Nov 16th, 2014 by Jesper Kråkhede
I was approached by a data centre locally here in Sweden that asked me about a contact they have with a company that needs to be PCI DSS compliant. Apparently the company had outsourced their entire infrastructure to the data centre but kept their architecture unit and application management in-house. The question I received was who is responsible for the card dataflow that you need to document according to the PCI requirement. My first question was whether the data centre had access to the documentation for the applications, and the straightforward answer was no. They were only responsible for the infrastructure. Everything above that was part of the company's responsibility. And that answered the question. If you are only responsible for the infrastructure, you are not responsible for creating the card dataflow chart.
Posted in Compliance
Nov 15th, 2014 by Jesper Kråkhede
I was recently contacted by a company that sells vulnerability scanners and hacking tools. They promised that they had access to exploit code for vulnerabilities that are unknown. The reason why this was a sales argument was that we could show our expertise by always finding a vulnerability. I argued that this was NOT a sales argument, as a serious client is not interested in us always finding a vulnerability but in us finding all possible vulnerabilities and showing them how to fix the problems. If we were always to show a vulnerability that has no fix, we are not proving that we are a competent partner.
Posted in Business
Oct 12th, 2014 by Jesper Kråkhede
I was advising a QSA recently who struggled to understand a mainframe tokenisation solution. She could not get her head around the technology, hence she couldn't review it. I asked her if she had conceptualised it, but that had not occurred to her.
To solve the situation I brought forward my architecture views on PCI and showed her how I had conceptualised all of PCI. From those we collected the conceptual components needed for tokenisation and how it should work.
Now it became a lot easier for her to identify the matching components in the mainframe, and instead of giving up she solved the assignment in just a few days. The power of a good architecture should not be underestimated.
Posted in Security Architecture
Oct 3rd, 2014 by Jesper Kråkhede
I just signed for Sogeti and will start working there as National Cyber Security Driver on the 1st of November. Back in the Group again. 🙂
Posted in Uncategorized
Sep 28th, 2014 by Jesper Kråkhede
The events currently unfolding at a large car producer point at a specific problem within security: the fear of letting others know. In many organizations today security has a somewhat impenetrable workflow. The board is briefed by the CSO or CIO with only a minimum of information according to "need to know". Non-security personnel have no insight into what is logged or not logged and have no means of actually getting information about what is happening out of the security department. To top this, forensic practice is seldom followed, and it is very easy to frame anybody if you have control of the security systems. In short, the security department has sometimes returned to the days when the Inquisition was feared.
Being a global security consultant I have seen my fair share of incidents, cover-ups, unknowing CEOs and direct malpractice, where I was called in to sort it all out. Many times it was just a lack of understanding of real security, or processes that didn't work, that was the culprit, but in a few cases it was actually personnel at the security department who held a grudge towards someone and tried to frame him or her.
The reason they were almost able to pull it off has been the same as it always has been within security: lack of insight into the process, a process that has been deemed too risky to expose and where secrecy has been implemented for its own sake, not to protect anything. Ask any cryptologist about openness and they will tell you that when it comes to algorithms it has to stay secure even if the attacker has the algorithm and the encrypted text. Ask any security specialist about "security by obscurity" and they will tell you that it doesn't work, that the attacker always has all the time in the world and always finds the possible vulnerabilities. Ask the same guy about their process or their network drawings and you'll get the answer: "No, it is classified!"
It is my opinion that security departments have for way too long been allowed to work as an internal police force hidden under secrecy, conducting risk analysis trying to protect everything without any real understanding of business value. It is not an effect of a bad apple. It is more an effect of a bad barrel, as explained in the Stanford Prison Experiment. Without clear rules of engagement, without clear rules from management of what needs to be protected and why, you will eventually get a security department that is dysfunctional.
Learning how to run a security department with the same rules of engagement as any other department takes skill and understanding. Equally important are methods and tools that make security an integrated part of the company. Getting something as simple and easy as a risk analysis right has many times proven to be an impossible task for many companies. Failing this, fear will govern the security department; fear of a breach and fear of having too lax security, and thereby always producing answers like: "It is too high of a risk." or "We can't allow that because we are not sure it is safe." Fear creates secrecy, secrecy creates impenetrable areas, and sooner or later you will get a bad apple, produced by your bad barrel, who tries to make off with a large amount of money believing he was protected by the system of his own design.
Posted in Business, Compliance, Security Architecture
Sep 10th, 2014 by Jesper Kråkhede
During a visit to a client today we discussed AST (Application Security Testing) and that it would be an interesting concept to add to their security. During the visit I was tasked with investigating what the cost would be. I have to say that I was somewhat baffled by the prices for licenses when you looked at enterprise levels.
Isn't there anyone offering AST as a service?
Posted in Business
Aug 12th, 2014 by Jesper Kråkhede
During the last months I have looked into breach detection. There are several numbers on the web from different reports and of course there is no exact figure, but an estimate is somewhere around 263 days, give or take 50. In any case it is still way too large a number.
During a presentation recently I was asked how I would explain this for top management in a way that they could understand. I came up with the following description:
Imagine that someone enters your house, eats your food, pets your dog, talks to your neighbours and sits in your favourite chair without you ever noticing. Can you imagine what damage they could have done? When you realise that someone has been there you find traces everywhere, and you find that you need to replace everything you have and that many things are lost forever.
263 days…
Posted in Business, Methodology
Aug 6th, 2014 by Jesper Kråkhede
I have a long track record with business down situations. When everything fails and no one manages to get the systems up and running again, my phone used to ring and I was expected to come and solve the situation and…I always did. After a while you have seen it all and know where to tackle a specific problem. One thing that was very common then, and sadly still is, is the lack of incident response plans. In at least 40% of the cases a simple incident response plan would have stopped a problem in its tracks and returned it to a simple backup restore solution. Today in 2014 only two-thirds of companies have incident response plans. In any business down situation those plans are worth their weight in gold. Anyone that has had a visit by me knows that.
Posted in Methodology
Jul 29th, 2014 by Jesper Kråkhede
Finding hard facts about breaches and statistics is quite often a cumbersome process. For this reason I have added a new keyword, Security metrics, to tag posts where I have identified valuable security metrics.
This is a report from the UK with some interesting facts. 81% of large organisations had a breach during 2013, and the average cost was estimated at £600k – £1.5M for the worst breaches. The median number of breaches for large organisations was 16. Even if the cost for a small breach was substantially lower, it still puts the cost of breaches for a company at a very high figure.
Something to think about when you ask for the budget next year.
Posted in Security metrics
Jul 28th, 2014 by Jesper Kråkhede
Running a small business with an unknown brand is not protection enough against attacks anymore. As soon as you have a web presence you will be scanned and possibly hacked. The reason that small businesses are in scope for attacks now is that they quite often have lower defences and simply are easier to breach. As companies tend to integrate with each other, a foothold at a minor company that integrates with a bigger target could prove to be a great way to get hold of the riches in the otherwise hard to crack large corporation. So investing in cyber security will be important even for smaller companies if they want to conduct business with larger, more secure companies. Read some more insights about small companies here.
Posted in Business, Security Architecture