Feed on
Posts
Comments

Today I got the question from a POS (Point Of Sale) vendor if it is OK to store the credit card numbers in the RAM of the computers. The issue from the POS-vendor was regarding the statement file that should be sent to the bank. Is it allowed to have the file unencrypted in memory while waiting for the connection to the bank?

I searched the internet for any answers on this question but could not find any. I checked with the auditors I currently work with regarding this issue and got the following response:

“It is OK to store the credit card numbers in RAM as long as it is only temporary and is not a huge amount of numbers.”

Of course this is rather obvious. If you store the information encrypted in the database you have to decrypt them in RAM if you ever want to use them.

Even if I really appriciate WSSRA and have had quite a lot of use for it, sometimes I run into issues where it is not as clear as one could hope. The description and relationship of the following words: Threat, Threat Agent, Vulnerability, Exploit and Risk are, in the big picture, correct and you understand the writers intention. But if you think a little bit more you will find that the circle is not complete and that it is not entirely consistent. There are two things missing and that is Asset, the thing that could be damaged and Safeguard, the way to mitigate the risk. It is important to include the asset otherwise the risk value is void. You could say that it does not matter if someone hacks the website and uploads warez if no one could download it. But if someone could download then what has been damaged? The reputation of the company and the internet connection due to overload, probably not the webserver in itself (yes, I am aware that a complete reinstall should be done in either case).

Because this is a Security Architecture, i .e. a blueprint how to solve security problems, you should also include the safeguards. A vulnerability that cannot be exploited due to a safeguard has no risk. It is as easy as that. One could argue that safeguards will be the result of the architecture but very often there are already safeguards in place to handle some of the vulnerabilities. If the are not included you could end up solving problems already solved.

The word Exploit is defined as “The method used by a threat agent to expose vulnerability.” Even if this is interesting it has little value in a Security Architecture. It is a lot more interesting to know if the vulnerability will create an exposure. After that when you are in the design phase to solve the problem then the exploit is interesting becuase it could dictate how you should solve the problem.

Logging and monitoring as a big issue in many compliance schemes today, not least PCI DSS. One very good tool for auditing and monitoring computer logs on hetrogenic platform is Operations Manager 2007. If you are interested in this product take a look at www.contoso.se. The founder and webmaster of that site, Anders Bengtsson, was awarded an MVP for his knowledge and devotion for the product yesterday. You´ll find a direct link to the site in my blogroll to the lower right.

In todays news I was told that there are a risk that the kidnapped girl Madeleine could be help by a circle of pedofiles. Hopefully she will be found unharmed soon and in the following events several others could be saved as well and a number of those bastards arrested. I cannot help arresting those “humans” but I can help with the Computer Forensics.

I here by vow to help the police in this matter in any way I can for free and I urge security professionals around the world to at least put in 16 hours of work for free to help the police track pedofiles all over the world.

I have got quite a few mails saying that they want to comment my posts. I have had comments turned off to get rid of all the spam but I have implemented a spamprotection for the blog so lets try it out.

During my years within the IT industry working with security I have taken pride in never just say no, but say no and give an explanation. By doing that my no later on could be a yes because the customer could explain what they wanted and I could help dem create a secure solution. Sadly I seem to be one of few who ever takes the time to give a good answer, who dives into the problem, tries to understand it and later on give an explanation. I met a collegue in the business who works for a customer that has the policy to just say no on everything. Then the change requestor has to come back with a new solution that is either rejected or accepted but he/she would never get a good answer what is right or wrong.

“This is to save time. We cannot try to understand every little problem.” I was told. Sadly this will destroy all creativity there is and make the security department look like a big bad roadblock.

If you ever think of going into this business, always give good explanations.

When I am out having workshops regarding implementation of PCI DSS one of the first questions I ask is: Why do you save the information? It have turned out that not a single company has had the need to store the information for a longer timeperiod then 10 minutes. Something to think off when you do your next evaluation. Why implement encryption on all databases when a simple delete statement will do.

I have made several Computer Forensics at companies and I often wonder why timesync in the domain seldom works or is not implemented alltogether. Apart from technical issues with Kerberos and such there is also a big problem when doing investigations if the clock on the client do not match the clock on the servers. I once was called to a case to make a review of an investigation that gone done the drain. It turned out that the client was five minutes and 22 seconds off the servers so every log that was matched to the clients behavior was off. This ment in the end that a guy could get of the hook for fraudulent behavior and a gal was catched instead.

So make sure that the clock is set correctly on all servers AND clients.

Security professionals shudder and CSO:s turn their heads away when Shadow IT is mentioned. This is a part of IT that is not regulated and therefor is dangerous… or is it? I agree that Shadow IT indeed could pose a threat if for example some employees or managers opens up corporate information for the whole world but I will also state that a too secure environment is leathal to the creativity of an organisation. The existens of Shadow IT is a good sign that there still are creative people in the company.

I had the big opportunity to attend a conference in Redmond where Andy Mulholland, Global CTO of Capgemini, in lenght described how SOA could be used for letting mashups be used in an unsecure/secure environment. One part of the conference was a workshop where we where assigned the task of create a security architecture for (and a lot of other stuff) that stimulates the creativity while still securing the information. I will not give you the whole solution here but in short: Information Classification for knowing what data that could be published with web services, Terminal Servers and Softgrid for providing access to sensitive data, webservices as the only way to publish data externaly by using ISA-server and finally an unlocked desktop where virusprotection and encryption is running with Windows 2008 NAP active and monitoring.

Bye bye, secure laptops. Freedom here I come! 😉

I had a rather long discussion with a good friend and former collegue today regarding simplicity in security. It is a well know fact that when your solution is to complex you probably have done it wrong. But the issue he had was that if you do not implement a security solutions so it is simple for a user to handle they will find a way to circumvent it. This of course makes it quite interesting when doing ROSI-calculations. The ordinary ROSI goes like this:

(Cost of risk) – (Mitigations Actions) = Total Amount Not Lossed.

The question is if the cost of simplicity should be included in the cost for mitigations actions or if this should be presented as a specified amount? Or to write it more simple. What costs do you include in the mitigating actions? If your solutions is way to complex your users will find another way around making your cost of control rise to the same cost as the risk.

So in short. Use simple solutions that has a clearly communicated business need.

« Newer Posts - Older Posts »