[SecurityRatty] tag: okemo

PCI compliance, building the base

Thu, 12 Jun 2008 07:54:22 +0000

Blogger: Randall Gamby

An alarming trend is beginning to surface within SMB “PCI compliant” companies, like Hannaford Brothers (http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html), Okemo Mountain Resort (http://www.okemo.com/okemowinter/security_update.asp), etc. Credit data is being stolen! While this is exceedingly bad, I have a theory on why this is happening.

Before I get into my theory I’d first like to talk about military bases. As we all know, the military contains a lot of top secret information. So how does, say the U.S. Army, protect it? First, they classify what information needs to be protected. Next they find a piece of property that they can physically secure. Once the property has been thoroughly checked (no listening devices or mines buried in the ground) they construct a series of secure buildings to house the data. They then put up a fence with a limited number of gates with guard houses and guards to protect it. Then, most importantly, after certifying the security of the base, they use sentries to periodically patrol the perimeter of the grounds to ensure unauthorized access is not gained by spies sneaking in under the fence.

So what does this have to do with PCI compliance for SMBs? Well the process of PCI certification is similar to what a military branch would do to secure their information. Enterprises identify and classify what data falls under PCI compliance. They validate that the systems that contain the information are controlled properly and are locked down through processes and technologies. Then they build a fence of security around the systems to ensure only properly authorized personnel have access to them. Finally they certify that the protections meet PCI compliance requirements. But unlike the military, I theorize that a lot of SMBs, short on personnel and resources, quit here. In exploring the topic I’ve found that there’s an attitude by some executives that PCI compliance is a gate. Once SMB organizations achieve PCI compliance, some move on to the next pressing security problem. But this is the wrong attitude. Just as the military found out eons ago, they must be constantly on guard because spies are always looking for kinks in the defense perimeter in order to slip in and gain access to information without authorization.

It seems that SMBs are the most at risk of not having “guard patrols” constantly patrolling the perimeter due to the cost and resources needed to monitor and report on the security’s on-going effectiveness and the bad guys are now sneaking in stealing the very data they created these defenses to protect.

So what’s the warning? Whether you’re a SMB or Global Enterprise, PCI compliance is a gate, that’s pretty much a fact, but it can’t be left unguarded. Time, money and resources must be allocated on an on-going basis else the bad guys will sneak in undetected and you may find yourself making a breach disclosure that wasn’t detected until it was too late.

PCI compliance, building the base

Thu, 12 Jun 2008 07:54:22 +0000

Blogger: Randall Gamby

An alarming trend is beginning to surface within SMB ???PCI compliant??? companies, like Hannaford Brothers (http://www.networkworld.com/news/2008/031708-hannaford-data-breach.html), Okemo Mountain Resort (http://www.okemo.com/okemowinter/security_update.asp), etc. Credit data is being stolen! While this is exceedingly bad, I have a theory on why this is happening.

Before I get into my theory I???d first like to talk about military bases. As we all know, the military contains a lot of top secret information. So how does, say the U.S. Army, protect it? First, they classify what information needs to be protected. Next they find a piece of property that they can physically secure. Once the property has been thoroughly checked (no listening devices or mines buried in the ground) they construct a series of secure buildings to house the data. They then put up a fence with a limited number of gates with guard houses and guards to protect it. Then, most importantly, after certifying the security of the base, they use sentries to periodically patrol the perimeter of the grounds to ensure unauthorized access is not gained by spies sneaking in under the fence.

So what does this have to do with PCI compliance for SMBs? Well the process of PCI certification is similar to what a military branch would do to secure their information. Enterprises identify and classify what data falls under PCI compliance. They validate that the systems that contain the information are controlled properly and are locked down through processes and technologies. Then they build a fence of security around the systems to ensure only properly authorized personnel have access to them. Finally they certify that the protections meet PCI compliance requirements. But unlike the military, I theorize that a lot of SMBs, short on personnel and resources, quit here. In exploring the topic I???ve found that there???s an attitude by some executives that PCI compliance is a gate. Once SMB organizations achieve PCI compliance, some move on to the next pressing security problem. But this is the wrong attitude. Just as the military found out eons ago, they must be constantly on guard because spies are always looking for kinks in the defense perimeter in order to slip in and gain access to information without authorization.

It seems that SMBs are the most at risk of not having ???guard patrols??? constantly patrolling the perimeter due to the cost and resources needed to monitor and report on the security???s on-going effectiveness and the bad guys are now sneaking in stealing the very data they created these defenses to protect.

So what???s the warning? Whether you???re a SMB or Global Enterprise, PCI compliance is a gate, that???s pretty much a fact, but it can???t be left unguarded. Time, money and resources must be allocated on an on-going basis else the bad guys will sneak in undetected and you may find yourself making a breach disclosure that wasn???t detected until it was too late.

Q&A: Bob Russo talks about the PCI Council

Wed, 16 Apr 2008 07:16:23 +0000

Bob Russo, the general manager of the PCI Security Standards Council, spoke with Computerworld's Jaikumar Vijayan about the organization's current thinking on the PCI standard, what's changed since he took the helm in 2007, and what he makes so far of the Hannaford and Okemo Ski Resort data breaches.

Vermont ski area reports Hannaford-like theft of payment card data

Wed, 02 Apr 2008 09:00:00 +0000

The Okemo Mountain Resort in Vermont said that credit card data may have been stolen during a system intrusion, with at least some of the information being taken as cards were being swiped.

Ski area reports Hannaford-like theft of payment card data

Tue, 01 Apr 2008 20:00:00 +0000

In a security breach that sounds similar to the one disclosed by Hannaford Bros. Co. last month, the Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February.

Intrusion at Okemo Mountain Resort exposes customers

Tue, 01 Apr 2008 16:44:59 +0000

Technorati Tag: Security Breach

Date Reported:
3/31/08

Organization:
Okemo Mountain Resort

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
46,569

Types of Data:
"credit card data including cardholder names, account numbers and expiration dates"

Breach Description:
"Okemo Mountain Resort said Monday that hackers broke into its computer network and potentially gained access to credit card data from 28,168 transactions between Feb. 7 and Feb. 22 and 18,401 credit cards between January and March 2006."

Reference URL:
Okemo Mountain Resort News Release
Barre-Montpelier Times Argus
BusinessWeek
WTNH Channel 8 News

Report Credit:
Okemo Mountain Resort

Response:
From the online sources cited above:

Okemo Mountain Resort today announced that it has been a recent target of criminal efforts to gain access to credit data by infiltration of its computer network at Okemo Mountain Ski Area.

Okemo believes the intruder gained potential access to credit card data including cardholder names, account numbers and expiration dates.

An expert in data security and forensics hired by Okemo to assist in the investigation and response to the incident has informed Okemo that its computer system was improperly accessed by an outside party for a 16 day period between February 7, 2008 and February 22, 2008.

Affected consumers potentially include those who used their credit cards at Okemo during such dates as well as those who did so from January through March of 2006.

The forensic review determined that the intruder may have accessed credit card data from up to 28,168 credit card transactions processed at Okemo during the 16 day period in February. The actual number of credit cards holders involved in the transactions is likely to be smaller because multiple transactions may have been processed on a single card.

In addition, there may have been access to 18,401 individual credit cards used at Okemo from January through March 2006, many of which are believed to have expired.

Okemo spokeswoman Bonnie MacPherson said Monday the company has not heard of any customers subjected to fraud as a result of the breach.

Upon discovery of this intrusion, Okemo promptly initiated security measures to block the infiltration and protect any personal information transmitted through its system from any further unauthorized access.
[Evan] How do you suppose Okemo discovered this intrusion? Did a customer report unauthorized charges? Was the incident stumbled upon or detected during information security reviews of critical systems?

Okemo has provided notice to Visa, MasterCard and American Express and is cooperating fully with the credit card companies to notify potentially affected cardholders.

Okemo does not have sufficient information to directly contact cardholders.

Okemo has been informed that the banks, which issued the credit cards, will be provided with information necessary to notify their cardholders.

Okemo has also notified law enforcement and is providing notice to State Attorneys General and appropriate regulatory agencies.

Okemo will continue to carefully monitor the security of its systems moving forward.
[Evan] Okemo (and all organizations) should "carefully monitor the security of its systems" continually. This "should" go without saying. Especially systems that are used in the collection, creation, storage, or transmission of confidential information.

Okemo has been advised by Federal law enforcement officials that the matter is currently under investigation.

Okemo will provide updates on this incident on its website: www.okemo.com. For further information or assistance, cardholders are encouraged to call the following Toll Free Number, 1-866-756-5366. Okemo can also be contacted at Okemo Mountain Resort, 77 Okemo Ridge Road, Ludlow, VT 05149.

"As a result of this, we've increased the firewall capability and added some software and taken some additional precautions," she said. (Okemo spokeswoman Bonnie MacPherson)
[Evan] Huh?

Commentary:
I appreciate Okemo's news release. Some of the things that I didn't notice were an apology to the affected consumers, any words from Okemo leadership or any details about how this breach occurred.

Intrusions are coming in bunches lately.

Past Breaches:
Unknown