This title of this post is a security industry axiom. In other words, we can strive for security, and by making this effort we put ourselves on a path to security. But while we may achieve a relative degree of security, we can never be 100% secure. Even Fort Knox is vulnerable.

We can, however, apply strategies that significantly reduce our risk level. One of the best techniques is “layering.” Layers of security make a criminal’s job more difficult by addressing all of the vulnerabilities in your home or office.

A bank, for example, has multiple layers of security. First, consider the perimeter of the building, which is often designed to include large windows, so that passerby or law enforcement can easily see any problems occurring inside. The bank’s doors have locks. Of course, there is an alarm system, which includes panic buttons, glassbreak detectors, and motion sensors. These are all layers, as are security cameras, bulletproof glass, and armed guards. Ideally, tellers and management should have robbery response training. Many banks use dye packs or even GPS to track stolen cash.

Each of these layers is designed to make it harder for a robber to do his job.

All banks have safes, because banks know that a well-constructed safe is the ultimate layer of security. A safe not only makes it extremely difficult for a bank robber to steal the bank’s money, it also protects the cash in the event of a fire.

Consider a layered approach to your home or small business security plan, one that includes a SentrySafe, the last line of defense in your protection strategy.

Robert Siciliano is a Personal and Home Security Expert for SentrySafe.

Who is responsible for financial losses due to fraud? The bank, or the customers whose accounts have been drained?

One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this case.

Clearly, the bank’s client, Experi-Metal, made some serious errors, but in the end, the bank paid the price. The court’s decision acknowledges that a vice president of Experi-Metal made the initial mistake of clicking on a link within a phishing email, which appeared to have been sent by Comerica but was in fact sent by a scammer. He then responded to a request for his Comerica account data, despite Comerica’s regular warnings about phishing scams and advice to never provide account information in response to an email. In doing so, the customer offered the scammer immediate online access to his company’s Comerica bank accounts. Naturally, the scammer began transferring money out of the accounts.

I’ll spare you the legalese and get to the nitty-gritty.

“The Court considered several factors as relevant to whether Comerica acted in good faith, including:

• The volume and frequency of the payment orders and the book transfers that enabled the fraudster to fund those orders;
• The $5 million overdraft created by those book transfers in what is regularly a zero balance account;
• Experi-Metal’s limited prior wire activity;
• The destinations (Russia and Estonia) and beneficiaries of the funds; and
• Comerica’s knowledge of prior and current phishing attempts.

It was the Court’s inclination to find that a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Furthermore, the Court found that Comerica “fails to present evidence from which this Court could find otherwise.”

This case means that Comerica and, by extension, all banks, must adhere more closely to the FFIECs recently released supplement to its previously released guidelines on authentication in an Internet banking environment, by adding multiple layers of security.

In this case, the computer or other device the scammer used to access Comerica’s website could surely have been traced overseas and flagged for: hiding behind a proxy, device anomalies such as a time zone and browser language mismatch, past history of online scams and identity theft, and the list goes on.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, called ReputationManager 360, and is used by leading financial institutions to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation.

In 1989 a group of US military analysts including William S. Lind, decided to conveniently ignore the rest of world history and look at evolution in armed conflict starting at a mere 100 years before the inception of the United States. Any biologist worth his salt will tell you that this is too small a sample to take an accurate measurement of such a lengthy ordeal as evolution, but for this article's sake I will digress.

The resultant work of this team was published in the US Marine Corps Gazette and revolved around a 'generational' view to warfare, in which each evolution - dubbed a Generation - had distinct characteristics particular to that generation. In their article they describe four generations. The following definitions were gleaned from Wikipedia:

First Generation: tactics of line and column; which developed in the age of the smoothbore musket. William S. Lind (2004) explains the generations of war as the First Generation beginning after the Peace of Westphalia in 1648 ending the Thirty Years’ War and establishing the state’s need to organize and conduct war. 1GW consisted of tightly ordered soldiers with top-down discipline. These troops would fight in close order and advance slowly. This began to change as the battlefield changed. Old line and column tactics were now suicidal as the bow and arrow/sword morphed into the rifle and machine gun (Lind 2).

Second Generation: tactics of linear fire and movement, with reliance on indirect fire. This type of warfare can be seen the early stages of WWI, where there was still strict adherence to drill and discipline of formation and uniform, but the dependence on artillery and firepower to break the stalemate and move towards a pitched battle.

Third Generation: tactics of infiltration to bypass and collapse the enemy's combat forces rather than seeking to close with and destroy them; and defence in depth. The 3GW military seeks to bypass the enemy, and attack his rear forward, such as the tactics used by German Storm Troopers in WWI against the British and French in order to break the trench warfare stalemate (Lind 2004). These aspects of 3GW bleed into 4GW as it is also warfare of speed and initiative. However, it targets both military forces and home populations.

Fourth Generation:  tactics generally revolve around unconventional warfare, often seen as terrorist activities or Insurgency. The conflict itself is characterized by a blurring of the lines between war and politics, soldier and civilian, often leading to long and drawn out conflicts. In terms of generational modern warfare, the fourth generation signifies the nation states' loss of their near-monopoly on combat forces, returning to modes of conflict common in pre-modern times. The simplest definition includes any war in which one [or more, ed.] of the major participants is not a state but rather a violent non-state actor.

The article was heavily debated on its accuracy, especially when considering the rest of world history. Certain forms of warfare had always existed and seem more dependant on the intelligence of the Generals fighting the war than it does on technology or 'modernity'. For instance it can be argued that Maneuver Warfare -or 3d generation- was used with great success by conquerors such as Alexander the Great (356 – 323 BC) when he deployed his cavalry in a flanking maneuver.  Additionally we can see 4th generation warfare (4GW) in the rise of Spartacus in ancient Rome, where he (a non-state entity) made war with the Romans. Nevertheless the theory made one point that is of particular application to Cyber Warfare: A blurring of the lines between Soldier and Civilian. Everyone can start a war through cyberspace. War is no longer the sole province of Nation States.

In his eye-opening book "Brave New War", author John Robb explains how the internet and other global communication systems have supercharged the individual's capacity to wage war. For virtually every extremist view there is a place on the internet, so its quite easy to find other people who share your cause and build a small army. You can find manuals on how to craft bombs and other weapons from household products, so weapons to fight with are certainly not a problem. Furthermore: terrorists have begun to move away from targetting symbolic places and instead seem to be focussing on weak spots in critical infrastructure. These are far easier targets to hit and this drives down the requirements, making it that much easier for extremist groups or individuals to achieve their goals. These attacks on critical infrastructural weak points have proven to be cheap to execute, with a small chance of getting caught and have an extremely high ROI. Sometimes the cost of repairing the damage is several thousand times more costly than the attack itself. Furthermore it delegitimizes the hosting nation state every time they succeed, and they succeed often because it is nearly impossible to defend everything, all the time. Whats worse: the number of attacks is on the rise precisely because they are so successful.

The chance of another 9/11 happening are slim to none, while cheap and easy attacks on (for instance) oil lines in the middle of the desert are occuring daily. Information on where those weak spots are in our critical infrastructure is freely available on the internet as well, as long as you know what to look for. If you have a degree in Engineering you may not even need such internet access because you can find them on your own. And these are just the kinetic side-effects of global access to global knowledge. Remember: Much of Western critical infrastructure is connected to cyberspace too. As such it is both an excellent method to attack critical infrastructure as well as a target in and of itself.

With this in mind we should expect the same growth in cyber conflicts (cyber terrorism, cyber warfare etc). Cyberspace will become more hostile rather than less hostile, despite any efforts in securing the products and systems we work with, simply because through cyberspace they can hit us where it hurts. As our dependance on cyberspace grows, naturally so must phenomena such as cyber terrorism. It is perfectly in line with that supercharged unconventional warfare so suited for individuals and small groups as described in the article on 4GW, as well as Robb's observed trend towards what he calls Global Guerilla tactics.

The lesson here is that we should prepare our online critical infrastructure for such attacks ahead of time. Assume that attacks will come and that attacks will be successful. This means that critical services should be redundant and capable of providing service even while under attack. Decentralization is your friend. Mr. Robb advocates turning services into independant Open Standard platforms that other companies, groups or even individuals can build onto with greater ease, and I believe he rightly points to the Open Source movement as a prime example. We can still learn much from Eric S. Raymond's Bazaar model. We can, and if we wish to survive: we must.

Total quality management is a management system for a customer focused organization that involves all employee in continual improvement of all aspects of the organization. TQM uses strategy, data, and effective communication to integrate the quality principles into the culture and activities of the organization. 

 Principles Of TQM 

 > Be Customer focused: Whatever you do for quality improvement, remember that ONLY customers determine the level of quality. Whatever you do to foster quality improvement, training employees, integrating quality into processes management, ONLY customers determine whether your efforts were worthwhile. 

 > Ensure Total Employee Involvement: You must remove fear from work place, then empower employee... you provide the proper environment. 

> Process Centered: Fundamental part of TQM is to focus on process thinking. 

 > Integrated system: All employee must know the business mission and vision. An integrated business system may be modeled by MBNQA or ISO 9000 

 > Strategic and systematic approach: Strategic plan must integrate quality as core component. 

 > Continual Improvement: Using analytical, quality tools, and creative thinking to become more efficient and effective. 

 > Fact Based Decision Making: Decision making must be ONLY on data, not personal or situational thinking. 

 > Communication: Communication strategy, method and timeliness must be well defined.

---

ISO Consulting

Hi Everyone,

This is our second PCI 30 sec newsletter. One cannot move through the PCI ecosystem without basic understandings of the payment processing terminology and workflow. So let’s have a look behind the scene.

The payment processing terminology

In a nutshell, the payment transaction could be depicted as follow:

We have cardholders that make payment card purchases from merchants, merchants that send payment transaction data to their acquirers, and acquirers that send payment transaction data through the payment brand network to the issuer.

• The cardholder is the person that actually has the payment card and uses it to purchase goods or services.
• The merchants are the organizations accepting payment.
• The acquirer is the bank the merchant has a contractual relationship with.
• The issuer is the organization that issued the card to the cardholder.
• The payment brands are the credit card organization (Visa, MasterCard, Amex, Discover, JCB).

Note:

Visa and MasterCard never issue cards. Their cards are always issued through a bank (Issuer) or other organization.  American Express, Discover, and JCB International  issue cards directly. They also acquire those transactions.

The payment processing workflow

It encompasses the following operations:

1. Authorization
2. Clearing
3. Settlement

Authorization: At the time of purchase, the merchant requests and receives authorization from the issuer to allow the purchase to be conducted, and an authorization code is provided.

The process includes:

1. The cardholder swipes or dips card at the merchant location.
2. The merchant’s bank (or acquirer) asks processor to determine the cardholder’s bank (or issuer).
3. The processing network determines the cardholder’s bank and requests approval for purchase.
4. The cardholder’s bank approves the purchase.
5. The processor sends approval to merchant’s bank.
6. The merchant’s bank sends approval to the merchant.
7. The cardholder completes the purchase and receives a receipt.

Clearing: In the Clearing process, the acquirer and issuer need to exchange purchase information to complete the transaction.The process includes:

1. The merchant’s bank sends purchase information to the processor network
2. The processor sends purchase information to the cardholder’s bank, which prepares data for the cardholder’s statement
3. The processor provides complete reconciliation to the merchant’s bank

Settlement : The merchant’s bank pays the merchant for the cardholder purchase and the cardholder’s bank bills the cardholder.This process includes:

1. Cardholder’s bank (Issuer) sends payment to the processor.
2. The processor’s settlement bank sends payment to the merchant’s bank (Acquirer).
3. Merchant’s bank pays the merchant for cardholder’s purchase.
4. Cardholder’s bank bills the cardholder.

That’s all for today folks.

Cheers 

Didier Godart
Risk Product Manager
Rapid7
This email address is being protected from spambots. You need JavaScript enabled to view it.
+32498.78.77.44
Moderator PCI ASV voice on LinkedIn

The ever ongoing debate about quality IT staff once again received a nudge, this time by an article of J.Oquendo. In his article he takes another brutally honest stab at the Industry by pointing out that the new Shady RAT attacks aren't that new and would have been easily caught by capable personnel. I agree with that view very strongly and would also like to point out that Shady RAT is really no different than Night Dragon in that both attack waves used techniques that have been known for a decade or more. Oviously someone is asleep at the wheel, but who?

