PCI – Going Beyond the Standard: Part 25, Now Do It All Over Again…

…or better still, keep doing what you’ve learned, all day every day.

This is the final post in my ‘Going Beyond the Standard’ series – HURRAH!! – and hopefully despite all of the spelling mistakes, grammatical errors, left-field rants, and miscellaneous off-topic diatribes that you have derived some benefit from it.

Timing is pretty good as well, seeing as the SSC came out with their Information Supplement: Best Practices for Maintaining PCI DSS Compliance, and I will say that I have to agree with the majority of its content. However, reading a book on emergency appendectomies does not make me a doctor, so when it comes to the implementation of the ‘staying compliant’ concepts, have an expert help you.

It takes someone very skilled to make things simple, do not half-arse your security.

There is nothing in PCI that you should not already be doing around all of your sensitive data, and there are no validation requirements that should fall outside of standard practices. In fact, you should be validating EVERY day, not once a year, and the only way to do that is to baseline everything and report against exceptions.

I previously used this ridiculous analogy; If every PCI requirement was a tennis ball, you could very easily carry them all from a weight perspective, but it’s impossible to hold them all together without some kind of container (Tennis ball = DSS Requirements, Container = Security Program). In other words, the requirements themselves are basic, but completely out of context from an ongoing management, business, or even good security practice perspective.

The reason PCI becomes so difficult to maintain is because security in general is too often seen as an IT project and not what it is; a business process. The only time it gets the attention it deserves is when there’s a problem, which is already too late.

When I started my own business, and when I began this blog, it was with the following premise; “Security Is Not Easy, But It Can Be Simple.” Yet every business for whom I have ever provided guidance were basically making a pig’s ear of it, and it always revolves around a lack in at least one, but usually all of the The 4 Foundations of Security.

The way I have always phrased it is; “If my boss does not care about something, guess how much I care about it?”, which is why I have made this statement several times now;

Let’s be very clear; The CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [enter any goal here], it’s the CEOs fault, and no-one else’s.

So if you get nothing out of this series of 25 blogs, take that away and do what you can to help them change the culture to one of accountability and responsibility across the entire organisation. It will pay dividends.

Hope you enjoyed the series, and I would welcome any guest blogs that either expand on the concepts on the subjects on which I am weakest (encryption, coding, charm, spelling etc.) or are better than mine if it’s a subject in which you are an expert.

There is no room for ego in security, everyone has to win.

PCI – Going Beyond the Standard: Part 24, Disaster Recovery (DR) & Business Continuity Management (BCM)

You may be wondering why I would put this after Governance seeing as that seems to bring everything together, and you may also be wondering why I did not included Disaster Recovery (DR) in the same post as Incident Response (IR) which everyone else always does.

They would be good questions, and my reasoning is relatively simple; You cannot HAVE Business Continuity Management (BCM) without Governance so that must be formalised first, DR represents the detailed processes summarised in the BCM, and IR is the feed INTO the DR/BCM, not the output from it.

To put it another way; the Business Continuity Plan (BCP) details what must be done, in what order, and how quickly to save the business, DR puts that plan into effect, and IR would have uncovered the inciting incident that brought both the BCP and DR plans into play in the first place.

Assuming that made any sense, the question is; What if I don’t HAVE a BCP?

I am surprised every time I ask a client for a BCP and don’t get one. Mostly because I’m not too bright, but partly because it makes absolutely no sense to me that ANY organisation in any industry sector, anywhere in the world would not make such a simple effort to help themselves STAY in business. While both DR and BCP represent what amounts to contingency planning and will hopefully never have to be invoked (assuming your IR is top notch of course), NOT having a plan is nothing short of irresponsible.

There are several well known standards related to Business Continuity, and for obvious reasons they encompass more than just IT systems:

  1. ISO 22301:2012: Societal security — Business continuity management systems – Requirements
  2. ISO 22313:2012: Societal security — Business continuity management systems – Guidance
  3. ISO/IEC 27031:2011: Information security – Security techniques — Guidelines for information and communication technology [ICT] readiness for business continuity
  4. NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
  5. ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems

Unfortunately the ISO stuff will set you back a few hundred quid, so start with the NIST / ANSI stuff to ge yourself familiar enough with the concept to at least ask the right questions.

For DR, start with mapping out all of your business processes and asset dependencies. If you don’t know how things fit together, you’ll have no idea how to put them back in place. Clearly, if your asset management processes are not robust, you can’t even begin the mapping process, so get that done first.

Once you have mapped out your business processes, it’s a relatively simple task to organise all of your procedural documentation into how you reestablish all the moving parts. You have all that, right? So whether you have full redundancy in all things, hot swap, warm spares or a whole host of other DR clichés, how you get your systems back online boils down to a series of easily followed instructions.

From an IT perspective, all the BCP plan does is tell you in which order to bring those systems back online and in what timeframe. It should be needless to say – but it isn’t – the plan and all of its moving parts must be tested on an annual basis or even explicit instructions cannot get the response times to an optimal state.

No aspect of security should be performed half-arsed, DR and BCP processes are no exception. Even within the field of security BCP is a speciality, and making the plan simple and appropriate is a talent more than a skill. Expect to pay a lot for these services but rest assured it is money well spent.

PCI – Going Beyond the Standard: Part 23, Governance

Over the course of the last year the word ‘Governance’ appears in no fewer than 26 of my 130-odd posts, and if you have read any of those posts you know how many times it appears in the PCI DSS v3.0.

Not once

Going beyond the standard therefore is clearly very simple. HAVE governance and you’re way ahead of the game.

It does however get mentioned in the ‘Information Supplement: Best Practices for Maintaining PCI DSS Compliance‘ released August 2014, when they refer to an “overarching security framework”. You’ve all read that right?

They of course mention the usual suspects; CoBIT, ITIL, ISO 2700 series, and NIST, but quite rightly leave the choice and detail up to you, as well as make the most sensible statement I’ve seen yet coming out from the SSC officially;

Integrating PCI DSS controls into a larger, common set of security controls is often the easiest path to ongoing PCI DSS compliance. Overarching security frameworks allow security teams to focus on a single target rather than trying to accommodate multiple (and sometimes conflicting) sets of requirements. It also provides for a common set of terms and metrics that can help avoid confusion when articulating security and compliance strategies to key stakeholders. When PCI DSS is integrated into an organization’s overall risk-based security strategy, it makes it easier to incorporate specific PCI DSS activities into the normal day-to-day operations of the security team. This, in turn, helps to ensure these activities are conducted on a regular, ongoing basis, which can make maintaining PCI DSS compliance a much more manageable task.

But who manages this? There are no governance frameworks that will work without a governance FUNCTION.

The IT Governance Institute’s definition is: “… leadership, organizational structures and processes to ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.

Or to put it my way: “The business side and the IT side having appropriate conversations.” Sounds trite, but this is exactly what is missing in most organisations where the business side dictates the immediate goals while the IT side is left working tactically without any concept of where their actions fit into the whole; i.e. the business’s goals.

But it’s not always the business side’s fault, the IT departments in a lot of organisations start with saying no and work their way up from there. This gives them the reputation of being business-blockers and everyone in their right mind will work around those if they want anything done.

Regardless of fault – there is no room for the blame-game in security – this is easily resolved if both sides place nice and set up some form of governance function. Call it what you will, but it is responsible for the following;

  1. Business Continuity Management / Plan – As representatives of [almost] all departments, the governance function will be responsible for the development and maintenance of the business continuity processes, which will be owned and ratified by the CEO / BoD.
  2. Risk Assessment / Business Impact Analysis – it is up to the governance function to ensure that the frequency, scope, and analysis of the RA / BIA processes are in-line with the business goals as handed down by the CEO / BoD
  3. Vulnerability Management / Risk Register – Unless the function of analysing risk and putting some form of prioritised remediation plan in place is centralised, you can never implement appropriate security.
  4. Change Control – Number 4 on my list, but EXTREMELY important! As I’ve said many times; If nothing in your environment changes, the only way risk can increase is by a change to the external threat landscape. Your vulnerability management process should take care of the external stuff, which, by strange coincidence, is also managed by governance.
  5. Vendor Due Diligence / Technology Purchases – Tack-on requirement, but my OCD doesn’t allow for only 4 bullets. That said, both of these item have critical security implications and should have governance oversight.

