jump to navigation

Chris Mark in September 2013 – SC Magazine (Interview and Article) August 21, 2013

Posted by Chris Mark in cybersecurity, Industry News, PCI DSS.
Tags: , , , , , , ,
add a comment

sclogo_4In the August, 2013 edition of Secure Computing Magazine (SC Magazine), I have an interview and article included.  The interview is for the cover story called “Beyond the Checkbox; PCI DSS” and the article is called “Understanding Parallax and Convergence to Improve Security”.   Below is an excerpt from the article..be sure to check them out!

“To address today’s threats, companies require a high degree of convergent perspective, information expertise, and coordination between personnel and groups. Previously, companies could “make do” with basic security controls such as firewalls, Intrusion Detection System (IDS), and anti-virus. Attempting to understand the threats facing an organization and analyzing risk was often an afterthought, as companies relied upon simple compliance matrices and lists of “best practices” to secure their environment. This is no longer sufficient to address the threats of 2013.  A major mistake in information security implementation is what can be referred to as “security parallax.””

Update on Blogging and New Articles in TransactionWorld March 8, 2013

Posted by Chris Mark in cyberespionage, cybersecurity, Industry News.
Tags: , , , , , , , ,
add a comment

March coverI want to apologize for not blogging as frequently.  My new job has me hopping at the moment and I am writing extensively for AT&T’s Networking Exchange Blog.  You can check out my blog posts at AT&T’s Networking Exchange Blog .  In addition to my own articles, there are a number of other valable posts from other contributors.  Finally, Heather Mark and I both have articles in the March edition of TransactionWorld Magazine.  You can read Heather’s article here and Chris’ article here.

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

It’s the end of what has already been a tough year for data security.  And the news just got worse.  South Carolina has announced that its Department of Revenue suffered a major breach.  The breach is so massive, in fact that more than 75% of the state’s residents have been affected.  The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents.  Also included in the breach were about 390,000 payment cards.  Most of those were encrypted, though.

This is disturbing on a number of levels.  I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those).  Consumers have built in protections on payment cards.  As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions.  The far more sensitive data, the social security numbers, were not encrypted, though.  This defies logic.  Consumers have little to no protection against misuse of SSNs.  Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.”  WHAT?  If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold.  After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data.  It’s long past time states put forth the same level of protection.  On the plus side, the state did comply nicely with its own data breach notification law.

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.
Tags: , , , , , , ,
1 comment so far

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, of Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.
Tags: , , , , ,
add a comment

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists  “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated?  Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?

 

 

 

Follow

Get every new post delivered to your Inbox.

Join 232 other followers

%d bloggers like this: