The Payment Card Industry Security Standards Council (PCI SSC) has released a draft version of the Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 to Qualified Security Assessor (QSA) companies.  This release was not made available to the general public as PCI SSC is still reviewing feedback from QSA companies and other participating organizations before the final version is released in November 2013.  The new PCI DSS 3.0 compliance requirements will go in to effect for all companies on January 1, 2015 but there are a few requirements defined in PCI DSS 3.0 that will not be required for compliance until July 1, 2015.

Sign: Changes Ahead

PCI SSC has categorized the changes for the standard into three types: Clarifications, Additional guidance and Evolving Requirements.  PCI SSC defines a clarification as a means to make the intent of a particular requirement clear to QSA’s and entities that must comply with PCI DSS.  Additional guidance provides an explanation, definition and/or instructions to increase understanding or provide further information or guidance on a particular topic being assessed.  Evolving requirements are changes to ensure that the standards are up to date with emerging threats and changes in the market and are new requirements for the most part.

In total there are a proposed 99 changes between the three types of changes, which were nicely defined in the document “PCI DSS 3.0 Summary of Changes” provided by the council.  The majority of changes, 71 to be exact, are clarifications followed up by 23 evolving requirements and 5 changes that fall under the “additional guidance” category.  This blog post provides a high-level overview of the proposed changes in the draft PCI DSS V3.0 and this overview is not specific to particular requirements.  Neohapsis will be releasing a series of blog posts dedicated to PCI DSS V3.0 that will explore individual requirement changes in great detail.

So enough setup, here are some key takeaways of high-level changes to PCI DSS Version 3.0.

Scope of PCI DSS Requirements

PCI SSC added some clarification around the responsibilities for defining scope for both the entity seeking compliance and the QSA performing the validation.  PCI SSC did a great job of clarifying the scoping process by providing examples of system components that should be included are part of the scope for a ROC assessment.  In addition to system components, the scoping guidance section contains requirements for capturing all purchased or custom developed applications that are being used within the cardholder data environment (CDE).  Compared to PCI DSS Version 2.0, this section of PCI DSS Version 3.0 has been broken out to be more descriptive as well as to display the details in a clearer manner to help entities better understand the scoping process.

Use of Third-Party Service Providers / Outsourcing

The use of third-party service providers to support an entity’s cardholder data environment (CDE) and the related PCI DSS validation requirements have not change that drastically.  All entities that fall under PCI DSS are still required to validate that each third-party service provider is PCI DSS compliant by obtaining a copy of their attestations of compliance (AOC) or by having their QSA assess the compliance status of each third-party service provider for relevant PCI DSS requirements..  However, the draft of PCI DSS Version 3.0 provides examples such as advising entities seeking PCI compliance to validate the IP addresses for quarterly scans if one or more shared hosting providers are in-scope for their  CDE.  Furthermore, entities seeking compliance are advised to work with service providers’ to ensure that contractual language between the two parties clearly states PCI DSS compliance responsibilities down to the requirement level.

Business-As-Usual (BAU)

The biggest change that I see in PCI DSS 3.0 is the emphasis on making PCI DSS controls part of “business-as-usual” (BAU) as compared to a moment in time assessment. To get this message across, the draft version of PCI DSS 3.0 provides several best practice examples for making PCI are part of BAU. These best practices are not requirements, but the council wants to encourage organizations to make PCI a part of BAI. The goal of this change in thinking is to get businesses to implement PCI DSS as part of their overall security strategy and daily operations.  PCI DSS is stressing that their compliance standard is not a set-it and forget-it mentality.

Some important areas in this new mentality focus on security processes.  For example, entities should be validating on their own that controls are implemented effectively for applicable businesses processes and related technologies.  Some specific examples related to this new mentality focus on antivirus definitions, logging, vulnerability signatures and ensuring that only appropriate services are enabled on systems.  With this new mentality, entities should look to take corrective actions when compliance gaps are identified so that PCI DSS compliance can be maintained at all times and not wait until their QSA comes to validate their compliance. When gaps are identified, implementation of compensating or mitigating controls may be necessary and should not be left open until the start of a QSA assessment.

