NSP-BHDC2010-MaryLandesman.mp3

Whether you’re going or not, Rob McMillan over at IDG has done a good job of summarizing some of the key stories you should be watching come out  of Vegas this week.  I should be able to get interviews with at least a few of the people giving these talks, so keep an eye out here and the podcast page for this year’s series of microcasts.  Or if you hate those, you might just want to unsubscribe until next week.  In fact, if you don’t want to hear about the events going on in Vegas this week, you just might want to stop reading most security blogs, Twitter, Facebook, blogs and most other social media outlets security folks use for a little while. 

Following the twitter stream, it’s easy to see that there are a lot of security professionals eager to get to Las Vegas, meet with old friends, make new ones and get the party started.  And the parties really are an integral part of the the whole experience.  If nothing else, try making it to the IOActive Freakshow Saturday night; if last year is any example of what they have planned for this year, it’ll be worth it if only so you can say you saw it.  Just be careful how much you drink and what you say, you don’t want to be this year’s example of someone who ignored that cardinal rule.

So much for seeing eight hours of sleep a night for at least a week.

We also spend a little time talking about how we handle our connectivity and security while at Black Hat and Defcon, which happen to be next week.

Network Security Podcast, Episode 206, July 20, 2010
Time: 42:38

Show Notes:s

• Millions of Home Routers Vulnerable to Web Attack.
• Visa issues guidance on tokenization.
• Visa pushes acquiring banks to stop forcing merchants to store credit card numbers.
• Wikileaks founder skips HOPE conference to avoid feds.
• NPR story on shortage of US cyberwarriors.
• Alex Hutton proposes Evidence Based Risk Management for security.
• Tonight’s Music:  Brian Bergeron and the Late Greats with Avalanche
  

I believe that the Visa best practice papers for tokenization and truncation are just like the PCI standards themselves; they’re a good place to start your journey, but these requirements aren’t enough to build your entire security stance from.  It’s up to you to continue from here to determine how the particular technologies are going to impact and secure your environment.  I think the difference between providing guidance and issuing edicts is something we’ll be talking about next Sunday at Defcon, so this is good timing.

I agree with many of Adrian’s criticisms, including that Visa could have just given more specific guidance overall.  But I also understand Visa’s need to keep the guidance vague enough so as not to provide undue direction to what is basically a fledgling market space.   Which is exactly where I see the tie in with Josh Corman’s primary argument about the PCI Council; intentionally or not, they are steering the security market space through the PCI standards.  Visa could be a force for good in the tokenization and truncation markets if they predict correctly and back solutions that are for the best over the long term.  Or they could be seen as stifling innovation if they issue poor guidance.  Much like the PCI Council.

Earlier today I heard someone make the statement that the majority of companies who are compromised are using encryption in some form, but they still got compromised.  He was reminding me that none of the other silver bullet’s we’ve thought would save us from the bad guys have worked, so use truncation and tokenization, but know they won’t solve all our security issues.  As is so often the case, they’ll just move the attack to other targets and use other vectors.

If you’re part of a merchant organization or somehow dealing with credit card numbers and you’re not considering tokenization or truncation, why not?  Is it lack of time, lack of resources, lack of management backing or something else?  Have these technologies simply not risen to the level where you felt the need to take them seriously?  I’m curious as to why you might not be looking at a technology that could limit the amount of sensitive information on your network.  I’ve talked to a number of merchants over the last year and there’s been plenty of interest in the ideas of tokenization and truncation, but I’ve only seen a few merchants actually making a move towards implementation.

I hope the next guidance we’ll see comes from the PCI Council, giving instructions on how both of these technologies can be used to reduce the scope of a PCI assessment.  What can you take out of scope?  What common mistakes might bring systems back into scope?  What should we be looking for in an implementation?  These are still relatively new technologies, the implementations differ significantly enough that greater direction and care are going to be needed in their assessment and validation.  There are some things that are laid out in the Visa documents, but I think we need to look for more specific guidance from the Council.

Network Security Podcast, Episode 205, July 13, 2010
Time:  44:44

Show Notes:

• Listener Mail
• Interview with Bob Russo
• FBI Raids ‘Electronik Tribulation Army’ Over Witness Intimidation.
• Letter to the client.
• Tonight’s Music:  Missing You by Blue Matters

Here’s a letter of my own with several more points to ponder.

Dear Client,

We’re about to start on an effort of many months of work that both of us hope will culminate in the issuance of a compliant Report on Compliance.  There will be surprises and setbacks along the way, but I’m sure that we can work together to overcome them.  My job is to help assess the security of your cardholder environment and provide you with honest feedback about your compliance with the PCI standards.  Your job is to provide me with the information I need to make that assessment.  Together we will document your environment and show that it is both secure and compliant.

Several things you should know:

1. Securing your data and your network should be the goal and PCI is just a signpost along the way.  Please, please, please don’t make the mistake of thinking once you pass your assessment that you’re secure and you have no more work to do until next year.  PCI is a good starting point for securing your environment, but each company is so unique that there are innumerable holes it leaves open to exploitation.  And the assessment only covers your cardholder data environment: what about the rest of your network?
2. I am judge, but I am not jury nor executioner.  I will make judgment calls on the state of your environment and I may find things I do not believe are compliant.  You may agree or you may think your controls and safeguards are sufficient.  Make your case to me, and if we still don’t agree, we can bring in other QSA’s within my company to review the situation, starting with my manager.  Sometimes they’ll see something I didn’t. 
3. I will never leave you wondering if I found something wrong.   I will always try to let you know at the end of the day, if not at the end of each meeting, if I have any questions or concerns.  It’s in both of our best interests for me to be as transparent as possible.  The sooner you know of an issue, the sooner you can begin investigating and getting it resolved.
4. You are my client and it is my job to help you receive a compliant RoC.  I will give you the best advice I can to help you achieve compliance.  But it is up to you to establish the policies, procedures and controls needed to reach this goal.  If I identify a requirement that is not being met, I will bring it to your attention and help you address the issue in a timely and cost conscious manner.

Clear communication is a good salve for many of the pains an annual PCI assessment brings.  I look forward to learning about your company, your network and your people.  And I hope that the lessons I’ve learned helping dozens of companies become compliant can be used to help you avoid some of the pitfalls and false starts of compliance.

Network Security Podcast, Episode 204, July 6, 2010
Time:  30:28

Show Notes:

• PCI Standards to be updated every 3 years
• US Largely ruling out North Korea in 2009 cyberattacks
• Apple’s app store filled with app farms
• Employees crack Facebook security
• Full Disclosure and no disclosure
• Tonight’s Music:  Missing You by Blue Matters

Network Security Podcast, Episode 203, June 29, 2010
Time: 32:57

Show Notes:

• The National Strategy for Trusted Identities in Cyberspace.
• Sen. Bond says DHS shouldn’t oversee cybersecurity.
• Why the disclosure debate doesn’t matter.
• Disclosure via court.
• Tonight’s music: All India Radio with Endless Night