Brightfly, Inc.» Is PCI Enough Protection?

Is PCI Enough Protection?

admin — Thu, 01 May 2008 06:00:00 +0000

As we all saw, New England supermarket chain, Hannaford Bros., recently discovered a potential 4.2 million credit card data breach; despite the fact that they had been told they were PCI compliant. According to this WSJ article, the data was exposed while transmitted over the (unencrypted) internal network. Anyone familiar with the PCI Standard is aware that it provides explicit instruction to “encrypt transmission of cardholder data across open, public networks,” which was a control measure that was in place.

So what went wrong? Did they do what was necessary to really ensure compliance? Is there a problem with how compliance is being measured, which may lull an organization into thinking they are protecting cardholder data when in fact controls are weak or lacking?

We would argue that Hannaford Bros. fell into the same trap that many organizations fall into. How would you propose these organizations ensure their compliance with the PCI Standard? What, if anything, is missing?

Related articles:

Poor Identity and Access Management may have led to breakdown at French bank

admin — Tue, 05 Feb 2008 15:36:01 +0000

Ripped straight from Slashdot, we have some post-incident analysis of the losses at French bank Société Générale. Was the failure of a simple IT chore to blame?

Société Générale has released a few technical details about how trader Jerome Kerviel managed to lose €4.9 billion (USD$7.3 billion). It turns out that he was able to bypass many controls by “misappropriating passwords.” Now we don’t have many details on how he obtained all of these passwords, but I can guess. Kerviel started in the back office of the bank in 2005 and moved to the front office. I would guess that when the additional access was granted, there was no review to see what access should be disabled.

Lets review some common red flags that you should be aware of to prevent fraud in your organization:

Employees who seem overly dedicated, never take a vacation, always working later than other people in similar positions
Employees who have access privileges that relate to job functions they no longer perform
Employees who share their passwords

What can you do to prevent fraud?

Employees should be required to take vacation periodically
Closely review transactions that are completed on holidays and weekends
When an employee changes jobs, ensure that they do not retain the privileges that relate to their prior position
Change passwords periodically
Work with management to make security part of the process and not an impediment

Related articles:

2008: More ID Theft

admin — Fri, 21 Dec 2007 15:53:16 +0000

The identity theft scourge is only going to get worse in 2008 as perpetrators — in pursuit of easy money — get younger and pop up in developing countries. Those are among the sobering conclusions of a new report on ID theft by the Identity Theft Resource Center.

Driving the surge: easy availability of sophisticated forgery equipment, lax security measures at businesses that handle mountains of data, and a deluge of viruses. For those of you who have been keeping up with the news this should come as no surprise. What really scares me about this report is that they predict that businesses will introduce or refresh their security policies, lawmakers will enact legislation that limits the use of Social Security numbers, and states and nonprofits will provide more assistance to victims at no charge. Uhh, yeah, right. The first prediction is a stretch, and simplistic at that. As far as the second prediction goes, since when has legislation become a cure-all? Look at all the companies that are still not complying with PCI or HIPAA. Lastly, assistance for victims at no charge is nice, but that occurs after the fact.

What I predict is that the Federal Trade Commission is going to continue its aggressive approach by going after companies that are not securing customer data. A few days ago there was a press release stating that the FTC told the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security that “identity theft remains one of the highest priorities for the Commission, and that the agency is playing a lead role in preventing identity theft and helping those who are victimized.” As part of its ongoing efforts, the FTC has made available new online tutorial on practical and low- or no-cost ways to keep data secure. Given the FTC’s recent enforcement actions. Businesses would be well-advised to take advantage of this resource.

Related articles:

Data Breaches On The Rise

admin — Tue, 18 Dec 2007 17:22:46 +0000

According to a new survey by Deloitte & Touche LLP (“Deloitte”) and the Ponemon Institute LLC, personally identifiable information (PII) of customers and employees is being exposed — frequently and repeatedly — potentially putting hundreds of thousands of individuals at risk.

For those of you who have been keeping up with current events this should come as no surprise. And don’t forget the incidents that have occurred recently in the UK either. I thought that increased regulatory requirements like PCI and HIPAA were supposed to fix this sort of thing. So what’s happening? In a word: capitalism. Remember, in a market economy the primary goal is to maximize profits. This also means that public companies have a legal obligation to maximize shareholder value. It should therefore be apparent that spending on things that provide no tangible value (like security) will usually be low. Yes, I know how all the security consultants and vendors go around telling everybody that security and compliance should be viewed as a way to gain competitive advantage, but they’re doing a terrible job of persuading the C-suite. I’m not advocating that we ditch capitalism. On the contrary, I think it’s the C-suite that simply doesn’t get it. So who’s fault is that?

Related articles:

IT Pros Routinely Break the Rules

admin — Thu, 13 Dec 2007 02:11:18 +0000

According to a recent survey, most IT professionals admit to personally breaking security policies at some time, knowingly or otherwise. More than half said they had copied confidential data onto USB memory sticks, although 87 percent said it was against company policy. So everyone who is surprised by this, please raise your hand.

A recent high-profile example is the case of a senior database administrator for a consumer reporting agency in Florida who has admitted to stealing more than 8.4 million account records and selling them to a data broker. He netted $580,000 over five years from the scheme. The article goes on to say that his employer, Fidelity National Information Services, was alerted to the theft by a retail customer who was apparently paying attention to check transactions and the receipt by the retailer’s customers of direct telephone solicitations and mailed marketing materials. Finally, we have the typical downplaying of the impact of the whole affair: “The company is unaware of any identity theft or fraudulent financial activity resulting from the theft. Rather, it believes the stolen records were used for marketing purposes.” All I have to say is, they had better hope so. Read my previous article on how circumstantial evidence can now be admissable in a court of law in ID theft cases and you’ll see how this could get very bad in a hurry for Fidelity.

Related articles:

More Laptop Thefts

admin — Mon, 22 Oct 2007 14:03:27 +0000

Are stories involving the loss or theft of a laptop containing sensitive information are on the rise, or is it just me? Maybe it’s just that October has been a busy month for laptop thieves.

A story dated October 19th revealed that Administaff Inc. of Houston has begun notifying 159,000 current and former employees that their data has been exposed due to the theft a laptop containing unencrypted personal data. This is on the heels of another story about a laptop containing personal data on about 10,000 Home Depot employees being stolen from the car of a regional manager last week. Finally, some of you may remember the dual-laptop loss (theft?) suffered by the TSA earlier this month containing the personal data of 3,930 truckers who handle hazardous materials. I think we here at Brightfly might need to add a new feature to web site called “Laptop Theft of the Week” so we can keep track of all this. What really gets me is that there are many solutions out there to protect data should it fall into the wrong hands. It should be common knowledge that organizations WILL eventually suffer a loss or theft of a mobile device containing sensitive information, so why don’t more of them take a proactive approach? I have my own suspicions, but I’d love to see some feedback from our readers on this.

Related articles:

Should CIOs Heads Roll?

madams — Thu, 04 Oct 2007 15:22:23 +0000

Imprisoned hacker Robert Moore says it was child’s play to dig into thousands of corporate systems because most IT groups don’t follow basic hygiene such as resetting default passwords and keeping logs. Is it the CIO’s fault? If so, should he be fired? Reprimanded? I can tell you for certain that the people who tend to expose a company to being hacked are the admins. Why? Because they’re the only ones with the elevated system and network privileges to bypass the security policies and settings that everyone else has to abide by.

When I first got into network administration I saw first hand how admins gave themselves preferential treatment, and then excusing it by saying that it was necessary for them to do their jobs faster and better. In other words, it was for the “greater good”. Some companies are worse than others of course. I’ve had clients that were really hard core about security, and Ive had clients that were just the opposite. In most cases it’s the “tone at the top” that determines the commitment to information security. Something else that is very disturbing though is the tendency to make excuses or place blame on someone else (like a subordinate). Whatever happened to “the buck stops here” mentality?

No related articles.

I’ll take ‘Fear’ for $100 Alex.

bsdunlap — Tue, 25 Sep 2007 06:00:00 +0000

OK, top of the category…

As reported by The Register , Symantec's DeepSight went off the DeepEnd. Apparently, some product testing caused the ~~ThreatDown~~ ThreatCon level to go from 1 to 4 (that would be like going from "Honky Dory" to "The Apocolypse"). Unfortunately, an official response from Symantec has not been found at this time. More info can be found in this Computerworld article.

Related articles:

TD Ameritrade Breach

bsdunlap — Sat, 15 Sep 2007 15:34:26 +0000

A database breach at TD Ameritrade Holdings, Inc. exposed approximately 6.3 million account holders to an increase in spam. Account holder information, including e-mail addresses and phone numbers were stolen in the breach but more sensitive information, such as Social Security numbers, appears to have not been compromised. So far, there have been no reports of confirmed identity theft. Similar to the timeline of the TJX debacle, it appears that the breach could have occurred as far back as October and was only recently fixed.

Related articles:

The True Cost of Compliance

bsdunlap — Thu, 13 Sep 2007 06:00:00 +0000

Back in June, an intern with the State of Ohio was entrusted with a backup designated for “offsite storage”. The backup was stolen from the intern’s car, along with a radar detector, on June 10th. Now, let’s not quibble over the fact that sensitive information was entrusted to an intern. Nor should we dwell on the seemingly braindead decision of using said intern’s home as the “offsite storage location” for the backup. Instead, we should focus on the fact that the loss of approximately 1.3 million records is expected to cost teh state of Ohio $3 million! Of that sum, $2.3 million is for enrollment in credit protection services offered by Debix, Inc . This service runs $99 per year for the average person to sign-up for. At the rate we are going, I would suggest not paying the $99 and just waiting for your personal data to get lost and having the costs absobed by the offending entity.

Related articles: