By itself, this seems to be a bit damning toward the technical sector essentially stating that they aren’t any good at detecting fraud. Or at least their tools aren’t any good. But technology has always played a catch-up role when compared to human intuition. It could be simple things like highlighting the right statistical inconsistencies for analysts or complex things like playing chess against the world’s best, but we’re all still trying to mimic a human (with scale) by building intelligence into systems.

Stop!, by Qfamily

So this really begs the question, whether you are in the information security business or the fraud prevention business, where is your first line of defense? I’m willing to bet it falls in line with the observations from the roundtable and it is entirely human focused. But I’m also willing to bet that your company realizes this plan isn’t scalable and is trying to find ways to build human intelligence artificially into our infrastructure to aid the humans. For example, humans cannot read millions of logs manually, they have systems that triage mountains of work into molehills of actions for further analysis.

So the question becomes, how do we accelerate this so we can get to the point of more front-line defenses being built into artificial intelligence instead of relying almost solely on human intuition?

Companies require comprehensive visibility into events into their network with the ability to incorporate both internal and external sources of intelligence to create actionable intelligence that can feed an automated, agile control set. Sure, it sounds a little like the beginnings of Skynet, but those that fear the rise of the machines may choose to build the intelligence without the capacity to act, thus still requiring human interaction but theoretically with better information. The goal still needs to be furthering our ability to transfer human intelligence into systems to help us do more with less (and reliably!).

Possibly Related Posts:

• Why the Public Cloud Shuns Security
• Big Data vs Social Engineering
• Sir, Put Down the Loaded Weapon
• What’s your Maturity?
• There Are No BYOD Absolutes (You’re Doing It Wrong)

The PCI (Payment Card Industry) Council (PCICo) has pointed their elbow in the direction of those responsible for installing payment applications. PCICo issued a press release yesterday announcing the PCI Qualified Integrators and Resellers (QIR) program. The QIR program is designed to improve the quality of the integrator/reseller community often tasked with installing and maintaining payment systems. Is this the silver bullet we’ve been waiting for?

Bang!, by ToastyKen

According to the release, the PCI Council is in the process of rolling out this program to train and certify software resellers and system integrators. The Council will list those certified organizations and individual employees on their web site, similar to how they list QSAs (Qualified Security Assessors).

The lack of accountability for POS installers to set up systems in a compliant manner is a known issue in the PCI community. While performing PCI assessments, I’ve come across merchants who own applications on the PA-DSS (Payment Application Data Security Standard) compliant list who are at risk (i.e. NOT PCI compliant) because their payment applications were not implemented properly or on a secure platform. A common cause of this issue is that the installer of the POS system was a third party who was only interested in getting the POS up and running but did not consider implementing it in accordance with security Best Practices, PCI DSS, or the implementation guide.

This program will focus on both the installation of POS systems and also focus on the maintenance of said systems. The installation portion is a good start, since it is not uncommon for POS systems to be implemented with default settings and with weak or commonly-known passwords. This program will also address the proper care and feeding of POS systems (patching, anti-malware, scanning, etc.). It is important that someone has the responsibility for maintaining these systems. Note: to be PCI compliant, this (updating/maintaining POS systems) should have been happening all along. If it has not been happening, additional cost/effort may be needed.

A large percentage of larger merchant clients install and maintain their own POS systems, so this program will most likely not benefit many larger merchants. That said, this program will be good for smaller merchants—especially those in the hospitality industry—many of whom do not have the time, knowledge, or wherewithal to implement/manage POS systems. It will also raise the bar for the installers of POS systems and potentially weed out the ones who are incompetent.

Troop Inspection (Explored), by pasukaru76

Will this be beneficial for merchants who use a third party to install or maintain their POS systems? It will potentially increase security since there will be a better chance that the POS systems have been implemented in a PCI compliant manner. When a system is installed improperly or insecurely, the merchant pays the price—especially if they are breached. This increased security will come at some cost since the QIR companies will need to pay for QIR training for their employees and most likely those costs will be passed to the merchants, but those costs should be negligible.

Let’s kick a few numbers around. According to the Ponemon Institute, 41% of breaches were caused by “negligence”. Trustwave’s 2012 Global Security Report claimed that 76% of the breaches were caused by a third party’s vulnerabilities. While the QIR program may not be a cure-all for these risks, it can certainly play a significant role in reducing that number. I think this is a move in a positive direction and will ultimately reduce finger-pointing between merchants, installers, and payment application vendors. What do you think?

