Friday, 20 August 2010

Just Check In, we'll sort out the rest!

With great power comes great responsibility, but I guess Zuckerberg didn’t watch Spider-Man. Turning on features without appropriately notifying the users (an email would be nice!) is probably becoming the norm; unless you follow their blog, you won't hear about it. It is assumed that all the users will get the news. But when the change, in this case a new feature, affects the privacy of 500 million + users, I believe there has to be some sort of notification mechanism. Well, tough luck, Facebook users; it is not to be, yet. This particular change is not as bad for those outside the US, as the Facebook Places feature is only active in the US. However, each user's profile ‘Privacy Settings’ will show three new entries/settings that default to:

Things I share:
o    Places I check in = ‘Friends Only’
o    Include me in “People here now” after I check in = ‘Enable’ checked

Things others share:
o    Friends can check me in to places = ‘Select one’ (Enabled/Disabled)

Ideally, one would have liked the new features to be set as per the user’s preference, but again, Facebook has set it for you. One would have preferred a notification asking for the user’s permission to enable the Places feature, followed by a prompt to set the above three settings to their own liking. Anyway, if you don’t like Places, just disable it as below by going into Account > Privacy Settings > Customise Settings.


Often in business, competition benefits the end user. With personal data at stake, in this particular case it seems the cost is privacy.

Personally, I find the ‘Friends Only’ setting quite generic, and ‘Friends’ on Facebook does not accurately reflect real-life relationships. Facebook 'Friends' would be classed as acquaintances, friends and close friends in the real world. One may not want all 'Friends' to see status updates, locations, photos, videos etc. In this case, the ‘lists’ functionality within Facebook can be used to group friends into appropriate lists and fine-tune the privacy settings to restrict sharing. But things may get a little complicated there. The privacy update earlier this year didn’t do much for the user in this regard. It was a well-presented screen/facade over the same behind-the-scenes workings, which enticed users towards the ‘recommended’ settings and silenced the critics. Prof. Ross Anderson sums it up very aptly in an OWASP podcast: Facebook is trying something extremely difficult here, and it is going to face many challenges on the road ahead.

For the readers interested further in Facebook Privacy Settings, Sophos has a good basic guide to the settings here.

Tuesday, 17 August 2010

Security training - make the message stick!

Security training programs are boring. I don’t have the statistics to support this claim, but surely there are other things that employees have to do, or are rather more interested in, than attending a one-hour session instructing them on security policies and best practices! Think about a security professional sitting in an accounting training class. It is done because it has to be done, with varying levels of interest, mostly low.

The aim of a training program, or indeed any presentation, is to engage the audience and deliver a message that sticks, preferably for a long period of time. Going through slide after slide of bullet points is just another presentation that the audience will never remember.


I recently delivered a PCI training session to a few DBAs. The slide deck was ready to take them through the whole nine yards of PCI DSS, to ensure that they understood what it meant and that it has 12 requirements they should be aware of. Having sat in their chairs before, I thought maybe there was a better way of delivering it to make the training more interesting. On an impromptu decision, I reasoned that a real story is always a great start.

So I decided to tell them the story of one particular individual named Albert Gonzalez. Now, he should’ve been classed as one big APT, judging by the number of ‘results’ he had under his belt! :) His was more of a joint effort, but the story of the several breaches he led sticks, and it sticks well. The events are also directly/indirectly responsible for the onus on QSAs to store evidence while performing an assessment. I’m sure many of the QSAs don’t like Mr Gonzalez for that, but I must thank him for providing such an entertaining story for my audience.

I didn’t have this transcript during the training, but the conversation excerpt is a good insight into one of the many threats the standard aims to protect against. I must mention that A. Gonzalez bought a 0-day, but let’s not go there.

This is also the key approach in security: realise the threats.

Once a good DBA knows what the threat is and what is being protected, it usually helps them understand the rationale behind the rigour of the controls and their own responsibilities, and helps them watch out for suspicious events.

Chances are, it may help them avoid installing the Facebook Dislike Button!

Friday, 13 August 2010

Blame the game #QSAs

QSAs get a lot of criticism from the security and business community. Following a recent discussion on QSA quality and how it can be improved in order to improve the client experience, I decided to look at the existing QSA qualification requirements and the course structure on the PCI SSC site. This may help me understand whether the criticism is justified and what can be done to address it.


Cost

NEW QSA Training Fee - $1,250 USD
Annual Requalification Fee - $995 USD

Experience/Background

CISSP, CISA or CISM Certificate, or
5 Years of IT Security experience in a Résumé format

Training

This class test is closed book; the only document you will be allowed to reference during the test is a translation dictionary if needed.

Day 1

Module 1 - PCI DSS Program Overview
o    PCI Security Standards Council
o    Roles & Responsibilities
o    Payment Industry Terminology
o    Payment Transaction Flow
o    Service Provider Relationships
o    Payment Brand Compliance Programs
o    SAQ Overview
o    PA-DSS Applicability

Module 2 - PCI DSS Assessment Scoping
o    Cardholder Data Discovery
o    Cardholder Data Flow
o    Cardholder Data Storage
o    Network Segmentation
o    Scoping the Cardholder Data Environment

Day 2

Module 3 - PCI DSS Requirements
o    PCI DSS v1.2 Overview
o    PCI DSS v1.2 Requirements
o    PCI DSS Assessment Preparation
o    Report of Compliance Documentation
o    Prioritized Approach for PCI DSS 1.2

Day 3

Module 4 - Compensating Controls
o    Compensating Controls Definitions
o    Compensating Controls Worksheet
o    Compensating Controls Examples

Team Case Studies

Exam

Module 5 - PCI DSS Compliance Program Development
o    Ten Common Myths of PCI DSS
o    PCI Compliance Process
o    PCI Compliance Recommendations
o    Information Security Management System Implementation (ISO 27001)

I took the QSA training around mid-2008 and, having sat the CISSP test before, I thought the QSA test was relatively light. I’m sure many others share my view, and this is partly reflected in the changes introduced in Jan 2010.


The test structure has since changed to become a closed-book CBT test, now with a Continuing Education requirement (120 hours in 3 years, 20 min each year).


From a QSAC's point of view (a QSA 'C'ompany, i.e. the company that employs QSAs), they’d want as many qualified consultants as possible to be QSAs to support the clients, and the QSA training costs can be recouped in a few days of QSA consultancy. To add to this, the pre-requisites to qualify are not very stringent either. One needs to show 5 years of IT Security experience. I’m not sure whether this experience is validated directly by the SSC; I believe it remains the QSAC’s responsibility to do so.


Understanding the businesses, the transaction process and the various relationships is not an easy task. It is not something that an individual with 5 years of IT Security experience, a 3-day training course and a test can readily address. It cannot be consistent either, as the standard is open to interpretation. Acquirers have been proactive and have published guidance around call recording of SAD (sensitive authentication data) post-authorisation to avoid misinterpretation. Every acquirer has their own PCI team with their own interpretations and requirements. It becomes difficult for the QSAs to ‘sing from the same hymn sheet’.


To improve this, tiers/levels could be assigned to QSAs based on the assessments they have done. I’m sure every QSA will agree that it is a learning process. No QSA knows 100% of everything when he/she comes out of the training. If a freshly qualified QSA is assigned to a relatively difficult project without any support from a 'gold' or 'silver' QSA, that is down to the QSAC, and the client's experience suffers for it. Since it is an assessment/audit-related role with a technical emphasis, it may also help if certifications like CISSP, CISA or CISM are made mandatory. Most QSAs do have one of these certifications, hence it shouldn't be too onerous.


On the bright side, I have seen the QSA market mature over the last year, and QSACs are asking for experienced QSAs with several RoCs under their belt. This is a good thing. Organisations are also maturing in how they address PCI compliance, engaging a QSAC early to provide experienced QSAs and lead towards a successful assessment. All this comes at a cost, a cost that some organisations may not have foreseen in their business plans. That’s when the fun begins. Dave did a great post on selecting your QSAs here.

Tuesday, 10 August 2010

Show me the data

I was watching the National Geographic channel the other day, learning how Philadelphia's SEPTA transit network is managed and maintained. The trains use an overhead power source that requires regular maintenance. Coupled with this, there are incidents that the authorities must respond to. Each out-of-service carriage costs the network, and appropriate procedures are followed to ensure the safety of the passengers.

I enjoyed the episode and, being a security professional, could quickly relate it to the similar processes and controls in IT Security. The major difference was that the impact, or the experience, is not as visual. Workers bringing down a power line to change a section of electrical cable and impacting the line during BAU is a more tangible experience to the viewer than a 0-day patch being applied to a web server that ends up affecting the business. The former is easier to explain too, and the risks are more tangible, i.e. carriage damage/financial loss due to delays or line failure, or in the worst case loss of lives. Talking about the risks of a compromise/malware outbreak and eventual data loss due to CVE-2010-1423 or CVE-2009-4324, as used in the Eleonore exploit kit, will probably not have the same impact.


Visibility is the key here: of the assets and of the risks. Most organisations clearly struggle to identify and classify their data assets as the business grows, and the related risks are blurred or suppressed by business objectives. The patching process is a clear victim here; it usually becomes secondary and takes a back seat to supporting the business. Obviously, offence is easier, more exciting and more rewarding (to the malware authors) than defence.

PCI DSS has succeeded, to an extent, in identifying the asset and listing requirements to protect it. I'm not sure patching is as simple as requirements 6.1 and 6.2 lead us to believe. I have seen businesses struggle in this area and slip past the nets of QSAs to remain exposed.

Bits are not as exciting; if only I could colour my data red and green and see it going across the network! Cut the cable and see the red drip. I would like to see more innovation happen at the application level, where the data is created. Why doesn't MS Word or Excel ask me to mark/classify my data? It may be as simple as red and green. Surely this model has to change. Maybe the customer is not asking for such functionality, or it isn't being asked for enough. There is DLP, and then there is Web DLP. Organisations try to cap data leaks from ports on the devices but miss the big port, i.e. the Internet.