Screen Shot 2015-09-01 at 13.59.12

Continuous Vulnerability Management: Security as a Baseline

Ask 100 security ‘professionals’ what vulnerability management is and at least half of them will begin with patching, another 25% will focus on vulnerability scanning and penetration testing, and the majority of the rest will start quoting the gamut of Risk Assessment to Business Continuity. I’m not saying they are wrong, but most will not be right enough.

If you accept this description as standard; “Vulnerability Management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware. Vulnerability Management is integral to computer security and network security.“, it’s no wonder that actually performing appropriate vulnerability management is a concept rife with misinterpretation and bad decisions.

The old adage; “You can’t manage what you can’t measure.”, while often incorrectly interpreted from the original work of W. Edwards Deming, is actually completely relevant in information security. Security is series of baselines / whitelists /  known-goods, and is only ever effective if it’s simple and repeatable. In other words, if you don’t have a point to measure security from, how can you possibly know if it’s enough, or too much?

Like every process in security, vulnerability management  is only as good as the context in which you place it, and ANY security process out of context from the underlying business goals is doomed to failure. Rightfully so. The vulnerability management controls you put in place relevant to your environment therefore go through the exact same process as every other control, from firewalls to outsourcing.

Step 1: Determine your business goals – in order to conduct an appropriate Risk Assessment (RA) and Business Impact Analysis (BIA)

Step 2: Conduct a gap analysis – to determine the shortfalls or over-extensions between current security capability and desired capability

Step 3: Fill the gaps – to the capability level determined by the BIA (accept residual risk)

Step 4: Determine appropriate baselines – for the management, maintenance and monitoring of the ‘new’ infrastructure/processes

Step 5: Place appropriate ISMS-esque controls – around the ongoing management, maintenance and monitoring of the new infrastructure/processes

Step 6: Develop appropriate mechanism for the decision making process – from responsibility / function, to scoring / rating, to mitigation, everything must be in-line with Step 1 in order to be effective and sustainable

Step 7: Determine all control inputs to the process – including – and certainly not limited to – patching, vulnerability scanning, penetration testing, code review (if applicable), logging, FIM, and so on…

Step 8: Determine all appropriate internal and external sources of threat intelligence  – from relevant vendors to paid-for services.

Step 9: Bring everything together into a Management capability – one with a specific charter and report structure.

Step 10: Re-examine every step for continued relevant and effectiveness – on a regular basis

If this sounds complicated, it’s likely that you don’t understand one or several of the steps. All aspects of security are simple, they have to be, and while is can be difficult to implement, that’s almost always because you are not asking the right questions. In any endeavour outside of your business’s core competencies, the trick is not to ask for what you think you need, it’s to ask for help from someone who KNOWS what you need.

You don’t tell your doctor you have a brain tumour, you tell them you have a headache a leave the diagnosis up to the expert.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

Screen Shot 2015-08-18 at 10.01.19

The Next Best Thing to Innovation?

…is the appearance of innovation.

Well, it certainly seems that way; Can’t sell services over the Internet? Call them The Cloud. Can’t sell Risk Assessments and Vulnerability Management? Call it Operational Resilience. Can’t sell data management and access control on mobile? Call it BYOD.

When it becomes clear that there is no-where left to go with your existing product or service, the appearance of innovation seems to be the go-to place for institutions staring down the barrel of obsolescence. Instead of working on their customer service, value-adds, or – God forbid – actually improving their offerings, too many organisations resort to smoke and mirrors to stay competitive.

And the worst part? We let them.

The payments sector is perfect target for this blog, especially given the fact that I know little else. Take these two examples from the last few month; There’s a New Way to Pay With a Selfie, and TD, MasterCard and Nymi Pilot Heartbeat-Authenticated Contactless Payments.

Where is the innovation here, we’ve had biometrics for years? The only thing new is the ability to actually bring the biometrics to bear, which is an advance in mobile technology, not payments. The payment itself  hasn’t changed, we’re still stuck with the same primary account number (PAN) being used by the same intermediaries (Acquirer, Issuer & Card Scheme), over the same systems we’ve had for decades. Even if you build in tokenisation with these systems they’re still mapped to a PAN in the back-end somewhere.

If you accept that a payment is just a transfer of value from one place to another, true innovation must involve the complete disintermediation of almost every player in the current ecosystem except the banks. Sure, there can be service provider intermediaries, but they will be providing true benefits to consumers and banks alike in the fields of identity management / authentication, anti-fraud, customer service, loyalty and reward programs, ratings and reviews, big data analytics and host of others services of which I can barely conceive.

