Aug 25th, 2010 by Jesper Kråkhede
I really love books, and books that expand my knowledge in security are even better. As an old social worker I am quite skilled in psychology, sociology and especially crisis management. Reading “The Science and Politics of Fear” is like standing with your head down, bending your neck upwards and for the first time seeing the stars.
A bit too much praise, ehh? Well. How many times have you done a risk analysis, got the whole crowd to agree on your very bright insights, just to learn that all the risks you and the crowd brought forward did of course not happen, but that the obvious thing indeed happened and cost them a fortune? This is all due to how our brain works.
I must urge you to read the book by Dan Gardner, as I have to change quite a lot in my risk analysis to circumvent the Example Rule, the Good-Bad Rule and the Rule of Typical Things. The brain is nothing more than a cave man in New York, surrounded by other cave men, trying to understand what is happening around us. Do not ever make the mistake of thinking that a risk analysis is all about numbers and logical decisions. It is all about feelings, whether you admit it or not.
Posted in Methodology | No Comments »
Aug 9th, 2010 by Jesper Kråkhede
You have surely met them, you know, those trying to describe security as locked doors, and the age-old question “Why bother locking the door when a window is placed beside it?” I ran into one of those just recently and we had a bit of an argument, as he was trying to promote network-based firewalls instead of using a combination of appliances and host-based ones. So after a bit of discussion the house came up, and after listening to the door/window argument I grew tired and delivered the following:
A locked door may protect you from a would-be thief passing by your door. Locking the doors inside your house may also be beneficial, but when doing the risk analysis you should not only think of externals trying to get in. You must also take into account the risk of catching a cold from your kids, the possibility of a boiler problem, your teenage daughter taking money from your wallet and finally the possibility that your home computer has a disk crash. A locked door only solves a very small problem in a very complex world.
For some reason the discussion ended then and there.
Posted in Security Architecture | No Comments »
Jul 11th, 2010 by Jesper Kråkhede
During my years working with security I have met many claiming to work within security: some actually are doing it, some are real jokers and some do not understand what it really is. What I learnt during all these years is that security is really complex; specializing in security means that you have to know everything about everything. Being an expert in security without understanding the core of your client's business is like explaining the security of a car without having a driver's license.
I have had the opportunity to work with some very passionate people when it comes to security, and I must say that there is such a huge difference. If you ever get a team of passionate security people you are very lucky. Not only will you get a secure business, but you will get a business that actually works securely with future-proof tools and with the most effective processes there are. The team I currently work with in London is all about passion and the feedback we get is marvelous.
I just wonder: should I implement a Crowmoor-approved certification for security professionals?
Posted in Business, Methodology, Security Architecture | No Comments »
Jul 8th, 2010 by Jesper Kråkhede
In a Swedish article today they describe a case of skimming at an unmanned gas station. This has become rather common nowadays, with new cases found weekly. This is just in line with my previous posting on the subject. One would suspect that more of the oil companies would have updated their payment systems, but sadly not. In some cases it boils down to a bad internet connection, the cost of authorizing every transaction and the cost of new technology, but sadly in many cases it is all a matter of the cost of upgrading versus the cost of fraud. PCI DSS fines are rising. I wonder when the oil industry will be hit by VISA/MasterCard.
Posted in Compliance | No Comments »
Jun 30th, 2010 by Jesper Kråkhede
Forrester reports are always interesting to read. I cannot say that I trust them all of the time, but they do often point in the right direction. Just recently I found a report showing the percentage of retailers in the US that have been fined, currently 8%, with 27% more that have been threatened with fines. As the US is often the frontrunner when it comes to compliance, this will of course spread to Europe soon. Currently I know of several retailers in Europe that are stalling their PCI DSS projects, as their acquirer has not engaged them further to reach PCI DSS compliance.
This of course means that card security has stalled in Europe as well. The last figure I heard was that 3 300 000 cards were stolen in Europe every week from retailers. Let’s hope the number goes down fast.
Posted in Compliance | No Comments »
Jun 19th, 2010 by Jesper Kråkhede
One of the most important tools I use when working with security is reference architecture. It really helps me speed up my projects. So what is reference architecture? It is as simple as a visualized description of the best way to solve a problem. So whenever I am to implement PCI DSS, ISO 27001 or any other compliance standard, or if a client asks me about the best way to implement remote access solutions, I bring up my diagrams and start mapping.
The best thing is that I immediately find any possible flaws in the solution they are proposing, which makes me seem extremely knowledgeable.
But in the end it is only a matter of understanding the best way to do something and then adapting it to map the client’s possibilities in their current setup. If you are not working with reference architecture, then you are bound to be making the same errors over and over again, at a very slow pace.
Where do you find reference architectures? Some are proprietary, like the ones I have created. Others are readily available at, for example, www.opensecurityarchitecture.com.
Posted in Security Architecture | No Comments »
May 31st, 2010 by Jesper Kråkhede
I have worked several years with PCI DSS, and even if I am not as experienced as some QSAs, I know I do have a kind of experience they don't: working with security from a business angle. In one assignment we were looking into several possibilities to make the client PCI DSS compliant. One of those routes was to implement a payment service provider everywhere payments were handled. At first glance this looked like the best solution. There was an added annual cost of 1.2 M€, but that should be matched against the 40 M€ it would cost to change the systems to become compliant.
So, what was the deal breaker here? Fraud. The payment provider could of course handle credit card fraud in all ways possible and imaginable, but what about fraud specific to this industry? Nope. If my client couldn't use credit cards for investigating fraud between different payments, they expected fraud costs to rise by 2-8 M€ annually. Now the 40 M€ looks much more promising.
Finally, when we looked at the solutions to become compliant, we found many more ways to decrease the cost, hitting ROI much faster than imagined in the first place.
Posted in Compliance | No Comments »
May 17th, 2010 by Jesper Kråkhede
BBC ran an interesting article today regarding how easy it is to take control of a car, even when it is in motion. The scientists say that it is a rather difficult attack for the common man, but one thing we have all learned is that when something is hard in the beginning, soon enough there will be a tutorial on YouTube and exploit code to download from different sites.
So, what’s the problem from an architectural point of view? This is quite an easy one actually. If you have an application that communicates, someone will try to communicate with it. Therefore you need to implement secure coding. Any application will at one point attract a malicious user’s attention, and if you are not writing secure code… you are history.
In this specific case we could have a rather interesting situation when it comes to insurance fraud. “I swear, the brakes didn't work anymore. The car must have been hacked! BTW my laptop was lost in the crash. It must have flown out the window and disappeared with an elk.”
So writing secure code (read the book) and implementing SDL: Secure Development Lifecycle (read this as well) is something you have to do in all projects from now on. To use one of my favorite commercials: Just do it!
Posted in Methodology, Security Architecture | No Comments »
Apr 27th, 2010 by Jesper Kråkhede
In a Swedish newspaper today they ran a story regarding identity theft. A woman's driver's license (the main identification in Sweden) was stolen and used to take out credit in her name. They got several thousand SEK before she finally understood and contacted “Upplysningscentralen”, UC, where you can block the possibility of taking out credit in your name.
Usually an identity theft stops here, but not in this case. The imposter sent a new application to lift the ban on taking out credit in her name. At the same time they had her mail temporarily stored at the post office, where they, with the same driver's license, were able to confirm the lifting of the ban and then take out credit for over 100 000 SEK.
So where are the problems here? The obvious one is that the ID was not checked properly by any clerk where they managed to get credit. Even though an application exists that should be used for checking the ID against UC, it is not always used. Secondly, there is no way to distinctly tell that a single ID has been used for fraud. When the woman got her new ID it looked exactly like the first one. Third and most important, relying on the mail service for security is still very unreliable. The possibility of having mail stored at the post office is of course very convenient, but there has to be a check with UC whether this should be allowed for the individual client.
Posted in Security Architecture | No Comments »
Apr 19th, 2010 by Jesper Kråkhede
No one in Europe has missed the fact that there is a volcano erupting, spewing out ash all over Europe and grounding virtually all flights here. This has of course put a strain on a lot of sectors. During media coverage there have been the usual comments, but one thing that became very visible this time was all the doomsday prophets crying out that we are going back to the sixties, no planes will leave the ground for years and a lot of airlines will go broke, sending us back into a recession.
This is actually not far from my own industry. I don't know how many times I have read a risk analysis pointing out one risk after another with this or that probability, but very seldom do I find a follow-up report that actually investigated the risk analysis prognosis and compared it to actual facts.
Could this be because logging of incidents is not taking place, or because incidents are kept so well hidden that not even their management gets the reports, since the information is classified? I prefer the Apache approach, giving full disclosure both on what happened and on how the problem is mitigated so it does not happen again. Information is our best weapon in the battle of security.
Posted in Business, Security Architecture | No Comments »
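The follow-up report the post above asks for, and the "obvious thing nobody listed" from the Aug 25th post on Dan Gardner's rules, can be produced from two inputs most organisations already have: the risk register with its forecast likelihoods and the incident log. The script below is an added example, not code from the blog or from any tool it mentions; the risk names, forecast figures and the semicolon-separated incident log are all constructed for illustration, and the verdict thresholds (zero observed against a forecast of one or more counts as overestimated, more than twice the forecast as underestimated) are an assumed convention, not a standard.

```python
from collections import Counter, defaultdict

# Constructed risk register (hypothetical names and figures): the number of
# incidents per year the workshop expected for each risk it brought forward.
RISK_REGISTER = {
    "external intrusion": 2.0,
    "ransomware": 1.0,
    "insider data theft": 0.5,
}

# Constructed incident log for one year, one incident per line:
# date;category;cost_eur. Categories missing from the register are the
# "obvious things" nobody put on the list.
INCIDENT_LOG = """\
2010-01-14;disk crash;12000
2010-02-03;disk crash;9000
2010-03-22;ransomware;45000
2010-05-09;disk crash;8000
2010-07-30;lost laptop;3000
2010-09-12;disk crash;15000
"""


def parse_log(text):
    """Parse the semicolon-separated log into (date, category, cost) tuples."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, category, cost = line.split(";")
        incidents.append((date, category.strip(), float(cost)))
    return incidents


def classify(expected, observed):
    """Compare a forecast (incidents per period) with the observed count.
    Thresholds are an assumed convention for this example."""
    if expected == 0:
        return "unforeseen"
    if observed == 0 and expected >= 1:
        return "overestimated"
    if observed > 2 * expected:
        return "underestimated"
    return "in line"


def compare(register, incidents, years=1.0):
    """Build a per-category report: forecast, observed count, cost, verdict."""
    counts = Counter(category for _, category, _ in incidents)
    costs = defaultdict(float)
    for _, category, cost in incidents:
        costs[category] += cost

    report = {}
    # Union of both sides so unforeseen categories show up next to the forecasts.
    for category in sorted(set(register) | set(counts)):
        expected = register.get(category, 0.0) * years
        observed = counts.get(category, 0)
        report[category] = {
            "expected": expected,
            "observed": observed,
            "cost": costs.get(category, 0.0),
            "status": classify(expected, observed),
        }
    return report


def unforeseen_cost_share(report):
    """Fraction of total incident cost caused by risks that were never listed."""
    total = sum(r["cost"] for r in report.values())
    if total == 0:
        return 0.0
    unforeseen = sum(r["cost"] for r in report.values() if r["status"] == "unforeseen")
    return unforeseen / total


def format_report(report):
    """Render the comparison as plain text lines for the follow-up report."""
    lines = [f"{'risk':22} {'forecast':>8} {'actual':>6} {'cost EUR':>9}  verdict"]
    for name, r in report.items():
        lines.append(
            f"{name:22} {r['expected']:8.1f} {r['observed']:6d} {r['cost']:9.0f}  {r['status']}"
        )
    lines.append(f"unforeseen share of cost: {unforeseen_cost_share(report):.0%}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(compare(RISK_REGISTER, parse_log(INCIDENT_LOG)))))
```

Run on the constructed data, the two intrusion-style risks the workshop worried about come out as overestimated or in line, while the disk crashes nobody listed account for about half of the year's incident cost. That unforeseen share is the number worth tracking from one risk analysis to the next: if it stays high, the register is being written from the Example Rule rather than from the incident log.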