
• Todd Bramblett, President at Nehemiah Security

• Steven Furnell, Professor of Information Systems Security at Plymouth University


• Jeremiah Grossman, Chief of Security Strategy at SentinelOne
• Limor Kessem, Executive Security Advisor at IBM Security
• Zoran Lalic, Enterprise Security Architect at a software company.

Visit the magazine website at www.insecuremag.com

Feedback and contributions: Mirko Zorz, Editor in Chief - mzorz@helpnetsecurity.com

News: Zeljka Zorz, Managing Editor - zzorz@helpnetsecurity.com

Marketing: Berislav Kucan, Director of Operations - bkucan@helpnetsecurity.com

(IN)SECURE Magazine can be freely distributed in the form of the original, non-modified
PDF document. Distribution of modified versions of (IN)SECURE Magazine content is
prohibited without permission.

Copyright (IN)SECURE Magazine 2017.

When it comes to cybersecurity, businesses remain overconfident and vulnerable

Consumer products companies, retailers and restaurant businesses may be operating with a false sense of security, according to a new Deloitte study. The study captures input from more than 400 CIOs, CISOs, CTOs and other senior executives about cyber risks and response plans affecting customer trust, payments, executive level engagement, human capital and intellectual property.

According to the study, 76 percent of consumer business executives report they are highly confident in their ability to respond to a cyber incident, yet many simultaneously face issues that critically impair their ability to do so. Among the findings:

• The majority of executives surveyed (82 percent) indicate their organization has not documented and tested cyber response plans involving business stakeholders within the past year.
• 46 percent say their organization performs war games and threat simulations on a quarterly or semiannual basis.
• 25 percent report lack of cyber funding.
• 21 percent lack clarity on cyber mandates, roles and responsibilities.

The study also found companies may underestimate the importance of consumer trust. In fact, when thinking about potential cyber incidents, consumer product companies surveyed seem to be primarily concerned with production disruptions (48 percent) and loss of intellectual property (42 percent), while significantly fewer — 16 percent — are concerned with tarnishing brand perceptions related to trust.

Many US consumers already express heightened security concerns, with a startling number going so far as to delete mobile applications and avoid websites, which can threaten a critical engagement touchpoint for consumer businesses.

Password Reset MITM: Exposing the need for better security choices

Attackers that have set up a malicious site can use users’ account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated.

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes.

To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free software). Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.

In the most basic form (when the password reset request depends on security questions), the attack looks like this:

Average data breach cost declines 10% globally

The average cost of a data breach is $3.62 million globally, a 10 percent decline from 2016 results. This is the first time since the global study was created that there has been an overall decrease in the cost. According to the study conducted by Ponemon Institute, these data breaches cost companies $141 per lost or stolen record on average.

Analyzing the 11 countries and two regions surveyed in the report, researchers identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26 percent decrease in the total cost of a data breach over last year’s study.

Businesses in Europe operate in a more centralized regulatory environment, while businesses in the United States have unique requirements, with 48 of 50 states having their own data breach laws. Responding to a multitude of regulatory requirements and reporting to potentially millions of consumers can be an extremely costly and resource intensive task.

According to the study, “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the U.S. A comparison of these factors suggests that regulatory activities in the U.S. could cost businesses more per record when compared to Europe.

Equipment already in space can be adapted for extremely secure data encryption

In a new study, researchers from the Max Planck Institute in Erlangen demonstrated ground-based measurements of quantum states sent by a laser aboard a satellite 38,000 kilometers above Earth. This is the first time that quantum states have been measured so carefully from so far away.

Today, text messages, banking transactions and health information are all encrypted with techniques based on mathematical algorithms. This approach works because it is extremely difficult to figure out the exact algorithm used to encrypt a given piece of data. However, experts believe that computers powerful enough to crack these encryption codes are likely to be available in the next 10 to 20 years.

The looming security threat has placed more attention on implementing stronger encryption techniques such as quantum key distribution. Rather than relying on math, quantum key distribution uses properties of light particles known as quantum states to encode and send the key needed to decrypt encoded data. If someone tries to measure the light particles to steal the key, it changes the particles’ behavior in a way that alerts the intended communicating parties that the key has been compromised and should not be used. The fact that this system detects eavesdropping means that secure communication is guaranteed.

Although methods for quantum encryption have been in development for more than a decade, they don’t work over long distances because residual light losses in optical fibers used for telecommunications networks on the ground degrade the sensitive quantum signals. Quantum signals cannot be regenerated without altering their properties by using optical amplifiers as it is done for classical optical data. For this reason, there has been a recent push to develop a satellite-based quantum communication network to link ground-based quantum encryption networks located in different metropolitan areas, countries and continents.

Although the new findings showed that quantum communication satellite networks do not need to be designed from scratch, Christoph Marquardt from the Max Planck Institute for the Science of Light in Germany notes that it will still take 5 to 10 years to convert ground based systems to quantum-based encryption to communicate quantum states with the satellites.
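The way measurement by an eavesdropper reveals itself can be shown with a classical simulation; this is an added example, not code from the researchers or from the article. It assumes the textbook BB84 protocol with an intercept-and-resend eavesdropper, a noiseless channel and an illustrative 5% abort threshold, none of which the article specifies.

```python
import random

RECT, DIAG = 0, 1  # the two preparation/measurement bases used in BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Measuring in the preparation basis returns the encoded bit.
    Measuring in the other basis returns a uniformly random bit,
    and the original encoding is lost."""
    if prep_basis == meas_basis:
        return bit
    return rng.randint(0, 1)


def run_bb84(n_photons, eavesdrop, seed, abort_qber=0.05):
    """Simulate one key exchange and return the observed error rate.

    abort_qber is an assumed, illustrative threshold: the parties
    discard the key when the sampled error rate exceeds it.
    """
    rng = random.Random(seed)
    sifted = []  # (sender_bit, receiver_bit) where both used the same basis

    for _ in range(n_photons):
        a_bit = rng.randint(0, 1)
        a_basis = rng.choice((RECT, DIAG))
        bit, basis = a_bit, a_basis  # state in flight

        if eavesdrop:
            # The eavesdropper must guess a basis, measure, and re-send
            # what she saw. A wrong guess re-encodes the photon in the
            # wrong basis, which is the disturbance the article describes.
            e_basis = rng.choice((RECT, DIAG))
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis

        b_basis = rng.choice((RECT, DIAG))
        b_bit = measure(bit, basis, b_basis, rng)

        # Sifting: bases are compared publicly, mismatches are dropped.
        if a_basis == b_basis:
            sifted.append((a_bit, b_bit))

    # Half of the sifted bits are disclosed to estimate the error rate;
    # only the undisclosed half could become key material.
    rng.shuffle(sifted)
    half = len(sifted) // 2
    sample, remainder = sifted[:half], sifted[half:]
    if not sample:
        return {"sifted": len(sifted), "qber": None,
                "key_accepted": False, "key_bits": 0}

    errors = sum(1 for a, b in sample if a != b)
    qber = errors / len(sample)
    accepted = qber <= abort_qber
    return {
        "sifted": len(sifted),
        "qber": qber,
        "key_accepted": accepted,
        "key_bits": len(remainder) if accepted else 0,
    }


if __name__ == "__main__":
    print("quiet channel :", run_bb84(8000, eavesdrop=False, seed=1))
    print("eavesdropper  :", run_bb84(8000, eavesdrop=True, seed=1))
```

With no eavesdropper the sampled error rate is zero; with one it settles near 25%, because she guesses the wrong basis half the time and each wrong guess gives the receiver a coin flip.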

Cloud-based security services market to reach nearly $9 billion by 2020

Growth in worldwide cloud-based security services will remain strong, reaching $5.9 billion in 2017, up 21 percent from 2016, according to Gartner. Overall growth in the cloud-based security services market is above that of the total information security market. Gartner estimates the cloud-based security services market will reach close to $9 billion by 2020.

“Email security, web security and IAM remain organizations’ top-three cloud priorities,” said Ruggero Contu, research director at Gartner. Mainstream services that address these priorities, including SIEM and IAM, and emerging services offer the most significant growth potential. Emerging offerings are among the fastest-growing segments and include threat intelligence enablement, cloud-based malware sandboxes, cloud-based data encryption, endpoint protection management, threat intelligence and WAFs.

SMBs are driving growth as they are becoming increasingly aware of security threats. They are also seeing that cloud deployments provide opportunities to reduce costs, especially for powering and cooling hardware-based security equipment and data center floor space.

“The cloud medium is a natural fit for the needs of SMBs. Its ease of deployment and management, pay-as-you-consume pricing and simplified features make this delivery model attractive for organizations that lack staffing resources,” said Mr. Contu.

The enterprise sector is also driving growth as they realize the operational benefits derived from a cloud-based security delivery model.

Is Europe ready for GDPR?

What impact will GDPR have on businesses across the UK, France, Belgium and Luxembourg? Vanson Bourne surveyed 625 IT decision makers in four countries and found that the UK is far behind when it comes to GDPR readiness.

The research also found that 54 percent of businesses have little understanding of the fines associated with GDPR. Businesses that don’t comply with GDPR will face hefty fines of up to €20 million or 4 percent of annual revenue in the event of a data breach. 17 percent of all businesses surveyed admitted that, if fined, their business would close. This number jumps to 54 percent for small businesses with less than 50 people. In addition, 39 percent of IT decision makers surveyed revealed that fines would also lead to redundancies at their business.

Despite this concern, only 6 percent of UK businesses view GDPR as a number one priority, yet 30 percent of businesses in France and 25 percent of Benelux businesses have made it a priority. 20 percent of UK businesses consider GDPR to be a low priority, a much higher number than in France at 8 percent and Benelux at 11 percent.

Google game teaches kids about online safety

Talking to kids about online safety is a difficult undertaking for many adults, and making the lessons stick is even harder. To that end, Google has launched a new program called Be Internet Awesome, which includes an online video game called Interland, a classroom curriculum, and a YouTube video series.

The game and learning materials, designed with the help of online safety experts like the Family Online Safety Institute, the Internet Keep Safe Coalition and ConnectSafely, are aimed at children that are between 8 and 11.

Interland leads the player through several floating islands where the challenges and puzzles they have to complete will teach them about several aspects of online safety.

Cybersecurity workforce gap to hit 1.8 million by 2022

The cybersecurity workforce gap is on pace to hit 1.8 million by 2022 – a 20% increase since 2015. 68% of workers in North America believe this workforce shortage is due to a lack of qualified personnel.

To help combat the growing gap, a third of hiring managers globally are planning to increase the size of their departments by 15% or more. Conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)², Booz Allen Hamilton and Alta Associates, the survey is the most extensive in the industry, incorporating insights from over 19,000 cybersecurity professionals.

“There is a definite concern that jobs remain unfilled, ultimately resulting in a lack of resources to face current industry threats – of the information security workers surveyed, 66% reported having too few workers to address current threats. We’re going to have to figure out how we communicate with each other, and the industry will have to learn what to do to attract, enable and retain the cybersecurity talent needed to combat today’s risks,” said David Shearer, CEO at (ISC)².

Unprotected database exposes VINs, owner info of 10 million cars

A database containing information on 10 million cars sold in the US and personal information about their owners has been found exposed online.

The unprotected database was discovered by researchers from the Kromtech Security Research Center, and contains three sets of data:

• Vehicle details: Vehicle Identification Number (VIN), make, model, model year, vehicle color, mileage, etc.
• Sales details: VIN, mileage odometer, sales gross, pay type, monthly payment amount, purchase price, payment type, etc.
• Customer details: Full name, address, mobile / home / work phones, email, birth date, gender, occupation, etc.

Kromtech’s Chief Communication Officer Bob Diachenko says that the database appears to be a collection of marketing data from big and small US-based auto dealerships.

“The database has been online for more than 137 days now. Security Researchers have yet to identify the owner of the database and are asking for anyone from the exposed dealerships or the potential owner to contact us,” he added.

Knowing a car’s VIN might also allow criminals to create duplicate keys for it, and steal it without having to break into the car. This particular approach was used by members of a Tijuana-based motorcycle club to steal a considerable number of Jeep Wranglers in the last three years. These criminals, though, did not steal the VINs from a database, but obtained them by simply reading them from the vehicle’s dashboard.

You don't have to look very far to find people heralding the death of passwords. Indeed, in recent years, Google, Microsoft, and many others have predicted their passing. And yet, passwords are demonstrably still a major part of the everyday security landscape.

If a website requires users to sign up/sign in, it almost certainly uses passwords as a means to authenticate users. Even the various devices that now use biometrics for frontline authentication still rely upon a master password (or passcode) as the fallback. So, the password is very much alive, and the reports of its death are greatly exaggerated!

From a security perspective this isn’t exactly good news. There is no doubt that passwords are past their prime: they are poorly used, vulnerable to compromise, and used on far too many systems to allow their management without some sort of workaround. Better alternatives are highly desired, but the problem is that existing substitutes are not as straightforward to deploy or as universally applicable. Passwords continue to offer a low-cost solution that works on anything, from a smartwatch to a desktop, without requiring any additional hardware beyond that which the device can be relied upon to have by default.

So, if passwords aren’t dead, how can we continue to live with them? One answer is workarounds.

But some of these workarounds are less acceptable than others. For example, writing passwords down or using the same one across multiple systems are classic workarounds, but clearly bad ones. By contrast, using password management tools or browser features to store passwords are more satisfactory options. However, even the use of password assistance has drawbacks: systems can suggest passwords so we don’t have to think about creating long, unique ones, and can store them so we don’t have to remember or type them, but this can lead to a situation where we don’t know the password in the first place, and so can’t gain access from somewhere where we don’t have the option to retrieve it.

Part of the problem with passwords is that users are not supported in how to use them properly. Indeed, many of the websites that require users to register and create password-protected accounts lack any guidance for password selection. Although password meters are commonly used to rate the choices, there is often no accompanying information.

Users are not given any insight into why the password they chose is weak or how to make it stronger. And even though many sites still apply restrictions when it comes to password choices, some of the most popular ones are surprisingly relaxed in what they will accept (e.g. while Facebook prevents the use of “password” or “qwerty”, users can still get away with their surname and a “1” after it as their password). It shouldn’t surprise us, then, that users continue making poor/weak choices.

All of this raises the question of whether it really matters what the sites do. If users are inclined to make dumb choices, won’t they just do them anyway, regardless of advice telling them otherwise?

Well, apparently not.

An experiment performed on 300 users found that the mere presence of guidance (i.e. listing the rules without enforcing them) made a substantial difference to the resulting password choices. The study was designed to observe realistic password selection behaviour, and evaluated five scenarios, with 60 participants assigned to each one:

1. Passwords were chosen without any guidance or feedback at all.
2. Four points of basic guidance were presented alongside the password selection box (namely that the password should be at least 8 characters long, should include both upper and lower case letters, should include at least one number and one special character, and should avoid dictionary words or personal information).
3. Guidance was supplemented with a standard password meter, rating password choices as weak, medium or strong.
4. The meter was replaced with sad, neutral and happy emoji images to signify the suitability of the choices. This was explored to see if users might respond any differently to something more emotional than a password meter (e.g. would they make more effort to try to please the system and get a smiling face?).
5. Emojis accompanied with an emotive feedback message (e.g. “This is not good enough!” for weak password choices), again differentiating things from the standard weak-medium-strong approach to ratings.

The results showed a dramatic difference between the unguided and guided scenarios, decreasing weak choices from 75% in the first scenario down to around a third in the final one (in parallel, passwords rated as strong increased from none at all up to 12% as a result of guidance and feedback). The average length of chosen passwords went from 6.7 characters in the unguided scenario up to 8.8 in the scenario with guidance and emoji-based feedback, with the character diversity also increased.

Of course, the results still weren’t perfect, but they illustrate the effect of putting users in a more informed position. Also, the guidance was only telling them what to do; if it had been supplemented with a reason why they should make a better choice, it’s likely that even more users would have complied.


Obviously, one could argue that the highest level of compliance would be achieved by simply enforcing appropriate rules, and by not permitting weak choices. However, this still leaves the user as the uninformed victim, forced to follow a process that they don’t really understand.

The ideal combination – not just for passwords, but for end-user security in general – is to provide guidance and enforcement, giving users the chance to understand and buy-in, but still ensuring a safety net against those that resist or remain oblivious.
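As an added example (not code from the study or from the article), the function below applies the four guidance points listed for the study's second scenario, tells the user why each failed point matters and how to fix it, and refuses weak choices as the enforcement safety net. The word list, the thresholds that map failures to weak/medium/strong, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample list (assumption); a real deployment would load a full
# dictionary and a list of known-breached passwords instead.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "dragon", "monkey"}


def _contains_any(password, words):
    """Return the first word of 3+ characters found inside the password,
    ignoring case and any digits or symbols mixed in with the letters."""
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in words:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w in letters_only):
            return word
    return None


def evaluate(password, personal_info=()):
    """Rate a candidate password against the four guidance points and
    return the rating, the accept/reject decision and per-rule feedback.

    personal_info holds values the site already knows about the user
    (name, surname, email local part, ...).
    """
    feedback = []

    # Point 1: at least 8 characters.
    if len(password) < 8:
        feedback.append(
            "Too short: use at least 8 characters, because every extra "
            "character multiplies the guesses an attacker has to make.")

    # Point 2: both upper and lower case letters.
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        feedback.append(
            "Single case: mix upper and lower case letters so guessing "
            "tools have a larger alphabet to search.")

    # Point 3: at least one number and one special character.
    if not (re.search(r"\d", password)
            and re.search(r"[^A-Za-z0-9]", password)):
        feedback.append(
            "Add at least one number and one special character; letters "
            "alone are the first thing a guessing tool tries.")

    # Point 4: no dictionary words or personal information.
    predictable = False
    if _contains_any(password, COMMON_WORDS):
        predictable = True
        feedback.append(
            "Contains a common word: attackers try dictionary words first, "
            "so pick something that is not a known word or keyboard run.")
    if _contains_any(password, personal_info):
        predictable = True
        feedback.append(
            "Contains your personal information: names and similar details "
            "are easy for others to find out, so leave them out.")

    # Assumed mapping to the weak/medium/strong scale used by the meter.
    if predictable or len(feedback) >= 2:
        rating = "weak"
    elif feedback:
        rating = "medium"
    else:
        rating = "strong"

    # Enforcement: guidance is always shown, weak choices are refused.
    return {"rating": rating, "accepted": rating != "weak",
            "feedback": feedback}


if __name__ == "__main__":
    # Constructed inputs, including the surname-plus-"1" pattern the
    # article mentions.
    for pw, info in [("Smith1", ["Alex", "Smith"]), ("password", []),
                     ("Sunflower2017", []), ("Tr4il-mix&Kettle", [])]:
        result = evaluate(pw, info)
        print(pw, "->", result["rating"], result["accepted"])
        for line in result["feedback"]:
            print("   ", line)
```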

Why don’t more services provide better guidance as standard? Perhaps because providers think people are familiar with these points already? Perhaps because they think it will make no difference? Or perhaps because, in some cases, they don’t want to put up barriers that disincentivize people from signing up. Whatever the reason, there is perhaps a reason to change things, as we know by now that user behaviour will not adjust by itself. Passwords are still widely used, and will persist for yet some time. Claiming otherwise might make for attention-grabbing headlines, but it ultimately leads to a premature celebration of their demise. Meanwhile, the real news will be the incidents that continue to occur when weak password usage gets exploited.

Steven Furnell is a professor of Information Systems Security at Plymouth University & senior IEEE member.

Those of us who work in the information security industry understand that “security”
is not binary — i.e. we cannot think of everything as either “secure” or “not secure.”
Rather, information security exists on a continuum. There is also a widely accepted
concept that something can be “secure enough” for its designated purpose.

Battle-tested encryption algorithms are good examples of “secure enough.” If we set aside the possibility of exploitation of unknown weaknesses, the time it would take for an attacker to brute force the entire key space and succeed in breaking a “secure enough” encryption algorithm may be longer than the time it will take our Sun to go supernova.

We can also apply the “secure enough” concept to other areas. For instance, in information security, we know how to develop secure enough software. We know how to configure secure enough systems. We know how to build secure enough networks. And if really pressed, we know how to design a secure enough Internet. We really do. Technically we know how to make just about everything secure enough, except maybe PHP. (OK, I'm mostly kidding on that last thing.)

In all seriousness, if we study all the reported breaches from the recent past, we’ll find that there wasn’t a single method of attack that surprised those of us in information security.

The Yahoo hack, arguably the biggest breach in history, is an example of this. The US Department of Justice issued a 36-page long indictment regarding the breach, which singled out four alleged perpetrators and the methods they used to gain entry. After reading the entire document cover to cover, I was unable to find a single technique the intruders used that is not at least a decade old. Do you want to know what they relied on? Spear phishing. Yes, spear phishing. Not some zero-day exploit or other advanced tools or a new, never-before-seen technique. Just your garden-variety spear phishing approach.

But if information security pros are not surprised by any of this, why do these breaches happen so often?

Worldwide spending on information security has reached nearly $81 billion, and yet, day-after-day, month-after-month, and year-after-year, we keep seeing headlines about breaches. No one is safe: not individuals, not small businesses, not mega corporations, governments, hospitals, law firms, banks, and not even security companies. After so much time, money and energy has been invested, I believe we should be doing far better.

I’m convinced the reason things are the way they are has little to do with a lack of know-how, time, budget, talent, and so on. While we could always use more of those resources, the lack of them is not why most organizations find themselves just on the edge of “secure enough.” After nearly 20 years working in information security, I believe the biggest contributing factor across the board is simply a misalignment of incentives in the ecosystem. Those in the best position to make a real impact are not properly incentivized or held responsible for doing so. And since they are not motivated, everyone else suffers the costs and externalities of that inaction.

The Mirai botnet, the first major attack that leveraged the Internet of Things, is a perfect illustration of misalignment of incentives. Bruce Schneier lays out the conundrum extremely well:

“The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

Let’s look at another example: malvertising. When malware-laced ads are distributed, neither the advertiser, nor the advertising network, nor the publisher (website) is liable for the infection of potentially millions of viewers or the damage this infection may cause them. And what’s worse, these advertising entities actually continue to make money by showing malware-laced ads - so they’re only going to help so much in the fight against them.

Let’s also note that ad blocking is something that just about every security professional uses and has recommended to others for years. Mainstream browser vendors, who have direct access to billions of users, could help protect people by natively integrating ad blocking technology by default in their software. On the surface this would seem to be a smart move, but they’re not going to. Brave did it, but mainstream browser vendors don’t and won’t include ad blocking because they are in the advertising business or depend on advertising-related revenue. As you can see, those in the best position to curtail the malvertising problem are simply not incentivized to do so.

The list of examples of misaligned interests goes on and on, so this is where we get to the obvious and necessary question: how can we correct the situation? I’ve been spending much of my time the last several years studying this aspect of the industry and I’ve found three key areas of focus:

1. Cyber insurance
2. Security product warranties or guarantees
3. Software liability

Each of these is new and unfamiliar, which leads to a fair amount of skepticism when discussed in information security circles.

Cyber insurance

Cyber insurance carriers write policies for their business customers. In the event of a breach, carriers compensate customers financially for specific types of losses. As we would expect, the carriers are increasingly dictating what security controls businesses must have in place to reduce the risk of compromise and resulting financial damages. Insurers are motivated to get the guidance right because it’s their cash on the line. Customers are economically encouraged to do what the insurer says; otherwise they risk premiums increasing, their policy being cancelled, or their payouts being denied. In the realm of cyber insurance, all of a sudden security interests are brought into alignment. So it’s not a surprise that the cyber insurance market shows an annual growth of 60 or 70 percent (or more), while at the same time the information security market increases by 5 to 7 percent.

Security product guarantees/warranties

Many security products simply don’t work as well as advertised. Unfortunately for the customer, they often realize the ineffectiveness of a security product only after a breach. But the security vendors who sold the defective product are not liable for the damage, and the customers are on their own. Sadly this is the norm in the information security field.

What would happen if customers demanded a product warranty or service level agreement from their security vendors? If a product or service fails to perform as defined in the fine print, the vendor would be legally financially accountable. And then perhaps we would see security vendors offering more effective products and being more upfront and honest about their capabilities. Also, customers could make smarter purchases. Once again, interests would be better aligned with the security needs of the organization.

Software liability

Finally, let’s briefly discuss the thorny topic of software liability, and what I first heard Mikko Hypponen describe as the biggest lie on the Internet: “I have read and agree to the license agreement.”

The vast majority of end user software licensing agreements makes it clear that the software vendor offers no warranty, no guarantee, and as such takes no financial liability - period. In an age where software powers every aspect of modern life - from self-driving cars, to the energy grid, to our dinner reservations - consumers deserve, and frankly should expect, a far better degree of software security and quality.

Similar to security vendors offering warranties, if software vendors were liable for the lack of security or performance of their products we’d get better software. Sure, secure software might be more expensive, but it just may be worth it - especially since our lives often depend on it.

The bottom line

Making advancements in information security is less about technology and know-how. Moving the security needle is instead far more about the economics involved and the lack of incentives to make it right. Internalize this concept and you’ll be among the industry leaders who work to make information security more than just “secure enough.”

Jeremiah Grossman is the Chief of Security Strategy at SentinelOne (sentinelone.com).

The WannaCry ransomware attack has hit over 300,000 systems in 150 countries worldwide. Much of WannaCry’s “success” is due to the fact that it spreads via the SMB protocol, capitalizing on a Microsoft vulnerability associated with the EternalBlue NSA exploit. Coincidentally, Microsoft released a patch for this vulnerability for all supported versions of Windows in mid-March, two full months before the exploit was used by WannaCry. Nasty? Yes. Avoidable? Totally!

The WannaCry attack is another harsh reminder that organizations are vulnerable to “patch gaps” or endpoint blind spots that can result in damage, losses and business interruptions. In fact, according to Gartner, 99% of vulnerabilities that are exploited continue to be those already known to security and IT professionals for at least a year.

Before we dismiss this as an issue tied to old machines or mom-and-pop operations, let us not forget Sony Pictures, Target and JPMorgan Chase. Recent events prove that even security-conscious companies are not immune.

Savvy organizations are waking up to the realization that cyber hygiene must become a core competency within their IT departments. To advance the cause, I will address the following topics in subsequent sections: 1) Three reasons cyber hygiene is hard, 2) Tell-tale signs of poor cyber hygiene, 3) An actionable cyber hygiene program.

Three reasons cyber hygiene is hard

Before we jump right to the solution, it can be helpful to understand why this is such a monster problem. While there are many reasons, three in particular stand out:

Innovation distraction: The IT industry loves innovation. Much of the talk at big trade shows and in industry magazines surrounds the newest technology such as artificial intelligence, machine learning, near real-time detection and remediation, self-healing methods, and so on. But while innovation is not a bad thing, our fascination with innovation is a distraction from the core mission of making the attack surface as small as possible.

Attack surface explosion: We are headlong into a perfect storm that is massively increasing companies’ exposure to the most basic cyber threats. The perfect storm is best described by this formula: Digital Transformation + IoT + Cloud = Attack Surface Explosion.

Digital transformation is sweeping through organizations that are hell-bent on connecting everything and anything that contains or generates data. This also includes creating a digital trading partner out of every vendor and supplier in their delivery chain. The business benefits are undeniable, but the complications are immeasurable. Add to this the IoT, and an organization’s attack surface becomes limitless. Finally, top it all off with elastic, virtual cloud instances, ensuring that one can no longer physically point to their data, and it is enough to make information security operators throw their hands up in defeat.

It’s everybody’s job: Try announcing to your company that it’s everybody’s job to make sure the refrigerator is cleaned out by 5pm every Friday. How did that work? Cyber hygiene really is everybody’s job: the CEO has a critical role, as does his assistant, as does the UPS guy with a keycard to the office. But if no one is held accountable, and if nothing is measured and managed, then, just like with the refrigerator, the mess will continue to grow.


Telltale signs of poor cyber hygiene

Now that everyone is overwhelmed by the magnitude of the task, the next natural question is “How well are we managing cyber hygiene now?” While the actual job of minimizing the attack surface includes a long list of activities, items and responsibilities, here are three things you can quickly evaluate to figure out your starting position:

Patch management has a reputation as a mundane, low-level checklist item, and eyes often glaze over when patches are discussed. However, mishandled patch management is a top contributor to breaches. Look at your patch management processes, procedures, and schedules. Are they published? Are metrics around patches tracked and managed? Is this a regular discussion topic with key people in the business? Scheduled, honest assessments will give a good sense of the state of cyber hygiene.

Application management is another blinking light on the cyber hygiene dashboard. One report suggested that the typical organization has 1,100 unknown applications installed on company devices. Rogue software applications or out-of-date software versions represent easy access points for bad actors. Do you have the capability to discover all of the software applications and versions running on your machines? Is this built into your standard cyber hygiene operating procedure?

Credential management and access control is central to managing who has access to critical assets on your network. Do you have well-documented credential management and access policies? Are you able to audit these within the system? Consultants and interns come and go, and their credentials often live well past their tenure. Employees get promoted or move within the organization, and their access to old systems is never updated. This access and credential creep makes it much easier for hackers to fly around your network and impersonate a legitimate user.

While these three factors are by no means a comprehensive list of cyber hygiene tasks, they serve as a good litmus test of the maturity of an organization’s cyber hygiene plan.
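The credential audit asked about above can be run as a join between the HR roster and the account directory. The following is an added example, not code from the article or its author; the roster, entitlement map, account list, field names and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed HR roster (hypothetical schema): current role and end of tenure.
HR_ROSTER = {
    "akhan":    {"role": "finance-analyst", "end_date": None},
    "bliu":     {"role": "it-ops",          "end_date": None},
    "intern07": {"role": "intern",          "end_date": date(2017, 3, 31)},
    "consult2": {"role": "consultant",      "end_date": date(2016, 12, 15)},
}

# Constructed policy: which systems each role is entitled to use.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp", "email"},
    "it-ops":          {"email", "patch-console", "vpn"},
    "intern":          {"email"},
    "consultant":      {"email", "vpn"},
}

# Constructed account export, one row per (user, system).
ACCOUNTS = [
    {"user": "akhan", "system": "erp", "enabled": True, "last_login": date(2017, 6, 1)},
    {"user": "akhan", "system": "hr-db", "enabled": True, "last_login": date(2017, 1, 9)},
    {"user": "bliu", "system": "patch-console", "enabled": True, "last_login": date(2017, 6, 10)},
    {"user": "bliu", "system": "vpn", "enabled": True, "last_login": date(2016, 11, 2)},
    {"user": "intern07", "system": "email", "enabled": True, "last_login": date(2017, 5, 20)},
    {"user": "consult2", "system": "vpn", "enabled": False, "last_login": date(2016, 12, 1)},
    {"user": "svc-legacy", "system": "erp", "enabled": True, "last_login": None},
]


def audit_accounts(accounts, roster, entitlements, today, stale_days=90):
    """Flag enabled accounts that show credential or access creep.

    Checks run in priority order, so each account gets one reason:
    no-owner, departed, access-creep, dormant.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned
        user, system, last = acct["user"], acct["system"], acct["last_login"]
        person = roster.get(user)
        if person is None:
            reason = "no-owner"
            detail = "no matching person in the HR roster"
        elif person["end_date"] is not None and person["end_date"] < today:
            overdue = (today - person["end_date"]).days
            reason = "departed"
            detail = f"enabled {overdue} days past end of tenure"
            if last is not None and last > person["end_date"]:
                detail += "; used after departure"
        elif system not in entitlements.get(person["role"], set()):
            reason = "access-creep"
            detail = f"role {person['role']} is not entitled to {system}"
        elif last is None or (today - last).days > stale_days:
            reason = "dormant"
            detail = f"no login in more than {stale_days} days"
        else:
            continue
        findings.append(
            {"user": user, "system": system, "reason": reason, "detail": detail}
        )
    return findings


if __name__ == "__main__":
    for f in audit_accounts(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, date(2017, 6, 15)):
        print(f"{f['user']:<11}{f['system']:<15}{f['reason']:<13}{f['detail']}")
```

Tracking the count of findings per reason from one run to the next gives a metric that can be reported alongside patch metrics.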

An actionable cyber hygiene program

Cyber hygiene is not a set of boxes to check. Rather, it is a muscle that has to be developed: it will take time, practice, and patience to strengthen the systems, skills and procedures. To implement and enforce a high-performing cyber hygiene system, we must go through the following steps: Know→Manage→Protect.

Know. You can’t defend yourself against the exploitation of vulnerabilities you don’t know you have. And you can’t defend systems, applications and users that you are unaware of. Knowledge is a critical first step to a well-oiled cyber hygiene machine. In order to achieve the necessary knowledge, asking the right questions is key:

• What devices/applications are operating on my network?
• Who are they communicating with?
• Who has access to critical assets on my network?

It is easy to generate the list of questions but the hard part is answering them on a timely and ongoing basis. Doing so requires a combination of a tool that can capture the information, a process that enforces timeliness, and a person who is accountable.

Manage. It is incredibly challenging to manage a network, so companies often turn to automation. Automated management of network assets becomes critical to pursuing a high level of cyber hygiene and is really the only way to avoid overburdening an already busy security and IT staff.

Tools and technologies that enforce the items on the list generated in the “Know” step become important because they are able to automatically handle a lot of cyber hygiene tasks that burden the IT department (e.g. pushing patches out).

Protect. In spite of advanced automation and great effort, it is impossible to create an impermeable environment. It is inevitable that something will penetrate your defenses. The key is to be able to quickly detect the penetration, prevent the attacker from doing damage, and fix any damage that may have occurred.

In my experience, companies are much better equipped to make good decisions about what protection solutions are needed in their organization AFTER establishing sound “Know” and “Manage” capabilities.

Todd Bramblett is the President at Nehemiah Security (nehemiahsecurity.com).

Most people would pay a ransom to get their data back

The high-profile WannaCry attack was the first time that 57% of US consumers were exposed to how ransomware works, the results of a recent Carbon Black survey have revealed.

On the one hand, this high percentage is very disturbing. Ransomware has been around since 2005, and you would think that they would have at least heard of the danger from other people. On the other hand, it definitely means that a considerable number of the pollees haven’t been hit with ransomware before.

The company has also asked the 5,000 individuals that participated in the survey things like who’s responsible for keeping their data safe, and how much are they willing to pay to get their encrypted files back if they were to be hit with ransomware.

The biggest responsibility for keeping their data safe is with the individual companies that house the data, most consumers said. Next came cybersecurity companies, then software providers. Government organizations are least responsible, in their eyes.

Would consumers consider leaving a business hit by ransomware? 72% said they would consider leaving their financial institution in such a case. That percentage is 68% and 70% for healthcare providers and retailers, respectively.

“Tying these numbers to what consumers consider their most valuable personal information is an interesting exercise,” the company noted.

“Financial information led the list (but only barely over family photos) while medical records [undeservedly] only made a blip on the radar, with 5% of consumers saying it was their most valuable information. In fact, medical records tied with phone data (messages, contacts, applications, etc.).”

Google’s whack-a-mole with Android adware continues

Why can’t Google put a stop to adware on their official Android app marketplace? The analysis by Trend Micro researchers of a Trojan Android ad library dubbed Xavier tells the story.

The Xavier ad library is the third stage of evolution of the AdDown family, which was initially able to install apps behind the user’s back, but now limits itself to harvesting device information, the user’s email address, and showing ads.

The various AdDown incarnations are distributed to many app developers through an advertising SDK, and it was thus inevitable that they would end up being included in many apps. Indeed, the offending ad library has been spotted and flagged many times before, and continued to pollute apps on Google Play for years.

The main reason the Xavier ad library is able to escape detection by Google Play’s Bouncer malware prevention system is the dynamic detection evasion mechanisms it employs.

The library checks whether it is being run in a sandbox, an emulator (testing environment), and if the user’s email address contains a string (e.g. “test”, “review”, “qaplay”, etc.) that might indicate that it’s being used by a tester. If it detects any of this, it stops working.

The library also encrypts all its constant strings to make static detection and manual analysis more difficult, and encrypts traffic to its C&C server.

US restaurants targeted with fileless malware

Morphisec researchers have spotted another attack campaign using fileless malware. The campaign is believed to be the work of the infamous FIN7 hacking group, and its goal is to gain control of the target businesses’ systems, install a backdoor, and through it perform continual exfiltration of financial information.

“Like in past attacks, the initial infection vector is a malicious Word document attached to a phishing email that is well-tailored to the targeted business and its day-to-day operations,” the researchers noted.

“The Word document executes a fileless attack that uses DNS queries to deliver the next shellcode stage (Meterpreter). However, in this new variant, all the DNS activity is initiated and executed solely from memory – unlike in previous attacks which used PowerShell commands.”

The researchers attribute this one important change to the group’s efforts to stay one step ahead of the defenders, and they are succeeding:

• The booby-trapped RTF documents don’t get flagged by AV solutions
• The emails are believable enough to trick employees into downloading and opening the file AND exiting Protected View
• The JavaScript code contained in the document bypasses security solutions’ behavior analysis by delaying the execution of malicious code, as well as making it so that the second stage JavaScript is not directly executed by the first stage JavaScript
• The second stage JavaScript triggers a first stage PowerShell process that then performs a second stage PowerShell process, which then injects shellcode into its own process
• That shellcode compiles next stage (encrypted) shellcode directly from memory, from snippets obtained through DNS queries.

“After decryption of the second stage shellcode, the shellcode deletes the ‘MZ’ prefix from within a very important part of the shellcode. This prefix indicates it may be a DLL, and its deletion helps the attack to evade memory scanning solutions,” the researchers found.

“If this DLL was saved on disk, many security solutions would immediately identify it as a CobaltStrike Meterpreter, which is used by many attackers and pen testers.”

But it’s not, and it passes undetected.
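A memory scanner does not have to depend on the ‘MZ’ prefix: the rest of the header still identifies the image. The following is an added example, not Morphisec's tooling; it anchors on the PE signature and the e_lfanew back-reference instead. The function names, the 0x1000 search window and the sample buffer (two constructed, non-executable header stubs, one with ‘MZ’ wiped) are assumptions made for illustration.

```python
import struct

PE_SIG = b"PE\x00\x00"
MACHINES = {0x014C: "x86", 0x8664: "x64"}
OPT_MAGIC = {0x010B: "PE32", 0x020B: "PE32+"}
IMAGE_FILE_DLL = 0x2000


def build_stub(wipe_mz):
    """Constructed, non-executable header stub: DOS header, PE signature,
    COFF header and a zeroed optional header. No sections, no code."""
    image = bytearray(0x80)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)      # e_lfanew -> PE signature
    image += PE_SIG
    image += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0xF0, 0x2002)
    image += struct.pack("<H", 0x020B) + bytes(0xF0 - 2)
    if wipe_mz:
        image[0:2] = b"\x00\x00"                   # the evasion described above
    return bytes(image)


# Constructed "memory": an intact stub at offset 37, a wiped one at offset 530.
SAMPLE_MEMORY = (
    b"\xCC" * 37 + build_stub(False) + b"\xCC" * 101 + build_stub(True) + b"\xCC" * 16
)


def naive_mz_scan(buf):
    """Signature scan that starts from 'MZ'; misses header-wiped images."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            (lfanew,) = struct.unpack_from("<I", buf, pos + 0x3C)
            if buf[pos + lfanew:pos + lfanew + 4] == PE_SIG:
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def _locate_base(buf, pe_off, max_lfanew):
    """Find the image base: the offset whose e_lfanew field points at pe_off."""
    for lfanew in range(0x40, max_lfanew + 1, 4):
        base = pe_off - lfanew
        if base < 0:
            break
        (stored,) = struct.unpack_from("<I", buf, base + 0x3C)
        if stored == lfanew:
            return base
    return None


def find_pe_images(buf, max_lfanew=0x1000):
    """Locate PE images from the PE signature backwards, with or without 'MZ'."""
    findings, pos = [], buf.find(PE_SIG)
    while pos != -1:
        if pos + 26 <= len(buf):
            machine, _, _, _, _, opt_size, flags = struct.unpack_from(
                "<HHIIIHH", buf, pos + 4)
            (magic,) = struct.unpack_from("<H", buf, pos + 24)
            base = _locate_base(buf, pos, max_lfanew)
            if (machine in MACHINES and magic in OPT_MAGIC
                    and opt_size >= 2 and base is not None):
                findings.append({
                    "base": base,
                    "machine": MACHINES[machine],
                    "format": OPT_MAGIC[magic],
                    "is_dll": bool(flags & IMAGE_FILE_DLL),
                    "mz_present": buf[base:base + 2] == b"MZ",
                })
        pos = buf.find(PE_SIG, pos + 1)
    return findings


if __name__ == "__main__":
    print("MZ-anchored scan:", naive_mz_scan(SAMPLE_MEMORY))
    for f in find_pe_images(SAMPLE_MEMORY):
        print(f)
```

A finding with `mz_present` set to False in executable private memory is worth triage in its own right, since a loader-mapped DLL keeps its header.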
New PowerPoint malware delivery technique tested by spammers

A spam run detected by several security companies has attempted to deliver malware through an innovative technique: a link in a PowerPoint slideshow.

The attack unfolds like this:

• A malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) is delivered attached in a bogus email (invoice, purchase order, what have you)
• Victims download the file and run it, and are faced with a single text link (or hyperlinked picture) in the file
• They are puzzled by it, and hover with the mouse’s pointer over it in order to discover where the link will take them
• That simple move triggers a mouseover action that leads to a security warning pop-up (Microsoft disables the content of suspicious files by default via Protected View)
• Users who are still curious and allow the program to be run, by clicking either the Enable All or the Enable button, start a chain reaction: an embedded malicious PowerShell script is executed that downloads another downloader in the form of a JScript Encoded File (JSE), which retrieves the final payload from a C&C server (in this case, a banking Trojan).

This particular spam campaign has been directed against European and UK companies in the manufacturing, device fabrication, education, logistics, and pyrotechnics industries. It was limited, and Trend Micro researchers believe it might have been just a dry run to test the new technique.

“Time will tell whether this new infection vector gains popularity among the criminal element. The fact that it does not need a macro is novel and triggers on mouse activity is a clever move,” Malwarebytes researcher Jérôme Segura noted. “There is no doubt threat actors will keep on coming up with various twists to abuse the human element.”

And while there are a number of things company IT/system administrators can do to protect employees from this type of threat, individual (home) users must rely on their email provider’s phishing filters to block such emails, up-to-date antivirus to detect and stop the malware, and their own capability to spot social engineering tactics.

Also, according to SentinelOne, users of the PowerPoint Viewer tool are likely safe, as it refuses to execute the malicious script.
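Because a PPSX file is a ZIP archive of XML parts, a mail gateway or triage script can look for the mouseover action before anyone opens the attachment. The following is an added example, not code from any of the vendors named above. It relies on the OOXML `hlinkMouseOver` element and the `ppaction://program` action value; the function names, the severity labels and the in-memory sample (which contains only the parts the scanner reads, with a placeholder target) are constructed assumptions.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"


def _parse(raw):
    # OOXML parts never carry a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in raw:
        raise ValueError("DTD found in OOXML part")
    return ET.fromstring(raw)


def _relationships(zf, slide_path):
    """Map relationship Id -> (Target, TargetMode) for one slide part."""
    folder, name = posixpath.split(slide_path)
    rels_path = f"{folder}/_rels/{name}.rels"
    if rels_path not in zf.namelist():
        return {}
    root = _parse(zf.read(rels_path))
    return {
        rel.get("Id"): (rel.get("Target", ""), rel.get("TargetMode", ""))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship")
    }


def scan_presentation(data):
    """Report hover-triggered actions and any action that launches a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(
            n for n in zf.namelist()
            if n.startswith("ppt/slides/") and n.endswith(".xml")
        )
        for slide in slides:
            rels = _relationships(zf, slide)
            root = _parse(zf.read(slide))
            for tag, trigger in (("hlinkMouseOver", "hover"), ("hlinkClick", "click")):
                for el in root.iter(f"{{{A_NS}}}{tag}"):
                    action = el.get("action", "")
                    runs_program = action.lower().startswith("ppaction://program")
                    if not runs_program and trigger != "hover":
                        continue  # ordinary click hyperlink, not reported
                    target, mode = rels.get(el.get(f"{{{R_NS}}}id"), ("", ""))
                    findings.append({
                        "slide": slide, "trigger": trigger, "action": action,
                        "target": target, "target_mode": mode,
                        "severity": "high" if runs_program else "review",
                    })
    return findings


def build_constructed_sample():
    """Constructed archive: slide1 has a hover 'run program' action with a
    placeholder target, slide2 an ordinary click hyperlink."""
    def slide(link):
        return (f'<p:sld xmlns:p="{P_NS}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">'
                f'<a:rPr>{link}</a:rPr></p:sld>')

    def rels(rel_id, target):
        return (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="{rel_id}" '
                f'Type="{R_NS}/hyperlink" Target="{target}" '
                f'TargetMode="External"/></Relationships>')

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide(
            '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    rels("rId2", "CONSTRUCTED-PLACEHOLDER-COMMAND"))
        zf.writestr("ppt/slides/slide2.xml", slide('<a:hlinkClick r:id="rId1"/>'))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels",
                    rels("rId1", "https://example.com/"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_presentation(build_constructed_sample()):
        print(finding)
```

The legacy binary PPS format is not a ZIP archive, so `zipfile` raises `BadZipFile` on it and such attachments need a different parser.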

If you’re a Computer Science student or an IT professional looking for a new job
that’s interesting, well paid, and for which demand is constant, you might want to
consider becoming an IT architect.

“Basically, the IT architect is a person who can come up with a high level solution for a business portfolio, application, system, infrastructure or the entire enterprise,” says Cristian Bojinca, Enterprise Solution Architect at RBC, and the author of a book aptly named “How to Become an IT Architect.”

The term is used to encompass all architect roles currently existing in the IT industry:

• Domain architect (business, application, data/information, and infrastructure),
• Enterprise architect (encompassing all domain architectures),
• Solution architect (developing solutions to specific business problems),
• Cross-cutting roles such as security architect (focusing on all the processes, mechanisms, technology used to protect the assets of the enterprise against unauthorized access).

Requirements for the IT architect role

Working as an IT architect will never be boring, says Bojinca. You have a lot of possibilities to influence the decisions in your company for the long term, especially if you are a business architect (you get to influence the business direction of the company), or an enterprise architect (you guide the organization of the entire enterprise).

But all of these roles require much knowledge and great skills.

For one, you need to have a wide and deep understanding of business systems and technologies. Technical, business, and industry knowledge allows the architect to come up with technical solutions while taking into consideration industry best practices, models, frameworks, and so on. An IT architect needs to have the ability to see the “big picture.”

Secondly, you need to possess architecture design skills – foundational skills that will allow you to create a high level design (using different modeling languages and tools) that will satisfy stakeholder needs and requirements. Then, you have to be comfortable with documenting and communicating the model used to understand the enterprise, system, application, and network through a series of views (based on predefined viewpoints). And finally, you need to have the “soft skills” necessary to get sustained buy-in and cooperation from stakeholders to achieve best outcomes. These skills include presentation, communication, facilitation, and so on.

A practical scenario

Take for example the following scenario: A large organization has just been acquired, the lead IT Architect left, and the company’s infrastructure is being merged with that of the new owners. A new IT Architect to lead this merger is needed, but how to choose the right one?

“Currently, there is a lot of confusion about the various architect roles. The definition or responsibilities for those roles varies from one company and industry to another. This lack of uniformity makes it hard for companies to recruit or assign staff to fill architecture positions,” Bojinca notes.

“The TOGAF framework has a section (Architecture Skills Framework) that defines a number of roles including enterprise architect as well as different kinds of skills that include enterprise architecture skills, project management skills, IT general knowledge skills, technical IT skills, and legal environment skills.”

But what is unquestionable is that this person has to be able to do these specific things:

Leadership – Coming from the outside of the organization, he or she needs to establish the trust with the important stakeholders, never imposing leadership but getting things done through personal influence and credibility. This person should be able to clarify expectations and goals, painting a compelling picture that everybody will keep in mind at all times.

Communication and presentation – Communicating and presenting this picture effectively to all levels of management as well as subject-matter experts in different domains is crucial, and so is the ability to negotiate conflicts instead of leaving things bubbling under the surface until an explosion occurs. “In some cases, this might be only about taking discussions offline and trying to settle an argument in private instead of having a huge conflict in front of everybody in a meeting,” Bojinca explains.

Planning – Although there is probably no expectation to come up with elaborate project plans, one of the deliverables that the enterprise architect has to produce is a roadmap showing the transition from the current state to the target state including the major activities and milestones.

Stakeholder management – The most important stakeholders must be identified early in the project and their input must be used to shape the architecture to ensure their later support and the validity of the architecture model. The successful candidate should be able to quickly understand the culture of both organizations and identify the common things that will make the foundation for the new organization.

Change management – The merger is an important change for both organizations and should be carefully planned. This change will include multiple aspects such as people (how will the architecture change influence the organization of the company), business processes and functions (business architecture), data or application changes (information architecture), or changes in the infrastructure (infrastructure architecture). “The successful candidate should demonstrate the ability to use an established change model (such as ADKAR) to advocate the architectural change because otherwise team members will not view it as important and they might start to push for the old way of doing things,” he says. “The architect should not only know the architecture inside out but should also be the champion of the architecture, making sure to build awareness of a need for change and making sure that team members have the knowledge and desire to work through this architectural change.”

Consulting skills – Last but not least, the successful candidate must demonstrate consulting and advisory skills, know how to build effective client relationships and deliver excellent client service. “This might make the difference between leading a successful merger and only creating the blueprints,” he says.

The variety of skills and knowledge needed makes it so that good architects are always in high demand, but are usually a scarce resource. If in possession of the right skills and a good reputation, IT architects don’t have to worry too much about finding employment.

IT architects are also some of the best paid IT or business practitioners, and have the added bonus of being in constant communication with executives and managers, which means better career advancement opportunities.

IT architects and data security

The fast-paced threat landscape made data security an essential part of every business, and the responsibility for data security now goes beyond the company’s data/information or security architect.

“Each type of IT architect should consider security and especially data security,” says Bojinca.

“The enterprise architect should consider data security as a cross-cutting concern for all the architecture domains. He/she should work with the security architect to adopt guiding principles such as: least privilege, deny by default, defence in depth (and many others specified in my book) to provide the guidance for the application, data, infrastructure, solution, etc. architects who will then apply them to derive their own architectures.”

The application architect should always consider data security when creating the high level design of the application, focusing on the security measures required to protect the application from exposing ways to access the data by unauthorized users. This should not include only the most common mechanisms to protect the data (such as encryption) but also the application protocol used, authentication, authorization mechanisms, etc.

The solution architect has to include data security as one of the main drivers to establish the solution architecture for the specific business problem.

But, no matter what type of IT architect you are, you need to have some knowledge of data/information security so you can talk with the security architect about concepts such as encryption, security protocols, and so on.

“This will allow you to leverage the expertise of the security architect, who has a much deeper knowledge in regards to data security, in order to include this aspect of the architecture in the enterprise, application, data, infrastructure or solution architecture,” he notes.

How to become an IT architect?

As noted before, an aspiring IT architect needs to have a wide technical knowledge, but also an in-depth knowledge of the specific domain he or she wants to build their career in.

For example, an aspiring architect with a business/systems analyst background will have to become familiar with the business architecture concepts and expand his/her breadth by understanding more about the business strategies, drivers and how they determine the business architecture.

A would-be application architect with a software developer background will have to hone his or her soft skills, as well as to get a feel for the level of detail required for the various documents and presentations.

In his book, Bojinca offered advice on how to get the required knowledge, delineated specific career path guidelines for different IT architect roles, and guidance on how to get a job as an IT architect.

Zeljka Zorz is the Managing Editor of (IN)SECURE Magazine and Help Net Security (helpnetsecurity.com).

Infosecurity Europe 2017 helped visitors stay up-to-date with the latest industry trends, applications and solutions. The event welcomed 360 exhibitors as well as 200 sessions where visitors could collect CPE/CPD points while developing their career and skills.

Key highlights included:

• The speaker programme featured prominent spokespeople from a range of different industries, from organisations such as Costa Coffee, HSBC, Europol EC3, Royal Bank of Scotland and O2 Telefónica
• A dedicated Women in Cybersecurity Networking Event, which put careers for women in cybersecurity under the spotlight, was hosted at the show for the very first time
• Prominent forensic cyberpsychologist Professor Mary Aiken was inducted into the Infosecurity Europe Hall of Fame
• Infosecurity Europe partnered with the Cloud Security Alliance to host the 2017 CSA Summit
• New for 2017, the Talking Tactics theatre became the 10th theatre to be launched across the show. It showcased real-life lessons from across the industry.
• CheckRecipient was announced as the winner of a national competition to find the UK’s Most Innovative Small Cyber Security Company of the Year. The final saw four competition finalists showcase their products in front of an expert judging panel and Infosecurity Europe audience.
• A highlight in the Keynote Stage programme was the "Live Incident Response Scenario: Cyber Attack Survival Guide: Fostering Cyber Resilience within the Organisation" session. The event brought together expert speakers from across the industry who shared their perspectives on how to respond to a cyber breach as the situation unfolded.

Centrify Identity Platform now secures Mac endpoints

Centrify announced enhancements to the Centrify Identity Platform that deliver local administrator password management for Macs and Mac application management and software distribution via turnkey integration with the Munki open source solution.

The solution can be enabled for all Macs enrolled in the cloud-based management service, ensuring support for remote machines as well as those on the corporate network. Authorized admins can check out the admin password, and the rotation of the admin password is automated. Who accessed what and when is fully audited across Mac administrative access and all other endpoints and infrastructure and available through reporting.

Centrify recognises EMEA channel achievements

Centrify has announced the winners of its EMEA Channel Programme Awards. The awards were presented at a ceremony held on 7th June 2017 at The Distillery, Portobello Road in London.

The full list of winners is as follows:

• VAD of the Year – Inforte (Turkey)
• VAR of the Year – Kerberos (France)
• Marketing Initiative of the Year – Bytes GDPR Campaign (UK)
• Outstanding Performance – Starlink (Middle East)
• Partner Representative of the Year – Anthony Walsh at Integrity360 (Rep of Ireland).

iStorage introduces ultra-secure hard drives

iStorage launched their new range of USB 3.1 HDDs and SSDs, consisting of the diskAshur, diskAshur SSD, diskAshur PRO, diskAshur PRO SSD and the diskAshur DT – all of which are designed, developed and assembled in the UK.

One of the underlying security features of the diskAshur range is the dedicated hardware based secure microprocessor (Common Criteria EAL4+ ready), which employs built-in physical protection mechanisms designed to defend against external tamper, bypass laser attacks and fault injections. Unlike other solutions, all the drives within this range react to automated hacking attempts by entering the deadlock frozen state, which renders all such attacks as useless. In simple terms, without the PIN, there’s no way in!

With software free set up and operation, the diskAshur range works across all operating systems including all versions of Windows, macOS, Linux, Android, Chrome, Thin Clients, Zero Clients and embedded systems.

Qualys enables customers to efficiently comply with key GDPR elements

Qualys now offers customers purpose-built content, workflows and reporting in its cloud platform to provide them with continuous IT asset visibility, data collection and risk evaluation for compliance with the EU GDPR. The Qualys Cloud Platform incorporates more than 10 applications, which allow customers to efficiently comply with key GDPR elements by enabling them with global and continuous visibility, and the tools to secure data and processes across their IT assets and third parties:

Asset visibility – The highest-risk assets are those that go undetected, and gaining complete visibility across IT environments is critical to GDPR planning and compliance — especially amongst many moving parts involved in collecting and processing personal information, which must be identified and tracked. AssetView stores and indexes both IT and security data, including installed software types, allowing customers to search, track, and tag critical assets holding personal data whether on-premise, mobile, or in the cloud.

Data visibility – Once an organization has full visibility into their IT assets, they can use this information to create data maps, and better understand which technical controls may be required to secure sensitive data. Policy Compliance can be used to validate and track access to the files and databases on these systems, and eliminate security configuration exposures, reducing the risk of unauthorized access.

Supplier visibility – Qualys Security Assessment Questionnaire (SAQ) enables customers to scale and accelerate third-party security audits to verify those parties are compliant with GDPR.

Process review – GDPR compliance requires organizational awareness, implementation and review of process controls, policies and procedures for infosec and data classification, and significant data gathering and risk assessment. SAQ automates the entire process of data collection across an organization’s affected teams.

GDPR-mandated security program support – GDPR also requires appropriate technical and organizational measures to protect personal data from unauthorized access, misuse, damage and loss. Qualys Vulnerability Management and PC give customers continuous visibility to enforce proper security controls with out-of-the-box mandate-based reporting for GDPR requirements. SAQ can also help assess organizational measures to enforce policies.

Endpoint Protector 5: Responsive interface and updated eDiscovery module

CoSoSys released Endpoint Protector 5 with updates on the management console which has been redesigned for a modern, user-friendly and responsive experience.

Features of the new UI:

Faster access to certain features, such as DLP blacklists and whitelists, which have been included in the main menu as a separate section.

Flexibility – IT Administrators are now able to manage policies and check reports from any device, from desktop to tablet due to the responsive console

Intuitive design – it is easier to navigate and learn, so Administrators can focus on the actual DLP policies; the new Endpoint Protector interface is functional, simple, but still straightforward.

“Endpoint Protector’s content scanning capabilities as well as visibility of sensitive data at rest have been enhanced, providing organizations more control over their Intellectual Property and other critical data,” said Roman Foeckl, CoSoSys CEO.

Besides the upgraded interface, Endpoint Protector 5 provides new features that support companies in having more personalized DLP policies and in managing their licenses and their queries to the Support Team more efficiently:

• Option to import files with up to 50,000 entries for Custom Content Dictionaries
• Extended eDiscovery capabilities to cover a broad spectrum of sensitive data and endpoints
• Notification bar alerting about new available features, licenses status, and other important events
• Integrated Support section with options to include system information, server information and an e-mail copy when writing to the Support Team; support tickets are now visible directly in the Support section of the management interface for easier access.

High-Tech Bridge reinforces ImmuniWeb with IAST technology

High-Tech Bridge announced availability of its proprietary Interactive Application Security Testing (IAST) technology. The IAST offering will reinforce its current Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) available for web and mobile applications via the ImmuniWeb application security testing platform. All ImmuniWeb packages will continue to provide a zero false-positive contractual guarantee.

The new IAST technology provides customers with ImmuniWeb’s open-source server agent that will correlate a web server’s and other available system logs with dynamic application security testing in real-time. This original approach to IAST assures that blind and complex-to-detect injections (i.e. SQL injections, code injections and various RCEs) will be reliably detected without requiring a customer to disclose its source code.

High-Tech Bridge ImmuniWeb named Best Emerging Technology

Web and mobile application security testing services provider High-Tech Bridge has won the “Best Emerging Technology” category at the SC Awards Europe 2017. The company has also been named a Cool Vendor by Gartner.

Ilia Kolochenko, High-Tech Bridge’s CEO and founder, said that they are honored to have been selected as the winner of one of the most challenging categories in the SC Awards, and that they are excited and grateful for this validation of their strategy, vision and technology.

High-Tech Bridge and DenyAll partner to High-Tech Bridge named a Cool Vendor by
defend web applications and services Gartner

The announced technology integration en- High-Tech Bridge has been named a Cool
ables joint customers to export vulnerability Vendor in Gartner’s May 2017 research “Cool
data from ImmuniWeb Portal and import it to Vendors in Security for Midsize Enterprise
DenyAll WAF in just a few clicks. 2017” by Adam Hils.

Once imported, the vulnerabilities will be virtu- High-Tech Bridge’s Application Security Test-
ally patched by the WAF preventing any at- ing Platform ImmuniWeb is based on a hybrid
tempts of their malicious exploitation. This re- security testing approach that combines and
sults in increased security and quicker turn- correlates manual application security testing
around time when new vulnerabilities are dis- with managed vulnerability in real time.
covered.

www.insecuremag.com 37
Bored employees seen as biggest potential data security risk

Employees who become distracted at work are more likely to be the cause of human error and a potential security risk, according to a snapshot poll conducted by Centrify at Infosec Europe.

Of the 165 respondents, more than a third (35%) cite distraction and boredom as the main cause of human error.

Other causes include heavy workloads (19%), excessive policies and compliance regulations (5%), social media (5%) and password sharing (4%).

Poor management is also highlighted by 11% of security professionals, while 8% believe human error is caused by not recognising our data security responsibilities at work.

Also according to the survey, over half (57%) believe businesses will eventually trust technology enough to replace employees as a way of avoiding human error in the workplace.

Despite the potential risks of human error at work, however, 74% of respondents feel that it is the responsibility of the employee, rather than technology, to ensure that their company avoids a potential data breach.

Application security trends: What you need to know

At Infosecurity Europe 2017, High-Tech Bridge released a summary report on application security trends for Q1 – Q2 2017.

The Bug Bounty fatigue trend is set to progress: 9/10 web applications in the scope of a private or public bug bounty program, running for a year or longer, contained at least two high-risk vulnerabilities undetected by the crowd security testing.

83% of mobile apps within banking, financial and retail sectors have a mobile backend (web services and APIs) that is vulnerable to at least one high-risk security vulnerability. Most popular vulnerabilities are insufficient, or missing, authorization when accessing sensitive data or data belonging to other users.

Over 95% of vulnerabilities residing in mobile application code are not easily exploitable and do not pose a major risk. The most popular flaw in mobile applications within banking, financial and retail sectors is insecure, or clear-text storage of sensitive or authentication data on a mobile device.

98% of web interfaces and administrative panels of various IoT devices had fundamental security problems. Among them: hardcoded and unmodifiable admin credentials, outdated software (e.g. web server) without any means to update it “from the box”, lack of HTTP traffic encryption, various critical vulnerabilities in the interface, including RCE (Remote Command Execution) in the login interface directly.

2/3 companies that leverage a DevSecOps approach to application development, had at least one high or critical risk vulnerability in their external web applications due to lack of internal coordination, human negligence or a business reason. For example, a highly secure web application can be located on a domain with a file upload form, or a recent database backup, in a predictable location.

Attack rates are increasing across the board

Finance and technology are the sectors most resilient to cyber intrusions, new research from Vectra Networks has found.

The company released the results of its Post-Intrusion Report, based on data from a sample set of nearly 200 of its enterprise customers. They looked at the prevalence of strategic phases of the attack lifecycle: command-and-control (C&C), reconnaissance, lateral movement, botnet, and exfiltration attacker behaviours across thirteen industries.

They discovered healthcare to be the most frequently targeted industry, with 164 threats detected per 1,000 host devices, followed by education and media, which had 145 and 123 detections per 1,000 host devices, respectively. By comparison, the food and beverage industry came in as the least targeted industry with just 17 detections per 1,000 hosts.
After exploring overall IoT security implications and consumer attitudes toward it, it’s clear to me that consumers and companies using IoT devices are mostly unaware of the risks that come with them. Let’s explore why.

Most consumers believe that a product manufacturer has imbued all aspects of the product with the required level of safety – including IoT security. It should be a safe assumption, but unfortunately it’s not, and this thinking makes for many insecure devices in the hands of consumers.

This all raises another serious question: if most IoT device vendors do not make comprehensive efforts to secure simple consumer products like cameras, baby monitors, and dolls, then who ensures the security of bigger connected “things,” i.e. the Industrial Internet of Things (IIoT)?

Whose security risk is it, anyway?

When it comes to managing security, the risk to any part of the business, including all IT and OT assets operated by the organization, is ultimately owned by management. For example: let’s say you manage production for a large industrial manufacturer that uses heavy equipment. An old piece of machinery your team has been operating for a couple of decades has recently been deemed obsolete, and it is time for an upgrade. You ask your procurement department to contract a vendor to supply a nifty new beast in place of the old one.

After the initial contact, procurement receives a call from the vendor advising that the new machine will be more sophisticated than the older version your company has been operating. This new one connects to monitoring applications, reports machine performance to the operators via email, and it can easily connect to the network to ensure that relevant parties receive access to its output, can update it, and be notified about possible maintenance issues. Sounds great!
But this is where trouble can start unless security is also brought into the picture from the get-go (either by the vendor or by the purchaser). This is also where the question arises: whose call is it to coordinate the security and data protection attributes of the new purchase before it becomes a fait accompli?

Is it the vendor’s call? Are they supposed to include security of their product? Who is reading that fine print?

Is it the purchaser’s responsibility? Since the procurement department is the one handling the purchase, it could be considered as the party that should initiate the process. Procurement can be a heralding stakeholder that can bring machine specification data to the IT and security departments for an information security assessment. IT and security can thus each plan for the new purchase, but also establish risk, evaluate threats, determine which options to use, and what sort of controls will be needed before that new machine is plugged in.

Procurement has its mandate

Unfortunately, the more likely situation in this example is that procurement departments, and sometimes even procurement organizations, forego these steps altogether. Their mission is to handle the procurement process, which is often very complex, and not to evaluate the need for security, privacy, and data protection aspects of the equipment.

If no steps are taken at this point, new equipment can become known to the IT and security departments in one of at least two possible scenarios:

1. When it falls into IT department’s lap at the moment when it’s time to connect everything. At this point, this ad-hoc operation will most likely end with some network segregation and maybe a firewall, but no real analysis beyond that. Ad-hoc security is always more expensive and takes unmerited precedence over other scheduled projects.
2. The worst-case scenario: IT will learn about the new connection later, after it is already an existing part of the plant and the networks. The equipment was installed by operational technology (OT) staff, but they did not know how to figure out what risks need to be addressed.

New equipment, new risk

Let’s look at another example involving heavy construction equipment. Current day machinery has several IIoT monitoring devices attached. The monitoring devices help both the construction company and the vendor foresee potential operational anomalies and equipment outages, and plan for product improvements. However, when devices are connected to the Internet, they become vulnerable to all its ailments, including malicious hackers.

An attacker may hack into the IIoT devices and try to take control of the equipment, and use it for purposes other than those intended by the construction company. He or she can make the unit a part of a DDoS botnet, or use the equipment as a launching point to access other devices connected to the same network. In the most extreme of cases, such abuse can directly endanger human lives. Consider also this example: an attacker hacks into the monitoring device of an automated crane in a major warehouse of one of the largest manufacturers in the world. Do you think that company would be okay with the fact that a hacker conducts business espionage on their operational activities, and collects information from that crane and potentially other equipment on-site? The answer is no.

What is the likelihood that the procurement team has the responsibility and support to think such scenarios through, and ask that the vendors secure the crane with relevant controls before they buy or rent it? If it’s slim to none, should the new equipment be introduced without those concerns addressed? The answer is: it should not.

The vendor view

It’s safe to assume that major vendors offer top-notch technology that has been seeing considerable advancement throughout the past decades. But nowadays, technology is connected to the Internet. This connection offers added productivity and business value, but should also require added protection.
It is, therefore, critical for vendors to build security into IIoT, starting with the design phase. Pen-testing machinery to make sure it doesn’t have the top applicable vulnerabilities should be part of the basics required to understand and reduce risks. Questions about these aspects can become rather pressing when equipment is contracted as a purchase, but also as a rental, where the lines of security responsibility become a bit blurry.

Procurement is a security ally

IoT threats are already a risk we must reckon with, and organizations are equipping their networks with controls to mitigate IoT-enabled DDoS attacks. IIoT may be receiving a similar amount of attention, but that hardly seems enough, especially since an IIoT compromise is likely to be more physically damaging than an irresponsive website or network. Just like it is better to secure any device from its very inception, it is wiser to weave security into IIoT machinery throughout the design, development, test, deployment, and management phases. This is where the procurement process offers a fine opportunity to pause and engage the security team. This could also promote the desirable effect of letting market sources dictate and demand more attention to security. When buyers are not willing to forego security to get a lower price, vendors will implement it to meet that demand.

From a high-level viewpoint, in organizations with mature security, the CISO’s office drives and manages supply-chain security for the organization, and procurement is part of it. But not every organization applies this to all equipment procurement. In a Ponemon Institute survey commissioned by Siemens, 68 percent of respondents said their organization experienced at least one cyber compromise in 2016, yet many organizations lack awareness of the OT cyber risk criticality or have a strategy to address it.

This is where the organization’s security team and procurement departments can join forces to improve the corporate security posture and lower the organization’s risk of suffering future loss.

One way the procurement department can help ensure equipment is subject to security revision and controls is by simply treating new equipment purchases as IT/computer equipment purchases, for purposes of evaluating security risk, data protection, safety, and other concerns. After all, IIoT equipment is a computer with arms, legs, wheels, or blades attached to it. CIO/CISO teams should be included in equipment evaluation decisions, and the security team can then assess the product and prepare for its arrival. The teams can also instruct the procurement agent on the points they should add to the purchase agreement to help reduce risk right out of the box.

Another way procurement can promote security is by collaborating with the CIO/CISO to demand from their equipment vendors certain security standards. Industrial equipment requirements are well-regulated when it comes to physical safety, but less so where it comes to security and privacy. Standards are a good reference point that can be used to kick off a deeper, beneficial change in that regard.

A good example where standards are used as a pillar is the Mayo Clinic, a nonprofit medical research group. Since medical devices and equipment are considered part of the IIoT, they are used by large healthcare organizations, connected to networks and the Internet, and as such must be secure in addition to performing their intended purpose. The Mayo Clinic took security to heart by requiring that it be part of all its vendor contracts.
In a similar sense, procurement contributes to the organization’s security posture by aligning purchases with the company’s existing regulatory choices. For example, they can limit purchasing to vendors who are ISO 27001 certified and can show certification for their technological manufacturing as well as their equipment’s connectivity hubs. Other standards can be NIST 800-82, ISA99 or IEC 61508.

In cases where regulation is not an option, the organization can develop certain conditions with their vendors, as well as internal policies to control incoming new equipment and ensure it complies with the company’s own security objectives.

IIoT security affects business bottom lines

Organizations who operate with a lower security posture might ask: “What are the chances of anything ever going wrong?” The chances and key risk indicators may be different for each organization and their own risk appetite, but overall, both the impact and the probability factors of the risk equation are rising every year and should be updated to ensure the business is not exposed to risk it is unaware of.

IIoT security risks can range from business espionage to lost productivity, or safety risk due to a looming compromise.

Ultimately, security threats risk costing companies time and money. The organizations that can properly set up processes to ensure that security is part of all procurement processes and all activity across the organization will be the most prepared to meet them headlong.

Limor Kessem is the Executive Security Advisor at IBM Security (www.ibm.com/security).
HITB GSEC 2017 Singapore
gsec.hitb.org/sg2017/ - Singapore / 21 - 25 August 2017

HITB GSEC Singapore is a deep knowledge security conference where the audi-
ence votes on the talks they want to see and speakers they’d like to meet. This
year’s event features keynote speakers Mark Curphey of SourceClear, George
Kurtz from Crowdstrike and Kelly Lum, HTTPS Czar at Tumblr. In addition, there will
also be a Smart City / Smart Nation panel discussion on the evening of the 24th
with Cesar Cerrudo (CTO at IOActive), Matteo Beccaro (CTO at OpposingForce),
Eddie Schwartz (Executive VP, DarkMatter) and Alan Seow (former Head of Cyber
Security at Singapore Ministry of Communications and Information).

4th Annual Cyber Operations for National Defense Symposium
cybersecurity.dsigroup.org - Alexandria, USA / 2 - 3 August 2017

This symposium will focus on the policy and operations necessary to ensure
freedom of operation and defense of US networks. Cyber leaders from all as-
pects of the defense community will come together to discuss the ever-evolving
cyber threats, vulnerabilities, and opportunities that our nation faces.

The event will focus on defensive cyber operations and the necessity of dominat-
ing cyberspace to fight and win in a multi-domain battle. The Symposium will
also address the efforts by DHS to protect the US Government’s networks and
the nation’s most critical infrastructure.

Cybersecurity is finally getting the attention it deserves – it is only regrettable that
this good news is the result of bad news: more numerous, complex, and damaging
cyber attacks than ever before.

Cybersecurity takes a step forward

“The WannaCry ransomware attacks have recently made the headlines around the world. This attack was a wake-up call for many organizations and, in particular, for those that believed they could never be a target (e.g. manufacturing companies),” says Vincent Villers, partner and cybersecurity leader at PwC Luxembourg.

Ludovic Raymond, director at the same company, notes that organisations are beginning to understand that users are often the weak link in the security chain and that, if trained well, they can become a strong asset for the defenders’ side.

Companies are also evolving from simply buying their cybersecurity solutions to rethinking the design of their IT infrastructure and implementing a security-by-design strategy.

“The old mindset is changing, and leaders are beginning to acknowledge that cybersecurity must evolve. In fact, a proactive defense, although useful in warding off attacks, is no longer enough. Organizations’ responses to incidents must also focus on managing their business impact,” Raymond says.

The human factor

The boardroom and company leaders must work to ensure that business, IT and cybersecurity strategies are aligned, and cybersecurity has to be treated as a key pillar for all initiatives and projects, and not just a special domain for experts.
Companies must train employees in cybersecurity, but must also be able to attract quality security professionals. At the moment, that can be somewhat of a problem.

“We are confronted with a shortage of cybersecurity talent and the impact of this shortage is twofold. On one hand, there’s a strong competition between players, who need to pay more to hire key talent. On the other hand, there’s the emergence of a new operating model, in which companies think increasingly about outsourcing certain tasks,” Raymond says.

He believes that we’ll soon see more specialized service firms taking over roles currently kept within organizations. Also, that businesses should stop looking just for security employees with classical technology credentials.

“Security is everyone’s problem, so why limit security positions to people with degrees in tech fields or in computer science? The challenge for organizations is to find people who are able to talk to business leaders, understand technical people, define strategy, and manage a crisis,” he adds.

To achieve this, companies need to foster new education models, accelerate the availability of training opportunities, and deliver deeper automation, so that talent is put to good use on the front line.

And, finally, like in all other traditional functions (accounting, management, marketing, etc.), the development of the cybersecurity workforce must be addressed at the highest level of the business, not left to the IT department.

As complexity rises and demand is booming, governments also need to take action – a shortage of cybersecurity talent can be expected to impact global security, Villers noted.

Technologies to invest in

Being good at the cyber essentials and having strong foundations for their network, workforce, users, and data is crucial for organizations that want to keep secure and thrive, Villers points out.

That said, businesses are always on the lookout for next-gen solutions that can create sustainable and resilient cyber architectures, and make cybersecurity tasks easier and faster.

Villers believes that threat intelligence is mandatory for ensuring long-term security, and that organizations should invest in data loss prevention solutions, as well as finding a way to tackle the insider threat.

“Introducing artificial intelligence into cybersecurity is a good way to handle time-consuming, low value-added tasks. It will require a training / development / improvement period, but it will certainly help cybersecurity specialists focus on more decision-making tasks and making the right decision in a timely manner,” Raymond adds.

“Companies no longer have the means to protect everything, so it’s essential for them to invest in detection technologies in order to obtain the right information and the source of the information. This implies even more data to process and, thus, the implementation of technologies based on data analytics and machine learning, such as behavioural analysis.”

Zeljka Zorz is the Managing Editor of (IN)SECURE Magazine and Help Net Security (helpnetsecurity.com).
If it’s not handled properly, achieving PCI DSS compliance can be a costly and
time-consuming process. I have seen organizations struggle with the PCI DSS
compliance project for years due to a misunderstanding of the standard. In fact,
many organizations struggle to understand the requirements and, as a result,
improper implementation of PCI controls occurs.

Let’s tackle this challenging journey from a project management perspective – with the caveat that the PCI DSS compliance project is never-ending and requires constant monitoring and updating after the initial completion.

Project initiation

The organization assembles a dedicated project team and assigns to each of them a role and responsibilities. The project manager should create a project plan and ensure that the project is on target to achieve the main objective – PCI DSS compliance.

Project plan and assessment (PCI DSS readiness)

In this phase you determine your current compliance state and create a roadmap for achieving PCI DSS compliance. Consider undertaking the following activities:

1. Determine your merchant level, which is based on the number of transactions per year. The merchant level will also determine whether a Qualified Security Assessor (QSA) is required to conduct an onsite audit. There are 5 major payment card brands – VISA, MasterCard, AMEX, Discover, and JCB – but compliance with VISA and MasterCard requirements typically covers everything. The levels below are based on VISA and MasterCard.

Merchant Level 1

• More than 6 million transactions per year
• Any merchant that has had a data breach that resulted in compromised cardholder data
• Any merchant that was identified as Level 1 by the card brands.
Merchant Level 2

• 1 million to 6 million transactions per year.

Merchant Level 3

• 20,000 to 1 million transactions per year.

Merchant Level 4

• Less than 20,000 transactions per year.

2. Determine which Self-Assessment Questionnaire (SAQ) to complete. There are 9 different SAQs – A, A-EP, B, B-IP, C-VT, C, P2PE-HW, and D. (SAQ D is for merchants and service providers). If your organization stores the full Primary Account Number (PAN), then your organization automatically qualifies to complete the PCI SAQ D – all 12 requirements.

3. Determine the cardholder data flow. This is a diagram that illustrates the locations where cardholder data is stored and how it flows through the organization’s systems, applications, networks and people.

4. Determine the scope. For something to be “in scope”, it must be within the cardholder data environment (CDE), directly connected to the CDE, or it can affect the security of the CDE. The CDE is comprised of people, processes and technology that store, process or transmit cardholder data (CHD). Depending on an organization’s network, topology and design, it can be that the entire network is in scope for PCI DSS compliance. Typically, this will increase the risk and achieving PCI DSS compliance may take years. So, what do you do? The answer is to reduce the scope. You can use several methods, and the following are the most common:

• Network segmentation – This is not a PCI DSS requirement, but it is a proper and popular approach to isolate components that store, process and/or transmit cardholder data from the ones that do not. This is where you create your PCI DSS island and properly isolate it from the rest of your network (on its own VLAN). The only way to reach this highly secured island is through a dedicated firewall. Every single port that is opened on this firewall must be justified, approved and documented.
• Tokenization – This method replaces the PANs with tokens, so that the organization no longer stores them.
• P2PE – Point-to-point encryption ensures that the organization has no access to unencrypted PCI data or encryption keys to decrypt it.

Tip 1: Properly implementing tokenization or P2PE solutions may qualify the organization for a SAQ with far fewer controls and requirements.

Tip 2: The PCI DSS does not require shared services such as an Active Directory to be separate and inside the PCI DSS island. However, be aware that these shared services are in scope for compliance and the organization must ensure proper protection. It is up to the organization to assess and accept the risk of CDE sharing services with other environments.

This article assumes that the network segmentation is used to reduce the scope. It is extremely important to properly segment your network. Improper segmentation will introduce exponential risk due to lack of security controls where applicable and required. Additionally, this article also assumes the usage of SAQ D.

• Create an inventory of all your assets that are in scope.
• Conduct an external and internal vulnerability scan based on PCI DSS scanning policy.
• Conduct an external and internal penetration test.
• Review the organization’s current policies, processes and procedures to ensure they meet PCI compliance.
• Choose a proper risk assessment methodology and conduct a risk assessment. I would suggest conducting a risk assessment before the segmentation takes place. This way you can justify the reason for the network segmentation.
• Conduct a preliminary gap analysis by performing a walk-through of all 12 PCI DSS requirements (SAQ D), which are as follows:
www.insecuremag.com 50
1. Install and maintain a firewall configuration Validation
to protect cardholder data
2. Do not use vendor-supplied defaults for The validation phase ensures that the organi-
system passwords and other security pa- zation is indeed PCI DSS compliant. I suggest
rameters conducting a walk-through of each require-
3. Protect stored cardholder data ment and perform the following:
4. Encrypt transmission of cardholder data
across open, public networks • Collect evidence for each applicable PCI
5. Use and regularly update antivirus soft- DSS requirement (where possible)
ware • Interview personnel (where necessary)
6. Develop and maintain secure systems and • Validate your policies and procedures
applications • Observe processes
7. Restrict access to cardholder data by busi- • Verify the scope.
ness need-to-know
8. Assign a unique ID to each person with Reporting
computer access
9. Restrict physical access to cardholder data Each Merchant Level has specific and varying
10. Track and monitor all access to network compliance requirements.
resources and cardholder data.
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security.

Note: Each requirement contains sub-requirements. There are over 220 controls altogether.

Project execution (implementation and remediation)

The result of your PCI DSS readiness phase is a deficiency report (requirements the organization currently doesn’t meet) and a risk treatment plan. The previous phase provides the organization with a roadmap from the current state to the PCI DSS compliance state. In the implementation and remediation phase, the organization needs to take corrective action by undertaking the following activities:

• Implement all required controls to comply with all 12 applicable PCI DSS requirements (SAQ D)
• Update current policies, processes and procedures to meet PCI DSS compliance (develop new ones if necessary)
• Remediate and/or lower risk to an acceptable level
• Remediate all high- and medium-risk findings from an external vulnerability scan
• Remediate all high-risk findings from an internal vulnerability scan
• Remediate all exploitable vulnerabilities discovered during an external and internal penetration test.

If an organization falls into Level 1, it is required to undertake the following validation activities:

• An onsite audit by a Qualified Security Assessor (QSA)
• A Report on Compliance (ROC) must be filled by the QSA
• Run a quarterly external network scan by an Approved Scanning Vendor (ASV). The organization must obtain a passing result
• Complete an Attestation of Compliance (AOC). This is a form that is signed by an official of the organization, to attest that it is complying with the PCI DSS annually.

Note: If an organization employs a person who is a PCI SSC Certified ISA (Internal Security Auditor), they are not required to use an external QSA.

If an organization falls into Level 2, it is required to undertake the following validation activities:

• A PCI SSC Certified ISA must conduct an assessment and complete an Annual Self-Assessment Questionnaire (SAQ)
• Run a quarterly external network scan by an Approved Scanning Vendor (ASV). The organization must obtain a passing result
• Complete an Attestation of Compliance (AOC).

If an organization falls into Level 3 or 4, it is required to undertake the following validation activities:

• Complete an Annual Self-Assessment Questionnaire (SAQ). Remember, you must be compliant with all applicable requirements
• Run a quarterly external network scan by an Approved Scanning Vendor (ASV). The organization must obtain a passing result
• Complete an Attestation of Compliance (AOC).

Monitoring

PCI DSS compliance is a never-ending process, and compliance is validated annually. An organization is obligated to constantly monitor the cardholder environment for intrusion and respond to security incidents.

Conclusion Tip 1: It is not easy for malicious users to compromise a system that is out of scope and then leverage the compromised system to gain access to a system that is in scope for PCI DSS.

Conclusion Tip 2: Avoid PCI myths. Examples:

• Outsourcing card processing makes the organization automatically PCI DSS compliant.
• We are a small organization that processes only 500 credit cards a year, thus PCI DSS does not apply to us.

Conclusion Tip 3: If you do not need the Primary Account Number (PAN), do not store it!

Conclusion Tip 4: Understand the new version of the standard (v3.2) – what is required today, and what is a best practice today but will be a requirement in the near future.

Conclusion Tip 5: PA-DSS (Payment Application) compliance does not equal PCI DSS compliance. PA-DSS applies only to vendors that make and sell payment applications. If your organization developed a payment application that is used only in-house, your organization does not have to be PA-DSS compliant. However, you will have to be PCI DSS compliant.

Conclusion Tip 6: The EMV (Europay, MasterCard and Visa) chip cards do not reduce the scope of PCI DSS compliance. They don’t make you compliant. Furthermore, no PCI DSS requirements are met by just using EMV terminals. EMV technology has been developed to fight credit card fraud in card-present scenarios (stolen credit card numbers cannot be used to make a new EMV card).

Conclusion Tip 7: Only your acquiring bank can truly determine the required SAQ and compliance validation.

Conclusion Tip 8: Depending on the particular situation, service providers could be in-scope of your PCI DSS compliance.

Conclusion Tip 9: Any voice recordings that contain cardholder data (CHD) are in-scope for PCI DSS compliance. CHD is credit card numbers (PANs). For example, SSNs (social security numbers) are not in-scope of PCI DSS.

Conclusion Tip 10: Your organization must perform both external and internal vulnerability scanning on a quarterly basis, with additional scans if there was a significant change to your in-scope environment. Your organization is allowed to perform its own internal scans. External vulnerability scans must be performed by an ASV (Approved Scanning Vendor). Additionally, the penetration testing must be performed annually both internally and externally, or after significant changes to your in-scope environment. Penetration testing can be performed by a qualified internal team or a third party utilizing proper penetration testing methodology.

Conclusion Tip 11: The risk that cannot be eliminated must be properly managed. This is a never-ending process. The PCI DSS requires an annual risk assessment of the cardholder data environment.

Conclusion Tip 12: The PCI Council website provides documentation and templates that can make your PCI DSS compliance journey much, much easier, so use them.

And remember: do not take the shortcuts to simply check the compliance box.

Zoran Lalic is an Enterprise Security Architect at a software company.
