Sunday, August 26, 2007

Addressing Information Security - Tips for Home Machines

Personal computers used at home are the worst affected machines whenever there is a virus or worm outbreak. These machines are not the actual targets. In fact they are the scapegoats that malicious users borrow for a bigger and more severe attack on the real target. The malicious users, or hackers as we commonly know them, find home machines the easier victims: they convert vulnerable home machines into zombie machines and control them remotely to carry out their attack on the target networks.

There are many reasons why home machines are so vulnerable; the following are a few of the ones that may be listed –

1. Home machines are often left unpatched, without the latest service packs and hotfixes.

2. Home machines often lack updated virus signatures. In many cases the antivirus installed is not capable of countering the latest worms, viruses and malicious code.

3. Home machines often have unnecessary services running.

4. Home users often install freeware and shareware without fully understanding what it does; such software at times opens further avenues for weaknesses.

5. Home users often do not think before clicking on links forwarded in junk/spam mails. This makes it easier for the hackers to carry out phishing attacks, or attacks that leak vital information such as the user's surfing patterns.

6. Home users often open attachments even from untrusted sources; attachments such as .scr and .pif files, and very recently .pdf files, can carry malicious code.

Though there is no best way to defeat malicious intent, we can all certainly be more aware of the risks of certain activities before we actually carry them out. As it is said, it is better to be safe than sorry. As for me, I would suggest the following steps be taken at the minimum to safeguard a home machine from being used as a zombie by a hacker –

1. Use licensed software so that the patches and latest security service packs can be downloaded and installed on the machine. Though the license may cost dear, it is better to pay that price than the much higher one you pay once your machine is compromised.

2. Use a standard antivirus solution; there are quite a number of good ones available. Weighing money against safety never gets you the best in the longer run, as safety comes first and money can be earned if you are safe.

3. Ask your technical helpdesk/service person to help you stop all the unnecessary services on the machine you have purchased. For instance, one can always stop services like Alerter and Messenger. One should also disable autoplay for plug-and-play devices, as at times they can be the source of malicious code.

4. Do not install any shareware and/or freeware unless you are well aware of the functionality it is going to add to your machine. Also, beta software is meant for highly skilled professionals and not for the simple end user. Beta software is not a final product and may have more than the expected number of vulnerable points.

5. Ensure that the attachment you are opening is a valid attachment that you are expecting from a reliable source. It is always better to verify the mail sender's address before opening any attachment.

6. Ensure that the link you are clicking on is the right link and would take you to the site it claims to. Also ensure that the sender of the link is the authentic sender and that it is coming from a legitimate email address.

Though these are just a few of the basic steps, home users might also consider and evaluate installing a personal firewall on their machines; but again they need to be sure of the genuineness of the source from which the personal firewall is being downloaded and installed. It is always advisable to use the best, though it might cost a little over a month's supply of cigars.

Mayank Trivedi


Tuesday, August 21, 2007

Information Security and Governing Structures

Information Security today is governed by Regulations, Standards, Guidelines and Industry Best Practices. They provide frameworks, methodologies and approaches for attaining Information Security baselines. Compliance with any of them means only meeting these baselines, but there is more to be done over and above compliance. Achieving compliance is something that holds importance with the industry, but more important is the management of sustenance, with increasing maturity of the Information Security Program and of the overall Information Security Posture. A Security Program aimed only at Compliance does not deliver the organizational effectiveness of a program that is driven by Top Management and that precipitates down to the Grass Root Level.


An efficient Information Security Program brings in a paradigm shift in organizational work culture, infusing Business Process Reengineering so that Security Practice is imbibed as the core of Business Operations.


Mayank Trivedi


Wednesday, August 1, 2007

PCI-DSS - Simplified Approach

PCI-DSS compliance can be achieved by effectively and efficiently mapping its control requirements onto either the ISO 27001 or the COBIT framework, both of which are already established and accepted across the world and across industry segments.

But whatever framework we follow for PCI-DSS compliance, the following steps must be followed in order to ensure that compliance is being targeted under the right category, viz. Merchant or Service Provider, and at the right level (Level 4 through 1 for merchants and Level 3 through 1 for service providers).

1. Identify the category - Payment gateways, processors and call centers/BPOs fall under the Service Provider category, whereas the Merchant category, as the name clearly sets out, covers the endpoints where the customer transactions take place.

2. Identify the level applicable for the organization -

  • For Merchants - Level 4 to Level 1:

    ◦ Level 4 is for any merchant processing less than 20,000 e-commerce transactions per year, and all other merchants processing up to 1,000,000 transactions per year.

    ◦ Level 3 is for the merchants processing 20,000 to 1,000,000 e-commerce transactions per year.

    ◦ Level 2 is for the merchants processing 1,000,000 to 6,000,000 transactions per year.

    ◦ Level 1 is for the merchants, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.

    (There is one catch for merchants when selecting the level, irrespective of the size of operations: any merchant that has suffered a breach resulting in an account data compromise is also treated as Level 1. Moreover, for Level 1, the transaction limit as defined could be a composite count of transactions across all the card brands forming the PCI Council, or could be for a single brand.)

  • For Service Providers – Level 3 to Level 1:

    ◦ Level 3 is for any service provider that stores, processes, or transmits less than 1,000,000 accounts/transactions annually.

    ◦ Level 2 is for any service provider that stores, processes, or transmits more than 1,000,000 accounts/transactions annually.

    ◦ Level 1 is for all payment gateways and processors (member or non-member of any of the credit/debit card networks).

3. Establish the Validation Action required for each level –

| Level | Validation Action (For Merchants) | Validated By |
|---|---|---|
| 1 | Annual On-site PCI Data Security Assessment | Qualified Security Assessor, or Internal Audit if signed by an Officer of the company |
| 1 | Quarterly Network Scan | Approved Scanning Vendor |
| 2 | Annual PCI Self-Assessment Questionnaire | Merchant |
| 2 | Quarterly Network Scan | Approved Scanning Vendor |
| 3 | Annual PCI Self-Assessment Questionnaire | Merchant |
| 3 | Quarterly Network Scan | Approved Scanning Vendor |
| 4* | Annual PCI Self-Assessment Questionnaire | Merchant |
| 4* | Quarterly Network Scan | Approved Scanning Vendor |

*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 merchants.

| Level | Validation Action (For Service Providers) | Validated By |
|---|---|---|
| 1 | Annual On-Site PCI Data Security Assessment | Qualified Security Assessor |
| 1 | Quarterly Network Scan | Approved Scanning Vendor |
| 2 | Annual On-Site PCI Data Security Assessment | Qualified Security Assessor |
| 2 | Quarterly Network Scan | Approved Scanning Vendor |
| 3 | Annual PCI Self-Assessment Questionnaire | Service Provider |
| 3 | Quarterly Network Scan | Approved Scanning Vendor |

4. Download the Self-Assessment Questionnaire from https://www.pcisecuritystandards.org/tech/supporting_documents.htm for a quick self-assessment of the current scenario; alternatively the organization may hire a service provider/consultant to do the same. Other self-audit resources are available from SANS, IT Security Magazine, and individual bloggers.

5. Identify the approach to take in order to fix the issues identified on the first run of the Self-Assessment Questionnaire. One thing that needs to be made clear is that the steps taken from here onwards must also be compliant with the other certifications relevant for the merchant/service provider. It is hence recommended to use either ISO 27001 or COBIT as the base framework.

6. Have all the relevant documentation in place including the Information Security Policy, Procedures, Processes and the respective records as evidence of compliance.

7. Select the QSA/ASV from the approved list as available on https://www.pcisecuritystandards.org/resources/index.htm
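The level determination and validation lookup from steps 1 to 3 above, as an added example that is not from the post or from the PCI Council: it encodes the thresholds and the two tables in Python. The function names, the treatment of the transaction count as a composite already summed across card brands, and the handling of the exact 1,000,000 boundary for service providers are my assumptions.

```python
# Added example: PCI-DSS level classification from steps 1-3 of the post.
# Not official PCI SSC tooling; function names are assumptions.

MERCHANT_VALIDATION = {
    1: [("Annual On-site PCI Data Security Assessment",
         "Qualified Security Assessor or Internal Audit if signed by Officer of the company"),
        ("Quarterly Network Scan", "Approved Scanning Vendor")],
    2: [("Annual PCI Self-Assessment Questionnaire", "Merchant"),
        ("Quarterly Network Scan", "Approved Scanning Vendor")],
}
MERCHANT_VALIDATION[3] = MERCHANT_VALIDATION[2]
MERCHANT_VALIDATION[4] = MERCHANT_VALIDATION[2]  # acquirer may also demand the reports

SERVICE_PROVIDER_VALIDATION = {
    1: [("Annual On-Site PCI Data Security Assessment", "Qualified Security Assessor"),
        ("Quarterly Network Scan", "Approved Scanning Vendor")],
    3: [("Annual PCI Self-Assessment Questionnaire", "Service Provider"),
        ("Quarterly Network Scan", "Approved Scanning Vendor")],
}
SERVICE_PROVIDER_VALIDATION[2] = SERVICE_PROVIDER_VALIDATION[1]


def merchant_level(ecommerce_txns, total_txns, breached=False):
    """Return the merchant level (4..1) from annual transaction counts.

    total_txns is assumed to be the composite count across all card brands;
    ecommerce_txns is the subset done over e-commerce channels. A prior
    account-data compromise forces Level 1 regardless of volume.
    """
    if ecommerce_txns > total_txns:
        raise ValueError("e-commerce transactions cannot exceed the total")
    if breached or total_txns > 6_000_000:
        return 1
    if total_txns > 1_000_000:
        return 2
    if ecommerce_txns >= 20_000:
        return 3
    return 4


def service_provider_level(accounts, gateway_or_processor=False):
    """Return the service provider level (3..1) from annual accounts handled."""
    if gateway_or_processor:
        return 1
    return 2 if accounts > 1_000_000 else 3  # assumption: exactly 1,000,000 is Level 3


def validation_actions(category, level):
    """Map (category, level) to its list of (action, validated_by) pairs."""
    table = {"merchant": MERCHANT_VALIDATION,
             "service provider": SERVICE_PROVIDER_VALIDATION}[category]
    return table[level]
```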

Once the audit has been conducted by the QSA/ASV, the report is submitted to the PCI Council along with the required recommendations, but that is not the end of the road. The journey of compliance with PCI-DSS has just begun, and it is a never-ending journey. There may be road-blocks, but there is NO dead end.

Mayank Trivedi

PCI-DSS Challenges and Considerations

With PCI-DSS fast approaching its deadline for compliance adherence, most organizations are getting their act together to meet the compliance requirements. But therein lies the challenge of finding the right approach. The consultants/implementers/maintainers are often dithering about which approach to take in this area. Various vendors are pitching their products and many are claiming to achieve compliance through technical deployments alone. But the following questions remain with us -

  • Will technological deployment alone achieve the results required and desired?
  • Will it not be a piecemeal approach to plug each issue with whatever we see as the right product for each of the areas stated above?
  • Will we be able to integrate these distinct products and technologies together to achieve the required output?
  • What effect would changes in the architecture and infrastructure have on the other compliances, such as ISO 27001, SOX etc.?

There are many other such questions that will always be hovering in our minds for us to answer and act upon. However, whatever the approach, the steps to PCI-DSS compliance must focus on the following –

  • Highly Sensitive Payment Card Information stored in business databases
  • Identification of all systems within the organization where Payment Card Information is stored
  • Legacy systems not supporting the PCI DSS requirements for encryption
  • Access to payment card information by a large number of business users
  • Log Management and Monitoring
  • Data Classification and Handling
  • Access Management on various systems and devices
  • Information Security Policies and Procedures
  • Periodic vulnerability assessment and penetration testing
  • Segregation of Duties among Production, Development and Testing Teams

Mayank Trivedi