<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Risk Management News</title>
	<atom:link href="http://www.cybersecurityinformation.com/category/risk-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Fri, 27 Aug 2010 13:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Balancing The Information Security Program</title>
		<link>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/</link>
		<comments>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 13:51:27 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Info D News Releases]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber security risk assessment]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[information compromise]]></category>
		<category><![CDATA[Information Defense]]></category>
		<category><![CDATA[it & cyber security risk management]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=924</guid>
		<description><![CDATA[The ability to create, transmit, and store information far exceeds the ability to secure it.  The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others. The largely accepted view and standard is that the protection of information assets is a technology [...]]]></description>
			<content:encoded><![CDATA[<p>The ability to create, transmit, and store information far exceeds the ability to secure it.  The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others.</p>
<p>The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all &#8220;controls&#8221; are within the area of Information Technology.</p>
<p>While technology is an important aspect of any information security program strategy, it is at best one of the three legs of the stool, alongside people and process. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.</p>
<p>Social engineering is the act of obtaining confidential information through the “art of deception”.  Most people have heard of or experienced phishing attacks through email.  The email entices the recipient to visit a website that downloads malicious software to the user’s PC, or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.</p>
<p>Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations.  Because caller identification is easily spoofed to show whatever inbound number the attacker wants on the recipient’s display, the attacker poses as someone they are not in an attempt to extract sensitive information.  The number on the display should therefore never be treated as proof of who is calling; the only reliable check is a call-back to a number the organization already holds for that person, or an equivalent verification procedure.  The goal of the attacker may be to gain access to the company’s infrastructure, bank accounts, or personal and private information, among other objectives.  It is hard to imagine how technology alone can prevent such attacks if the employee is unaware and untrained.</p>
<p>Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.</p>
<p>A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology.   Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development of robust, business-centric mitigation strategies.    While not all compromises can be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise, preplanned manner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rising Threat from Cyber Attacks</title>
		<link>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/</link>
		<comments>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 21:04:32 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=792</guid>
		<description><![CDATA[The threat from cyber attacks is on the rise.  On Friday, the Wall Street Journal reported that 2,411 companies had been the victims of a hacking operation that was part of an 18-month global attack that exposed vast amounts of personal and corporate secrets and intellectual property to theft. The attacks, which originated in Europe [...]]]></description>
			<content:encoded><![CDATA[<p>The threat from cyber attacks is on the rise.  On Friday, the Wall Street Journal reported that 2,411 companies had been the victims of a hacking operation that was part of an 18-month global attack that exposed vast amounts of personal and corporate secrets and intellectual property to theft.</p>
<p>The attacks, which originated in Europe and China, targeted major corporations and government agencies including pharmaceutical giants Merck &amp; Co. and Cardinal Health.  The operation has affected some 75,000 computers in 196 countries.</p>
<p>Now is the time to examine your company’s business practices to make sure that your critical data and intellectual property are safe from complex electronic and socially initiated thefts.  Lapses in appropriate security measures can expose your company to major financial losses, both from theft and from civil lawsuits filed on behalf of clients or customers affected by the breach.</p>
<p>To protect your company and your shareholders from such losses or litigation, your company’s security practices must be up to date and in compliance with state and federal regulations.  Your IT security practices should also be part of your overall corporate governance, led by your general counsel so that this information is protected by attorney client privilege.</p>
<p>Information Defense Corporation and Interfor Inc., a leading global due diligence and investigations firm, have partnered to offer our clients unique and <a href="http://www.cybersecurityinformation.com/2009/04/07/information-defense-corporation-and-interfor-inc-partner-to-enhance-cyber-investigations-and-preventative-solutions/">comprehensive security solutions</a>.  From physical security, asset recovery and crisis management to risk-based and technical assessments of electronic assets and controls, the team is positioned to work with your company’s legal and security personnel to keep your assets, personnel, intellectual property and trade secrets safe, or to help restore the integrity of your operations with incident response, forensics and other measures following a security breach.</p>
<p>For more information on the services offered by our team, please use our contact page here:  <a href="http://www.cybersecurityinformation.com/contact-us/">Contact Us</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Security Is First The Lawyer&#8217;s Responsibility To Corporate Clients</title>
		<link>http://www.cybersecurityinformation.com/2010/02/16/cyber-security-is-first-the-lawyers-responsibility-to-corporate-clients/</link>
		<comments>http://www.cybersecurityinformation.com/2010/02/16/cyber-security-is-first-the-lawyers-responsibility-to-corporate-clients/#comments</comments>
		<pubDate>Tue, 16 Feb 2010 17:09:01 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[corporate governance cyber security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber security compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=783</guid>
		<description><![CDATA[At first blush this proposition seems counterintuitive.  Isn&#8217;t cyber security the domain of the corporation&#8217;s CIO?  Let&#8217;s not be mistaken: the CIO and CISO play major roles, but the answer still is No. There are three critical reasons why: (1) the CIO can neither create nor maintain the attorney-client privilege without general counsel&#8217;s direction of [...]]]></description>
			<content:encoded><![CDATA[<p>At first blush this proposition seems counterintuitive.  Isn&#8217;t cyber security the domain of the corporation&#8217;s CIO?  Let&#8217;s not be mistaken: the CIO and CISO play major roles, but the answer still is <strong>No</strong>.</p>
<p>There are three critical reasons why:</p>
<p>(1) the CIO can neither create nor maintain the attorney-client privilege without general counsel&#8217;s direction of the corporation&#8217;s cybersecurity efforts;</p>
<p>(2) for the same reasons, general counsel, not the CIO, is responsible for corporate governance at large, and cyber security is first and foremost a corporate governance issue; and</p>
<p>(3) the role of interpreting and directing action to meet federal and state compliance statutes, which cover a wide variety of legal mandates from privacy to identity theft to breach notification, requires legal counsel to direct actions that protect corporate interests and meet the legal obligations.</p>
<p>The consequences of information compromises present business issues that require legal planning and action to mitigate the risks to the corporation and its shareholders.</p>
<p>Now is the time to be proactive and lay the groundwork to protect legal interests, promote strong corporate governance, and reduce the potential of legal missteps, significant litigation and other actions arising from information compromise.</p>
<p>Please contact us to learn more about our comprehensive solutions that will appropriately position your organization to address the growing business risks created by information compromise.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/02/16/cyber-security-is-first-the-lawyers-responsibility-to-corporate-clients/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Controlling Risk to Information Assets &#8211; Cyber &amp; Data Security in the Workplace</title>
		<link>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 21:53:14 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[information assets]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=708</guid>
		<description><![CDATA[Is information security an afterthought in your business?  At what point is security considered? Now being a technologist you might answer that it is at the forefront of your activities and that’s great but for the business people at what point does it enter the business discussion?  Chances are it doesn’t. The reason I raise [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Is information security an afterthought in your business?  At what point is security considered? </strong></p>
<p>Now, being a technologist, you might answer that it is at the forefront of your activities, and that’s great, but for the business people, at what point does it enter the business discussion?  Chances are it doesn’t.</p>
<p>The reason I raise the question is simple.  Effective security should be core to business operations and culture: not a bolt-on application or a retrofit, but part of the business process itself.  I think it is in our human nature to look at the upside when discussing anything new, whether a business opportunity, investment, or other venture.  Far too often we forget the downside, perhaps choosing to ignore it, and without that consideration we create situations that are emotionally charged and highly reactive when the unforeseen arises.</p>
<p>The same is true for information security.  While organizations and business leaders seek the advantages of implementing technology-based solutions to create competitive advantage, the downside and potential risks associated with exposing electronic forms of critical business assets are generally not given appropriate consideration.  <strong><em>Without consideration the threat of electronic asset theft is left unmitigated</em></strong> and the cost of such an event never considered.</p>
<p>Too often information security is seen as a purely technical function that adapts to the needs of the business.   However, such an approach leaves huge gaps in business process and procedure for which technology is not an effective stopgap.  Without clearly architected and documented business processes, and technology solutions that support those processes, technology has no hope of keeping a check on unwanted activity.</p>