Lastly in regards to BAU, the company seeking PCI DSS compliance should continue to have open dialog with their QSA throughout the year.  Good QSA companies will work with their clients to help ensure the right choices are being made in between ROC assessments.

Until Next Post

This is just one of multiple blog posts about upcoming changes in PCI DSS version 3.0.  Neohapsis will be releasing additional posts on more specific PCI DSS 3.0 requirements in the near future.  If you are required to be PCI DSS compliant then I would recommend having a talk with your QSA company to start planning and preparing for PCI DSS 3.0.  You are also welcome to reach out to Neohapsis as we have multiple QSA’s who are seasoned professionals who can address your PCI DSS and PCI PA DSS compliance questions.

Security is more than Technology

The security industry can get a bad rap by opinion writers when most of the news making headlines in tech security is about another hack or data breach.  CNet posted “Why the security industry never actually makes us secure” which states there are two hurdles between present day and a purposed security Nirvana.  The article stated “First, there’s the seemingly endless arms race between hackers and defenders, one that shows no sign of slowing anytime soon” and “Second, there’s the fact that attackers are–at least for now–much more motivated to get in than companies are to keep them out”.  I could not agree less with these two statements.

There seems to be a mentality in society that security must eliminate all risks forever and fit into a self managed box that costs next to nothing to make or purchase.  I do not think this is a solution that will be developed and not simply because that would put me out of work.  Society is evolving to a more interconnected web communicating over a public network that introduces new risks based on a shifted or expanding threat spectrum, depending how you look at it.  Security cannot be only evaluated in terms of technology and security can’t be solved by treating all risks the same.

Endless Arms Race

First, there is not an arms race between red and blue as that would imply new sophisticated tools are being created and used in attacks by the masses.  As shown in the recent Imperva report, recent hacks claimed by Anonymous were using open-source and off-the-shelf commercial tools of the trade as well relying on shear people power to turn door knobs in hoping for an opening.  In observing IRC chat forums and social media I see more of an activist movement that is introducing hacking as a form of social disruption around political and economical issues then a call to arms.

Depending on motives of an attacker(s) there may be some digital thieves sneaking into a side door per say but lately most of the real damage has come from hacktivists against what they have deemed evil entities.  Unless the majority of hacks are being hidden, which is possible, I don’t see these digital thieves needing to use advanced weaponry in exploiting web based applications, weak passwords techniques and patch vulnerability exploit.  These hacks make me believe part of the problem today is from companies trying to do more with less and not an endless arms race by hackers.

I do not mean to discount Stuxnet, the sophisticated worm presumably linked with government sponsorship, but the vast majority of the population does not need to worry about such a risk of attack.  Bruce Schneier suggested that Stuxnet took eight to ten individuals working for months to develop such an exploit that took advantage of a zero-day weakness.  For a hacker to create such a complicated espionage or sabotage tool would require advanced understanding in automated manufacturing system components just for development and not taking inconsideration time or expense for deploying the exploit.  These types of attacks are very relevant for some organizations and governments but do not need to be feared by all equally.

There has been advanced persistent threats on major industry and government entitles for some time to date but I can’t remember reading about one since Google and RSA, which evidence points to not be performed by the average hacker.

No Motivations to Defend?

Secondly to say that defenders of security at an organization are not as motivated is a ridiculous statement.  Companies that have sensitive data, whether credit card numbers to intellectual property, are motivated to keep this data secure for reasons from brand tarnish to legal liability.  Security is not only about motivation, although it doesn’t hurt; security is about defending your assets based on risk and implementing sound operations in preventative, development and incident management.  Depending on an attacker’s persistence and sponsoring ability for the hack, anyone can eventually become a victim as after all we are humans and not robots.

Many professionals in the security industry will say that it is not about how but when you will be breached.  People hear this phrase and automatically they believe it is true for their business or organization.  There will probably never be the same level of excitement for stopping an attack in the media as most of the incidents are not even reported or known outside a select group.  Combining a low public attention with false negative rhetoric will put a road block in front of you before even starting the fight.

Even with obstacles in the way companies are seeking to protect their data and brand more today than ten years ago.  I feel that there is plenty of motivation for most businesses to address security before the US politicians start adding to the conversation or maybe it is already too late.

Answer to Security

Many people want to turn security into a cowboy shooting a “rusty revolver” but this is only sensationalizing security more than building on fundamentals and efficient operations to protect assets.  The majority of security consultants I know are not cowboys but nerds and those plug n’ prey devices to block all danger do not nor will not exist.  Security doesn’t have to be rocket science for all cases and sometimes thinking simple with common sense will save you or an organization from being breached.

New risks and threats are always going to be in the future of technology as we build faster than we can secure; just think how long we would had to wait for smartphones in the workplace if security was priority number one.  I tell folks to break down security into the basic building blocks of technology and address security in operations through risk assessment, standard processes, relevant education and automation where appropriate.  I am truly amazed to see companies that span multiple continents but do not have a chief security officer as in the case when Sony was compromised.

There are many companies, some not so reputable, that are making a statement and living through technology that is publicly facing without being taken down or compromised by the Internet pirates.  As with those companies there are security professionals that strive to mitigate risk and know that security is ever changing with no one magic box that is going to protect every aspect of security in a complex international business world.  I am certain that there are many qualified Neohapsis security consultants that would be glad to talk with you about security, risk and helping you take secure ownership of technology.

Two Tasks to Help

IT operations and management need to understand the risk on business technologies based on varying threats which will vary based on industry sector and overall footprints  Gaining a perspective of an environment through a quantitative risk assessment allows for an entity to be proactive, defend strategically and respond swiftly should an incident arise.  I believe that security must come from a top down model with full support to security in environment, tools, accountability and education.

A key part of IT security needs to be a strong patch and vulnerability management process that covers full business model of applications and infrastructure systems.  A successful patch and vulnerability management process should become a route activity to operations where it is performed with little to no downtown; this is achievable I kid you not.  There has been a great focus in secure software methodologies over the last years with Microsoft’s Security Development Lifecycle and Building Security in Maturity Model that are constantly evolving with the culture of attacks to better protect applications from SQL injection and cross side scripting exploits to name some.

There are a few other factors that go into security besides a good patch and vulnerability management process and performing an annual risk assessment.  If you are seek more understanding in security for your business then reach out to our excellent Neohapsis knowledge base on security professionals.

Anonymous Tactics (from the attacks reported on by Imperva)

by J. Schumacher

Security professionals have been following the collective of Internet users calling themselves Anonymous for a few years now as they cause cyber mayhem to understand their tactics.  There were two well written publications in recent weeks that caught my eye, The New York Times “In Attack on Vatican Web Site, a Glimpse of Hackers’ Tactics” and Imperva’s “Hacker Intelligence Summary Report, the Anatomy of an Anonymous Attack”.  These articles shed light on how Anonymous takes a call to arms, recruits members, and searches for action.  After reading these articles I kept thinking about current state of the Internet and wondering about the future of Anonymous’ with the cyber pandemonium it creates.

Taking the Imperva report as factual, the collective group of Anonymous has an approximate 10:1 ratio of laypeople to skilled hackers, which I believe limits the sophistication of attacks. I say “collective”, as targets for attacks are not often given from above, but must be approved or agreed upon by the masses before being launched.  One very interesting note in Imperva’s report was that the attacks Imperva monitored in 2011 were not utilizing bots, malware or phishing techniques for exploit, but end users actively running tools or visiting special web sites to aid in the attack.  There was a high level of public recruitment through social media of Twitter and Facebook, which can also act to inform the victim before the attack hits properly.

The New York Times article mentions that the attack on the Vatican took 18 days to gain enough recruitment and automated scanning tools were used for reconnaissance on the Vatican virtual front during this time.  In this attack Anonymous was seeking to interrupt the International Youth Day by a certain date, but when that failed Anonymous changed tactics to widespread distribution of software for Distributed Denial of Service (DDoS) so they could to hit the Vatican with a thousand person attack.  There were mixed statements from Anonymous and Imperva (who was a contractor for Internet security monitoring) regarding whether any sites across the globe were truly taken offline for any amount of time.

