The Account Director is responsible for leading the customer/prospect strategy and owns the commercial relationship with assigned customers. Reporting to the Director of Sales the Account Director is expected to achieve sales goals by uncovering and closing new business with both current customers and prospects. In addition they will be responsible for the maintenance of a robust pipeline with predictable long term success.
If you're interested in this position, contact Michael Friedman by email or by telephone: (718) 253-0729.
Do not mistake "Levels" for "Types"!

What is it all about?

In newsletter #4 we saw that the payment brands classify organizations accepting and processing credit cards into "levels." Levels are related to the number of transactions processed annually on the payment brand networks and are used to indicate which compliance validation procedures and reporting requirements the targeted entities are expected to complete. So, pay attention: do not mistake "levels" for "types," which is another classification used in the context of PCIco. Where "levels" are associated with the number of transactions processed annually, "types" are associated with the way organizations handle and process cardholder data. They are used to determine which sections and requirements of the PCI bible are applicable to these organizations. So, to know which sections of PCI DSS apply to your organization, you need to know your type.

Side note: As "types" determine the relevant sections and requirements of PCI DSS, they are closely related to the self-assessment questionnaires that organizations are asked to complete as part of the validation procedure.

Where "levels" are defined independently by each payment brand, "types" have been defined jointly by all brands.

What are the 5 "types"?

There are five types, namely A, B, C-VT, C and D:

Type A: Merchants who do not store cardholder data in electronic form and do not process or transmit any cardholder data on their systems or premises.
Type B: Merchants who process cardholder data only via imprint machines or standalone, dial-out terminals.
Type C-VT: Merchants who process cardholder data only via isolated virtual terminals on personal computers connected to the Internet.
Type C: Merchants whose payment application systems are connected to the Internet.
Type D: All other merchants who do not meet the above descriptions.

Reference: For more information about how to determine your type, please review the PCI Data Security Standard Self-Assessment Questionnaire.
If you have ever tried to get data about the compliance rate from PCIco or the payment brands, you know how challenging it is, probably more challenging than finding the Holy Grail. So in this context the release of the Verizon 2011 Payment Card Industry Compliance Report is quite enlightening for the security industry and the merchant community. It gives us a good sense of the reality in the field.
Compliance versus Security
We already knew that achieving compliance is not a simple matter, but Verizon's findings emphasize that not only are companies struggling to achieve compliance, it seems even harder for them to keep their compliance status year after year. Achieving compliance definitely doesn't mean maintaining compliance. There is no direct relationship between passing a point-in-time validation and being able to maintain compliance.
If overconfidence, complacency and fatigue (or routine) are the common Achilles' heels producing this situation, the major cause is clearly the lack of alignment between the compliance and security processes inside organizations. "Keeping compliance and security apart doesn't make sense from either a compliance or a security perspective." According to Verizon's report, organizations in which the compliance and security functions are completely separate achieve, on average, 25 percent poorer results.
Furthermore, the report underlines that as time goes by, compliance with the standard gets harder, as PCIco issues clarification and guidance on interpreting the standard that often narrows and redefines acceptable practices.
The report also clearly emphasizes that an organization that has built security into its daily processes can more easily achieve and maintain compliance than one that performs those activities merely to meet a validation effort. Organizations that build security into their core processes generally spend less and achieve more when it comes to validating compliance. If an organization truly and consistently strives to be secure, then being compliant should not require a giant leap; it will be compliant as a matter of course.
According to Verizon, the secret to maintaining compliance lies largely in treating it as a daily part of conducting business, exactly as one would treat security. So one could restate this as: "The secret to achieving and staying in compliance with PCI DSS is NOT to look at it from a checklist perspective, but rather to consider it an integral part of your daily security assignments." This is the only way out.
These considerations clearly validate and support the observations and recommendations expressed in my webcast "PCI: A Compliance or Security Program", hosted by ISACA.
According to the report, the four sections of the PCI DSS that are most often failed are:
Requirement 3 – Protect stored cardholder data – mostly issues related to data retention and key rotation.
Requirement 10 – Track and monitor access – mostly issues related to application log management and file-integrity monitoring on logs.
Requirement 11 – Regularly test systems and processes – The difficulties lie in the required frequency combined with the expectation that findings are remediated and retested. Lack of time and resources prevents some companies from presenting four "passing" external and internal scans. The most frequent problem is that organizations procrastinate and perform the penetration test or scan at the last possible minute of an assessment. Invariably, the result is that they have between 100 and 200 findings to remediate and no hope of getting it done in time.
Requirement 12 – Maintain security policies – Most issues are related to the lack of critical content, lack of identification of the assets that must be protected, and a poor risk management framework.
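The Requirement 10 finding above (file-integrity monitoring on logs) has a practical wrinkle: a log file legitimately changes every time a line is appended, so a plain file hash alerts constantly and gets ignored. The following is an added example, not code from the Verizon report or from Rapid7: it records the size and SHA-256 of the file at baseline time and, on each check, re-hashes only the baseline-length prefix. Normal appends pass, while truncation or in-place edits of already-logged history are flagged. The log lines and file names are constructed for the demonstration.

```python
"""Append-only integrity check for log files (an added example).

A naive FIM hashes the whole file and fires on every append. Instead we
store (size, sha256-of-first-size-bytes) as the baseline and later verify
that the file has not shrunk and that the baseline-length prefix still
hashes to the recorded value. Appended bytes are reported, not alerted on.
"""
import hashlib
import os
import tempfile


def hash_prefix(path, length):
    """SHA-256 of the first `length` bytes of `path`.

    Returns (hexdigest, bytes_actually_hashed); the second value is less
    than `length` only if the file is shorter than expected.
    """
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest(), length - remaining


def baseline(path):
    """Record the current size and the hash of the whole current content."""
    size = os.path.getsize(path)
    digest, _ = hash_prefix(path, size)
    return {"size": size, "sha256": digest}


def check(path, base):
    """Compare the file against a baseline.

    Returns (status, detail) where status is one of:
      'ok'        - byte-identical to the baseline
      'appended'  - baseline prefix intact, new bytes after it
      'truncated' - file is shorter than the baseline (history removed)
      'modified'  - baseline prefix no longer hashes to the recorded value
    """
    size = os.path.getsize(path)
    if size < base["size"]:
        return "truncated", {"expected_min": base["size"], "actual": size}
    digest, hashed = hash_prefix(path, base["size"])
    if hashed != base["size"] or digest != base["sha256"]:
        return "modified", {"prefix_len": base["size"]}
    if size == base["size"]:
        return "ok", {}
    return "appended", {"new_bytes": size - base["size"]}


def demo():
    """Walk one constructed log file through the four outcomes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"2011-10-01T12:00:00Z login user=alice result=ok\n")
        base = baseline(path)
        results = {"unchanged": check(path, base)[0]}

        # A legitimate append must not raise an alert.
        with open(path, "ab") as f:
            f.write(b"2011-10-01T12:05:00Z login user=bob result=fail\n")
        results["after_append"] = check(path, base)[0]

        # Same-length in-place edit of history: size check passes, hash catches it.
        with open(path, "rb") as f:
            data = f.read()
        with open(path, "wb") as f:
            f.write(data.replace(b"alice", b"eve  "))
        results["after_edit"] = check(path, base)[0]

        # Wiping the file: shorter than baseline.
        with open(path, "wb") as f:
            f.write(b"")
        results["after_truncate"] = check(path, base)[0]
        return results


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:15s} -> {status}")
```

In a deployment the baseline would be written to storage the logging host cannot modify and refreshed after each verified check, so that the protected prefix grows with the log while any rewrite of already-verified history is still detected.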
Rapid7's eight recommendations to achieve and stay in compliance while being prepared to face your risks:
Didier Godart
Risk Product Manager
Rapid7
Records posted by the Dutch government reflect that the Armed Forces budget for Dutch cyber operations in 2012 has been estimated at 2 million euros. A small sum, but still a considerable one in the face of ongoing budget cuts at the Dutch Ministry of Defence. The money is intended to reinforce the Defence department's digital defences and to develop the capability to take part in "cyber operations".
According to the published information, Dutch cyber operations capability will be developed in stages. Focal points will be the improvement of the defences of its networks, systems and information, and the expansion of capabilities in Cyber Intelligence. The budget is listed at € 2 million in 2012, but the total budget between 2012 and 2015 will be closer to € 50 million. Most of the larger plans for the upcoming years are dependent on the sale of materiel and real estate, but the monies involved with cyber operations are small enough to have been allocated regardless.
One has to wonder though, with all that has been going on these last few years, what exactly will be done with a mere € 2 million for an entire year. This would pay for roughly 10 people and some hardware. What exactly will they be doing in 2012, and more importantly: how will they be spending the remaining € 48 million over the next 3 years? Sadly, this is not really mentioned in the budget discussions. All that is stated is that effort will be put into the new National Cyber Security Center that was recently stood up, and that there are two JIPs (Joint Investment Programs) of interest: one about Unmanned Aerial Systems (UAS) and one only referred to as 'cyber security'.
Last year, the Dutch military CIO Maj.Gen. Koen Gijsbers held a speech at InfoSecurity.nl, a Dutch conference on information security. While giving only limited information, at least he was there to answer some questions. This year no such opportunity seems to be planned, which leads me to believe that 2012 might be a very uneventful year for actual Dutch cyber operations.
Crossposted from ArgentConsulting.nl
About the author: Don Eijndhoven has a BA in System & Network Engineering with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands. Among a long list of professional certifications he obtained are the titles CISSP, Certified Ethical Hacker, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he works as a Project Manager for CSFI and currently has 2 projects in his portfolio. He also blogs for several tech-focused websites about the state of Cyber Security and is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine.
Retailers can temporarily rejoice (for about a minute) now that six cyber villains have been caught in two different international credit card fraud rings.
The Register reports, “After investigations that began in 2009, the police executed three search warrants in metropolitan Sydney, retrieving EFTPOS terminals, computers, cash, mobile phones, skimming devices, and several Canadian credit cards. Other seizures in the two-year investigation have included 18,000 blank and counterfeit credit cards, stolen EFTPOS terminals, and skimming devices. The men arrested are Malaysian and Sri Lankan nationals, and are accused of coordinating the fraud operation in Australia, North America and Europe.”
Meanwhile, “a Brooklyn man has pleaded guilty to aggravated identity theft for his role in an operation that defrauded credit card issuers of almost $800,000 in bogus charges. FBI and Secret Service agents recovered data for 2,341 stolen accounts on his computer and on the magnetic stripes of cards, according to court documents.”
Cooperation between U.S. law enforcement agencies and international governments can be credited in taking down these thieves. However, studies show there are plenty of other criminals involved in fraudulent acts from countries like China, Nigeria, Vietnam, Ukraine, Malaysia, Thailand, Indonesia, Saudi Arabia and South Korea to take their place.
There is an anti-fraud company in Oregon, called iovation Inc., that helps online businesses connect the devices used in fraud rings across geographies, by associating them with the accounts they access. Whether the device is a PC, smartphone, tablet or other Internet-enabled device, iovation’s device identification technology recognizes new and returning devices touching their client’s sites within multiple industries.
Cyber criminals with a history of fraud or abuse are obviously flagged by iovation's ReputationManager 360 service, but even more interesting are the real-time checks that happen within a fraction of a second as the user is interacting with the website. These might include assessing risk for activities such as setting up an account, logging in, changing account information, or attempting to make a purchase or transfer funds. Real-time checks differ for each website integration point, as businesses customize and continually fine-tune them to detect fraudulent and risky behavior so that they can identify bad actors and keep them off their site for good.
Robert Siciliano, personal security and identity theft expert contributor to iovation.
If you use Gmail, Hotmail or Yahoo, you know your email is accessible from any computer or smartphone. That’s because your messages are stored “in the cloud.”
What is iCloud? Apple puts it like this: “iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to.”
If you take a picture on your iPhone, it appears on your Mac. If you write a document on your iPad, it appears on your iPhone. If you buy a song on iTunes, it becomes available on all your devices.
The cloud isn’t new, but when Apple pushes out a product, they often find a new and improved way to utilize existing technology.
iCloud was designed with three things in mind: convenience, portability, and consolidation. It allows you to keep your devices in sync, to access your data from anywhere, and do it all within a single, central hub. That last design feature gives Apple a certain degree of control over the user base.
Apple’s iCloud and its consumerization of centralized, cloud-based data and services will undoubtedly result in even more consumers connecting to even more devices.
Better yet, iCloud will spur even more innovation among Apple’s partners and competitors. Soon, we will see more products and services consolidated in “the sky,” which other cloud services will connect to. Consumers will also have more options for creating their own personal clouds, in the form of smarter home-based servers, making it easier to manage all of their devices and keep them secure.
And for all you PC lovers, there will surely be many more offerings to keep your digital life in sync, because, well, not everybody likes apples.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
You may have noticed that over the last decade, computers have grown faster and more powerful, with more RAM, bigger hard drives, and improved processors. This is made possible by the development of better, cheaper technology, coupled with a corresponding need on the part of consumers and corporations. It has also come in response to software developers, who have continued to introduce more complex and demanding programs.
Then, “the cloud” came along, and software such as office programs, contact managers, editing programs, and data storage went virtual, no longer requiring local computer space and speed.
As a result, old, slower PCs have a new life, and new devices like mobile phones, netbooks, e-readers, and tablets rely on the cloud to function as fully portable productivity tools and entertainment centers.
One of the cloud’s most significant impacts so far has been in music. Since the digitization of songs, we have seen dramatic changes in devices and hardware for music consumption, as well as in distribution mediums.
Last year, a Gartner report predicted that cloud-related spending would reach $258 billion by 2020. It accounted for $28 billion in 2010. This rapid increase should prompt investments in related technologies, applications, and services to account for 45% of all IT spending.
In the short term, as the cloud grows, more jobs will be created. In the long term, however, it is likely that many of the smaller administrative tasks that are currently performed on local PCs will take place in the cloud, managed by big companies along the lines of Amazon, Microsoft, Google, and even AT&T and Verizon.
The cloud will encourage the development of identification technologies designed to authenticate individuals online and via mobile and card technologies. The advantages and sheer connectedness facilitated by the cloud and our complementary devices will ultimately allow for a more seamless and secure digital life.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
By green, I mean what you might call your cashola, moolah, pesos, marks, dinero, bread... or just money. I have a few, possibly contradictory philosophies about protecting one's money. But hear me out.
First and foremost, never, ever fight a burglar, mugger, robber or home invader over money. If some whacko wants your dough, give it to him. I recommend keeping “chump change” on your person, or even at home, which you can easily hand over in the event of a violent demand. Toss it in one direction and run screaming in the other.
Keeping money under a mattress is generally not a good idea. Criminals flip over mattresses and slice them with knives. Often, criminals target a victim who they know has a mattress stuffed with cash, because the target told the wrong person about the mattress’s contents, and that person turned rat for a cut of the loot. Mattresses are also flammable.
A safe deposit box is a good idea, but not entirely practical, since it usually costs money to have one. It certainly has its value: it's generally located in a fire-resistant area of a bank and is protected by a key. But there are drawbacks. Ask your bank how much your box is insured for, if insurance is even available. Also, keep in mind that safe deposit boxes are often located below ground, in areas that may be prone to flooding.
Banks are the best option for storing your money. Keeping your money in a bank account is the safest, as far as your personal security is concerned. Banks do “go under,” and money has gone missing, like at banks in third world countries, but here in the United States, banks are FDIC insured. And while a total meltdown of the banking system can negatively affect your cash position, you should put your money in the bank.
A safe is great. A SentrySafe Big Bolt is better. If you keep money in the house, it is essential it be stored in a fire-resistant safe. Having money sitting in a drawer or stuffed into a wall makes it vulnerable to thieves and fires. The caveat is that you really shouldn’t keep an excessive amount of money in your home. But I definitely recommend having emergency cash around.
If something like a natural disaster or serious power outage were to hinder your ability to get cash from banks or ATMs, having a smart but not excessive reserve can get you out of a jam.
Robert Siciliano is a Personal and Home Security Expert for SentrySafe.