
After writing the article "Cyberspace and 4th Generation Warfare - A Marriage of Convenience" I received many questions and comments that really stirred the conversation. I'd like to further clarify some points and make some more links based on (among other things) observations stolen directly from John Robb's blog. I hope Mr. Robb doesn't mind my poaching his IP too much as I make my way forward in linking his theories to how I see the future of cyber conflict.

"Terrorists won't use cyber..."
The first comment I received, and one that is likely to persist for some time, was that terrorists prefer -and will likely continue to prefer- the more kinetic approach to critical system attacks. I agree. However, my article was about the fact that those who wish to disrupt critical systems and services could (also) do so through cyber attacks. I will grant that these are unlikely to be the same people who are now attacking through kinetic means. This does not mean that cyber attacks on critical systems won't happen. It is easily conceivable that online collectives such as Anonymous and LulzSec, who are known to harbour militant types, will eventually get bored with relatively innocuous attacks and start targeting digital weak points in critical infrastructure to bring their point across. The fact of the matter is that collectives such as Anonymous have, despite the nuisance they have caused thus far, barely scratched the surface of the power they could wield.

The DigiNotar attack, which is claimed to have been perpetrated by a single attacker calling himself ComodoHacker, is a prime example of how powerful cyber attacks can be when applied against critical infrastructure. This is asymmetric warfare at its finest. By cracking the security of a Root CA he managed to undermine all the systems (blindly) depending on it: Windows Update -thus bringing all Windows based systems within reach of compromise- and the entire Dutch government's digital ID system for citizens, to name but a few. Whether this was a state-sponsored attack by Iran or the act of a single individual is still a matter of debate. The CEO of Comodo apparently believes that it was state-sponsored; the attacker himself claims that it was retaliation for the Dutch involvement at Srebrenica. Either way, the attack was a massive success and demonstrated the weak points in the CA system.

"How is Open Source a good example?"
I received some comments that made it obvious my reference to the Open Source community missed its mark a little, probably because I had to cut some corners left and right to keep the article from bloating into a whole thesis. I was referring to the underpinning philosophy from Eric S. Raymond's The Cathedral and the Bazaar, not to any end product, individual, group or community specifically. To be more specific, the following points have served both the Open Source community and the Global Guerrilla community very well. I'm sure they will do the same for cyber conflicts:

  • Release early and often. Try new forms of attacks against different types of targets early and often. Don’t wait for a perfect plan.
  • Given a large enough pool of co-developers, any difficult problem will be seen as obvious by someone, and solved. Eventually some participant of the bazaar will find a way to disrupt a particularly difficult target. All you need to do is copy the process they used.
  • Your co-developers (beta-testers) are your most valuable resource. The other guerrilla networks in the bazaar are your most valuable allies. They will innovate on your plans, swarm on weaknesses you identify, and protect you by creating system noise.
  • Recognize good ideas from your co-developers. Simple attacks that have immediate and far-reaching impact should be adopted.
  • Perfection is achieved when there is nothing left to take away (simplicity). The easier the attack is, the more easily it will be adopted. Complexity prevents swarming that both amplifies and protects.
  • Tools are often used in unexpected ways. An attack method can often find reuse in unexpected ways.

"But what's with this Bazaar business?"
In his book, Mr. Robb points out that you can essentially outsource terrorism. There is a whole black "Terrorist Market" -or Bazaar- out there where you can buy or hire virtually every individual piece of a terrorism puzzle, from engineers specializing in crafting IEDs to the people willing to plant them at a road or intersection. This has also been the case in cyberspace. You can visit a carder website to get yourself set up with a whole batch of stolen credit card and/or social security numbers, attend 0-day auctions to get the latest hacks or approach hacking groups to outsource the entire attack; everything is possible online in the Cyber Bazaar.

"Exactly what are our problems in Cyber Security?"
This paragraph was surprisingly hard to come up with, because for the most part "Cyber Security" is just a fancy way of saying "IT Security". In other words: most issues we see now are not new. They've been around for a long time: IT-clueless managers, poorly trained technical staff, snake oil security vendors, misconfigured systems, lack of insightful security strategy et cetera. Most of these topics have been debated and written about ad nauseam -I've written quite a few myself- so I won't be addressing these in this article. The trouble for me was to define what the difference really is between IT Security and Cyber Security, and to pluck out the issues specifically related to the Cyber part of Security. Surprisingly, not many remain. Because most 'cyber issues' are arguably just IT Security issues and a matter of scale, it is my belief that the remaining issues specific to Cyber are Societal or Organizational. In fact I couldn't think of any particular IT issue that wasn't an issue when we still called it IT Security.

Societal Cyber Issues
When I speak of Societal Cyber Issues, I refer to the effects on society when certain critical cyber systems go down. For instance: what happens in society when a hacker brings down the power grid? I'm strictly limiting this section to the philosophical side, not the resolution of detected issues, because those are Organizational issues (next paragraph). There are Master's degree programmes specifically for writing scenarios such as these, and hiring these specialists will probably yield very valuable results. Of course, running (multi)nation-wide cyber scenarios is a great method for uncovering the societal and organizational issues too.

Organizational Cyber Issues
The organizational cyber issues are essentially the resultant "how do we fix this" issues derived from the aforementioned scenarios. Many organizations are -for instance- not at all prepared to respond to major, prolonged power outages. It is my belief that many companies will go belly-up entirely in such an event. Furthermore, these kinds of issues tend to stack, so multiple major problems can arise from one root cause. Good examples of relevant Organizational Cyber Issues can be found in environmental disasters such as Hurricane Katrina hitting New Orleans. Due to organizational failures, this major US city still hasn't fully recovered.

Looking for solutions
Essentially we need to start thinking more in terms of individual platforms. In his book Mr. Robb uses power generation and power distribution as an example. Currently we see "the power grid" as one big piece of critical infrastructure. In reality this can be separated into two concepts: Power Generation (power plants) and Power Distribution (power cables, transformer substations etc.). Right now the system is heavily centralized, with power being generated at large concentrated plants and distributed one-way over the power distribution network. Because of its centralized nature, this system contains multiple weak points that can bring down large parts of the grid when attacked. Take down a major power plant or simply cut the right cable and you may black out an entire city.

In this scenario, major weaknesses can be eliminated by allowing individual homes to feed the grid with the surplus energy generated by their solar panels and windmills. This decentralizes the power grid by creating thousands of miniature power plants. It is only possible if you redesign the current power distribution network to accept two-way distribution. It is further eased by using Open Standards that enable everyone to 'plug in' their home's power generator(s) using easily obtainable, non-proprietary hardware. This idea is not new. You can actually find several places that already have such a power grid, where citizens get paid for the power they deliver to it (their meter simply spins backwards).

It is ideas such as these that we must explore if we wish to become more resilient against attacks on our critical cyber infrastructure. I would love to hear of examples, so if you know of any please contact me.

About the author: Don Eijndhoven has a BA in System & Network Engineering with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands. Among a long list of professional certifications he obtained are the titles CISSP, Certified Ethical Hacker, MCITPro and MCSE. He has over a decade of professional experience in designing and securing IT infrastructures. He is the CEO of Argent Consulting and often works as a management consultant or Infrastructure/Security architect. In his spare time he works as a Project Manager for CSFI and currently has 2 projects in his portfolio. He also blogs for several tech-focused websites about the state of Cyber Security and is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine.

What is a level?

"Levels" is a classification of organizations accepting and processing credit cards. They are defined and used by the payment brands to indicate which compliance validation procedures and reporting requirements targeted entities are expected to complete.

There is no consensus in this area between payment brands (that would be too easy). There are as many level definitions as there are payment brands.

They are mainly defined based on the number of transactions processed annually on the payment brand's network.

Who determines the level applicable for a merchant?

Since acquirers are responsible for merchants’ compliance they are the ones who determine the level applicable to a merchant.

So if a merchant accepts multiple brands and those brands use different acquirers, the merchant could be subject to multiple levels, one per acquirer.

How to determine the applicable level?

Acquirers qualify the applicable level mainly based on the number of transactions processed annually, as well as any account compromise experienced by the merchant.

Merchant levels definition per payment brand and transaction volume

Notes:

  • No Level 4 merchant for American Express
  • No Level 3 and Level 4 merchants for JCB International
  • Payment brands reserve the right to escalate a merchant's level depending on risk, such as a previous compromise where PCI requirements were not in place.

References:

American Express:
https://www260.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=merchinfo&ln=en&frm=US&tabbed=merchantLevel

Discover:
http://www.discovernetwork.com/fraudsecurity/disc.html

JCB:
http://www.jcb-global.com/english/jdsp/index.html

Mastercard:
http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html

Visa:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Find all PCI 30 seconds newsletters on community.rapid7.com, section Information Security.

The Federal Financial Institutions Examination Council recently released a supplement to the guide it issued in 2005, on authentication in an Internet banking environment. One of the FFIEC’s key recommendations for eliminating fraud is consumer awareness and education.

At some level, you may be aware that financial institutions have a layered security approach in place. Those layers include multifactor authentication, which may mean requiring users to punch in a second security code or carry a key fob, as well as due diligence in identifying customers as real people whose identities haven't been stolen, and consumer education.

Consumers are largely oblivious to the multiple layers of security put in place by financial institutions in order to protect them and their bank accounts. All consumers really care about are ease and convenience. However, a better understanding of what goes on behind the scenes can help consumers adapt to new technologies that affect their lives.

I recently came across a blog post written by a financial institution’s bank manager, “Nerdy Nate,” attempting to educate the bank’s customers in response to the FFIEC’s guidance. Nate’s message is useful for all bank customers, and should be a model for other financial institutions.

“Currently, [this institution] employs a combination of a secure browser connection, customer number, password, and our enhanced login security system. We recently added the ability for you to use email, voice and text to receive a one-time passcode needed when we do not recognize your computer. We do realize that having to use a one-time passcode is inconvenient at times. Please be assured that SIS will research other options to make this more convenient. However, at this time, using a one-time passcode is considered the best practice in authenticating you as a user when you login into SIS Online Banking. This method is also compliant with the FFIEC guidance issued to SIS.

We are also working with our Online Banking provider on other security efforts in response to the FFIEC guidance.

  • Enhanced Device Identification – We will enhance the security of the multifactor authentication enrollment cookie, where it is in use, by adding device fingerprinting. This means that if the cookie is present on a system whose device fingerprint differs from what is on record, the cookie will not be honored and an additional authentication step will be required.

  • Removal of Challenge Questions – In the near future, we will no longer allow the use of a Challenge Question to authenticate you. Instead you will need to use one of the three passcode methods available: text, voice call and email.

  • Web Fraud Detection, Behavior Monitoring – We are evaluating different options to monitor your online access for fraud. Once we have a solution in place, we will notify you on how it might affect you as a user.

  • Malware Prevention & Detection – We are evaluating different options to monitor the use of malware to "hack" your online access. Once we have a solution in place, we will notify you on how it might affect you as a user.

We remain committed to providing you with the best and most secure Online Banking experience possible. With the ever-changing landscape of online fraud, this is proving to be more difficult every day. We are confident that with your help and some hard work on our side, we can achieve our goal.”

Great stuff. Nowadays, education on the “threatscape” is essential. Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, take one step instead of two and incorporate device reputation management.

This proven strategy not only has advanced methods to identify devices connecting to your bank, but also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect your financial institution against cyber fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation.

Is your data in the cloud? Right now, as we speak, billions are being invested by major corporations to store and back up data in the cloud. It's cheaper and it's safer.

When you think of a cloud, do you picture fluffy white pillow-things that float in the sky without a care in the world? “The cloud,” as it relates to technology, actually refers to millions of servers, which may be owned and operated by either corporations or private individuals, sitting in homes and offices. We can only hope that they are under tight security.

Data stored on your computer is kept together, in one nice little controlled place. Whereas data stored in the cloud is spread out, all over the world. But what’s more secure, your local PC or a server in a dark room in Des Moines?

The reality is that all cloud-based data, just like local PC-based data, is vulnerable to physical theft if the building isn’t properly protected, power outages if there aren’t redundant power backups, natural disasters if Mother Nature decides to have a bad day, and criminal hacking through system weaknesses, phishing, and social engineering.

Then there is Murphy, of Murphy’s Law: what can go wrong will go wrong. And with technology, there is much that can go wrong. CNET recently reported that Amazon’s cloud was down for almost two days. “In April, the cloud storage service experienced a two-day outage that brought many Web site operations to a halt. When a cloud-computing provider has trouble, of course, it raises worries about the dangers of outsourcing operations to another company.”

Cloud-based data is vulnerable both in the cloud, where it’s stored, if it is not properly protected and encrypted, and in transit, via your own Internet connection.

Most cloud service providers won’t explicitly outline what they do to protect your data because it could offer potential hackers information on how to compromise their networks. But one provider for example promises “strict security policies, military-grade encryption, and world-class data centers for optimal data protection of your business’ computers and servers.”

Some providers offer two-factor authentication, which is another good way to protect the integrity of cloud-based data, making hacking more difficult than obtaining a simple username and password. As a reminder, two-factor authentication means you have to use two different things to prove your identity. Typically this is something you have, like an ATM card, and something you know, like a PIN code.

Computer users are responsible for the security of locally stored data, and data that is transmitted via their Internet connection. They can avoid phishing and social engineering scams. But beyond that, they are reliant on the cloud provider to adequately secure their data. Have you checked with your cloud provider yet on their security measures?

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

In this newsletter we will distribute the roles for the PCI play. 

Regulators (scenarists and directors)

They are writing the scenarios and direct the play.

The PCI Council, whose main responsibilities are:

  • Maintain the standards and supporting documentation.
  • Qualify assessors and perform quality assurance checks of their work
  • Maintain a list of validated payment applications and approved PIN transaction security devices.
  • Educate the community
  • Promote PCI on a global basis.

Payment brands, responsible for:

  • Development and enforcement of their own compliance program.
  • Fines and penalties for non-compliance.
  • Forensic investigations in case of breaches.

Targeted entities (leading roles)

They hold the leading role by following the director’s instructions.

Merchants: business entities directly involved in the processing, storage, transmission, or switching of transaction data or cardholder data.

Service Providers: same as above, but on behalf of merchants.

They must ensure and maintain compliance on an ongoing basis as well as validate and report compliance.

Assessors (supporting roles)

In this category, the nominated are:

Qualified Security Assessor (QSA): qualified by the Council to assess the compliance of merchants and service providers with the PCI DSS standard. They go on-site. There are to date 267 QSAs.

List of QSA https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

Approved Scanning Vendors (ASVs): approved by the Council to perform external vulnerability scans for the targeted entities. There are to date 152 approved companies, of which Rapid7 is one.

List of ASV
https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

List of PFI (PCI Forensic Investigators)
https://www.pcisecuritystandards.org/approved_companies_providers/pfi_companies.php

Payment Application Qualified Security Assessor (PA-QSA): qualified by the Council to have their employees assess compliance with the PCI PA-DSS standard. There are to date 62 qualified companies.

List of PA-QSA

https://www.pcisecuritystandards.org/approved_companies_providers/payment_application_qsas.php 

Internal Security Auditor (ISA): individual security auditor staff of targeted entities, qualified by the Council to perform the role of assessor for their own organization. Companies using an ISA do not need to be assessed by a QSA.

Extra roles

The keyword "PCI compliance" on Google generates more than 9 million hits.

PCI is definitely considered a business driver for hundreds of security companies that provide a diversity of services to the targeted entities in the preparation and maintenance of their compliance.

With any project as complex as the implementation of ISO 27001 there are some things to avoid. Here are two quick things you shouldn't do:

1. Don't focus on information security. Although it sounds counter-intuitive, it is only the "content" of ISO 27001 that is about information security. What's more, if you focus on the ISO 27001 process instead, the process itself will ensure that information security is taken care of properly in your organization.
ISO 27001 is a management system standard. It is a standard that describes requirements for a system for managing information security. It does not include information security itself – merely the processes through which you will manage information security. If you set the processes in place effectively they will (you will) effectively manage your information security. The management system processes fall into two categories. The "primary" processes in the standard are about the processes to understand your current information security perspective, quantify the risk to your organization and plan actions to accept or reduce the risk to make it acceptable. It is implicit that senior management will be involved in accepting poor security... or pay to lower the risk. There is no requirement in the standard that the risk has to be addressed or lowered, merely that management acknowledge it and accept it. Other primary processes include a process to react to security incidents (or near incidents), contingency planning covering information security and a process to have access to information security contacts and information security legal requirements.

In addition to the primary processes, "support" processes include document control, records management, training, internal auditing, management, and corrective and preventive action. All of these processes must be formally defined in written procedures that describe a coherent and comprehensive system of processes that help you understand and control information security.

It has to be said that although ISO 27001 is not "about" information security, it does make specific reference to information security technologies. In an appendix it lists a number of general categories including physical access, human resources, communications, operations, etc. These categories are expanded in some detail in ISO 27002 and ISO 27001 requires that these controls are considered when reviewing risks in the organization and that their non-applicability is formally justified in a "statement of applicability". Thus the pair of standards do actually require and cover information security but as mentioned earlier none of the requirements are mandatory. Further, certification is about having a formal management system to ensure information security is consistently and continually addressed to ensure it is and remains effective. If you focus on the security issues you are not contributing towards ISO 27001 certification and you are not assuring the consistency and sustainability of information security management. Don't ignore the security issues but deliberately address the management system issues. That is the long term solution.

2. Don't over-complicate your risk assessment method. Risk is a calculation derived from probability and consequence. To make it objective it needs to be quantified as a numeric value so that it can be compared to what management says it will accept. This can be quite complex. Ultimately, risk usually includes subjective assessments of what the probability is and what value the consequence might affect. There is a tendency to attempt to formalize each step and even break steps into multiple stages so the subjectivity can be limited. However, the truth is that when you add all the stages together the subjectivity still exists. Keep the risk assessment methodology simple. What is the maximum value of the information asset that may be compromised? How serious is the threat? How serious is the vulnerability? (Avoid breaking it down further.) And when assigning numbers, try 1-5 rather than 1-10.
The key factor in a good risk assessment is to identify the risks. Most people in your organization will understand what that means when the risk and consequence are described, and they will know how serious they are. So long as you do a good job of identifying risk, the numbers assigned and the range they exist within are less important.
If this is your first attempt at a risk assessment then keep it simple. You can always make it more complex next time around.
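The three questions above (asset value, threat, vulnerability, each on a 1-5 scale) and the comparison against the level management says it will accept can be written down as a small risk register. This is an added example, not Cavendish Scott's method or a form prescribed by ISO 27001: the multiplicative score, the acceptance level of 30 and the sample risks are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the article recommends 1-5 rather than 1-10


@dataclass(frozen=True)
class Risk:
    asset: str
    description: str
    asset_value: int    # maximum value of the asset that may be compromised (1-5)
    threat: int         # how serious is the threat (1-5)
    vulnerability: int  # how serious is the vulnerability (1-5)

    def __post_init__(self):
        for name in ("asset_value", "threat", "vulnerability"):
            v = getattr(self, name)
            if v not in SCALE:
                raise ValueError(f"{name} must be within 1-5, got {v}")

    @property
    def score(self) -> int:
        # Assumed scoring: product of the three answers, so 1..125.
        return self.asset_value * self.threat * self.vulnerability


def assess(risks: list[Risk], acceptance_level: int) -> list[tuple[Risk, str]]:
    """Rank the register and decide, per risk, whether it needs treatment.

    Anything at or below the acceptance level is recorded as accepted by management;
    the standard requires that acknowledgement, not that every risk be lowered.
    """
    ranked = sorted(risks, key=lambda r: (-r.score, r.asset))
    return [(r, "treat" if r.score > acceptance_level else "accept (management sign-off)")
            for r in ranked]


def treatment_plan(risks: list[Risk], acceptance_level: int) -> list[str]:
    """Names of the risks that must be treated, highest score first."""
    return [r.description for r, decision in assess(risks, acceptance_level) if decision == "treat"]


# Constructed sample register for a small organisation (values are illustrative).
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection in public web app", 5, 4, 4),
    Risk("customer database", "backup tapes stored off-site unencrypted", 5, 2, 3),
    Risk("office network", "visitor Wi-Fi bridged to internal LAN", 3, 3, 4),
    Risk("marketing website", "defacement via weak CMS password", 2, 4, 2),
    Risk("HR files", "paper records in unlocked cabinet", 3, 1, 2),
]
ACCEPTANCE_LEVEL = 30  # assumed: the score management has said it will accept

if __name__ == "__main__":
    for risk, decision in assess(SAMPLE_REGISTER, ACCEPTANCE_LEVEL):
        print(f"{risk.score:>3}  {decision:<30} {risk.asset}: {risk.description}")
```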

Cavendish Scott, Inc. is experienced at implementing ISO 27001 management systems. We guarantee successful ISO certification and design and implement practical and easy to maintain systems. We also provide ISO 27001 training and conduct ISO 27001 audits including gap assessments.

ISO 31000:2009 sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in public or private sector. It does not mandate a "one size fits all" approach, but rather emphasises the fact that the management of risk must be tailored to the specific needs and structure of the particular organization.

ISO 31000 is designed to help organizations:

  • Increase the likelihood of achieving objectives
  • Encourage proactive management
  • Be aware of the need to identify and treat risk throughout the organization
  • Improve the identification of opportunities and threats
  • Comply with relevant legal and regulatory requirements and international norms
  • Improve financial reporting
  • Improve governance
  • Improve stakeholder confidence and trust
  • Establish a reliable basis for decision making and planning
  • Improve controls
  • Effectively allocate and use resources for risk treatment
  • Improve operational effectiveness and efficiency
  • Enhance health and safety performance, as well as environmental protection
  • Improve loss prevention and incident management
  • Minimize losses
  • Improve organizational learning
  • Improve organizational resilience.

ISO 31000 and ISO Guide 73 can be applied to any public, private or community enterprise, association, group or individual. The documents will be useful to:

  • Those responsible for implementing risk management within their organizations
  • Those who need to ensure that an organization manages risk
  • Those needing to evaluate an organization's practices in managing risk
  • Developers of standards, guides, procedures and codes of practice relating to the management of risk.

ISO Training

The International Standard ISO 27001 (previously BS-7799) for Information Security Management has been designed to help organisations of all types and sizes to implement simple and relevant practices that will secure not just their computer and communications services, but also their offices, their valuable organisational information and the efficiency and well-being of their staff.

What are the Benefits of ISO 27001?

ISO27001 was designed for high-pressure, information-driven, information-dependent environments.

ISO27001 was developed by 'real life' organisations including Marks & Spencer, Unilever, Lloyds TSB, and Nationwide Building Society, to name just a few. All these are organisations that are under commercial pressure: they have to deliver results to shareholders or stakeholders, and retain high levels of security and motivated workforces. Their input to the original British Standard and determination to ensure that it was appropriate and supportive in a high-pressure environment means that the controls and recommendations actually enhance efficient working practices.

ISO27001 provides an independent, recognized way of measuring the state of your information security. The standard provides an easy-to-follow framework for measuring and assessing the status of an organisation's information security at any given time: this means that it is possible to take snapshots of your progress as we enhance your systems and implement new procedures. ISO27001 helps you put in place some of the procedures you are legally required to have in place.

Employment law is increasing in complexity all the time, and it is a wise employer who documents and covers all eventualities for staff reference and agreement. In addition, other legislation, such as the Data Protection Act, the Computer Misuse Act and the Human Rights Act, provides a veritable minefield for the unwary. ISO27001 urges implementers to consider and design good information privacy and human resources procedures.

ISO27001 provides a way of showing partners, suppliers and staff that you are taking information security seriously.

ISO27001 recommends best practice for all types of information storage, communication and movement. As more and more companies exchange information using technology as the underlying transport system, the efficiency grows – but the risk increases. It is likely that, to facilitate secure inter-organisation information exchange in future, sharing agreements will stipulate that partners work in accordance with, or formally comply with, ISO27001. So ISO27001 will increasingly become the requirement for secure information exchange between all organizations.

In conclusion, ISO 27001 gives you a best practice management framework for implementing and maintaining sound information security. It also gives you a baseline against which you can either show compliance or undergo external certification.

ISO 27001 certification communicates to customers and suppliers alike that your organisation is managing and responding to information risk.