<p>We see the same disconnects repeatedly in organizations that have suffered information compromise, are seeking to become compliant, or are generally looking to improve their overall security posture.    Information security is not effective operating as a disconnected organization that builds perimeters of firewalls, intrusion detection systems and log analysis devices and jumps to the call of some alarm.   Too often a broken process is the root cause, one that reactive security measures will never stop, and a security breach goes on unnoticed for months or longer.  Once identified, the organization&#8217;s approach to the information breach is emotionally charged and highly reactive.  The lack of preparation can cost the affected organization dearly in brand degradation, costs of cleanup, loss of customers, and legal proceedings.</p>
<p>Effective information security programs are tightly integrated into the businesses they serve across people, process and technology.  Highly effective, high-profile organizations get this.  You can see it in the manner in which the organizations themselves are structured, and in how new ideas are discussed, vetted, and implemented.  Sound risk management principles prevail in the organizations that get it.</p>
<p>A highly integrated approach applies business-centric risk management principles that evaluate risk, identify compensating controls, and implement the appropriate structures to prepare, prevent and respond in protecting sensitive business assets from information compromise.</p>
<p>A well-constructed <a href="http://www.cybersecurityinformation.com/information-security-model/">information security program</a> should bridge the gap between business operations and its processes and standards-based security measures such as those developed by NIST, SANS, ISO or others.</p>
<p>To find out how your <a href="http://www.cybersecurityinformation.com/contact-us/">information security programs measure up contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government IT &amp; Cyber Security Compliance &amp; Regulation Not Enough &#8211; The Case for Effective Risk Management</title>
		<link>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 14:12:49 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber security compliance]]></category>
		<category><![CDATA[cyber security regulation]]></category>
		<category><![CDATA[information security risk management]]></category>
		<category><![CDATA[it & cyber security risk management]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=638</guid>
		<description><![CDATA[Balancing Government compliance, regulation and security initiatives while helping define and drive your priorities and timelines to manage what can be enormous investments &#8211; risk management practices and principles supporting today’s information rich, connected, online present organizations. I am amazed at the number of organizations that continue to take either a lax, or too narrow [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Balancing government compliance, regulation and security initiatives while helping define and drive your priorities and timelines to manage what can be enormous investments &#8211; risk management practices and principles supporting today’s information-rich, connected, always-online organizations. </strong></p>
<p>I am amazed at the number of organizations that continue to take either a lax or too narrow an approach to protecting information assets.   I am certain that those of our legislators who understand the threats against our corporate assets and the individual’s identity would agree.  Just look at some of the regulations that currently exist: Sarbanes-Oxley, <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/">PCI</a> DSS, the <a href="http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/">Red Flags Rule</a>, <a href="http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/">HIPAA,</a> GLBA, and you will begin to see where I’m going.  Throw in the regulatory bodies FTC, SEC, FFIEC, and so on.</p>
<p>There are armies of resources now and a growing appetite for more legislation and governing bodies.  This is purely reactionary and misguided when it comes to securing information assets.  What is really missing in the equation is focus by the companies themselves who hold the intellectual property, sensitive consumer information, or infrastructures of national concern.</p>
<p>In general, executive leadership does not understand the real and growing threats that their businesses face.   There are literally thousands of attempts against their organization’s assets on a daily basis, from insiders and from sophisticated external organized crime and espionage groups.  Still, none of this is on the average executive’s radar screen.    Too often the media, when they do speak on the topic, don’t get it right, going for the sensational as opposed to the facts.  We need to focus on the facts, as this is not a sci-fi drama; it is the real world.</p>
<p>Perhaps the government has gotten the attention of corporations in the only way it believes it can: through regulation.  However, regulators don’t always do their job, so various frauds and information thefts involving identity, healthcare, credit, and other crimes continue to grow.  In large part the regulation has pressed companies to focus on passing audits rather than on securing information assets.  The two require markedly different approaches and levels of commitment.  A compliant organization is not necessarily a secure one.</p>
<p>So when do most corporate leadership, principals, partners and other executives focus on information security?  The all too often answer is: after the compromise.   The approach then is ad hoc, reactionary, and an ill-focused response to an information compromise.  The loss has occurred, the organization was not prepared, preventative measures failed, the compromise went undetected for an extended period of time, and now chances are there is little opportunity to fully recover at any cost.  Information security breaches can cost an organization millions, and high-profile public cases can run into the hundreds of millions of dollars.</p>