To be worthy of the term ‘innovative’, any service or product offering must have the following attributes:

  1. Be of practical use, and not just theoretical
  2. Provide long-lasting benefit to all stakeholders
  3. Cannot knowingly stifle or exclude competition

For payments, there are a few more:

  1. Be available to the largest portion of the population possible (including those with disabilities)
  2. Be frictionless to the average consumer, or better yet, invisible
  3. Maintain appropriate confidentiality, integrity and availability of all underlying sensitive data, to meet – or exceed – all current legislation, regulation and best practices

Not one, or even ALL of these things at once should be too much to ask, but it’s never that simple. There will always be those existing players whose power and position can make some of these requirements all but impossible for newcomers. And the newcomers themselves rarely do themselves any favours; disruptive innovation, competitive advantage, and blatant greed all prevent true innovation from reaching the mainstream.

In payments, like most industry sectors, collaboration is the key to significant and beneficial change, and in a market worth tens of TRILLIONS of £/€/$, I would have thought there was enough to go around.

 

Screen Shot 2015-08-13 at 10.44.13

The Changing Face of Payment Card Fraud

According to the most recent Nilsen Report, in 2014 card fraud losses reached $16.31 Billion globally, up 19% over 2013. However, to put this into a better perspective, the average losses to fraudsters per $100 spent went up from $5.5c in 2013 to $5.7c, which in turn is up from $4.5c just 5 years ago.

This may not sound like a lot, but when the total payments volume driven by the major card brands was $23.78 TRILLION, the loss of tiny fractions of a percent per transactions translates to billions; $16.31 billion to be precise.

The biggest victim? That’s right, the US, who accounted for 48.2% of the gross fraud losses, but only generated 21.4% of the global purchase volume, giving them a loss ratio more than double that of the rest of the world (at $12.75 lost / $100 spent).

The causative factors are numerous, some of which are being addressed, some of which will only get worse BECAUSE the first ones are addressed;

  1. By far the biggest cause is the lack of EMV adoption in the US, where card counterfeiting accounted for almost 1/4 of all losses globally ($23.9%). This is particularly frustrating for regions where they have full EMV implementations, but fraudsters can just put transactions through US-based mag stripe terminals
  2. The US’s over reliance on predictive analysis anti-fraud techniques, which given its ‘back-office’ nature, is too little, too late. Besides, it’s only the larger merchants who can afford such measures
  3. US merchants have not embraced 3-D Secure to protect e-commerce transactions as they “care less about merchandise lost than they do shopping cart abandonment”. And it’s not just the loss of a single transaction, as an angry customer is unlikely to hurry back

Not that the rest of the world have anything to boast about, and seeing as the payment card industry will only expand over the next 5 years – which in itself quite ridiculous give the numerous alternatives-, the criminal gangs can be expected to double and re-double their efforts until unsecurable legacy transaction processes are finally replaced.

The only highlight in the entire Nilsen report – if you can call a loss a highlight – is that PIN-based ATM debit transactions were the lowest risk of all transaction types at only $1.3c lost / $100 spent. Which begs the question; Why on earth is the US implementing their EMV rollout with ‘chip & choice’, not ‘chip & PIN’? Why rely on just a more-secure-than-mag-stripe technology when 2-factor authentication is rapdily become a industry standard AND regulation?

The number of solutions to the challenges that are available today make the continued losses all the more frustrating; from mobile devices capable of multi-factor AND multi-mode (multiple instances of a factor) authentication, ‘enhanced positive data’ available from contextualised big data, to identity management techniques capable of adding reputational decisions to a given transaction, are all established products.

Seeing as over 2/3 of all Americans have a smartphone, even the simple and ubiquitous PIN has the capability of vastly reducing the continued fraud associated with magnetic stripe transactions. Integrate an out-of-band PIN authentication within existing acquirer transaction processes and the card data becomes almost meaningless.

Payment innovation will eventually make the current vulnerabilities a thing of the past, but why wait?

Screen Shot 2015-08-10 at 14.11.33

Biometrics vs. Passwords: A Fight No-One Can Win

Thanks to Apple Pay, then Samsung Pay, biometrics companies have seen a tremendous surge in consumer interest, to the point where they are now falling over themselves trying to be seen as the authentication standard that replaces the password.

No doubt the numerous breaches that were apparently the result of weak password authentication will have these same companies in a feeding-frenzy of finger-pointing and I-told-you-sos. This is more than a little inappropriate, as biometrics not only has some of the same weaknesses, it adds layers of complexity and risk far above those to which passwords are exposed: at least you can change a password.

If you take 1800s transportation as an analogy, the answer was not to breed faster and stronger horses. You repurposed what you had (including the horses), coordinated a huge array of other industries and innovations, and worked TOGETHER to build something exponentially better.

Authentication now finds itself at a crossroads, and like most things in the Digital Age, there is no one right answer. The only certainty is that it will be the mobile devices that will be at the center of taking payments and authentication innovations to the mainstream. If you can’t put your authentication mechanism on a smartphone it simply won’t be adopted.

One answer which is simple, and brings the benefit of using both passwords (in the form of customer PIN) AND biometrics (in all its forms) is now available. No single factor of authentication is enough, and each one has its strengths and weaknesses. By combining multiple factors, you not only negate the limitations of each, you ensure that security is significantly more robust. The whole, in this case, is much greater than the sum of the parts.

The longer the password is, and the more of them you have, the more difficult it becomes to keep track. But the simpler the password, the easier it is to crack. Biometrics is relatively more convenient, but is prone to false positives, and once known from a physical perspective, can never be changed. So each factor is not ideal by itself, but combining a simple password, like a PIN, with biometrics, device registration and geo-location, presents a much more resilient hurdle.

We believe that poor design can lead to overly complicated solutions, and authentication mechanisms are no exception. Making a payment should actually be simple, as it’s just a transfer of value from one place to another, it’s the fact that we have MADE them complicated that makes them unsecure.

The average consumer is used to entering a PIN or a password and their smartphones should now be able to take care of the rest in a way that they hardly even notice it happening. Only in this way can we achieve the security we need, with the convenience required to make implementation practical.

For the payments sector to build the next generation of consumer solutions, individual vendors need to stop focusing on themselves and be more collaborative.

[Ed. Written in collaboration with www.myPINpad.com]

Screen Shot 2015-07-20 at 10.45.37

Invisible Payments, Are They Real?

In short, yes, they WILL be, but like everything worthwhile there is a significant cost involved. In this case, the currency will be your identity, and the more invisible you want payments – or any transaction for that matter – to become, the more of your identity you will have to spend. In this case, there is a direct correlation between your identity, and your privacy.

First, what is an invisible payment? Seeing as Wikipedia hasn’t even got a listing yet, I’ll take a stab at defining what invisible payments are to me;

A payment can effectively be called invisible when there is limited to no interaction required by the payment initiator (consumer) to complete the authorisation and settlement of a transaction.”

Any fan of Star Trek has seen this in play for decades. When was the last time you saw Captain Kirk reach into his pocket for a 10 spot or a credit card? Did he have to use biometrics or a swipe card to get onto the bridge? Maybe, but we saw none of it, and that’s the point.

Imagine this scenario; You walk into Sainbury’s and pick up a basket, then walk up and down the isles choosing your items. Once you have finished shopping, you walk out to your car [optionally] without any further interaction whatsoever.

What was the process?

  1. As you walked in, any number of authentication mechanisms were at play; from smartphone proximity (NFC), to facial and/or gait recognition, to whatever biometric innovation comes next.
  2. Both the shopping carts and the baskets could be easily be fitted with fingerprint, vein, hand geometry recognition sensors in order to assign the subsequent basket contents to you.
  3. As you place items in the basket, they are scanned and optionally listed on your mobile device for a running total / loyalty benefits / instant coupons and the like.
  4. Walk through a final scanner into a bagging area, or just go straight to your car, either way your final tally is calculated and the funds directly charged to the payment option of choice. It’s up to you if you want to authorise the final payment with a PIN number and/or biometric on your smartphone.
  5. Everything you just purchased is now available on your home database for tracking of ingredients for a meal, expiration dates and so on.

While the majority of the technology behind this transaction is more in the realm of the Internet of Things (IoT), the payments aspect is an extremely simple form of Identity Management on smartphones. What’s more, all of this technology is available today, the only thing missing is the demand.

There will be 2 extreme camps to the above scenario; 1) Where do I sign-up!? and 2) Never in a million years!

Most of us will be somewhere nearer the middle, and it should be clear that the further you get in to the ‘sign-up’ camp the more of yourself you have had to share. When it comes to invisible payments – and IoT for that matter – the convenience described above came at a cost to your privacy. And until security catches up with technological innovation, that cost is seen by most to be too high.

That’s the demand I mentioned above, and while scenarios like this will be common place one day, we’re not quite there yet.