PCI – Going Beyond the Standard: Part 25, Now Do It All Over Again…

…or better still, keep doing what you’ve learned, all day every day.

This is the final post in my ‘Going Beyond the Standard’ series – HURRAH!! – and hopefully despite all of the spelling mistakes, grammatical errors, left-field rants, and miscellaneous off-topic diatribes that you have derived some benefit from it.

Timing is pretty good as well, seeing as the SSC came out with their Information Supplement: Best Practices for Maintaining PCI DSS Compliance, and I will say that I have to agree with the majority of its content. However, reading a book on emergency appendectomies does not make me a doctor, so when it comes to the implementation of the ‘staying compliant’ concepts, have an expert help you.

It takes someone very skilled to make things simple, do not half-arse your security.

There is nothing in PCI that you should not already be doing around all of your sensitive data, and there are no validation requirements that should fall outside of standard practices. In fact, you should be validating EVERY day, not once a year, and the only way to do that is to baseline everything and report against exceptions.

I previously used this ridiculous analogy; If every PCI requirement was a tennis ball, you could very easily carry them all from a weight perspective, but it’s impossible to hold them all together without some kind of container (Tennis ball = DSS Requirements, Container = Security Program). In other words, the requirements themselves are basic, but completely out of context from an ongoing management, business, or even good security practice perspective.

The reason PCI becomes so difficult to maintain is because security in general is too often seen as an IT project and not what it is; a business process. The only time it gets the attention it deserves is when there’s a problem, which is already too late.

When I started my own business, and when I began this blog, it was with the following premise; “Security Is Not Easy, But It Can Be Simple.” Yet every business for whom I have ever provided guidance were basically making a pig’s ear of it, and it always revolves around a lack in at least one, but usually all of the The 4 Foundations of Security.

The way I have always phrased it is; “If my boss does not care about something, guess how much I care about it?”, which is why I have made this statement several times now;

Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEOs fault, and no-one else’s.

So if you get nothing out of this series of 25 blogs, take that away and do what you can to help them change the culture to one of accountability and responsibility across the entire organisation. It will pay dividends.

Hope you enjoyed the series, and I would welcome any guest blogs that either expand on the concepts on the subjects on which I am weakest (encryption, coding, charm, spelling etc.) or are better than mine if it’s a subject in which you are an expert.

There is no room for ego in security, everyone has to win.

Apple Pay, This is NOT Innovation!

So Apple have finally adopted NFC, huh?  Big deal, Samsung have partnered with Visa and MasterCard to promote NFC for over a year, and included NFC chips in their devices long before that.

Apple’s wallet provides you options to choose which credit card you want to use. CREDIT CARD?! REALLY?! How is that innovation in payments?! The whole point of mobile payments is that you don’t need a branded card to make a payment, at least it should be the point!

Payments has been, and will always be, just an exchange of stored value for a service or product whose value is, in turn, entirely arbitrary. e.g. I work for an entire week for a value I have agreed with my employer, and I am now going to buy a designer suit for the same ‘price’. The fact that the suit was made for a fraction of the ‘cost’ I paid for it is why its value is arbitrary; because regardless of the price, I agreed to it.

So what have Apple done differently? You can now authenticate the payment with your fingerprint. Seriously? People barely trust the fingerprint to log into their phones, let alone authenticate a payment. And seeing as the value of the contactless transaction is set below £20 (for the UK) and authentication is not required at ALL, why would you add an extra step?

I can tell you now that the credit card brands will not accept biometrics any time soon to replace EMV for higher transaction values when even software PIN (as opposed to hardware) is still rejected. Couple the fact that Apple’s global market share for phones is less than 12%, with the US being their only viable new market (who love their credit cards), and you have a completely empty offering.

But, you may say, Apple has 800 million iTunes users! Irrelevant, because there are nowhere near 800 million iPhones in use. From their initial inception way back in 2007, Apple sold their 500 millionth iPhones in June 2014. That’s total sales, all models, in seven years. Estimates suggest that there are less than 300 million in use globally, compared to a total of 1.75 billion smartphones.

On top of Apple’s minimal – and shrinking – market share, the transition of credit card payments to direct bank account payments through a mobile device has, through necessity, started small. Security is absolutely an issue, which is why the back-end wallets generally consist of credit cards, which handle the fraud / loss liability. With your bank account, it’s YOUR money, and the banks have yet to accept the liability for loss though mobile apps. When they do, the card brands will have no benefit and the transition to mobile will accelerate.

So why DON’T the banks provide this function themselves? Because they make money from credit cards, plain and simple, and it will be a tough sell to charge the fees they do now when accessing your own funds, even if they do provide a ‘fraud resistant’ service. Besides, the money from credit cards is not from the cards themselves, it’s on the interest you pay for your LINE of credit, so the poor banks can still make their squillions. That’s a relief.

Besides, people take their phones for granted, just as they do water coming out of the tap (I know, 1st world problems), and people simply do not see the issue with continuing to use plastic, so how will the mass adoption of mobile payments really take off? Simple; value-add services and guaranteed security.

Value-Add Services: Retailers are the only ones who can make this happen, not phone companies, not card brands, and certainly not the banks, For retailers to make the enormous investment required to change from a credit card infrastructure to mobile / hybrid there needs to be a clear positive effect on the bottom line. Unfortunately, with the ridiculous number of choices related to loyalty schemes, instant coupons, e-wallets and so on, no retailer knows which to back.

Guaranteed Security: The reason credit cards still eclipse mobile payments is because if you use a credit card you are not liable for fraud, the issuer is. The so-called liability shift. If you take out this middle-man, who accepts the risk? The retailers? The bank? The mobile app service providers? Someone has to, because you can be damned sure it won’t be the consumer.

Which brings us to only relevant thing to come out of Apple’s announcement; NFC is now the technology of choice. All we need now is the consolidation of every other service, someone to acceptance the inevitable losses, and mobile payments can come into its own.

Yeah. Right.

PCI – Going Beyond the Standard: Part 24, Disaster Recovery (DR) & Business Continuity Management (BCM)

You may be wondering why I would put this after Governance seeing as that seems to bring everything together, and you may also be wondering why I did not included Disaster Recovery (DR) in the same post as Incident Response (IR) which everyone else always does.

They would be good questions, and my reasoning is relatively simple; You cannot HAVE Business Continuity Management (BCM) without Governance so that must be formalised first, DR represents the detailed processes summarised in the BCM, and IR is the feed INTO the DR/BCM, not the output from it.

To put it another way; the Business Continuity Plan (BCP) details what must be done, in what order, and how quickly to save the business, DR puts that plan into effect, and IR would have uncovered the inciting incident that brought both the BCP and DR plans into play in the first place.

Assuming that made any sense, the question is; What if I don’t HAVE a BCP?

I am surprised every time I ask a client for a BCP and don’t get one. Mostly because I’m not too bright, but partly because it makes absolutely no sense to me that ANY organisation in any industry sector, anywhere in the world would not make such a simple effort to help themselves STAY in business. While both DR and BCP represent what amounts to contingency planning and will hopefully never have to be invoked (assuming your IR is top notch of course), NOT having a plan is nothing short of irresponsible.

There are several well known standards related to Business Continuity, and for obvious reasons they encompass more than just IT systems:

  1. ISO 22301:2012: Societal security — Business continuity management systems – Requirements
    o
  2. ISO 22313:2012: Societal security — Business continuity management systems – Guidance
    o
  3. ISO/IEC 27031:2011: Information security – Security techniques — Guidelines for information and communication technology [ICT] readiness for business continuity
    o
  4. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
    o
  5. ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems

Unfortunately the ISO stuff will set you back a few hundred quid, so start with the NIST / ANSI stuff to ge yourself familiar enough with the concept to at least ask the right questions.

For DR, start with mapping out all of your business processes and asset dependencies. If you don’t know how things fit together, you’ll have no idea how to put them back in place. Clearly, if your asset management processes are not robust, you can’t even begin the mapping process, so get that done first.

Once you have mapped out your business processes, it’s a relatively simple task to organise all of your procedural documentation into how you reestablish all the moving parts. You have all that, right? So whether you have full redundancy in all things, hot swap, warm spares or a whole host of other DR clichés, how you get your systems back online boils down to a series of easily followed instructions.

From an IT perspective, all the BCP plan does is tell you in which order to bring those systems back online and in what timeframe. It should be needless to say – but it isn’t – the plan and all of its moving parts must be tested on an annual basis or even explicit instructions cannot get the response times to an optimal state.

No aspect of security should be performed half-arsed, DR and BCP processes are no exception. Even within the field of security BCP is a speciality, and making the plan simple and appropriate is a talent more than a skill. Expect to pay a lot for these services but rest assured it is money well spent.

PCI – Going Beyond the Standard: Part 23, Governance

Over the course of the last year the word ‘Governance’ appears in no fewer than 26 of my 130-odd posts, and if you have read any of those posts you know how many times it appears in the PCI DSS v3.0.

Not once

Going beyond the standard therefore is clearly very simple. HAVE governance and you’re way ahead of the game.

It does however get mentioned in the ‘Information Supplement: Best Practices for Maintaining PCI DSS Compliance‘ released August 2014, when they refer to an “overarching security framework”. You’ve all read that right?

They of course mention the usual suspects; CoBIT, ITIL, ISO 2700 series, and NIST, but quite rightly leave the choice and detail up to you, as well as make the most sensible statement I’ve seen yet coming out from the SSC officially;

Integrating PCI DSS controls into a larger, common set of security controls is often the easiest path to ongoing PCI DSS compliance. Overarching security frameworks allow security teams to focus on a single target rather than trying to accommodate multiple (and sometimes conflicting) sets of requirements. It also provides for a common set of terms and metrics that can help avoid confusion when articulating security and compliance strategies to key stakeholders. When PCI DSS is integrated into an organization’s overall risk-based security strategy, it makes it easier to incorporate specific PCI DSS activities into the normal day-to-day operations of the security team. This, in turn, helps to ensure these activities are conducted on a regular, ongoing basis, which can make maintaining PCI DSS compliance a much more manageable task.

But who manages this? There are no governance frameworks that will work without a governance FUNCTION.

The IT Governance Institute’s definition is: “… leadership, organizational structures and processes to ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

Or to put it my way: “The business side and the IT side having appropriate conversations.” Sounds trite, but this is exactly what is missing in most organisations where the business side dictates the immediate goals while the IT side is left working tactically without any concept of where their actions fit into the whole; i.e. the business’s goals.

But it’s not always the business side’s fault, the IT departments in a lot of organisations start with saying no and work their way up from there. This gives them the reputation of being business-blockers and everyone in their right mind will work around those if they want anything done.

Regardless of fault – there is no room for the blame-game in security – this is easily resolved if both sides place nice and set up some form of governance function. Call it what you will, but it is responsible for the following;

  1. Business Continuity Management / Plan – As representatives of [almost] all departments, the governance function will be responsible for the development and maintenance of the business continuity processes, which will be owned and ratified by the CEO / BoD.
    o
  2. Risk Assessment / Business Impact Analysis – it is up to the governance function to ensure that the frequency, scope, and analysis of the RA / BIA processes are in-line with the business goals as handed down by the CEO / BoD
    o
  3. Vulnerability Management / Risk Register – Unless the function of analysing risk and putting some form of prioritised remediation plan in place is centralised, you can never implement appropriate security.
    o
  4. Change Control – Number 4 on my list, but EXTREMELY important! As I’ve said many times; If nothing in your environment changes, the only way risk can increase is by a change to the external threat landscape. Your vulnerability management process should take care of the external stuff, which, by strange coincidence, is also managed by governance.
    o
  5. Vendor Due Diligence / Technology Purchases – Tack-on requirement, but my OCD doesn’t allow for only 4 bullets. That said, both of these item have critical security implications and should have governance oversight.

The composition of the governance function, their charter, and their ongoing processes cannot be dictated by any framework or standard, and must be entirely suited to the organisation in question. Industry sector, political / geographical region, culture and so on all have influence on the final result, so this is not something I can address in a blog.

As usual, I will end this with an ‘if you don’t have the skill-set in-house, go find it’ comment, but when it comes to the development and maintenance of a good security program, nothing has more overarching influence and benefit than governance done well.

‘Simple and appropriate’ is the mantra here, like it is in all things related to information security.

A Life Without Regrets is a Life Without Mistakes

Or to put it another way; a life without trying much of anything new.

Just to clarify; I’m not saying it’s a bad thing to be content with your lot in life, and not wanting to try new things. In fact, I almost envy those people actually.

Almost.

But if you accept this as the definition;

REGRET
verb
1. feel sad, repentant, or disappointed over (something that one has done or failed to do).

…then it’s fairly clear – to me anyway – that if you don’t have any regrets, then you have either not done much, or you have no remorse for the bad things you did do. And we have ALL done something bad to someone at some point.

So the cliched advice to ‘live your life without regrets’ is frankly impossible if your existence is even remotely eventful. No-one is perfect, no-one gets everything they have ever wanted, and not every failure in life can be tacked up to a mere ‘disappointment’.

Not only have we all done things we wish we hadn’t (even if takes years to realise it), we have also likely had many instances of wishing we HAD done something but now it’s too late. If neither of these are true for you, what the Hell HAVE you been doing with your time? Living a perfect life? Lucky you, but for the other 99.9999…% of the population we are left dealing with consequences.

But here’s the rub; I’m not only glad I have regrets, but I actually look forward to collecting more, because it means I’ve put myself out there and I have been in positions to make decisions I can regret.  I have lived a relatively unspectacular life and have hundreds of regrets, all of which were experiences I would not trade for anything.

I am what I am now because of my mistakes and my successes, and am therefore defined not only by all of the good I’ve done, but by those regrets. Basically they make me human, they make me real.

For example; I’m at this moment happily married (my wife might not be), have a job that is ridiculously cool, loving family / friends, and enough money. But all of this was built on the foundations of countless train-wreck relationships, disastrous career moves, and a great deal of pain. My own, and the pain I’ve caused others.

To have no regrets now, or in the future, suggests that I have everything I want (I don’t), that I’m not sorry for some of the things I’ve done (I am), and that I will make no more mistakes for which I WILL be sorry down the road (I undoubtedly will). It means that I’m moving forward, I’m exercising my ‘…right to life, liberty and security of person.’ and that I will always accept responsibility for my mistakes.

But I’m proud to say that I have NO regrets based on unfulfilled wishes, mine are all based on things I didn’t do, did do, or on goals I have failed to reach [yet]. There is no room for fantasy or ‘if-onlys’ in a life of accountability and one well lived.

On the balance, I have a GREAT life, and I already know what my next regret is going to be; tomorrow’s hangover! :)