
A Rant about Risk - Rock Climbing with a 2-Year-Old January 31, 2012

Posted by Chris Mark in Risk & Risk Management.

Today NBC Sports ran an article about a woman rock climbing with her 2-year-old strapped to her back. The toddler is not wearing a helmet. When asked, she explained: “I can appreciate if you didn’t realize how safe the environment I was in, it could be worrying, but I was top-roping which means if you fall you don’t fall any further than where you came off.” She further opined: “It is the safest form of climbing you can do…Health and safety legislation and the sue and blame culture mean so many people are nervous, so afraid of getting into trouble, and taking small risks. Life is all about risks, whether that’s something as simple as getting in your car every day or climbing up a rock face.” This reminded me of a debate I had several years ago.

I was talking with a company about protecting personally identifiable information (PII) as required by law. The company’s response was: “It is too expensive to comply. I will take the risk.” The problem is that the data they are required to protect is not their information. While the data itself (the bits and bytes) may belong to the company, the information those bits and bytes represent is the property of the person to whom it refers. In short, it is not the company’s risk to assume, because it is not their property. If I want to publish my own personal data on the Internet, I can do so and assume the risk…it is my data. A third party cannot assume that risk for me without my permission. This is why companies are required to protect PII, NPI, PHI, and other forms of personal data.

In much the same way, this woman can free climb naked (alone) if she chooses. It is her risk to assume. That her style of climbing is the safest available does not mean it is without risk. Top-roping is less risky than free climbing, but any form of rock climbing is an inherently risky activity. The 2-year-old does not have the ability to say whether she wanted to climb or not. Where I take issue with the woman is her attitude of “life is all about risks…” Granted, but some people’s lives are about taking more risks than others. As adults we can make the decision to BASE jump, free climb, skydive, or race motorcycles. When we include others in our risky behavior without their consent, it becomes problematic.

“These are not the droids you are looking for” – Using “geek speak” to confuse and confound January 31, 2012

Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management.

In reading through various companies’ websites, I often take a look at their security statements to see what, if anything, is being said about security. More often than not these statements are little more than “geek speak” written to give consumers and others peace of mind, yet they don’t really provide any information on the security posture of the company. In the vast majority of cases the statements are marketing fluff and provide little value. Here are some of the more common and interesting statements I have come across:

- “We use industry-leading encryption, including SSL, to protect your data as it is transmitted to us.” Encrypting credit card data in transit is not only required by the card brands and the PCI DSS, it is also required by a number of laws and is simply good practice! That a company feels compelled to state that it uses SSL to protect transmitted data leads to more questions. The statement says nothing about how your data is used (a privacy discussion) or whether the stored data is adequately protected by encryption or other controls. SSL is a very small piece of the puzzle: it protects the data only while it is on the wire.

- “We use multi-tiered firewall controls to protect sensitive data.” Again, segmented network architectures are required by the Payment Card Industry Data Security Standard (PCI DSS) and, this being 2012, operating without one would be irresponsible at best. This statement says only that the company has implemented firewalls between various segments of its network, and suggests it is not operating a ‘flat’ network in which every system can touch every other system (very 2003). It says nothing about whether the devices are configured correctly, nor does it differentiate between application-layer and network-layer firewalls (more geek speak to confuse and confound).

- “All customer data is housed in our secure data centers.” For those unfamiliar with the term, a “data center” is nothing more than a building used to house computer servers, typically for a number of different clients. Data centers are designed with safety, physical security, and redundancy in mind. The fact that data is housed in a 4th generation data center says nothing about the technical security controls implemented to protect customer data. It simply means that someone who wanted to physically steal the computer would be challenged.

- “We use robust encryption and change the encryption key at least annually.” Encryption is a good step, but it is only as good as the algorithms used and the key management employed. This statement says simply that, once again, the company is following industry-accepted controls. While changing encryption keys periodically is good practice, the statement says nothing about how the keys are managed in the intervening periods, who has access to them, what data is encrypted, or what access controls are in place.

When evaluating a company with which to do business, take the time to really ask the difficult questions about security. Simply reading website information will not give you assurance that the company is protecting your data. In some cases the information provided is not simply irrelevant but may give the buyer a false sense of security. By using ‘geek speak’ it is easy to convince a non-techie that the company is doing the right things. If you are not confident in your own technical skills to evaluate a vendor, it is worth taking the time to find a consultant or some other trusted party to support you in your evaluation.

Completing the Puzzle: Verifying Company Claims & Information January 27, 2012

Posted by Chris Mark in Risk & Risk Management.

I have received a few emails over the past several weeks asking how companies can have assurance that the security provider they are evaluating is on the up and up. Sometimes a little due diligence goes a long way. Here is a quick and easy start to your verification.

1) Check business formation dates. In the US (and I am sure in many other countries) business data such as incorporation dates are public record. Companies need to be registered in a particular state or states. A quick Google search on the particular state will tell you where the records are kept. For example, in Utah you simply go to the following website: https://secure.utah.gov/bes/action . In Nevada you would visit: http://nvsos.gov/sosentitysearch/corpsearch.aspx and in New York you would visit: http://www.dos.ny.gov/corps/bus_entity_search.html . If a company claims to have been doing business since 2001 and there are only records from 2005, it is likely not telling the truth (or was operating under a different entity, which is worth asking about). Additionally, you can find out whether the business license was ever revoked, dissolved, etc.

2) Check the WayBack Machine. http://www.archive.org The Internet Archive is very familiar to geeks, but many others are not aware it exists. Here you can see what a company’s website looked like at a particular point in time. A word of caution: some sites are not archived, and some are only periodically archived, so the absence of a snapshot proves nothing. That being said, if there is a snapshot of a company’s website from a particular date you can learn quite a bit. For example, if a company claims to have provided maritime security services since 2008 and its website snapshot from 2009 shows no indication of such a service, that should raise red flags. Often, companies will ‘embellish’ or change information on their website without realizing that the snapshot exists. As in #1 above, if a company claims to have been in business since 2001 but its snapshot from 2008 shows a founding date of 2004, you have to question the validity of the 2001 date.

3) Google, Google, Google some more. Google is an extremely powerful search tool, and it understands Boolean logic. Use Boolean operators to make your searches more precise. Here is a link to using Boolean operators in Google searches. The most useful operator is quotes, which make Google search for a complete phrase: “Chris Mark” rather than Chris Mark, which would return pages containing Chris and Mark anywhere on the page, not necessarily together. Additional terms narrow the search further, since Google treats the terms as AND by default (the + prefix once forced an exact term, but Google dropped it in late 2011 in favour of quotes). For example: “Chris Mark” security will pull up links mentioning both Chris Mark and security. You can search within a specific website with the site: operator, written with no space after the colon: “Chris Mark” site:nytimes.com. Within Google, don’t forget the advanced search function on the left-hand side of the page, which lets you search by specific dates. Again, if a company claims it has been around since 1990, you would expect some results dated in the 1990s. Unless told otherwise, Google returns the most relevant links first; restrict the date range and anything indexed outside it drops out.

4) Search blogs and forums. People often publish their opinions in blogs and forums. While the information should be taken with a grain of salt, it can certainly give you information on companies and how they are perceived within a particular group. Find forums relevant to the industry and search for the company and for its principals.

While this is not an exhaustive list of techniques to verify company information, with some practice these four steps will produce a laundry list of information that can be used to check whether claims are accurate. Companies that change their claims and contradict themselves should be looked at very carefully.
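As an added example (my code, not part of the original post), here is a small Python helper that automates the cross-check described in steps 2 and 3: it builds a query for the Wayback Machine’s CDX API, parses the capture listing that API returns, pulls the founding year each archived copy of the site asserts, and flags the contradictions. The CDX listing, the page excerpts, the claimed year and the vendor.example domain are constructed samples, not data about any real company; the parameter names are those the Internet Archive documents for the CDX endpoint, so confirm them against the current documentation before relying on the URL.

```python
"""Cross-check a vendor's "in business since" claim against Wayback Machine
captures. Everything below runs offline: the CDX listing and the page
excerpts are constructed samples standing in for what the live API and the
archived pages would return."""
import re
from datetime import datetime
from urllib.parse import urlencode

CDX_ENDPOINT = "http://web.archive.org/cdx/search/cdx"


def cdx_query_url(domain, limit=100):
    """Build a CDX API query listing successful captures of a host, collapsed
    to one capture per year (collapse=timestamp:4 keys on the YYYY prefix)."""
    params = {
        "url": domain,
        "fl": "timestamp,original,statuscode",
        "filter": "statuscode:200",
        "collapse": "timestamp:4",
        "limit": limit,
    }
    return CDX_ENDPOINT + "?" + urlencode(params)


def parse_cdx(text):
    """Parse plain-text CDX output (timestamp, original URL, status) into
    (capture_time, url) tuples sorted oldest first; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or len(parts[0]) != 14 or not parts[0].isdigit():
            continue
        records.append((datetime.strptime(parts[0], "%Y%m%d%H%M%S"), parts[1]))
    return sorted(records)


# Phrases a marketing page uses to assert its age: "founded in 2004",
# "established 2004", "in business since 2004".
FOUNDING_RE = re.compile(
    r"\b(?:founded|established|in business since|since)\b\s*(?:in\s+)?((?:19|20)\d{2})\b",
    re.IGNORECASE,
)


def founding_year_claimed(page_text):
    """Return the founding year a page asserts, or None if it asserts none."""
    match = FOUNDING_RE.search(page_text)
    return int(match.group(1)) if match else None


def assess_claim(claimed_year, cdx_text, snapshot_texts, tolerance_years=2):
    """Return a list of red flags for the vendor's current founding claim.

    claimed_year    -- the founding year the vendor asserts today
    cdx_text        -- CDX listing for the vendor's site
    snapshot_texts  -- {capture_year: text of the archived front page}
    tolerance_years -- small sites are often not crawled in their first
                       years, so a short gap is not treated as suspicious
    """
    flags = []
    captures = parse_cdx(cdx_text)
    if captures:
        earliest = captures[0][0].year
        if earliest - claimed_year > tolerance_years:
            flags.append(
                f"earliest archived capture is {earliest}, "
                f"{earliest - claimed_year} years after the claimed {claimed_year}"
            )
    else:
        # Absence of captures proves nothing; the site may never have been crawled.
        flags.append("no archived captures found; cannot corroborate or refute the claim")

    stated = {}  # capture year -> founding year that copy of the site asserted
    for capture_year, text in sorted(snapshot_texts.items()):
        year = founding_year_claimed(text)
        if year is not None:
            stated[capture_year] = year
    if len(set(stated.values())) > 1:
        history = ", ".join(f"{c}: founded {y}" for c, y in stated.items())
        flags.append(f"founding year changed between snapshots ({history})")
    for capture_year, year in stated.items():
        if year != claimed_year:
            flags.append(
                f"snapshot from {capture_year} says founded {year}, "
                f"but the current claim is {claimed_year}"
            )
    return flags


# Constructed sample data: what the CDX API and two archived front pages
# might show for a hypothetical vendor.example that today claims "since 2001".
SAMPLE_CDX = """\
20040812093011 http://vendor.example:80/ 200
20060301121500 http://vendor.example/ 200
20080715080000 http://vendor.example/ 200
20110502143000 http://vendor.example/ 200
"""
SAMPLE_SNAPSHOTS = {
    2008: "Vendor Example LLC was founded in 2004 to serve the maritime industry.",
    2011: "Vendor Example LLC has been in business since 2001, protecting clients worldwide.",
}

if __name__ == "__main__":
    print(cdx_query_url("vendor.example"))
    for flag in assess_claim(2001, SAMPLE_CDX, SAMPLE_SNAPSHOTS):
        print("RED FLAG:", flag)
```

Run against the constructed sample, the helper reports three flags: the earliest capture (2004) postdates the claimed 2001 by more than the tolerance, the asserted founding year moved from 2004 to 2001 between the 2008 and 2011 snapshots, and the 2008 copy contradicts today’s claim. Treat the output as a list of questions to put to the vendor rather than a verdict; the tolerance exists precisely because a missing early snapshot is weak evidence.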

PCI DSS and Piracy January 12, 2012

Posted by Heather Mark in PCI DSS, Piracy & Maritime Security.

I’ve been reading quite a bit on piracy lately. Not the adventurous, swashbuckling tales of pirates flying down the Spanish Main, but piracy in its present form. From a purely detached perspective, it’s an interesting exercise in cause and effect. Natural disasters, for example, have an impact on the surge in piratical acts. The 2004 Indian Ocean (“Christmas”) tsunami left many Somali fishing villages devastated and took the last legal means of sustenance from many families that depended on fishing for their survival. As a result, they turned to piracy. Of course, that is not to say that Somali pirates are the Jean Valjeans of their day, the thief with the heart of gold doing only what is necessary to survive. These pirates are violent and aggressive and should not be coddled. The interesting comparison to the PCI DSS, in my mind, derives from the impact of the crime on the industry and the global reaction to the phenomenon.

Impact of the Crime

Piracy is a crime that has an impact on all consumers. Higher insurance rates, security contingents, longer routes and therefore higher fuel costs, and similar circumstances that result from piracy mean higher prices for consumers.  Any costs that cannot (or will not) be absorbed by the manufacturer or the shipping company are passed on to the consumer. Similarly, data thieves have very definitely left their mark on the consumer. Those of us involved in the electronic payment industry recognize better than most the increased cost structure that has resulted from trying to achieve and maintain compliance with the PCI DSS and the countless data security, data breach notification and consumer privacy laws at play in the United States. Ongoing compliance and security monitoring, evaluating the threat landscape and the cost of validating compliance can quickly add up for companies.  Organizations that are already seeing their margins get squeezed are required to spend additional resources on security and compliance to ensure the safety of consumers’ data. Those costs can sometimes be passed along to the consumer.

Global Reaction

Data security and piracy were both issues that “flew under the radar” until high-profile incidents brought them to public awareness. In the world of transoceanic shipping, the incidents that brought awareness were a couple of kidnappings for ransom and the hijacking of the Maersk Alabama. It’s important to note, however, that even before these incidents, the shipping industry and governments worldwide were working on standards and regulations that would mitigate the problem. The reaction from the industry should sound very familiar to veterans of the PCI DSS compliance world: “The standards are too prescriptive.” “The standards were written by people that don’t really understand the issues.” “How are you going to ensure that everyone is complying with these standards?” “The cost of complying with the standards is too burdensome for small companies.” These concerns should resonate with payment security professionals. The same questions and concerns are often raised about the PCI DSS.

For the payment industry, the events that really brought public awareness were a couple of high-profile data breaches at well-known retailers. The real question, though, is “What is the alternative?” If neither industry had done anything to address these growing issues, the constituents in each industry would have raised the alarm about the apparent lack of concern from the powers that be. The catch-22 of creating and enforcing the standards is that even though they achieve their objective of raising industry awareness and attempting to mitigate the risk of adverse events, the companies that suffer piracy attacks or data breaches are still often cast as the villain (as opposed to the victim) in the scenario.

What’s the Answer?

That is the crux of the matter: are the issues of data security and high-seas piracy “solvable”? A variety of issues drive the increase in both crimes. Economic instability, the ability of governments to project their authority into these areas, jurisdictional cooperation and other factors drive the growth of both types of crime.

While I cannot confidently offer permanent solutions to either problem, I can suggest a shift in perspective. In the realm of data security and payment security, practitioners often attempt to solve the problem by layering more and more technology in front of the sensitive data. Tokenization is one example of how a shift in perspective can provide alternative solutions: removing the value from the data makes it significantly less attractive to thieves. So instead of asking, “How can we keep thieves from accessing the data?” one might ask, “What can be done in the transaction processing chain to render the data unusable to thieves?” We are currently retrofitting security onto a system that has been in place for fifty years. If we were to remove any preconceived notions of what a payment infrastructure should look like, what would we design?
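To make the tokenization idea concrete, here is an added Python example (my code, not the author’s and not any payment processor’s implementation) of a minimal token vault. A PAN that passes the Luhn check goes in; a random digit string of the same length and with the same last four digits comes out, deliberately generated so that it fails the Luhn check and therefore cannot be mistaken for, or replayed as, a card number. The only place the PAN survives is inside the vault, so a merchant database full of tokens is worthless to a thief. The 4111111111111111 value is the widely published test PAN, not a real card, and the in-memory dictionaries are a stand-in for the encrypted, network-segmented storage a real vault would use.

```python
"""Minimal token vault: shows how tokenization removes the value of stored
card data. The token has the shape of a PAN but none of its value, and
nothing outside the vault can map it back."""
import secrets

DIGITS = "0123456789"


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits or not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random, format-preserving tokens.

    The PAN-to-token mapping exists only here. In a real deployment the vault
    is the one system that still holds PANs (encrypted at rest, segmented from
    the rest of the environment); the plain dictionaries are a simplification
    for this example.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        """Return the token for a PAN, minting one on first sight."""
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]      # same PAN, same token
        last4 = pan[-4:]                        # kept so receipts can show "****1111"
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + last4
            # A token must never pass Luhn (so it cannot be confused with, or
            # submitted as, a real card number) and must not collide with an
            # existing token. Each random draw has about a 9 in 10 chance of
            # failing Luhn, so this loop terminates quickly.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Return the PAN behind a token; only the vault can do this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def demo():
    """Tokenize the published test PAN and round-trip it through the vault."""
    vault = TokenVault()
    pan = "4111111111111111"   # well-known test PAN, not a real card
    token = vault.tokenize(pan)
    return pan, token, vault.detokenize(token)


if __name__ == "__main__":
    pan, token, recovered = demo()
    print(f"PAN {pan} -> token {token} (Luhn valid: {luhn_valid(token)})")
    print(f"detokenize -> {recovered}")
```

Two points the code makes that the paragraph only implies. First, this is not encryption: there is no key and no mathematical relationship between token and PAN, so there is nothing to brute-force and nothing to leak from the merchant side. Second, the value does not disappear, it concentrates: the vault becomes the one system worth attacking, which is why it has to be built and scoped as the highest-sensitivity component rather than treated as just another database.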

Rogue Wave; Secure Payments Article January 11, 2012

Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation.

This is an excerpt from an article I wrote a couple of years ago called “The Rogue Wave”. It gives a high-level overview of doctrine, tactics and strategy, and of applying the PCI DSS as doctrine…You can read the full article here.

“Recent data compromises have continued to illustrate the challenges of securing data in an increasingly hostile environment. Companies are faced with securing and protecting their valuable information from a growing number of increasingly sophisticated and organized groups determined to steal valuable data. Historically, the response to data compromises has been to pass and enforce increasingly strict standards, regulations, and laws detailing the specific steps companies must take to protect data and the required disclosure should data be compromised. Those companies that are the unfortunate victims of data thieves are criticized and vilified for “losing data”. In spite of the efforts being focused upon compliance with the various laws and standards, data compromises continue in their steep upward trend seemingly unabated…”