The composition of the governance function, their charter, and their ongoing processes cannot be dictated by any framework or standard, and must be entirely suited to the organisation in question. Industry sector, political / geographical region, culture and so on all have influence on the final result, so this is not something I can address in a blog.

As usual, I will end this with an ‘if you don’t have the skill-set in-house, go find it’ comment, but when it comes to the development and maintenance of a good security program, nothing has more overarching influence and benefit than governance done well.

‘Simple and appropriate’ is the mantra here, like it is in all things related to information security.

PCI – Going Beyond the Standard: Part 22, Compliance Validation

This is often where an assessment starts going truly pear-shaped. Mostly because of assumptions, but a large chunk of what makes validation of compliance so difficult is the lack of mechanisms to make it anything other than a manual process. There is no requirement for automation in PCI, so going beyond the standard is very simple.

First, let’s start out with the worst assumption; that sampling is a right. It’s not, it’s a privilege, and one you have to earn. Until you can show your assessor that you have ALL of the following in place, sampling isn’t even an option:

  1. Formalised, and Robust Configuration Management – Unless you can show that you have a VERY good handle on configuring ‘like systems’ in an identical fashion, sampling cannot be performed. All web servers, app servers, DB servers etc must start out exactly the same. From installation from a known-good base image, to configuration of applications, to testing through change control prior to promotion into production, there is no room for ad hoc here.
  2. Centralised Management and Maintenance –  You must be able to show your QSA that you have the ability to KEEP your like-systems identical, so if you have a centralised console where this can be displayed, so much the better. WSUS for Windows, or CiscoWorks for Cisco network devices for example, can centrally display pretty much all you need to know about the systems. OS, version, patches and so on.
  3. Centralised Logging and Monitoring – An extension to management, log baselines, like-system thresholds, and incident response etc. must be centralised or every different monitoring process must be examined individually.

Of the three facets above, PCI does not require any of them to be centralised, not even logging, so if none of these things are in place, there is no sampling.

An operating system has 12 validation points (access control, password setting, logging and so), applications have 9, and a DB has 7. In theory, a single system could require 28 separate pieces of evidence to validate its compliance.

What if you had a 100 of these systems?

I have expounded many times the concept of security being simple, not easy, but simple. Well, there is no simple without centralisation, and it’s VERY difficult to achieve simple without some form of automation.

For PCI, a screen shot of the AV [for example] settings will suffice, but this can involved the collection of MANY screenshots. How much better to have a centralised management station that shows these settings against all systems in one place? The same applies to logging, access control mechanisms, FIM, running services / listening ports (i.e. configuration standards) and almost every other validation requirement at the system level.

In the hundreds of assessment with which I have in some way been involved, I would estimate that between 25% and 40% of an assessment’s effort is related to gathering of validation evidence. That’s in year one, it’s actually greater in subsequent years, but the effort to get to the point of validation SHOULD have been less.

But that’s really the point here, and the point of the SSC’s recent supplemental on staying compliant; if you treat validation of compliance as a project, you are wasting a significant amount of resources AND you are no closer to actually being secure.

Compliance requires no automation, but without it you have no continuous compliance validation. PCI requires no centralisation, but without that you simply cannot manage what you have efficiently and effectively.

Validation is easy when your security program is simple, because the management of your program is simple. Spending weeks collecting evidence for compliance could not be a more ridiculous use of your time.

Simple is cheaper, more efficient, easier to manage and measure, and above all, more secure. Validation of compliance falls out of the back of a security program done well, so work on that first.



PCI – Going Beyond the Standard: Part 21, Third Party Due Diligence

[Apologies for the blank post yesterday, here is the real one]

The timing for this part of the Going Beyond the Standard series is almost perfect given the SSC’s release of their ‘Information Supplement: Third-Party Security Assurance‘. Which, despite it’s gratuitous use of the word ‘may’, and the ongoing generic-ness of the SSC supplements, is actually pretty good.

It has always irritated me that the phrase ‘third parties’ is now the established norm in these scenarios, when it’s actually SECOND parties that create the most challenges;

third party
1. a person or group besides the two primarily involved in a situation

So third parties are the service providers that YOUR service provider hires to do [part of] the work for which you (the first party) hired the original provider. Third parties are fairly common, but not as common as second parties, and while third parties ARE an issue, they should be addressed in the same way as any other outsourced service; with proper due diligence.

Unfortunately, this due diligence is almost universally performed badly, or there would be no need for the SSC to issue an information supplement in the first place. Or course, if the requirements in the PCI DSS were written better perhaps there would be less confusion, but it’s too late now.

Because the supplement is quite good, I’ll not go into the nitty gritty of vendor management, but it is important to realise that the choice of an outsourced service does not start with vendor due diligence, it starts with a business need that has been PROPERLY analysed, and a risk assessment performed.

PCI itself has driven an enormous growth in outsourcing, and not because there was suddenly a need for more services, but because so many organisation wanted PCI to just go away. The thought was if you outsourced, you could just point at them and shirk all further responsibility.

In reality, you can outsource almost every function relevant to PCI, but you can NEVER outsource the responsibility for the protection of the cardholder data. Yes, you can throw financial liabilities into the contract, you can buy cyber-insurance, you can even drag your service provider down with you if things go horribly wrong, but it’s going to be YOUR name in the papers.

The other big mistake organisations make at the beginning phases of outsourcing is, as always, asking the wrong questions. While a service provider does not have to BE PCI compliant for the service they are providing, their services have to SUPPORT yours. Not only that, if they do not have a Report on Compliance backing up their services, they will have to be fully assessed and validated against yours.

I’ve had small clients whose PCI assessment costs and effort increased FIVE fold because they had not performed the correct due diligence.

Even if I assumed you are outsourcing for the right reasons, CHOOSING vendors is next step where things go wrong. DSS v3.0 has built in the requirement for  ‘third parties’ to qualify their services with detailed analysis of EXACTLY what is being provided against the requirements themselves. This was always a requirement in my mind, but rarely followed, and has led to significant gaps based on assumptions.

However, if if your chosen service provider is PCI compliant for the services, there is surprisingly little they can do in terms of reducing your effort;

1. DSS Requirement 1.x – You can outsource management, but you will always own the policies, the final configuration standard(s), and of course, the ruleset(s). About the only things that can be 100% outsourced is stageful packet inspection.

2. DSS Requirement 2.x – Again, you can have a service provider put together configuration standards for you, but you will always own them, the business justifications for every available service and listening port is yours to document, and insecure protocols are yours to fix or compensate for.

3. DSS Requirement 6.x – Outsourced development is great, but unless their SDLC supports your compliance, YOU won’t be.

4. DSS Requirement 10.x – The most egregiously overstated service provider coverage of them all. The issue is rarely in the collection of the events, it’s what events should be logged in the first place and how. And how ANY service provider dares to say they can cover a daily review without establishing a baseling is beyond me.

5. …and so on.

I’m already ay 700 words and I’ve barely starched the surface, but that should be an indication of just how messy this topic can be. It deserves a white paper, but that will have to wait.

Bottom line; If you don’t have a program for vendor selection and vendor management, get one, and make it retroactive. Get help if you need it, but in the end, if your service providers fail, YOU fail, and deservedly so.

Read the SSC supplement, implement what it says, they have not missed much.