<p>Information Defense is often called in on incident response and forensic investigations, many times long after the breach has occurred.  We have seen “compliant” organizations suffer significant information losses.  Again I want to stress that securing information assets and being compliant are not one and the same. Piecing together the facts in an investigation where a theft has occurred is a difficult, costly and lengthy process.   Results are highly dependent on evidence, such as logs and system images, that may no longer exist by the time the team is engaged and that is outside the control of the incident response and forensics team.    While comprehensive information security programs, across people, process and technology, often form the basis for solid compliance solutions, the converse is not true.</p>
<p>While security awareness can often arise from the comprehensive steps taken to become compliant, without understanding at the most senior levels, and a corporate mandate accompanied by the resources to drive the necessary steps for information security, the organization will be largely unsuccessful.</p>
<p>Engaging expert external resources such as Information Defense can bring critical, comprehensive experience and balance to the organization.  Experts can help to balance compliance and security initiatives while helping define and drive priorities and timelines to manage what can be enormous investments.  Often outside resources can assist in engaging the executive team for sponsorship and drive home the importance of following strong risk management practices and principles to support today’s information-rich, connected, always-online organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Your PCI Audit (Part 2)</title>
		<link>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 11:15:35 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=606</guid>
		<description><![CDATA[Welcome back to our Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager See here for Managing your PCI Audit &#38; Compliance blog part 1 By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but now when do you schedule the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Welcome back to our Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>See here for <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/" target="_self">Managing your PCI Audit &amp; Compliance blog part 1</a></p>
<p>By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but when do you schedule the onsite visit for the QSA? The answer is simple: once the organization is prepared. As discussed in Managing Your PCI Audit (Part 1), without appropriate preparation the PCI audit process can rapidly deteriorate.</p>
<p>Now this may seem shocking, but it is not unusual for some very large organizations, and smaller ones too, not to understand or have documented all of the ways in which the company accepts and processes credit card information.  For the purpose of this blog let’s assume your company does know, and has documented, comprehensive credit card information flows throughout the network.  We will detail these requirements in a later blog.</p>
<p>From the large organization and data center to the mid-level business, assigning the key participants for the PCI audit is crucial and must occur before scheduling the onsite review with your QSA.   Key stakeholders, depending on the size and complexity of the company, may include among others:</p>
<ul>
<li>Management</li>
<li>Infrastructure Engineering</li>
<li>Systems Administration</li>
<li>Applications Development</li>
<li>Information Security</li>
</ul>
<p>Coordinating with the appropriate resources from the participating departments and discussing the upcoming PCI audit is key.  This includes making certain that participants are informed of their roles, time requirements and availability requirements.  Once complete, it is time to reach out and schedule the QSA.</p>
<p>Request that your QSA send an itinerary and schedule one week prior to arrival. This will help set schedules and necessary arrangements for your key personnel.  Depending on your company size and complexity, the QSA may be onsite for a week or more.</p>
<p>Once onsite, the QSA will want to schedule a meeting to coordinate activities, meet the key participants, lay out the schedule, establish management rapport, and answer any questions.   It is important that your key participants are effective communicators and clear on their roles.  As the main point of contact for the organization you should plan on dedicating your time to participate in all QSA meetings and interviews.</p>
<p>I would like to point out that almost all QSA firms (the auditor) also offer PCI consulting (the advisor).  It is, however, a very fine line to have one firm in both the role of advisor and auditor.  It is best to separate these functions, obtaining a PCI consultant to advise your company on the actions needed to achieve compliance and a separate QSA to measure the organization’s compliance.</p>
<p>A typical QSA itinerary might be as follows:</p>
<ul>
<li>Project kickoff meeting</li>
<li>Network diagram and CDE (cardholder data environment) review</li>
<li>Credit card flow review</li>
<li>Key personnel interviews</li>
<li>Supporting documentation review</li>
<li>Remediation review</li>
</ul>
<p>Always remember that while the QSA is providing the itinerary, you the customer need to maintain control. Participating in all meetings and interviews will keep the audit from going off track and ensure that each key participant is focused on their area of responsibility and expertise, and that the scope is maintained as defined in the organization’s pre-assessment meetings. I cannot stress enough that preparation, knowledge and management oversight are key to an effective and efficient audit.</p>