In several articles I've seen about this topic, I have seen in-depth descriptions of the observed failures of the staff itself as well as the certifications that should have tested their skills. These seem to me to be symptoms rather than a cause, and one that I don't see in many other industries. Most industries have some kind of self-correcting function built in. In the Medical profession there is a Medical Board that reviews its members and is able to punish shoddy work. Lawyers can be disbarred by the Bar Association in their district. A bad carpenter may well find himself nailed upside-down to a wall if he doesn't pull his weight during a large construction project. All of these are examples of Peer Review. What makes the IT industry so different?

Two major differences immediately came to mind:

• Cost of mistakes are hard to quantify (or even detect) in IT and;
• Line- and Project management are much less skilled in IT than other industries are in theirs.

Cost of mistakes are hard to detect and quantify
Compared to other industries, mistakes made by IT personnel aren't always obvious. Systems may keep on working and may even work properly when its poorly configured. If a system does crash, its often very hard to quantify exactly how much damage there is and what it has cost the company.  If a surgeon makes a mistake, the effect is often immediate (e.g. a patient keels over). If a construction worker makes a mistake, a building may collapse. In either case a problem is usually clearly visibly detectable and peer review takes place. Lack of visibility and immediate effects inhibit such peer review in the IT industry.  

Line- and Project Management personnel are not sufficiently skilled in IT to manage its staff
The fact that IT is still somewhat of an ethereal topic to most people is reflected in the poor choices made when hiring management personnel. You wouldn't believe how often I've heard it said that 'IT managers don't need to know IT, they just need to manage the people'. This is just plain wrong. Yes they need to be skilled in managing people, but they also have to make regular professional judgement of the quality of work provided by the staff they are managing. Virtually every other profession does this better than we in the IT industry.

I believe this has a lot to do with the fact that there are less IT-savvy managers to begin with and so management accepts second-best as its defacto standard. There also seems to be less promotion from the ranks than in other industries. Maybe the stigma of IT personnel having less social skills (think Geek or Nerd) has its part in this problem, I don't know and wouldn't care to judge its veracity. What is evident is that there aren't nearly as many well-educated (in IT!) CIO's as we should have. We need those proper CIO's to hire proper IT managers, who in turn hire proper personnel instead of the pseudo-specialists that are so often the topic of negative discussion.

Of course you could say that its up to the IT professionals to get themselves skilled, but we've tried that and it doesn't work. And why would they? Many of them skate by excellently with a minimum of effort because of that 'peoplemanager' with the bachelor degree in napkin folding you thought would do just fine (and wasn't he cheap!). As an organization, try the following:

• Stop assuming that 'any bachelor/master degree' will suffice for an IT position. The higher up the manager is going to be, the more skill you can ask for the position. That includes the CIO position! Although their knowledge has to be scoped broader, it must still be present and relevant.
• Promote from the ranks where possible. The pecking order in an IT department is established fairly quickly and its almost always based on skill and knowledge. Leverage that information in getting the right people promoted. If you choose right, they'll be perfectly capable of hiring their own replacement.
• When hiring technical personnel, have each applicant vetted by your best tech(s), even if it is a contractor. Listen to their advice.
• Don't let certifications dazzle you. Many certifications don't mean much anyway. Look to match certifications with practical experience and you'll fare better.
• Remember: If you pay peanuts, you'll get monkeys. If you don't have money, find other ways to entice new personnel such as exciting projects or nice perks.
• Recruiting agencies often play it fast and loose with matching your needs to their staff. Don't assume their personnel is any better - verify! Remember: You're paying a premium and deserve quality. Ask them about the training their staff receives. If they're any good, it should be at least a periodically recurring thing. I know companies that demand an x-amount of study a year per employee.

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase of cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by challenging each layer of security, by exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based questions, and can be easy to figure out with the use social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines.  You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation.