Entries tagged with “Chris Mark”.


The payments industry sees new technologies being released on an almost daily basis. One simply needs to read an industry publication or take a quick spin through Google to see the latest mobile technology, risk analysis software, or some other product that proposes to be “today’s solution to tomorrow’s problem.” While many of these technologies are good, how does one separate the wheat from the chaff?

I am the consumer that marketers love. I am what is referred to as an ‘early adopter’ of technology. XBOX 360 came out…bought it the first week. Cassiopeia PDA came out…bought one the first week (2001). Blu-Ray came out…bought it the first week. iPad came out…bought it the first week. The upside to being an early adopter as a consumer is that you get some bragging rights and you may find some really cool technology. The downside? You will always spend more on the first generation than on subsequent generations, and much of what you buy may end up in a drawer never being used. Fortunately, being an early adopter as a consumer may hurt the pocketbook but will likely not have long-lasting consequences. As a company, it is always wise to consider the technology closely before deciding to throw your lot in with one product. Here are some ideas to minimize the cost and risk associated with new technology.

1) If at all possible, wait until the product matures and is at 2nd generation or later. 1st generation products are still working out the bugs, usually far more so than subsequent generations. As an example, in my previous company we purchased an application layer firewall for about $50,000 to comply with the PCI DSS. It was awesome but, quite frankly, way too much for our small company. If we had waited 9 months we could have purchased a similar model built for smaller companies for less than $18,000 from the same vendor.

2) Buy from reputable, known manufacturers and vendors. Few things are more aggravating than having a piece of technology that cannot be fixed or upgraded because the vendor went out of business. New technology often fosters new companies. Many of these companies do not survive, or they may simply discontinue the product line. Cisco recently discontinued their popular Flip video camera. While this likely would not hurt many businesses, it is an example of why it pays to wait until a product is mature and marketable before spending significantly to acquire it.

3) Evaluate your needs closely. As an information security professional I have had the opportunity to work with numerous companies on their security needs. When an issue is brought to the technologists, their first recommendation is usually to find some technology to fix the perceived issue. In many cases good old-fashioned processes can accomplish what technology can accomplish, for much less money and aggravation. Don’t buy technology if you don’t really need the technology.

4) Don’t forget security! Technology can frequently increase the operational efficiency of a business. A purchasing decision should always include an analysis of the impact the new technology will have on your company’s security. One of the most relevant examples I can think of is wireless technology. Wireless technology is great and adds a tremendous amount of flexibility and efficiency to many companies. Unfortunately, it can be extremely dangerous if the wrong technology is used, or if it is not configured and managed correctly. Trading security for convenience is a dangerous game.

Hopefully these simple tips will help when evaluating technology for your own company.

A story today on CNN discusses how a phishing attack which originated (it is believed) in China has allowed unauthorized persons to access the Gmail accounts of US Government and South Korean Government personnel, among others. While the story is interesting, the most relevant part, in my mind, is the fact that phishing attacks are still being used with such success to obtain authentication information. As a reminder for those who may be unfamiliar: a phishing attack is when someone sends an email to people under false pretenses in an attempt to have those people provide information which can then be used for fraudulent purposes. Likely everyone reading this has received hundreds of phishing emails in the past few years. Most phishing emails are clumsy attempts at gaining information and often have misspellings, incorrect language usage and other issues that indicate that the email is not legitimate. Spear phishing emails are much more effective. In a spear phishing attack, a data thief sends directed emails to a specific person, often referencing enough information to allow that person to believe it is from a legitimate source. Once trust is established, people are much more willing to provide information. When Epsilon was breached, many people debated the value of the data stolen since it was not, apparently, financial data. What the criminals did not get in financial data they were able to get in personal data and email addresses, which allowed for spear phishing attacks.

So what can a user do? Simple: NEVER provide your personal information in response to an email. Do NOT click a link in an email and enter your personal information (username, password, credit card data, etc.). Links are easy to spoof. If, for example, you receive an inquiry which by all accounts appears to be from your bank, do not click the link in the email. Simply navigate to your bank using their primary domain and log in through the normal channels.

While high-tech criminal attacks capture our attention, it is often the low tech attacks that are most effective.  Stay diligent.

These are common eCommerce related security questions we hear from merchants.  Hopefully, this will help some merchants in their pursuit of compliance and security.

If I don’t store credit or debit card data, do I have to comply with the PCI DSS? Yes. The PCI DSS applies to any organization that stores, transmits, or processes payment card data. Simply not storing data does not relieve your company of its obligation to comply with the standard.

I use anti-virus software. Can I still get a virus on my computer? Yes. Anti-virus and other malicious software protection typically uses signatures to detect malicious software such as viruses. Unfortunately, until a signature is created and your anti-virus is updated, you may still have malicious software on your system that is undetectable.

Doesn’t a firewall prevent hackers from getting into my systems? No. Firewalls do not prevent all traffic from entering and exiting your network; they simply restrict access to specific ports and services. If, for example, your company has a web server, then your firewall would need to allow port 80 (HTTP) inbound to allow people to access your website. It has been estimated that almost 99% of exploits are specific to HTTP.

Doesn’t encryption protect my data from being stolen? Maybe. Encryption prevents unauthorized personnel from being able to read the data. The weakness in any encryption solution is that it relies upon keys to encrypt and decrypt the data. If the keys are not adequately protected, they can be compromised and the data can be accessed. Also, it is important to remember that encryption only prevents unauthorized people from accessing the data. If a data thief can obtain the logon credentials of an authorized user, they can simply use those credentials to access the data.

How do data thieves get into my system? Unfortunately, people often invite them in. “Drive by” infections of malicious software are often the main vectors by which malicious software such as trojans, viruses, back doors, etc. is planted on systems. In a drive-by infection, a user accesses an infected website while surfing the Internet and the website infects the system. For this reason, it is important to filter and control Internet access.

Hopefully these simple answers provide some value to those trying to understand some of the threats facing their company.

A quick read through the various security websites, blogs and even headlines of major newspapers shows a trend developing in data compromise strategies. Until 2010 or so, data thieves were laser focused upon stealing credit and debit card data. While card-not-present data was often acceptable, their goal was to steal magnetic stripe data which could be used to counterfeit cards. In 2010, we began seeing a trend toward stealing banking information which would allow data thieves to transfer funds from personal and business banking accounts through ACH transactions. As companies have begun to bolster their security processes and controls, we are seeing another shift in data compromise objectives. The recent news that Epsilon and Sony (3 different divisions) experienced major breaches was interesting for several reasons. First, it did not appear that the data thieves were targeting financial information; rather, they were after personal information such as email, full name, addresses, etc. For those that are not familiar with tactics to steal information, this data is often more dangerous than credit or debit card data.

One method that data thieves use to obtain account data is through a technique known as phishing. In a phishing attack, an email structured to appear legitimate is sent to thousands (if not more) of recipients in the hope that a small percentage of the recipients will act. The email may direct people to a fraudulent website where the users are instructed to input their personal data, or it may be a simple instruction to respond with credit card data. Likely every reader of this blog has received numerous phishing attempts. A more sinister variation is known as spear-phishing. In spear-phishing, legitimate-looking emails are sent to specific people. The emails are addressed to the recipients by name and appear legitimate. Because the recipient is addressed by name, the attack has a much higher rate of success, as people are more inclined to believe it is legitimate. The downside for the attacker? If I receive an email from Bank X I know it is fake, as I have no business with Bank X. This is where the recent breaches are cause for concern. Because the data stolen is associated with one or more specific companies, the spear-phishing attacks can be much more targeted and will likely be much more successful. People are receiving personalized emails from what look like companies with which they legitimately do business. Many more people will take action on this type of email than on a random, blind communication.

It is important to remain diligent in security. Never enter your credit card, debit card or personal information into a website upon direction from an email.

This is part 2 of a recent post: “Smoke and Mirrors; What are they really saying?” In reading an article on the ETA website today I found a statistic that did not seem quite accurate. It stated that: “PCI Compliant merchants fare better, but 36% still report breaches over 2-year span.” In reviewing the article, the statistic was taken from The 2011 PCI DSS Compliance Trends Study, which was released in April of this year. After reading the ‘study’ I had to admit I was somewhat taken aback. Two major items stuck out immediately.

1) Respondents ‘self reported’ and were “…deemed to be PCI compliant if they chose “all” or “most applications and databases are compliant.” According to that definition, 66% of companies were ‘deemed’ compliant. This definition is inconsistent with the PCI SSC’s and the card brands’ definition of compliance, which is meeting all applicable PCI DSS requirements. Even using the more liberal interpretation, only 33% of the respondents should be considered ‘compliant’. Additionally, the study does not differentiate between when the companies reported themselves (self, I might add) “compliant” and when the “breach” occurred. It simply asks whether the company was ‘all’ or ‘mostly’ compliant and whether it had a breach.

2) While the study references data breaches numerous times and survey questions Q8a and Q8b ask about data breaches, no definition of “data breach” is provided in the study. Is an anti-virus infection considered a data breach? Is a data breach defined as an intrusion which exposes confidential or protected personal data? Is encrypted data that is exposed considered a data breach? Without a consistent definition, there is no way to understand the intent of the respondent. It is possible that many respondents feel that a virus infection is a data breach.

Another interesting comment is found on page 1, paragraph 3 of the study. It states: “In fact, virtually all (99 percent) compliant organizations in this study report that they have had only one or no data breaches involving credit card data compared to 85% of non-compliant organizations that had one or no such breach incidents.” What?!? Having one breach involving credit card data is a bad thing and requires reporting to the card brands. It then goes on to state that: “…the percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% to 85% in 2011.” These numbers are difficult to understand and more difficult to believe. So, reading these two statistics together, it appears that 85% of organizations (it doesn’t say compliant or non-compliant) had a breach in the previous 24 months. Given that there are 6.5 million merchants in the US, if this represents a statistically valid representative sample, it would suggest that roughly 5.5 million companies experienced a breach in the previous 24 months. This certainly seems unlikely. It is more likely that the ‘self reported’ breaches include virus infections, web server vulnerabilities and other issues that are not considered ‘data breaches’.

While it is important for companies to understand that protecting data is critical to their company’s success, it does not help to provide information that spins data in an attempt to support a pre-defined position. When I first began working in data security I learned a new word: FUD. FUD is an acronym for Fear, Uncertainty, and Doubt, and it is how many companies choose to sell security products. In essence, you scare the heck out of your clients and they buy the products. The lesson to be taken from this post is to continue to critically analyze the statistics that are provided. Sometimes a close look will reveal information that is not quite as it seems.