Possibly Related Posts:

• Top 10 PCI Requirements for Interpretation
• Sir, Put Down the Loaded Weapon
• Top Five PCI DSS Mistakes that Lead to a Breach
• Top 3-5 Things to Remove from PCI DSS
• PCI Compliance for….

I spoke at the North Texas Cloud Security Alliance chapter last Friday, and I had a great question from the back of the room. Paraphrasing, if security is a requirement for certain use cases, why do public cloud providers sell services without security controls?

the breach!, by finna dat

Man, that is a question I wish more people would ask. There are two main reasons for this.

1. The economics of cloud computing break down a bit when you add lots of security controls (significantly if it is poorly designed).
2. Because cloud providers can compete just fine without them.

Let’s unpack number one first. If we are just leasing capacity, we can do that relatively cheaply because we don’t need to spend tons of money on controls, auditing, or logs. In fact, the onus should be on the consumer of the service to build some level of control into the application to protect workloads. That doesn’t always work because administrators of cloud providers could manipulate resources in ways that would compromise the security of the workload. To fully realize the level of security built into these systems, we need to add a number of controls that can be audited and reported. Unfortunately, those controls cost money and require additional resources to effectively deploy in a manner they can be audited. Now what once was $0.05/compute-hour becomes $0.50/compute-hour, and the finances derail (understand those numbers are fictional, but you get the point).

To explain the second point, I want to reference some great insight by O’Toole and Vogel (2011) as they compare companies that focus on sustainability and conscious capitalism with those that do not. As long as it is not the only business model, both will exist (p. 66). If we apply that same concept to cloud providers, as long as they can make money without security controls, they will continue to pursue a non-security friendly business model. So why do they shun security?

Because they can!

Will a small business owner be able to move Google away from their  unbelievably favorable contract terms? Probably not, but larger companies that make demands of cloud providers will end up creating a market where security controls are valued, and not considered a one-off. Security should be consumed transparently. Business users typically don’t know when they need certain controls for their applications, so they will focus on the economics instead of the audit-ability. A better option would be for companies to build a suite of options for their business users by sole sourcing with one cloud provider. They could easily dictate the controls needed for any service, and build that into the price. With some other information security controls like DLP or deep packet inspection, security departments can bolster their ability to rein in unauthorized cloud usage while providing a valuable service to their business users.

References (I’ve been writing a bit in APA style lately, so figured I’d practice it here):

O’Toole, J., & Vogel, D. (2011). Two and a half cheers for conscious capitalism. California Management Review, 53(3), 60-76.

Possibly Related Posts:

• Where is your first line of defense?
• Big Data vs Social Engineering
• Sir, Put Down the Loaded Weapon
• What’s your Maturity?
• There Are No BYOD Absolutes (You’re Doing It Wrong)

Prepare, by Photo Monkey

OK folks, here’s an opportunity for you all! In advance of the third edition of our book slated for a July release, PCI Compliance, I wanted to offer up a free service to those of you dealing with PCI DSS on a daily basis. I’m going to do a detailed analysis of ten requirements for you! Here’s the best part…

You get to pick the ten I analyze!

Which requirements give you the most trouble? Which ones do you think are getting a bad rap, or are being interpreted too harshly? Tell me! I’ll take the top 10 that people want interpreted and put a series together over the next few weeks with detailed analysis.

Throw your suggestions down in the comments below!

Possibly Related Posts:

• Guest Post: Will the new QIR Program Move the Needle?
• Sir, Put Down the Loaded Weapon
• Top Five PCI DSS Mistakes that Lead to a Breach
• Top 3-5 Things to Remove from PCI DSS
• PCI Compliance for….

Enter Apple’s Keychain! Hooray! I’m now able to store these things relatively securely and make them quickly available for me if I need to log in somewhere. In some cases, I memorize the passwords if I have to use them frequently, but in most cases, I just grab it from Keychain. Every time someone asks me to create a new account, I simply open Keychain, enter in some basic data, have it generate a password (and sometimes dumb that down for sites with stupid password restrictions), and I’m off to the races. One quick note, doing it this way caused a major limitation for me in migrating; more on that soon.

