
I was advising a QSA recently who struggled to understand a mainframe tokenisation solution. She could not get her head around the technology, hence she couldn't review it. I asked her if she had conceptualised it, but that had not occurred to her.

To solve the situation I brought out my architecture views on PCI and showed her how I had conceptualised all of PCI. From those we collected the conceptual components needed for tokenisation and how it should work.

Now it became a lot easier for her to identify the matching components in the mainframe, and instead of giving up she solved the assignment in just a few days. The power of a good architecture should not be underestimated.

I just signed with Sogeti and will start working there as National Cyber Security Driver on the 1st of November. Back in the Group again. :-)

The events currently unfolding at a large car producer point to a specific problem within security: the fear of letting others know. In many organizations today security has a somewhat impenetrable workflow. The board is briefed by the CSO or CIO with only a minimum of information according to "need to know". Non-security personnel have no insight into what is logged or not logged and have no means of actually getting information about what is happening out of the security department. To top it off, forensic practice is seldom followed, and it is very easy to frame anybody if you have control of the security systems. In short, the security department has sometimes returned to the days when the Inquisition was feared.

Being a global security consultant I have seen my fair share of incidents, cover-ups, unknowing CEOs and direct malpractice, where I was called in to sort it all out. Many times the culprit was just a lack of understanding of real security, or processes that didn't work, but in a few cases it was actually personnel at the security department who held a grudge towards someone and tried to frame him or her.

The reason they were almost able to pull it off has been the same as it always has been within security: lack of insight into the process, a process that has been deemed too risky to expose and where secrecy has been implemented for its own sake, not to protect anything. Ask any cryptologist about openness and they will tell you that an algorithm has to stay secure even if the attacker has the algorithm and the encrypted text. Ask any security specialist about "security by obscurity" and they will tell you that it doesn't work, that the attacker always has all the time in the world and always finds the vulnerabilities. Ask the same person about their process or their network drawings and you'll get the answer: "No, it is classified!"

It is my opinion that security departments have for way too long been allowed to work as an internal police force hidden under secrecy, conducting risk analyses trying to protect everything without any real understanding of business value. It is not an effect of a bad apple. It is more an effect of a bad barrel, as explained by the Stanford Prison Experiment. Without clear rules of engagement, without clear rules from management about what needs to be protected and why, you will eventually get a security department that is dysfunctional.

Learning how to run a security department with the same rules of engagement as any other department takes skill and understanding. Equally important are methods and tools that make security an integrated part of the company. Getting something as simple and easy as a risk analysis right has many times proven to be an impossible task for many companies. Failing this, fear will govern the security department; fear of a breach and fear of having too lax security, thereby always producing answers like: "It is too high a risk." or "We can't allow that because we are not sure it is safe." Fear creates secrecy, secrecy creates impenetrable areas, and sooner or later you will get a bad apple, produced by your bad barrel, who tries to make off with a large amount of money believing he is protected by the system of his own design.

During a visit to a client today we discussed AST (Application Security Testing) and agreed it would be an interesting concept to add to their security. During the visit I was tasked with investigating what the cost would be. I have to say that I was somewhat baffled by the prices for licenses when you look at enterprise levels.

Isn't there anyone offering AST as a service?

During the last months I have looked into breach detection. There are several numbers on the web from different reports, and of course there is no exact figure, but an estimate is somewhere around 263 days, give or take 50. In any case it is still way too large a number.

During a presentation recently I was asked how I would explain this to top management in a way that they could understand. I came up with the following description:

Imagine that someone enters your house, eats your food, pets your dog, talks to your neighbours and sits in your favourite chair without you ever noticing. Can you imagine what damage they could have done? When you realise that someone has been there you find traces everywhere, and you find that you need to replace everything you have and many things are lost forever.

263 days…

I have a long track record with business-down situations. When everything fails and no one manages to get the systems up and running again, my phone used to ring and I was expected to come and solve the situation and... I always did. After a while you have seen it all and know where to tackle a specific problem. One thing that was very common then, and sadly still is, is the lack of incident response plans. In at least 40% of the cases a simple incident response plan would have stopped a problem in its tracks and reduced it to a simple backup restore. Today, in 2014, only two-thirds of companies have incident response plans. In any business-down situation those plans are worth their weight in gold. Anyone who has had a visit from me knows that.

Finding hard facts about breaches and statistics is quite often a cumbersome process. For this reason I have added a new keyword, Security metrics, to tag posts where I have identified valuable security metrics.

This is a report from the UK with some interesting facts. 81% of large organisations had a breach during 2013, and the average cost was estimated at £600k – £1.5M for the worst breaches. The median number of breaches for large organisations was 16. Even if the cost of a small breach was substantially lower, it still puts the cost of breaches for a company at a very high figure.

Something to think about when you ask for the budget next year.

Running a small business with an unknown brand is not protection enough against attacks anymore. As soon as you have a web presence you will be scanned and possibly hacked. The reason that small businesses are in scope for attacks now is that they quite often have lower defences and simply are easier to breach. As companies tend to integrate with each other, a foothold at a minor company that integrates with a bigger target could prove to be a great way to get hold of the riches in the otherwise hard-to-crack large corporation. So investing in cyber security will be important even for smaller companies if they want to conduct business with larger, more secure companies. Read some more insights about small companies here.

Military attacks are quite often interesting from the viewpoint that they will sooner or later find their way into attacks geared towards civil companies. I doubt that there is a possible gain in targeting civil nuclear centrifuges, but of course there are other possibilities. Reading this article you get a bit of an insight into how Stuxnet was initially deployed and the first type of attack that was launched. It turned out that one vector of attack was highly specialised contractors that are lousy at cyber security.

With the trend of outsourcing everything and acquiring systems where you depend on a contractor to manage the system you need, you are possibly giving an attacker a foothold.

If you have ever been to Sweden you know that the third Friday in June is Midsummer Eve and all of Sweden goes to celebrate that summer has finally arrived. I'm no exception here, so just a short post today.

If a credit card costs as much as $40 and is resold for $20, $10, $2, $1 and $0.1, making it a grand total of $73.1, how much money is there in a hack that yields a total of 300 000 credit cards with CVV code? Simple enough: $21 930 000. Does anyone still think that credit card theft is a declining business?

There is way too much money in it still.
