterprise's key management process.
  • Helix - Knoppix is a great platform to work from and a top tool in my kit.
  • Netwox - never used this particular tool, but the capabilities speak for themselves.

Check out his full article, which describes their usage and his thoughts on each tool, here.
Personally, I would add the following for any individual charged with security responsibilities (who isn't these days) and for those key individuals tasked with attesting to the state of an environment (so, yes, I would expect auditors for PCI DSS and AICPA / PCAOB efforts to leverage such tools):

  • Wireshark (formerly Ethereal) - network sniffer that is useful for superb network diagnosis and analysis of network traffic (i.e. finding decrypted communications with cardholder data and such things)
  • Nessus - of course, a great vulnerability scanner to quickly assess the state of an environment (use in conjunction with deeper assessment tools, such as Metasploit)
  • BackTrack - in lieu of a generic LiveCD, this is a great (cheap / free / zero-effort) security environment to get your feet wet, and super simple to customize to create your own company / personal security tool environment.
  • John the Ripper - test password strength, i.e. truly validate whether passwords are meeting secure settings.  Also check out Ophcrack, which comes as a LiveCD and utilizes rainbow tables.
  • Wireless access point security testing tools in your kit should include The Shmoo Group (not a tool, but they lead the way in Bluetooth, 802.11, and other channels), Aircrack-ng, Kismet, and you may experiment with wicrawl (here is a video of their presentation at Defcon 15)
  • Tyson recommends Google as a discovery tool, and it is an excellent tool (check out here where a custom search identifies SSN and credit card data in cached pages), but there are others - in no particular order of preference, check out SEAT (Search Engine Assessment Tool), an information collection tool, and Bidiblah by Sensepost ($)
  • Extreme packet manipulation (for those with savvy technical backgrounds) is ideal for truly testing the resilience and secure coding practices of the systems on your network.  Check out Scapy for such a test.

As an example, PCI DSS Requirement 11, the FFIEC Information Security booklet, and numerous others define the expected level of vigilance that must be taken.

A long-standing universal reference for security professionals has been this list hosted by Insecure.org (developers of Nmap) - click here for the top 100 tools.  This list is based on votes from users of the tools and includes supported platforms, UI, and whether it costs any dough.

Please add comments for the best security tools that address your challenges.  Free is preferred, but products with nominal fees can be worth the expense.  If any of the above are unknown to you, download them and experiment; it truly is the only way to understand your control environment.

Best,

James DeLuccia

Categories: IT Controls · Payment Card Industry Data Security Standard · Security