Spoon, by felixtsao

This has a major limitation though: I have more than one device that I access sites from which means I am constantly syncing up versions of my passwords. Ugh, what a mess. Furthering the problem, there is no iOS version of Keychain, so I have to find other ways to get passwords on to those devices for quick access. NOT ideal.

Research time! I started looking around for password managers that would seamlessly integrate with multiple devices. I wasn’t crazy about using a cloud service for syncing as my entire life was dependent on their security. I am sure that Box, DropBox, Google, and iCloud are all super secure, but I’d rather take that variable out of the picture. I found a dozen or so that looked decent, but one (rather expensive) tool started coming up time and time again: 1Password. They have a free trial you can get from their website, so I started playing around with it to see how it would work.

First step, import old passwords. And this is where things completely fell apart. There is no really easy way to get passwords out of Keychain. 1Password has a process that you can try, but it only works on Safari Web passwords. Meaning, if I had not been saving site passwords in Safari, I wouldn’t be able to import them. Part of the reason is that in order for 1Password to properly work, it needs to know more about the site than just a name and user/pass combo. It needs things like the login URL so that it knows when and where to match that password with its built-in browser plugins (which are pretty sweet). So I backed myself into a technological corner by not integrating with the web browser. Temporarily that is.

I’m pretty much sold on 1Password. It has the ability to sync over WiFi (only natively for iOS devices, but they list other methods including WiFi here) so I don’t have to rely on a cloud service, and my initial tests show that usability is fantastic. I’ll be able to get things converted over slowly, but as I use them. So my most popular sites will go very quickly, with the rest migrating over time as I enter them. I don’t mind supporting these guys, but really think Apple needs to consider this type of functionality (to the degree that 1Password does it) for Mountain Lion and iOS 6.

By the way, there are many other options out there. The guys at 1Password were absolutely fantastic to work with. It’s very rare that you can have a discussion down to the line of code in someone else’s Ruby import script with email support. I’ve made my choice, but how do you handle yours? Drop them in the comments below!

Possibly Related Posts:

• Mystery Shopper Scams Getting Aggressive
• Facebook isn’t Professional Networking
• Implementation is Everything
• Cracking iOS Privacy
• Hardware Security, the New Frontier?

Stay Classy, San Diego!

What was popular in April? We had Facebook all over the news with its billion dollar purchase of Instagram (do the math, $1B with 23 employees = some rich dudes) and IPO announcement, the Call for Papers for RSA Europe opened, and the security conversation seems to be continuing its momentum from RSA US!

Here are the five (ignore the first one) most popular posts from last month:

0. RSA Conference 2012, Are You Ready? OK, you guys, for real. I finally figured out why this was the most popular post. Barney Stinson is the reason. Go look at it and you will know why (and the search term that is somehow leading all kinds of unsuspecting people here). So I’m going to call it out for what it is, but drop it from future top fives.
1. Visa Kills PCI Assessments and Wants Your Processor to Support EMV. Is this the end of PCI Assessments? Visa threw out some timelines and program details last year that you need to know about. I reposted this one on Twitter and Christofer Hoff picked it up. Squirrel power means lots of hits!
2. Top Five PCI DSS Mistakes that Lead to a Breach. For the second month in a row, this one is on the top five! I wrote this blog post after speaking to several insiders about the challenges small companies face when it comes to complying with PCI DSS. Many of them look at the various SAQs and panic! So while I won’t endorse not complying with the standard, what are the top five things that cause a compromise? Read this to find out!
3. Mystery Shopper Scams Getting Aggressive! So apparently, I’m one of the last ones on the block to be targeted for this kind of scam because when I brought it up to several folks in the industry, they all shrugged at me. It was the equivalent of showing a NASCAR driver that steering wheels detach in their cars. Anyway, it still made the top five and included are links to the redacted documents I received.
4. Why QSAs Should Not Be Your Security Partner. Here’s another one from the past, but it seemed to strike a nerve on Twitter when I reposted it last week. It’s time to separate your consultants from your assessors. Do you know what motivates QSAs?  Here is an inside scoop on what goes on inside your QSAs head, and why he doesn’t have your best interests in mind.
5. There are no BYOD Absolutes (You’re Doing It Wrong). This was a response to a post by VPN Haus that refuted cost savings associated with BYOD. I took a different approach, and hope you enjoy!

Thanks for stopping by!

Possibly Related Posts:

• Links from 2012-03-23 through 2012-04-30
• Herding Cats: A Curmudgeon’s Party Line (April 2012)
• March 2012 Roundup
• Links from 2012-03-21 through 2012-03-22
• Herding Cats: Hunt (March 2012)

• Do I Really Need to Worry About Security When I’m Using Public Wi-Fi? –
• Facebook Tells Users Not to Give Passwords to Employers As Senate Prepares Anti-Snooping Bill –

Possibly Related Posts:

• April 2012 Roundup
• Herding Cats: A Curmudgeon’s Party Line (April 2012)
• March 2012 Roundup
• Links from 2012-03-21 through 2012-03-22
• Herding Cats: Hunt (March 2012)

Blow up ATM, by laverrue

One of the first lessons I learned in high school economics was TINSTAAFL. And while I’m pretty far removed from high school at this point, that one came roaring back when I was mailed a check for almost $2,000 without any warning or advanced knowledge. This type of scam is pretty common and takes many different forms, but let’s analyze some of the things that illustrate what is going on. The quality of the scan is somewhat low to keep file sizes down, so the actual copy does not look like a fax and has more gray-scale in it. Some of these things are highlighted in the documents, some are not.

1. The first thing I noticed was the postage (actually @FancyPantsMama noticed it). Not from this country. OK, maybe someone has a job stuffing envelopes, let’s see what else.
2. The letter was folded poorly and the text was of poor quality. No full color letterhead, just a gray-scale, forgettable letter with poorly reproduced logos at the bottom.
3. The logos at the bottom of prominent, household name companies like IBM, Gap, McDonalds, Best Buy, Walmart, Starbucks, Sony, and Office Depot were poorly reproduced. Many of them were obviously pulled from websites due to the dark backgrounds or borders, and the dimensions are wrong. Do you think the branding people behind these powerful brands would sponsor someone who can’t reproduce their logo correctly? Oh, and the best example of this is the logo for Costco.com (not Costco the store).
4. Next was the rather large sum of the check. The letter said I was getting a $350 salary, why was the check so high? This smelled like an eBay buyer offering to send me a cashiers check for 3x the amount of the item to have me wire it back.
5. My first survey assignment was to do a funds transfer at Western Union, a method used for money laundering or to defraud individuals, but not for $10 or $20 which should be sufficient as a mystery shopper. I was asked to transfer nearly $1,500 plus fees! One of two outcomes happen here… I’m out the money when the check finally bounces or I’m a money mule in a larger money laundering scam (although this seems less likely after reading this).
6. Next was to shop at one of the companies listed, two of which don’t have their logos represented below (albeit Sears is listed and they do own K-Mart).
7. A request to call in to “activate the check” for payroll. The check as it stands would have been processed by my bank regardless, but I suspect if I would have called, they would have asked for standard payroll information (like a social security number) to steal my identity.
8. The terms “Secret Shopper” and “Mystery Shopper” are used interchangeably and in quotes or parenthesis signifying that you might not be doing those things.
9. There are a few typos and grammatical mistakes made in the letter, which strikes me as odd (even though our ability to communicate as a society in written form is degrading at an alarming rate).
10. The signature at the bottom doesn’t match the redacted name below.
11. The address and logo on the check does not match what is on the letter.
12. The “Administrative Office” address is actually an apartment building in Midtown Manhattan.
13. Their international head office is associated with fraud already.
14. The phone numbers are tied to a Canadian interchange (which actually matches the postage).
15. Most importantly, Google has never heard of this marketing company, which seems odd if they have the customers they claim to at the bottom of the letter.
16. And speaking of that, is there anything more generic than terms like “Midland Marketing Research” and “Consumer Survey Specialists”?

Unfortunately for these scammers, I didn’t fall victim and neither should you. The Internet gives you too many resources to research companies so don’t let the promise of free money fool you. Remember, TINSTAAFL!

Possibly Related Posts:

• Fun with Password Managers
• Facebook isn’t Professional Networking
• Implementation is Everything
• Cracking iOS Privacy
• Hardware Security, the New Frontier?

1. Using big data as an enabler for predictive security analytics (i.e., deriving security information powered by analytics across big data)
2. Securing the output of big data analytics on the business side (and possibly in infosec too)

After talking about some of the uses of Greenplum Chorus, it occurred to me that there was a third area that needs to be addressed: the security problem of using independent but diverse big data sets to arrive at the same conclusion (especially when that conclusion could be part of a larger corporate strategy). Let’s paint a picture to see if we can make this problem more concrete.

One Month in Singapore, by Enygmatic-Halycon

If you have ever seen social engineering in action (go read this book if you haven’t), you know that social engineers don’t directly ask you for all the information they need. If they did, you would be suspicious. Imagine for a moment if someone randomly on the street asked for your bank account number. Pretty suspicious, right? So instead, they build rapport, earn your trust (or the trust of others that you interact with), and ask for seemingly innocuous pieces of data that only when assembled gives them the information they were looking for.

I see Big Data analytics as being similar in that regard whereby missing data sets could be filled in to arrive at similar outputs. Depending on the data set(s) it’s reasonable to assume that macro trends will be represented in multiple, independent sets of data. So let’s say that you are using predictive analytics to determine where you will be investing in the next six months. The output would be pretty valuable to a competitor or an insider looking to make a quick buck by selling this information. You realize that someone might want to steal this information, so you protect certain data sets that allow you to arrive at your conclusions. But what if someone could fill in those protected data sets with other data sets and arrive at the same conclusion? Just like a social engineer, he could fill in the gaps with reconstructed data and maybe get close enough to know exactly where your investments are going to respond accordingly. This is especially true with data sets that are free (presumably lower quality) and ones that can be purchased or even leased.

Companies dipping their toes into the world of Big Data analytics are getting to the point where they know just enough to be dangerous. They don’t have the Data Scientist DNA built in to their companies, so they hire experts to analyze data. But the experts just see data, they don’t necessarily know (or care) about the value of the data or the conclusions derived from it. As companies start to tackle the use of predictive analytics across diverse data sets, they must understand the process of deriving value from big data and how to protect all aspects of the analysis. What’s especially important is understanding the other possible ways that conclusions can be reached in order to know where your exposure might be.

Possibly Related Posts:

• Where is your first line of defense?
• Why the Public Cloud Shuns Security
• Sir, Put Down the Loaded Weapon
• What’s your Maturity?
• There Are No BYOD Absolutes (You’re Doing It Wrong)

Until one goes off.

Prepare, by Photo Monkey

Then everyone flips their lid and its utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop up in daily discussions. Then when the newness wears off and no other incidents happen, people stop talking about it and go back to doing things the way they did living with the assumption that it was a black swan.

Until it happens again. Then we lather, rinse, and repeat.

Rob Sadowski has a great blog post entitled “Time to Push the Reset Button” that discusses recent events in our industry (go give it a read). There is one really great point that I’ve touched on before which is, “Why do you still feel the need to handle payment card (or other sensitive) data?” I remember one meeting sitting in front of a CIO from a very large company saying, “What business do you have operating a payment processor? You are a retailer! Your core competencies are marketing and supply chain!”

“B-b-b-but… we’ve always done it that way!” This post (same as above) details why that mentality doesn’t work anymore.

Most companies don’t handle risk management very well when it comes to information security because they can’t agree on a way to value data. It’s not entirely their fault, this process isn’t easy at all. Here in the US, some elements of breach recovery is public knowledge through regular SEC filings, but in many places it simply isn’t public. But here’s where risk managers screw up: they equate bits to dollars (somehow), therefore, they will make decisions and set policy using unreliable data.

Instead, risk managers should add a new variable to their formula: C, somewhere in the denominator of their formula (confidence). Large values of C mean we are supremely confident in our estimation of risk, therefore we reduce the unknown element to our formulas. Small values of C mean we really have no idea what we are doing, and it’s time to make it someone else’s problem (outsource). There are too many options available that are both cost-effective, and largely transparent to current business operations (with minor changes in nearly every case) that allow you to handle a plastic facsimile of the loaded weapon instead of the weapon itself.

Possibly Related Posts:

• Where is your first line of defense?
• Guest Post: Will the new QIR Program Move the Needle?
• Why the Public Cloud Shuns Security
• Top 10 PCI Requirements for Interpretation
• Big Data vs Social Engineering