I think that Rob Rachwald, Imperva’s director of security, was quoted best by The New York Times article as saying “who is Anonymous?  Anyone can use the Anonymous umbrella to hack anyone at anytime”.  However, I believe Anonymous has currently reached their collective peak and will never be the same as in its early 4chan or even the 2008 days.  However, by no means has the world heard the last of Anonymous, as people will be claiming affiliation to the collective “group” for a very long to come, and I believe it will also continue to evolve over time.  How this change takes place is going to be exciting to see as Anonymous claims an “ideas without leaders” mentality and relies on general public for consensus of missions.

Recently, an interesting report from Symantec also came out about how Anonymous affiliates were tricked into installing the Zeus Trojan by a Pastebin tutorial covering how to install and use one of the attack tools, the Low Orbit Ion Cannon (LOIC), to support in DDoS attacks.  Established Twitter handles for Anonymous contributors (YourAnonNews, AnonymousIRC, AnonOps) have tweeted that this was not done by Anonymous. But, with no leadership accountable (due to the collective nature of Anonymous), there is nothing to say whether this is a true, whether another entity is sabotaging Anonymous public fanfare, or if it was simply someone taking advantage of free publicity to trick users into installing malware.  Since what many call the start of Anonymous in 2008 (Scientology attacks), there have not been any other large scale compromises of the those supporting attacks through infected tools, but this new activity could hurt the future of Anonymous recruitment and public support.

Depending on whether this recent instance of infected tools was a fluke, I see the future of Anonymous involving with skilled hackers increasing through a Wild West collaborative of honing their talents, while keeping the true base of Anonymous as largely unskilled hackers.  The skilled will, at times, directly and indirectly work for entities (such as large scale crime syndicates as well as private entities) to whom they are lured by big pay for work that will never be reported in any news paper.  The skilled hackers will still participate in Anonymous causes, and they will also enable other Anonymous members (through writing attack tools, scripts or apps), while also keeping knowledge of their well paid exploits limited to a smaller private offshoot group.  These offshoots will put dedication into advanced exploits that require some financial backing to set up (such as servers for social engineering, injection data repository, proxies and bots) but these exploits will most likely never be communicated to the larger Anonymous collective or used for social causes of the masses but rather private gains.

At the same time though, the unskilled hackers, making up the majority of the group, are essential to Anonymous at large for bringing attention and support to causes, identifying weaknesses in networks, performing DDoS attacks and being a overall distraction and crowd to hide in. It seems bots will be unnecessary and replaced by humans where it is simpler.  A large army that is not connected (outside of the odd one-off message to a public forums or social media) provides for a large pool that the authorities must sift through in finding the dedicated Anon.  The collective group of Anonymous has showed support for many social causes, like the occupy movement and free speech outcries from proposed Internet legislation.  At the same time Anonymous seems to have very publicly promoted every hack and breach that has been reported since 2010 whether the data exposed was government, private industry or public citizens.

I like to think of myself as a practical, but at times wishful, person.  As I see it, the core ideology of the Anonymous’ movement is not going away, as their cause is not so much new as is the platform for their disobedience.  There are some basic controls that organizations can implement to protect themselves from a virtual protest, whether the risk is from DDoS attacks or exploits of un-patched public devices.  In the near term, I do not see a high probability of Anonymous becoming a super group of hackers that perform sophisticated attacks in the likes of Stuxnet. Nor do I see the possibility of a large scale take down of critical infrastructure.  There will always be a risk and sometimes possible threats to critical infrastructure through technology but this risk can be largely mitigated through proper assessment and mitigating controls.

Side note –

If the recent instance of infected tools will continue on other causes then I believe we have seen the end of wide support for Anonymous.  Distrust has always been a concern to involved members with very recent arrests across the globe for LulzSec. Anonymous will need to do internal damage control to prevent the collapse of the collective group and a public distrust in support for causes brought up by the Anons.  Even if hacking group Anonymous goes in a different direct the damage has been done and Internet society can never reverse the damage physiologically from the last 5 years.

As writing this post there was news coming out that a prominent member of Anonymous, Sabu, along with 5 others have been arrested by the FBI.  We will have more details once the dust settles a bit and all news sources can be processed, stay tuned.

Who owns and regulates MY Facebook data?

My previous post briefly described the data that makes up a user’s Facebook data and this post will try to shed light on who owns and regulates this data.

I am probably not going out on a limb here to say that the majority of Facebook’s registered users have not read the privacy statement. I was like the majority of users myself, in that I did not fully read Facebook’s privacy statement upon signing up for the service. Facebook created a social media network online, and there were few requirements previously defined for such types of business in America or the world. A lack of rules, combined with users constantly uploading more data, has allowed Facebook to maximize the use of your data and create a behemoth of a social media networking business.

Over time, Facebook has added features to allow users to self regulate their data by limiting others (whether Facebook users or general Internet public) from viewing certain data that one might want to share with only family or specific friends. This provided a user with the sense of ownership and privacy as the creator of the data could block or restrict friends and search providers from viewing their data. Zuckerberg is even quoted by WSJ as saying “The power here is that people have information they don’t want to share with everyone. If you give people very tight control over what information they are sharing or who they are sharing with they will actually share more. One example is that one third of our users share their cell phone number on the site”.

In addition to privacy controls, Facebook gave users more insight into their data through a feature that allowed a user to download ‘all’ their data through a button in the account settings. I placed ‘all’ in quotes because, while you could download your Facebook profile data, this did not include data including wall comments, links, information tagged by other Facebook users or any other data that you created during your Facebook experience. Combined, privacy controls and data export are the main forms of control that Facebook gives to their users for ownership of profile, pictures, notes, links, tags and comment data since Facebook went live in 2004.

So now you might be thinking problem solved; restricting your privacy settings on the viewing of information and downloading ‘all’ your information fixes everything for you. Well, I wish that was the case with Facebook business operations. An open letter by 10 Security professionals to the US Congress highlighted that this was not simply the way things worked with Facebook and third party Facebook developer’s operations. Facebook has reserved the right to change their privacy statement at any time with no notice to the user and Facebook has done this a few times, to an uproar from their user base. As Facebook has grown in popularity and company footprint, security professionals along with media outlets have started publishing security studies painting Facebook in a darker light.

As highlighted by US Congress in December 2011, Facebook was not respecting user’s privacy when sharing information to advertisers or when automatically enabling contradicting privacy settings on new services to their users.  Facebook settled with the US Congress on seven charges of deceiving the user by telling them they could keep their data private.  From my perspective it appears that Facebook is willing to contradict their user’s privacy to suit their best interest for shareholders and business revenue.

In additional privacy mishaps, Facebook was found by an Austrian student to be storing user details even after a user deactivates the service. This started an EU versus Facebook initiative over the Internet that put heat on Facebook to give more details on length of time data was being retained for current and deactivated users.  Holding on to user data is lucrative for Facebook as this allows them to claim more users in selling to advertising subscribers as well as promoting the total user base for private investor bottom lines.

So the next step one might ask is “who regulates my data held by social media companies?” Summed up quickly today, no one outside Facebook is regulating your data and little insight is given to users on this process. The governments of the US, along with the European Union, are looking at means of regulating Facebook’s operations using things such as data privacy regulations and the US/EU Safe Harbor Act.  With Facebook announcing their initial public offering of five billion USD there is soon to be more regulations, at least financially, to hit Facebook in the future.

As an outcome of the December 2011 investigation by the United States Congress, Facebook has agreed to independent audits by third parties, presumably of their choosing. I have not been able to identify details regarding the subject of these audits or ramifications for findings from an audit. Facebook has also updated the public statement and communication to developers and now states that deactivated users will have accounts deleted after 30 days. I have yet to see a change in Facebook’s operations for respecting their user’s privacy settings when pertaining to third parties and other outside entities – in fairness they insist data is not directly shared for advertising; although some British folks may disagree with Facebook claims of advertising privacy.

From an information security perspective, my ‘free’ advice to businesses, developers and end users, do not accesses or give more data than necessary for your user experience as this only brings trouble in the long run. While I would like to give Facebook the benefit of the doubt in their operations, I personally only give data that I am comfortable sharing with the world even though it is limited to friends.  In global business data privacy regulations vary significantly between countries, with regulations come requirements and everyone knows that failing requirements results to fines so business need to think about only access appropriate information and accordingly restricting access.  For the end user, or Facebook’s product, remember that Facebook can change their privacy statement at their leisure and Facebook is ultimately a business with stakeholders that are eager to see quarter after quarter growth.

I hope this post has been insightful to you; please check back soon for my future post on how your Facebook data is being used and the different entities that want to access your data.

Anonymous Releases FBI and UK Conference Call Recording

This past Friday (February 3, 2012) Anonymous released a call recording regarding an assumed confidential conference call between two FBI field offices and a official UK investigation office regarding status on Anonymous, AntiSec, Lulzsec and other splinter cyber groups.  It was released on ThePirateBay, YouTube and Pastebin, and  from the Pastebin posts, the conference call appears to have been related to a meeting invite for a call on January 17, 2012 that was sent on January 13, 2012 to nearly 50 people from France, UK, Netherlands, Ireland, Germany, Sweden and hosted by US to coordinate internationally.  The posts were made by anonymous as part of their #FFF (F@$K FBI Friday) releases which has been going on almost regularly for over a year now.

It is unclear through YouTube audio if the call was from January 20, or a more recent conference call between the governments.  I think that this was probably only released because the hacking groups found no more use in that bridge number.  In listening to the call, one can gain insight into the global workings of the fight against cyber crime, as two current cases were lightly discussed. Insight was also sought regarding other persons of interest concerning breaches reported to government authorities.  I found the lack of care around people joining the call interesting as I could hear the extra beep that was missed by the call parties and I assume it was ‘Anonymous’ recording the call.

Few facts can be gathered around how anonymous gained the electronic invitation for the meeting.  After the Pastebin post with conference bridge call number and password, it does not seem that the conference system or software was hacked to gain access for the call.  One might assume that an email account or system on the distribution list could have been compromised to gain the conference details or some form of social engineering was used in the attack.  Either way, anonymous has again provided a reason for government and private industry to rethink their communication processes for distributing sensitive call meetings.  In future calls, I would think that every time the system beeps for a new attendee on the call there will be a stop to ask who had just joined the conference, especially when discussing active investigations or sensitive information.

While there is a need to share passwords for conference calls it is important to mitigate any risk in the process to overcome the shared password.  Typically this is done on conference calls by paying a very close attention to people joining the call and stopping conversation when the system makes a beep for a new participant joining the call.  If the conference call is of sensitive or classified information then the call should be halted or stopped if all parties are not able to be identified on the conference system.

Also, all parties need to read The New York Times article about board rooms being open up to hackers through weak implementation security as it has some relevance here.

What Makes Up Facebook Data?

This is the first post in our  Social Networking series.

My guess is that you would not simply give a person that knocked on your front door or approached you in the street most of the data Facebook collects in your profile. Facebook profile data consists of many things, including your birth date, email, physical address, current location, work history, education history and additional information you input for activities, interests and music (interestingly much of this can be used for identity theft…) In addition to your profile data, any installed or authenticated Facebook applications have access to your wall posts and list of friends as well as any other data that is shared with “Everyone”.

As Facebook adds new features, the data included in your face book profile has probably crept to include other data of uploaded pictures, application usage and history, tags in posts or pictures. Facebook will always be looking for ways to collect more of your data as YOU are their product. Your data, data of friends and data of everyone else on Facebook is where Facebook collects their profit and, as with most businesses, profits need to increase through expanding markets and giving access to their product.

The data collected by Facebook on you can also include cookie tracking by Facebook even when you are not explicitly on their website.  Facebook heard much uproar from the user community when a security researcher in September 2011 [link] discovered Facebook was even tracking users that had gone as far as deactivating their accounts! Facebook could then track all web history even through web sites that are not related to Facebook activities in any way.

You do have the ability to limit data on Facebook and make sound decisions on what personal data you do decide to submit to Facebook (friends are another matter). Inherently by using Facebook for the ‘free’ services, you are going to lose some control of your information you share with friends. There are a few important factors that you should think about in dealing with social media and my next post will shine some light on who actually owns and regulates your data within Facebook; stayed tuned and feed back is always welcome.