[SecurityRatty] tag: compliant

Links for 2008-12-02 [del.icio.us]

Tue, 02 Dec 2008 21:00:00 +0000

Fun PCI FAQ - Good Reading

Wed, 26 Nov 2008 17:30:00 +0000

Check out this cool PCI FAQ here, created by Andrew Plato. He reminds people about a few of the common "PCI misconceptions" (like, "when is the PCI deadline? - Yesterday") and key facts (like, "Do organizations using third-party processors have to be PCI-compliant? - Yes")

Finally, I also love, love, love his reminder that there are no "PCI -compliant products" (unlike some assclowns here think)

"Q: What technologies are considered PCI-compliant?

A: There is no such thing as a PCI-compliant product. The PCI standard does not certify products. Some products will help with PCI compliance, but there is no single product or group of products that will ensure complete PCI compliance. "

Read it!

Interesting ... On Compliance

Mon, 03 Nov 2008 12:57:00 +0000

Treat this as a prequel for my upcoming blog post called "Tales From 'A Compliance-First' World" (link TBA).

I am learning that many people really, really, really hate to be told that "they are not compliant" (when they are not, of course!) and such hatred goes down to a very curious level indeed ... almost all the way down to the good ole "scanless PCI" joke level.

So, here is an ultimate "how to make enemies and alienate people?" tip: tell them "YOU ARE NOT COMPLIANT!"

CLOUD COMPUTING - STORMY WEATHER?

Mon, 27 Oct 2008 12:46:17 +0000

Lots being written about the Cloud, most of it quite dark and gloomy. In fact I’m surprised, that Hoff hasn’t got a preso spooled up called “The Toxic Cloud” or something similarly ominous for his next speaking tour.
That said, the Economist does a great job distilling the issue into a simple statement -

Cloud computing is a trade-off between sovereignty and efficiency.

Let me ask you - if you had to put your money on one of those horses, considering your average profit-preoccupied business, which would it be? I’d put my bottom dollar on the thoroughbred named “Cost Center Reduction”, to place.

WHO ARE WE TO STAND IN THE WAY OF “PROGRESS”?

I’m always fond of Jack’s rule that the role of information risk management boils down to three deceptively simple premises:

Reduce Risk.
Reduce Loss.
Create Operational Efficiencies.

So it would seem antithetical to the charter of the Chief Security Officer to stand in the way of progress as embodied by “cloud computing” (not to mention dangerous to long-term job security). And I think that this presents opportunities to discuss strategies for managing risk, strategies that aren’t too theoretical and have practical application (though actual “cloud” use by enterprises may be rare at this point).

ON RISK REDUCTION IN THE CLOUD (or, How To Learn From the Shortcomings of PCI DSS)

The good news is, there’s already a well-established model for managing the risk around outsourcing the processing of “confidential” information. The bad news is, that model kinda sucks it.

The Payment Card Industry, known as the “PCI” or “meal ticket” to many in the industry, faced a similar problem with the introduction of GLBA. As I see it (and I’m not at all close to the PCI, at all, so this is all just abstract soliloquy) the PCI had one of two choices when faced with the prospect of other people managing their sensitive information:

Accept the *massive* amount of GLBA risk their business creates and spend a TON of money to build out the infrastructure (both process and IT) to manage the consumer data themselves (in conjunction with the banks, of course) and never have it grace the computing systems of the retailer. Or,
Transfer the GLBA risk down to the retailer and have them bear the majority of the risk (and cost of reducing risk to a level that might be tolerable to the US Government).

(Martin, you may recall our Twittering about PCI a while back. This is the crux of my view on the subj.)

Now fortunately, the CSO’s of the world are going to be a little more “invested” in protecting the information they are stewards over, and unlike the PCI, will remain primarily responsible for the C, I, & A of the data in the Cloud. The cool thing is, this actually presents a great opportunity to start building a meaningful model for co-management of risk! In fact, we can take the PCI model of contractual risk transference but modify where it goes all wrong, and start working to create something better. And we can start by euthanizing some faulty assumptions.

JUST HOW INFORMATIVE IS PCI DSS?

What might be the.greatest.mistake of the standards compliance mentality is the assumption of value for the past-state measurement. That is, I believe that the CSO needs more than some “past-state” assurance in order to understand their risk. If you look at the concept of “PCI compliance” it really is an examination of a past state of nature that is assumed to be relevant to current and future states. Many people (myself included) are not at all convinced that this past-state is nearly as informative as those who mandate it’s measurement believe it to be.

That’s not to condemn past-state measurements as completely non-informative, they most certainly are useful. It’s just that no self-respecting CSO sleeps well because they were deemed “PCI compliant” 10 months ago. They sleep well because they have good visibility into current-state information and confidence in their strategy concerning future-state (based on that visibility and the outcomes of sound IRM models).

MOVING PAST THE VULNERABILITY SCANNER INTO INTELLIGENCE AND WISDOM

So realizing this new importance (to me, at least) concerning visibility and IRM models, I’m lead to the conclusion that if we are to manage risk in the Cloud, we’ll have to move beyond “PCI Compliance” or the concept that some regular “audit” of controls in place at the host is all we need to understand our ability to manage risk. No, the CSO must have good information concerning current and probable future states. This is that “visibility” I spoke of above. In fact, we’ll need significant amounts of piercing, transparent visibility. And in order to gain that visibility, our insight into Cloud Risk Management must include significant provisions for understanding a joint ability to Prevent/Detect/Respond as well as provisions for managing the risk that one of the participants won’t provide that visibility or ability via SLA’s and penalties . These SLA’s must be expressed in measurable terms (more visibility), and those metrics must have their roots in the things that help understand how we manage risk (those aforementioned IRM models).

THE CLOUD COMPUTING SECURITY SILVER LINING (sorry couldn’t resist)

As I mentioned earlier, I do see an opportunity to create insight. The need for visibility and IRM models would allow us to create a “guidance” if you’ll allow me to use the term. Not a standard or a “best practice” to audit by, but simply a reference document that says “if you’re going to put information on somebody else’s systems and still hold some significant responsibility for that information, here’s the considerations, why they are considerations, and how you might go about collaborating on the management of risk”.

And I think that if we undertake this journey, there is going to be a lot of growth and risk management innovation along the way. But keen insights into what it means to manage risk will be necessary, and secure and forthright collaboration will be of absolute importance.

I say that last bit because, if these pundits are right about the utility of a hosted computing model - the Cloud will happen regardless of the CSO’s ability or desire to manage it.

Study: Only 4.13% of the Web is Standards-Compliant

Thu, 16 Oct 2008 10:40:02 +0000

Opera has developed a new indexing system that analyzes the structure of web content and it found that only 4.13 percent of the 3.5 million pages indexed by the system actually pass the W3C's validator.

Study: Only 4.13% of the Web is Standards-Compliant

Thu, 16 Oct 2008 10:40:02 +0000

Compliant, Not Compliance OR "Thought to Be Compliance:

Thu, 09 Oct 2008 10:33:00 +0000

Here is a fun bit of PCI trivia. I thought that one can be "compliant" or "not compliant."

Turns out there is a third choice: "thought to be compliant."

The quote is: 'The news is that Forever 21 (a clothing chain) which has been maintaining it was PCI compliant was, er, not. Seems their assessor missed databases containing cardholder data, and the bad guys found them. Those databases got breached. So it looks like their claim to be PCI compliant translates into a big "never mind."'

Links for 2008-10-01 [del.icio.us]

Wed, 01 Oct 2008 20:00:00 +0000

Hype Alert: Internet Shopping Carts Are Secure

Fri, 26 Sep 2008 11:00:00 +0000

My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure.
OMG...really?
To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:
"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."
This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per PCI standards.
Allow me to elaborate.
We'll kick off our hype eliminating effort with a simple Google dork: inurl:"cart.cfm" (picking on ColdFusion again, but man, they make it easy)
GM Parts Direct: Your Shopping Cart jumped right out at me for a number of reasons.
First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound effect for edification. :-)
Second, the page contained one of the growing number of aforementioned conversion-driving website security seals.

Tick, tick, click...the Gieger counter is getting louder.
Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."
Methinks that Trustwave's Trusted Commerce program is missing a few fundamental security checks. Remember, XSS in PCI regulated sites, according to the PCI DSS, indicates that a site is not compliant (see section 6.5.4) if vulnerable to XSS.
Uh-oh.

All it takes is a fake login page, as opposed to our friends at XSSED.com, and...well, you get the point.
Simply, this is one of an endless number of shopping cart not secure, and not PCI compliant. For shame. You need only browse the Holisticinfosec.org Advisories page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the problem.
ecommerce<>security
ecommerce<>SDL
ecommerce<>PCI
website security seal<>security
Sigh.

Links for 2008-09-23 [del.icio.us]

Tue, 23 Sep 2008 20:00:00 +0000

Rational Survivability: VMWare's VirtSec Vision...Virtual Validation?
Security and Risk Management Strategies Blog: PCI V1.2, a good start but still not enough
Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI Compliance - dispelling some common myths (Stuart King's Security and Risk Management Blog)