<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Information Security News</title>
	<atom:link href="http://www.cybersecurityinformation.com/category/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Fri, 27 Aug 2010 13:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Balancing The Information Security Program</title>
		<link>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/</link>
		<comments>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 13:51:27 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Info D News Releases]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber security risk assessment]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[information compromise]]></category>
		<category><![CDATA[Information Defense]]></category>
		<category><![CDATA[it & cyber security risk management]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=924</guid>
		<description><![CDATA[The ability to create, transmit, and store information far exceeds the ability to secure it.  The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others. The largely accepted view and standard is that the protection of information assets is a technology [...]]]></description>
			<content:encoded><![CDATA[<p>The ability to create, transmit, and store information far exceeds the ability to secure it.  The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others.</p>
<p>The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all &#8220;controls&#8221; are within the area of Information Technology.</p>
<p>While technology is an important aspect of any information security program strategy, it is at best only one of three legs of the footstool. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.</p>
<p>Social engineering is the act of obtaining confidential information through the “art of deception”.  Most people have heard of or experienced phishing attacks through email.  The email entices the recipient to visit a website that downloads malicious software to the user’s PC, or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.</p>
<p>Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations.  With caller identification easily spoofed to show the desired inbound number on the recipient’s display, the attacker poses as someone they are not in an attempt to extract sensitive information.  The attacker’s goal may be to gain access to the company’s infrastructure, bank accounts, or personal and private information, among a variety of other motives.  It is hard to imagine how technology alone can prevent such attacks if the employee is unaware and untrained.</p>
<p>Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.</p>
<p>A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology.  Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development of robust business-centric mitigation strategies.  While not all compromises can be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise, preplanned manner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Citibank Computers Hacked by Russian Cyber Gang</title>
		<link>http://www.cybersecurityinformation.com/2009/12/23/citibank-computers-hacked-by-russian-cyber-gang/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/23/citibank-computers-hacked-by-russian-cyber-gang/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 16:29:52 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Citibank]]></category>
		<category><![CDATA[Juval Aviv]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=729</guid>
		<description><![CDATA[In additional cyber security news, the Wall Street Journal reported today that Citibank was the victim of a hack by what appears to be a Russian cyber gang that resulted in the loss of tens of millions of dollars. The attack also targeted two other entities, at least one of which is a government agency.  [...]]]></description>
			<content:encoded><![CDATA[<p><strong>In additional cyber security news, the Wall Street Journal reported today that Citibank was the victim of a hack by what appears to be a Russian cyber gang that resulted in the loss of tens of millions of dollars.</strong></p>
<p>The attack also targeted two other entities, at least one of which is a government agency.  The attack was discovered over the summer, but could have taken place as much as a year earlier.  The case is being investigated by the FBI with assistance from the NSA, the Department of Homeland Security and Citigroup which is partially owned by the US Government.</p>
<p>Citigroup denies that the hack took place and there has been no comment from any government agency, but the report further details that the hack was discovered when officials noticed suspicious internet traffic coming from email addresses known to be owned by the Russian Business Network, a gang that has sold software used to access US government systems.  The gang had been silent for two years, but is suspected in other recent attacks.</p>
<p>Beyond the stolen money, a major concern is that the hackers could destroy information, wreaking havoc on the banking system or that once they have infiltrated one bank that they could use that access to get into other banks.</p>
<p>This further illustrates the point that I was making in the previous article that cyber terrorism is a very real threat and that our banking, communications, government and military systems are currently under assault from gangs and even the governments of other countries.</p>
<p>Protecting these systems must be a priority, and the efforts to do so must be coordinated, not a variety of independent efforts directed by multiple agencies.</p>
<p><em><strong>By Juval Aviv, President &amp; CEO of <a href="http://www.interforinc.com/" target="_blank">Interfor Inc</a>, Strategic Partner of Info Defense</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/23/citibank-computers-hacked-by-russian-cyber-gang/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama Appoints Cyber Security Czar &#8211; Howard A Schmidt</title>
		<link>http://www.cybersecurityinformation.com/2009/12/23/obama-appoints-cyber-security-czar/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/23/obama-appoints-cyber-security-czar/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 16:27:43 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Cyber Security Czar]]></category>
		<category><![CDATA[Howard A Shmidt]]></category>
		<category><![CDATA[Juval Aviv]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=727</guid>
		<description><![CDATA[Seven months into his term, President Obama has appointed Howard A. Schmidt to the role of cyber security chief.  He will report to the National Security Council and will have regular access to the President. Mr. Schmidt is an industry veteran who previously served the Bush White House.  He was formerly the chief information security [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Seven months into his term, President Obama has appointed Howard A. Schmidt to the role of cyber security chief.  He will report to the National Security Council and will have regular access to the President.</strong></p>
<p>Mr. Schmidt is an industry veteran who previously served the Bush White House.  He was formerly the chief information security officer at eBay, the chief information officer at Microsoft, and worked in computer security for the Air Force, the Army and the FBI.  The Obama administration is the first to promote this position to the level of a White House Director.</p>
<p>Cyber security has increasingly become a priority in the wake of a growing number of cyber attacks and reports of vulnerabilities in business and military computing systems.  Obama was brought face to face with the issue during his campaign for the presidency, when his campaign’s computer security was breached, exposing critical information ranging from policy positions to travel plans.</p>
<p>Mr. Schmidt will be facing long-running turf wars being waged among the Pentagon, the <a href="http://topics.nytimes.com/top/reference/timestopics/organizations/n/national_security_agency/index.html?inline=nyt-org" target="_blank">National Security Agency</a>, the <a href="http://topics.nytimes.com/top/reference/timestopics/organizations/h/homeland_security_department/index.html?inline=nyt-org" target="_blank">Department of Homeland Security</a> and other agencies over the conduct of defensive cyberoperations.</p>
<p>He and others serving in cyber security positions will also be trying to work out how to conduct offensive cyberoperations, and what the rules and tactics should be.  One of the biggest fears in carrying out offensive attacks on computer systems is unintended consequences that damage civilian infrastructure.</p>
<p>In 2003 for example, the Bush administration had the technology to launch a cyber attack that would freeze the bank accounts of Saddam Hussein and cripple Iraq’s economy, giving Hussein no money for war supplies or to pay troops.  The attack never happened though because of the fear that the effects of the attack would not be limited to Iraq and would create world-wide financial havoc.  Attacks were carried out on Iraq’s military and government communications system, which resulted in cellular and satellite telephone service being shut off on the countries surrounding Iraq for several days.</p>
<p>I am heartened to see that the issue of cyber security is being taken more seriously by this administration and that attempts are finally being made to coordinate the efforts to protect our nation’s computer systems.  Cyber warfare has become a very clear and present danger, one that could have deadly consequences leading to a further destabilization of our country’s economy and even the loss of lives without one terrorist ever stepping foot on our soil.</p>
<p>The vulnerabilities of our banking, government and military computer systems, the Federal Aviation Administration systems as well as the systems that are used for general communication and e-commerce have not been addressed sufficiently to this point and those vulnerabilities have led to dangerous security breaches.</p>
<p>In my opinion, the one issue that must be addressed immediately, particularly for the military, is that only about 1/5 of computer chips are produced in secure American facilities.  Most computer chips, even those that are produced by American companies are produced overseas.</p>
<p>In fact only about 2% of the computer chips that are used in our military’s communications systems and weaponry are being produced in America.  This is a major cause for concern as chips produced in unsecured plants can be infected with malicious software or Trojan horses that allow computer criminals to pilfer information or to even take over control of the machine that is being powered by the infected chip.  Retired Army General Wesley Clark has referred to these types of infected chips as “the ultimate sleeper cell” and I agree.  Domestic production must be supported and encouraged if we are to make a serious effort at protecting vulnerable systems.</p>
<p>Clearly, Mr. Schmidt has his work cut out for him.  I wish him luck.</p>
<p><em><strong>By Juval Aviv, President &amp; CEO of <a href="http://www.interforinc.com" target="_blank">Interfor Inc</a>, Strategic Partner of Info Defense</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/23/obama-appoints-cyber-security-czar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Personal Data &amp; Information Privacy Compromised by Technology</title>
		<link>http://www.cybersecurityinformation.com/2009/12/08/personal-data-information-privacy-compromised-technology/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/08/personal-data-information-privacy-compromised-technology/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 14:53:43 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[information compromise]]></category>
		<category><![CDATA[information privacy]]></category>
		<category><![CDATA[personal data security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=719</guid>