<p>In my next blog I will go into detail on exactly what needs to be done around network diagrams, credit card flow, and documentation. Until then, contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to see how we can advise your organization on reaching PCI compliance.  See you soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Preparing for the FACTA Red Flags Rule</title>
		<link>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/</link>
		<comments>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 20:16:05 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Red Flags Rule]]></category>
		<category><![CDATA[Red Flags Rule Assistance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=496</guid>
		<description><![CDATA[Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009. FACTA added [...]]]></description>
			<content:encoded><![CDATA[<p>Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009.</p>
<p>FACTA added sections to the Federal Fair Credit Reporting Act intended primarily to help consumers fight the growing crime of identity theft.  In adopting FACTA, Congress recognized that consumers were unable to prevent identity theft and could only react long after the event had occurred.  In order to stop the fraud at its source businesses that offer credit need to address the events that signal a potential fraud.</p>
<p>Six agencies were involved in drafting the red flag rules: the Treasury Department&#8217;s Office of Thrift Supervision, Office of Comptroller of the Currency, Federal Deposit Insurance Corp., Federal Trade Commission, National Credit Union Administration and the Federal Reserve System. The Red Flags Rule identifies 26 “ Red Flags” which may be indicators of attempted fraud.</p>
<p>According to FTC statistics nearly 10 million people were victims of identity theft in 2008 in the US.   In the broadest sense identity theft is the act of someone assuming the identity of another individual to gain access to the victim’s personal resources.  Last year over 35 million known data records containing sensitive personally identifiable information (PII) were stolen.</p>
<p>While some perpetrators know their victims, having stolen their wallets, credit cards, checkbooks or other personal items, the vast majority of perpetrators do not.  Identity theft comes in many forms and most victims learn their fate long after the initial event occurs, often months to years after the fact.</p>
<p>Data theft is primarily due to poor controls surrounding PII.  This can range from sensitive records being thrown in dumpsters to electronic records being improperly secured online and breached by hackers.</p>
<p>Personal resources accessed by data thieves may include use of credit cards, establishment of credit under the victim’s identity, access to utilities, healthcare benefits, banking, employment, loans, government benefits, and many other acts limited only by the imagination of the perpetrator.  The common element is the use of the defrauded individual’s persona to gain credit or access to established resources.</p>
<p>The Red Flags Rule applies to both financial institutions and creditors.   The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.  These companies may not traditionally be thought of as extending credit and include utility companies, health care providers, telecommunications companies, cable and satellite providers, and others, depending on how and when they collect payment for their services.</p>
<p>The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others by processing credit applications.  Additionally, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt.</p>
<p>Organizations that are covered under the Red Flags Rule must create written plans, reviewed and signed off by the organization’s board of directors, that:</p>
<ul>
<li>Create Policies and Procedures that Identify Red Flags Which Pertain to their Business</li>
<li>Create Policies and Procedures that Detect the Identified Red Flags</li>
<li>Create Policies and Procedures that define the Actions to be taken when Red Flags are Detected</li>
<li>Monitor changing Red Flags, Train Employees and Monitor 3rd party contractors</li>
</ul>
<p>Depending on the business, an appropriately designed and managed plan may require considerable skill and effort.  Most organizations will do well to reach out to experts in designing their programs.  Is your organization subject to the Red Flags Rule?</p>
<p>Information Defense is prepared to assist in evaluating whether your organization is subject to the FTC ruling and assist in defining and developing the necessary steps to reach compliance.  Contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> for further information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Your PCI Audit (Part 1)</title>
		<link>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/</link>
		<comments>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 15:37:31 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=475</guid>
		<description><![CDATA[Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards. According to the PCI Security Standards Council “All merchants, whether small or large, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards.  According to the PCI Security Standards Council <strong><em>“All merchants, whether small or large, need to be PCI compliant.”</em></strong></p>
<p>While the security requirements are the same for all covered organizations, the method of proving compliance depends on the number and value of annual credit card transactions.  For merchants processing more than 6 million transactions a year, this means an on-site audit by a Qualified Security Assessor (QSA).  For more information on PCI DSS please visit <a href="https://www.pcisecuritystandards.org" target="_blank">https://www.pcisecuritystandards.org</a>.</p>
<p>For many organizations the term “PCI Audit” seems to be shrouded in mystery.  Having facilitated many PCI audits for large organizations, I have probably been asked every question imaginable regarding PCI.  What exactly is involved? What is my Cardholder Data Environment?  How much information must I provide?</p>
<p>As an adviser I have always tried to impress upon my clients the need to understand and proactively manage the PCI Audit process, and in particular to be prepared for onsite interviews by the QSAs.  Many of the staff members that the auditor will be interviewing (e.g. office PC users, call center operators, systems administrators) may view the auditor either as an adversary, from whom as much information should be withheld as possible, or as a friend, to whom all information should be provided when requested.  In fact, neither of these positions is appropriate and both can lead to trouble for the organization being audited.</p>
<p>Proactive PCI Audit management is the cornerstone of a successful audit process.  While many businesses simply do not have the time, staff, or trained personnel to prepare for all aspects of a PCI audit, I recommend finding qualified external resources to help the organization down this path.  It is important to remember that while most QSAs are reasonable and professional organizations, they are not employees and maintain significantly different roles, responsibilities, and organizational insight.</p>
<p>Managing the PCI audit carefully will help reduce time, costs, and operational impacts to the organization.  At a minimum audit management will refine the scope and keep answers to audit questions on point.  Keys to a successful audit and meaningful results are to appropriately prepare staff, set expectations, and sharpen scope.   Expert resources to manage the process can add significant benefit to the organization and potentially reduce the cost of compliance.</p>
<p>The PCI audit process consists of many areas; however, we will be focusing on the “on-site interview” portion.  The first step in the onsite interview is preparation. Once you have chosen your QSA, find out exactly when the auditor will be on site, what activities the auditor will be conducting, and what documentation they will require.  Knowing all of this will help you to understand exactly what level of detail the auditor is looking for, as well as which team members will be asked to take part in onsite interviews.  Make sure to schedule the auditor’s on-site presence when there is the minimum impact on your business operations.</p>
<p>PCI audits may become less effective and minimally productive due to a lack of preparation on the client side.  Inappropriate preparation may lead to a host of issues, including the over-exposure of information, withholding or attempts to hide information by well-intended but ill-advised staff, as well as inaccurate or inconsistent answers.   These issues, among others, can cause significant problems and expense down the road for the organization under audit.  Preparing each staff member before the onsite meeting is vital to a successful, efficient, and effective audit.</p>
<p>Some examples of staff interview preparation include understanding exactly what is meant by “Cardholder Data Environment” (CDE) and what this actually means to the organization.  The organization and the auditor must agree on the scope prior to the commencement of the audit.  Only information directly related to the CDE should be provided in interviews.  Auditors should be expected to provide their interview questions for review beforehand, comply with an interview schedule, and should not interview additional staff members who may confuse the issues or provide inappropriate answers.  It is the responsibility of the individual managing the audit process to ensure the interview is on topic, within scope, and with the appropriate staff.</p>
<p>In my next blog post I will cover actual questions that have been asked as well as the proper way to answer them. I will also dive deeper into the audit process.  Until then, please contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to learn more about how we can assist your organization in managing the compliance process.</p>
<p>See my next blog post here &#8211; <a href="http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/" target="_self">Managing Your PCI Audit &amp; Compliance part 2 &#8211; preparing for the QSA visit</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Ensuring Employee Security During Layoffs</title>
		<link>http://www.cybersecurityinformation.com/2009/08/13/ensuring-security-during-layoffs/</link>
		<comments>http://www.cybersecurityinformation.com/2009/08/13/ensuring-security-during-layoffs/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 14:18:41 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[layoff security]]></category>
		<category><![CDATA[physical security]]></category>
		<category><![CDATA[security during layoffs]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=458</guid>
		<description><![CDATA[A poorly organized termination process can lead to major IT and physical security problems.  As many companies have transitioned to a mobile workforce, and vendor supported access, increasing numbers of people have remote access to sensitive and proprietary information.  Companies that fail to cancel subscriptions, passwords, accounts and retrieve blackberries, PDAs and laptops leave themselves [...]]]></description>
			<content:encoded><![CDATA[<p>A poorly organized termination process can lead to major IT and physical security problems.  As many companies have transitioned to a mobile workforce and vendor-supported access, increasing numbers of people have remote access to sensitive and proprietary information.  Companies that fail to cancel subscriptions, passwords and accounts, and to retrieve BlackBerrys, PDAs and laptops, leave themselves open to a major security breach. As a result, proprietary information may be compromised by former employees looking for revenge or profit.  The more technologically savvy the person is, the greater the risk.  This is especially an issue with poorly planned mass layoffs, where these security lapses are more likely to occur.</p>
<p>Organizations that use shared accounts for employee and/or vendor access also make the process harder to manage efficiently and effectively.  Vendors that manage key functions for the company must be considered much the same as an employee and must be integrated similarly into the termination process.   Recovering key cards and changing physical access authorizations are also key, but ongoing monitoring of logical access logs needs to complement the revocation of all access.</p>
<p>Another growing issue is the proliferation of websites and blogs where angry ex-employees can post anonymous rants about their former employer that can be very damaging from a public relations perspective.  Even worse, they could post sensitive or proprietary information that could lead to the loss of millions of dollars in revenue.  Because it is so easy and anonymous, even people who would never dream of theft, destruction of property or committing violence may be very tempted to retaliate in this manner if they feel that they have been wronged.</p>
<p>We recommend to our clients that a decommissioning team should be set up with key representatives from finance, human resources, corporate security, IT, a labor law specialist and a representative from the executive board.  The team should make their plans well in advance, train management in how to properly break the news, and bring on additional temporary help to facilitate the process if necessary. Many companies hire outside consultants to assist in planning, securing and implementing mass layoffs and terminations.  A strategic plan should be created, implemented and managed by the decommissioning team so that every individual layoff and termination follows the same process, in order to deflect potential litigation or security threats.</p>
<p>The team should evaluate every potential termination for legal, security and financial risks. A set of “red flags” should be established to screen each potential reduction in personnel and security should be increased around the entrances to the building or office for several weeks after the layoff has occurred.  Extra vigilance during this time period is critical because most “revenge attacks” occur after the employee has had time to ruminate over the ramifications of being terminated.</p>
<p>Don Aviv, CPP, PSP, PCI<br />
COO and Physical Security Director<br />
<a href="http://interforinc.com/home-html.asp"> Interfor, Inc.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/08/13/ensuring-security-during-layoffs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Your Employees Know About Your Business</title>
		<link>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/</link>
		<comments>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 23:58:44 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[perimeter security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=422</guid>
		<description><![CDATA[What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors. What your employees know about your business may be of strategic value and provide [...]]]></description>
			<content:encoded><![CDATA[<p>What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors.</p>
<p>What your employees know about your business may be of strategic value and provide that competitive edge.  It may be the special sauce that took the company years to develop and it may walk out the door prior to any exit interview or tender of resignation.</p>
<p>Recent surveys, media reports, prosecutions, and our investigations show an alarming number of ex-employees stealing company data, including when changing jobs.   Compromised data may include customer lists, contact information, know-how, and other forms of intellectual property.  The majority do so in order to benefit in some financial arrangement or assist with a new job.   A recent theft of a proprietary trading platform at a major Wall Street financial institution is under investigation.   The platform enabled the firm to generate millions in trading profits each year.</p>
<p>There is a growing, pervasive sense of entitlement to works for hire.  Access to computers and technology without appropriate controls makes such theft inviting and simple for those inclined.  How these thefts occur and remain undetected for extended periods of time has much more to do with the lax protective measures in place within the organization than with the skills of the perpetrator.</p>
<p>In our investigative experience we have seen far too many cases where there is employee theft, limited binding agreements, no procedural or technical controls or measures, and far too much blind faith and trust extended to those who are not trustworthy.</p>
<p>Forgive me if my experiences make me appear cynical, but I have seen thieves rob charities, business owners’ life’s work compromised by overzealous employees, and organizations hobbled and made vulnerable by employees gone bad.</p>
<p>Too often the lack of detective measures and the extended periods before suspicion and investigation, further compounded by the lack of a protocol for disengaging employees, compromise critical evidence.   Lacking substantive evidence, it is increasingly complex and costly for the organization to pursue justice in what may otherwise have been a clearly defined case.</p>
<p>Organizations must take comprehensive controls and measures seriously to avoid a potentially devastating event precipitated by an individual to whom the organization has extended its trust.   This starts with the appropriate legal, technical, and procedural controls from engagement through discharge; employer beware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