		<description><![CDATA[A recent trip got me thinking about technology and the ramifications it imposes on data privacy, our safety and our lives. The thought started as I watched in amazement as each passenger on my flight readily handed over his or her credit card to purchase a snack. Many didn’t need it, certainly not the person [...]]]></description>
			<content:encoded><![CDATA[<p>A recent trip got me thinking about technology and the ramifications it imposes on data privacy, our safety and our lives.</p>
<p>The thought started as I watched in amazement as each passenger on my flight readily handed over his or her credit card to purchase a snack. Many didn’t need it, certainly not the person next to me, but that’s off the point. Those who tried to pay in greenbacks were told the airline does not accept cash.</p>
<p>Does this trouble you? It does me, on many levels.  Forget for a moment the technical aspects and the information security of credit card data.  What is happening to data privacy, and what does it ultimately mean?  Does the average person think about privacy as they readily hand over their cards?</p>
<p>You may answer, “I have nothing to hide,” and that&#8217;s great, but do you know what fingerprints you are leaving, where, and how they might ultimately be used against you without your permission and/or knowledge? What other items exist in our lives that intrude on our privacy, and how might they be utilized to create the ultimate compromise?</p>
<p>In my mind privacy clearly has been compromised by technology.  That compromise is ultimately leading to our collective demise.</p>
<p>As individuals we espouse to love our freedom as it slowly sails out of sight.  At what point do we reach what author Malcolm Gladwell refers to as “The Tipping Point”, and how might that affect your life?  Putting back on my Information Defense hat, what unforeseen event(s) might occur as information continues to be collected at alarming rates and it is used for ill will?</p>
<p>Clearly fraud has been around since the beginning of time.  The manner in which it is perpetrated continues to morph and information technology has been a great enabler.  Misuse by officials, unintended mistakes, or deliberate actions might damage our lives irreparably.</p>
<p>Every step we take on a journey is tracked. A simple vacation or business trip may lead to hundreds of data points collected about you including locations, photographs, purchases, meals, beverages, conversations, entertainment sources, etc.  The more technology expands the less that goes untracked and the less privacy we have.</p>
<p>What I am concerned about is how might your person be compromised?  What about your business and its assets, or your clients?</p>
<p>I’d like to pose more questions, but I’ve got to run; my airline carrier just emailed me with new offers, knowing I have returned home from my recent trip.</p>
<p>Find out how to Prepare, Prevent and Respond, <a href="http://www.cybersecurityinformation.com/contact-us/">contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/08/personal-data-information-privacy-compromised-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Controlling Risk to Information Assets &#8211; Cyber &amp; Data Security in the Workplace</title>
		<link>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 21:53:14 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[information assets]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=708</guid>
		<description><![CDATA[Is information security an afterthought in your business?  At what point is security considered? Now being a technologist you might answer that it is at the forefront of your activities and that’s great but for the business people at what point does it enter the business discussion?  Chances are it doesn’t. The reason I raise [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Is information security an afterthought in your business?  At what point is security considered? </strong></p>
<p>Now, being a technologist, you might answer that it is at the forefront of your activities, and that’s great, but for the business people, at what point does it enter the business discussion?  Chances are it doesn’t.</p>
<p>The reason I raise the question is simple.  Effective security should be core to business operations and culture: not a bolt-on application or a retrofit, but rather part of the business process itself.  I think it is in our human nature to look at the upside when discussing anything new, whether a business opportunity, investment, or other venture.  Far too often we forget the downside, perhaps choosing to ignore it, and without consideration we create situations that are emotionally charged and highly reactive when the unforeseen arises.</p>
<p>The same is true for information security.  While organizations and business leaders seek the advantages of implementing technology-based solutions to create competitive advantage, the downside and potential risks associated with exposing electronic forms of critical business assets are generally not given appropriate consideration.  <em><strong>Without consideration the threat of electronic asset theft is left unmitigated</strong></em> and the cost of such an event never considered.</p>
<p>Too often information security is seen as a purely technical function that adapts to the needs of the business.  However, such an approach leaves huge gaps in business process and procedure for which technology is not an effective stopgap.  Without clearly architected and documented business processes, and technology solutions that support those processes, technology alone has no hope of keeping a check on unwanted activity.</p>
<p>We see repetitive disconnects in organizations that have suffered information compromise, are seeking to become compliant, or are in general looking to improve their overall security posture.  Information security is not effective when operating as a disconnected organization that builds perimeters of firewalls, intrusion detection systems and log analysis devices, and jumps to the call of some alarm.  Too often a broken process is a root cause that reactive security measures will never stop, and a security breach goes on unnoticed for months and beyond.  Once it is identified, the organization&#8217;s approach to the information breach is emotionally charged and highly reactive.  The lack of preparation can cost the affected organization dearly in brand degradation, costs of cleanup, loss of customers, and legal proceedings.</p>
<p>Effective information security programs are tightly integrated into the businesses they serve across people, process and technology.  Highly effective, high-profile organizations get this.  You can see it in the manner in which the organizations themselves are structured, and in how new ideas are discussed, vetted, and implemented.  Sound risk management principles prevail in the organizations that get it.</p>
<p>A highly integrated approach applies business-centric risk management principles that evaluate risk, identify compensating controls, and implement the appropriate structures to prepare, prevent and respond in protecting sensitive business assets from information compromise.</p>
<p>A well-constructed <a href="http://www.cybersecurityinformation.com/information-security-model/">information security program</a> should bridge the gap between business operations and their processes and standards-based security measures such as those developed by NIST, SANS, ISO or others.</p>
<p>To find out how your <a href="http://www.cybersecurityinformation.com/contact-us/">information security programs measure up contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government IT &amp; Cyber Security Compliance &amp; Regulation Not Enough &#8211; The Case for Effective Risk Management</title>
		<link>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 14:12:49 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber security compliance]]></category>
		<category><![CDATA[cyber security regulation]]></category>
		<category><![CDATA[information security risk management]]></category>
		<category><![CDATA[it & cyber security risk management]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=638</guid>
		<description><![CDATA[Balancing Government compliance, regulation and security initiatives while helping define and drive your priorities and timelines to manage what can be enormous investments &#8211; risk management practices and principles supporting today’s information rich, connected, online present organizations. I am amazed at the number of organizations that continue to take either a lax, or too narrow [...]]]></description>
<content:encoded><![CDATA[<p><strong>Balancing Government compliance, regulation and security initiatives while helping define and drive your priorities and timelines to manage what can be enormous investments &#8211; risk management practices and principles supporting today’s information-rich, connected, online-present organizations. </strong></p>
<p>I am amazed at the number of organizations that continue to take either a lax or too narrow an approach to protecting information assets.  I am certain that those of our legislators who understand the threats against our corporate assets and the individual’s identity would agree.  Just look at some of the regulations that currently exist, such as Sarbanes-Oxley, <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/">PCI</a> DSS, the <a href="http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/">Red Flags Rule</a>, <a href="http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/">HIPAA</a> and GLBA, and you will begin to get where I’m going.  Throw in the regulatory bodies FTC, SEC, FFIEC, and so on.</p>
<p>There are armies of resources now and a growing attitude for more legislation and governing bodies.  This is purely reactionary and misguided when it comes to securing information assets.  What is really missing in the equation is focus by the companies themselves who hold the intellectual property, sensitive consumer information, or infrastructures of national concern.</p>
<p>In general, executive leadership does not understand the real and growing threats that their businesses face.  There are literally thousands of attempts on their organization’s assets on a daily basis from internal hackers and from sophisticated external organized crime and espionage groups.  Still, none of this is on the average executive’s radar screen.  Too often the media, when they do speak on the topic, don’t get it right, as they go for the sensational as opposed to the facts.  We need to focus on the facts, as this is not a Sci-Fi drama; it’s the real world.</p>
<p>Perhaps the government has gotten the attention of corporations in the only way it believes it can, through regulation.  However, regulators don’t always do their job, so various frauds and information thefts of identity, healthcare, credit, and other crimes continue to grow.  In large part the regulation has pressed companies to focus on passing audits and not on securing information assets.  The two require markedly different approaches and levels of commitment.  A compliant organization is not necessarily a secure one.</p>
<p>So when do most corporate leadership, principals, partners and other executives focus on information security?  The all too often answer is: after the compromise.  The approach then is an ad hoc, reactionary, and ill-focused response to an information compromise.  The loss occurred, the organization was not prepared, preventative measures failed, the compromise was not detected for an extended period of time, and now chances are there is little opportunity to fully recover at any cost.  Information security breaches can cost an organization millions, and high-profile public cases can run into the hundreds of millions of dollars.</p>
<p>Information Defense is often called in on incident response and forensic investigations, many times long after the breach has occurred.  We have seen “compliant” organizations suffer significant information losses.  Again I want to stress that securing information assets and being compliant are not one and the same. Piecing together the facts in an investigation where a theft has occurred is a difficult, costly and lengthy process.  Results are highly dependent on evidence that may no longer exist and that is out of the control of the incident response and forensics team.  While comprehensive information security programs, across people, process, and technology, often form the basis for solid compliance solutions, the converse is not true.</p>
<p>While security awareness can often arise from comprehensive steps taken to become compliant, without understanding at the most senior levels, and a corporate mandate accompanied by the resources to drive the necessary steps for information security, the organization will be largely unsuccessful.</p>
<p>Engaging expert external resources such as Information Defense can bring critical, comprehensive experience and balance to the organization.  Experts can help to balance compliance and security initiatives while helping to define and drive priorities and timelines to manage what can be enormous investments.  Often outside resources can assist in engaging the executive team for sponsorship and in driving the importance of following strong risk management practices and principles to support today’s information-rich, connected, online-present organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information &amp; Cyber Security Threat Assessment &amp; Risk Mitigation – New York, New Jersey, Connecticut &amp; Pennsylvania</title>
		<link>http://www.cybersecurityinformation.com/2009/11/23/information-cyber-security-threat-assessment-risk-mitigation-new-york-new-jersey-connecticut-pennsylvania/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/23/information-cyber-security-threat-assessment-risk-mitigation-new-york-new-jersey-connecticut-pennsylvania/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 14:00:15 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Info D News Releases]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[connecticut]]></category>
		<category><![CDATA[cyber forensics]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber security breach]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[new jersey]]></category>
		<category><![CDATA[new york]]></category>
		<category><![CDATA[pennsylvania]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=657</guid>
		<description><![CDATA[Information Defense has been conducting a variety of online, data and secure information breach incident response and cyber forensic investigations for organizations based in New York, NY and the surrounding states (New Jersey NJ, Connecticut CT and Pennsylvania PA in particular). We are seeing increased losses from having insufficient detective resources and data loss prevention strategies in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Information Defense has been conducting a variety of online, data and secure information breach incident response and cyber forensic investigations for organizations based in New York, NY and the surrounding states (New Jersey NJ, Connecticut CT and Pennsylvania PA in particular).</strong></p>
<p>We are seeing increased losses from having insufficient detective resources and data loss prevention strategies in place to stop such action.</p>
<p>Often evidence is either wiped (cleaned) by perpetrators, overwritten by continued use of resources or by insufficient backup procedures, misdiagnosed by first responders, or action is delayed for many reasons.  Overtaxed IT organizations and insufficient preparation are at the core of much of what we are seeing.</p>
<p>We are seeing losses within both large and small organizations from external attacks, employee theft, business partners and disgruntled former employees.</p>
<p>Information Defense continues to help organizations prepare for, prevent and respond to cyber crime.  We offer a variety of solutions such as risk assessments, vulnerability and penetration testing, compliance advisement, incident response, and forensic investigations.</p>
<p>It is critical that organizations <a href="http://www.cybersecurityinformation.com/incident-response-planning/">prepare for the potential of secure data and information compromise</a> and remain ready to respond with <a href="http://www.cybersecurityinformation.com/incident-response/">comprehensive information security incident response teams</a> that include a broad representation and participation from the organization.</p>
<p><a href="http://www.cybersecurityinformation.com/contact-us/">Contact us</a> to learn more about how our expert team can assist your organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/23/information-cyber-security-threat-assessment-risk-mitigation-new-york-new-jersey-connecticut-pennsylvania/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information &amp; Cyber Security Threat Assessment &amp; Risk Mitigation &#8211; Bay Area, San Francisco &amp; Silicon Valley</title>
		<link>http://www.cybersecurityinformation.com/2009/11/23/information-cyber-security-threat-assessment-risk-mitigation-bay-area-san-francisco-silicon-valley/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/23/information-cyber-security-threat-assessment-risk-mitigation-bay-area-san-francisco-silicon-valley/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 13:43:39 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Info D News Releases]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[bay area]]></category>
		<category><![CDATA[cyber security risk assessment]]></category>
		<category><![CDATA[cyber threat risk mitigation]]></category>
		<category><![CDATA[san francisco]]></category>
		<category><![CDATA[silicon valley]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=647</guid>
		<description><![CDATA[Information Defense has been assisting a variety of organizations in the San Francisco Bay and Silicon Valley areas of California fortify their security postures through its comprehensive information security solutions. We have been helping a variety of Bay Area organizations prepare for PCI compliance initiatives, strengthen the security of their applications and networks, as [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Information Defense has been assisting a variety of organizations in the San Francisco Bay and Silicon Valley areas of California fortify their security postures through its comprehensive information security solutions.</strong></p>
<p>We have been helping a variety of Bay Area organizations prepare for PCI compliance initiatives, strengthen the security of their applications and networks, as well as to implement various risk mitigation strategies including comprehensive threat assessments against the organization’s digital assets.</p>
<p>We are seeing Silicon Valley companies begin to take steps to address internal network and application vulnerabilities, along with a growing comprehension of the negative consequences that can stem from these internal issues.</p>
<p>Information Defense offers a variety of solutions such as risk assessments, vulnerability and penetration testing, compliance advisement, incident response, and forensic investigations.</p>
<p>Organizations must not underestimate the threats that exist from both internal and external vectors and must ensure that they continue to build on the organization’s ability to <a href="http://www.cybersecurityinformation.com/incident-response-planning/">prepare</a> for, <a href="http://www.cybersecurityinformation.com/loss-prevention/">prevent</a> and <a href="http://www.cybersecurityinformation.com/incident-response/">respond</a> to theft of information assets.</p>
<p><a href="http://www.cybersecurityinformation.com/contact-us/">Contact us</a> to learn more about how our expert team can assist your organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/23/information-cyber-security-threat-assessment-risk-mitigation-bay-area-san-francisco-silicon-valley/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Your PCI Audit (Part 2)</title>
		<link>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 11:15:35 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=606</guid>
		<description><![CDATA[Welcome back to our Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager See here for Managing your PCI Audit &#38; Compliance blog part 1 By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but now when do you schedule the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Welcome back to our Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>See here for <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/" target="_self">Managing your PCI Audit &amp; Compliance blog part 1</a></p>
<p>By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but when do you schedule the on-site visit for the QSA? The answer is simple: once the organization is prepared. As discussed in Managing Your PCI Audit (Part 1), without appropriate preparation the PCI audit process can rapidly deteriorate.</p>
<p>This may seem shocking, but it is not unusual for some very large organizations, and smaller ones too, not to understand or to have documented all of the ways in which the company accepts and processes credit card information.  For the purpose of this blog let’s assume your company does know and has documented comprehensive credit card information flows throughout the network.  We will detail these requirements in a later blog.</p>
<p>From the large organization and data center to the mid-level business, assigning the key participants for the PCI audit is crucial and must occur before scheduling the on-site review with your QSA.  Key stakeholders, depending on the size and complexity of the company, may include among others:</p>
<ul>
<li>Management</li>
<li>Infrastructure Engineering</li>
<li>Systems Administration</li>
<li>Applications Development</li>
<li>Information Security</li>
</ul>
<p>Coordinating with the appropriate resources from the participating departments and discussing the upcoming PCI audit is key.  This includes making certain participants are informed of their roles, time requirements and availability requirements.  Once complete, it is time to reach out and schedule the QSA.</p>
<p>Request that your QSA send an itinerary and schedule one week prior to arrival. This will help set schedules and necessary arrangements for your key personnel.  Depending on your company’s size and complexity, the QSA may be on site for a week or more.</p>
<p>Once on site, the QSA will want to schedule a meeting to coordinate activities, meet the key participants, lay out the schedule, establish management rapport, and answer any questions.  It is important that your key participants are effective communicators and clear on their roles.  As the main point of contact for the organization you should plan on dedicating your time to participate in all QSA meetings and interviews.</p>
<p>I would like to point out that almost all QSA firms (the auditor) also offer PCI consulting (the advisor).  It is, however, a very fine line to have one firm in both the role of advisor and the role of auditor.  It is best to separate these functions, obtaining a PCI consultant to advise your company on identifying the actions necessary to achieve compliance and a QSA to measure the organization’s compliance.</p>
<p>A typical QSA itinerary might be as follows:</p>
<ul>
<li>Project kickoff meeting</li>
<li>Network Diagram and CDE review</li>
<li>Credit card flow review</li>
<li>Key Personnel Interviews</li>
<li>Supporting documentation review</li>
<li>Remediation review</li>
</ul>
<p>Always remember that while the QSA is providing the itinerary, you, the customer, need to maintain control. Participating in all meetings and interviews will keep the audit from going off track, ensure that each key participant stays focused on their area of responsibility and expertise, and maintain the scope as defined in the organization’s pre-assessment meetings. I cannot stress enough that preparation, knowledge and management oversight are key to an effective and efficient audit.</p>
<p>In my next blog I will go into detail on exactly what needs to be done around Network Diagrams, Credit Card Flow, and Documentation. Until then, contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to see how we can advise your organization on reaching PCI Compliance.  See you soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Managing Your PCI Audit (Part 1)</title>
		<link>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/</link>
		<comments>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 15:37:31 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=475</guid>
		<description><![CDATA[Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards. According to the PCI Security Standards Council “All merchants, whether small or large, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards.  According to the PCI Security Standards Council <strong><em>“All merchants, whether small or large, need to be PCI compliant.”</em></strong></p>
<p>While the security requirements are the same for all covered organizations, the method of proving compliance depends on the number and value of annual credit card transactions.  For merchants processing more than 6 million transactions a year, this means an on-site audit by a Qualified Security Assessor (QSA).  For more information on PCI DSS please visit <a href="https://www.pcisecuritystandards.org" target="_blank">https://www.pcisecuritystandards.org</a>.</p>
<p>For many organizations the term “PCI Audit” seems to be shrouded in mystery.  Having facilitated many PCI audits for large organizations, I have probably been asked every question imaginable in regards to PCI.  What exactly is involved? What is my Cardholder Data Environment?  How much information must I provide?</p>
<p>As an adviser I have always tried to impress upon my clients the need to understand and proactively manage the PCI Audit process, and in particular to be prepared for on-site interviews by the QSAs.  Many of the staff members that the auditor will be interviewing (e.g. office PC users, call center operators, systems administrators) may view the auditor either as an adversary, from whom as much information should be withheld as possible, or as a friend, to whom all information should be provided when requested.  In fact, neither of these positions is appropriate and both can lead to trouble for the organization being audited.</p>
<p>Proactive PCI Audit management is the cornerstone of a successful audit process.  While many businesses simply do not have the time, staff, or trained personnel to prepare for all aspects of a PCI audit, I recommend finding qualified external resources to help the organization down this path.  It is important to remember that while most QSAs are reasonable and professional organizations, they are not employees and have significantly different roles, responsibilities, and organizational insight.</p>
<p>Managing the PCI audit carefully will help reduce time, costs, and operational impacts to the organization.  At a minimum, audit management will refine the scope and keep answers to audit questions on point.  The keys to a successful audit and meaningful results are to appropriately prepare staff, set expectations, and sharpen scope.  Expert resources to manage the process can add significant benefit to the organization and potentially reduce the cost of compliance.</p>
<p>The PCI audit process consists of many areas; however, we will be focusing on the “on-site interview” portion.  The first step in the on-site interview is preparation. Once you have chosen your QSA, find out exactly when the auditor will be on site, what activities the auditor will be conducting, and what documentation they will require.  Knowing all of this will help you to understand exactly what level of detail the auditor is looking for, as well as which team members will be asked to take part in on-site interviews.  Make sure to schedule the auditor’s on-site presence when there is the minimum impact on your business operations.</p>
<p>PCI audits may become less effective and minimally productive due to a lack of preparation on the client side.  Inappropriate preparation may lead to a host of issues, including the over-exposure of information, the withholding of or attempts to hide information by well-intended but ill-advised staff, and inaccurate or inconsistent answers.  These issues, among others, can cause significant problems and expense down the road for the organization under audit.  Preparing each staff member before the on-site meeting is vital to a successful, efficient, and effective audit.</p>
<p>Some examples of staff interview preparation include understanding exactly what is meant by “Cardholder Data Environment” and what this actually means to the organization.  The organization and the auditor must agree on the scope prior to the commencement of the audit.  Only information directly related to the CDE should be provided in interviews.  Auditors should be expected to provide their interview questions for review beforehand, comply with an interview schedule, and not interview additional staff members who may confuse the issues or provide inappropriate answers.  It is the responsibility of the individual managing the audit process to ensure the interview is on topic, within scope, and with the appropriate staff.</p>
<p>In my next blog I will cover actual questions that have been asked as well as the proper way to answer them. I will also dive deeper into the audit process.  Until then, please contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to learn more about how we can assist your organization to manage the compliance process.</p>
<p>See my next blog post here &#8211; <a href="http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/" target="_self">Managing Your PCI Audit &amp; Compliance part 2 &#8211; preparing for the QSA visit</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
