Oct 13 2015
Leave a comment
Blog Posts

Ending the Tyranny of Expensive Security Tools

My obsession with talking about low-cost security tools all started with an article for TechTarget. It morphed into a session for Interop, then a sponsored webinar (by a vendor, go figure) and finally a longer mega-webinar for Ipspace.net. Maybe it’s because I’ve spent most of my time in the non-profit realm, but I simply hate spending money unnecessarily on products that replicate functionality of something my organization already owns. What follows is an excerpt of a post I wrote for Solarwinds on the topic.

Security tools: sometimes it seems that we never have enough to keep up with the task of protecting the enterprise. Or, at least it seems that way when walking the exhibit floor at most technology conferences. There’s a veritable smorgasbord of tools available, and you could easily spend your entire day looking for the perfect solution for every problem.

But, the truth is, IT teams at most organizations simply don’t have the budget or resources to implement dedicated security tools to meet every need and technical requirement. They’re too busy struggling with Cloud migrations, SaaS deployments, network upgrades, and essentially “keeping the lights on.”

Have you ever actually counted all the security tools your organization already owns? In addition to the licensing and support costs, every new product requires something most IT environments are in short supply of these days—time.

Optimism fades quickly when you’re confronted by the amount of time and effort required to implement and maintain a security tool in most organizations. As a result, these products end up either barely functional or as shelfware, leaving you to wonder if it’s possible to own too many tools.

There has to be a better way.

Maybe it’s time to stop the buying spree and consider whether you really need to implement another security tool. The fear, uncertainty, and doubt (FUD) that drives the need to increase the budget for improving IT security works for only so long. At some point, the enterprise will demand tangible results for the money spent.

Try a little experiment. Pretend that you don’t have any budget for security tools.  You might discover that your organization already owns plenty of products with functionality that can be used for security purposes.

You can read the rest of my rant here.

Tagged , , ,
Oct 01 2015
Leave a comment
Blog Posts, Security Resources

Security Training for Cheapskates

During a recent webinar I gave, someone asked how soon I would be doing another one. I was flattered, but responded that because of a full-time job as an architect, my time was limited. “Besides,” I said, “you don’t need to wait for me, there’s plenty of free or inexpensive security training available online.”

Security professionals love to share and show off what they’ve learned. Some of us crave the warm fuzzy of helping our colleagues, while others do it to demonstrate their wicked skills or build their resume. Regardless of the motivation, that means there’s always abundant content to help you learn and grow.

Here’s a list of useful sites that I’ll try to keep updated. If you know of others and would like to contribute or if you think the training is outdated or bad, please let me know and I’ll adjust the list accordingly.

Securitytube.net – a project of security researcher, Vivek Ramachandran.

Hak5.org – Online security show produced by Darren Kitchen (of Pineapple WiFi router fame) and a collection of nerds who demo security tools and hacks. Includes Metasploit Minute with the awesome @Mubix.

OWASP – The Open Web Application Security Project has lots of “how to” guides and videos.

Offensive Security’s Vimeo Channel

Metasploit Unleased, Made for Hackers for Charity, an ethical hacking course provided free of charge to the InfoSec community in an effort to raise funds and awareness for underprivileged children in East Africa.

Georgia Weidman:Bulb Security – creator of the Smartphone Pentest Framework, researcher and author of Penetration Testing: A Hands-on Introduction to Hacking. She offers inexpensive online training in pentesting.

Adrian Crenshaw’s site, Irongeek, with conference and training videos.

Official BlackHat Conference Youtube Channel 

Defcon Youtube Channel 

Chaos Communication Congress videos

OpenSecurityTraining.info – CreativeCommons licensed security training site

Cyber Kung Fu for the Eight (8) Domains of CISSP – Training videos from Larry Greenblatt, a CISSP training guru.

Pentester Academy – video training site available for monthly or yearly subscription fee. Some free content.

Pentester Lab – Free online pentesting courses with practice images.

Penetration Testing Practice Lab – A mindmap of available vulnerable applications and systems practicing pentesting.

ENISA(European Union Agency for Network and Information Security) incident handling training

Carnegie Mellon University Software Engineering Institute (SEI) training – low-cost security training from a research, development and training center involved in computer software and network security.

Cybrary – free online IT and security training that grew out of a Kickstarter project.

Udemy, Coursera, edX and many universities offer MOOCs in computer science and information security. You can get a list from MOOC-Online.

Tagged , , , ,
Sep 19 2015
Leave a comment
Blog Posts

Security Vs. Virtualization

Recently, I wrote an article for Network Computing about the challenges of achieving visibility in the virtualized data center.

Security professionals crave data. Application logs, packet captures, audit trails; we’re vampiric in our need for information about what’s occurring in our organizations. Seeking omniscience, we believe that more data will help us detect intrusions, feeding the inner control freak that still believes prevention is within our grasp. We want to see it all, but the ugly reality is that most of us fight the feeling that we’re flying blind.

In the past, we begged for SPAN ports from the network team, frustrated with packet loss. Then we bought expensive security appliances that used prevention techniques and promised line-rate performance, but were often disappointed when they didn’t “fail open,” creating additional points of failure and impacting our credibility with infrastructure teams.

So we upgraded to taps and network packet brokers, hoping this would offer increased flexibility and insight for our security tools while easing fears of unplanned outages. We even created full network visibility layers in the infrastructure, thinking we were finally ahead of the game.

Then we came face-to-face with the nemesis of visibility: virtualization. It became clear that security architecture would need to evolve in order to keep up.

You can read and comment on the rest of the article here.

Tagged , , , , , , ,
Sep 17 2015
Leave a comment
Blog Posts

Is Your Security Architecture Default-Open or Default-Closed?

One of the most significant failures I see in organizations is an essential misalignment between Operations and Security over the default network state. Is it default-open or default-closed? And I’m talking about more than the configuration of fail-open or fail-closed on your security controls.

Every organization must make a philosophical choice regarding its default security state and the risk it’s willing to accept. For example, you may want to take a draconian approach, i.e. shooting first, asking questions later. This means you generally validate an event as benign before resuming normal operations after receiving notification of an incident.

But what if the security control detecting the incident negatively impacts operations through enforcement? If your business uptime is too critical to risk unnecessary outages, you may decide to continue operating until a determination is made that an event is actually malicious.

Both choices can be valid, depending upon your risk appetite. But you must make a choice, socializing that decision within your organization. Otherwise, you’re left with confusion and conflict over how to proceed during an incident.

baby_meme

Tagged , , , , ,
Sep 11 2015
11 Comments
Blog Posts, Security Resources

Malware Analysis and Incident Response Tools for the Frugal and Lazy

I confess: I covet and hoard security tools. But I’m also frugal and impatient, so often look for something free and/or quick. And yes, that frequently means using an online, hosted service. Before the security-purists get their panties in a wad, I’d like to offer this disclaimer: you may mock me for taking shortcuts, but it’s not always about having the best tool, but the one that gets the job done.

Here’s a list that I frequently update. You’ll notice that sometimes I have the same tool in more than one section, but this is because it has multiple functions. If you know of others and would like to contribute or if you think the tool is outdated or bad, please let me know and I’ll adjust the list accordingly.

Many thanks to @grecs for his additions and helping me to organize it. Also to Lenny Zeltzer, author of the REMnux malware analysis and reverse engineering distro, who I’ve borrowed shamelessly from. You’ll find many of these tools and others on his own lists, so I encourage you to check his posts on this topic as well.

Online Network Analysis Tools

Network-Tools.com offers several online services, including domain lookup, IP lookup, whois, traceroute, URL decode/encode, HTTP headers and SPAM blocking list.

Robtex Swiss Army Knife Internet Tool

CentralOps Online Network tools offers domain and other advanced internet utilities from a web interface.

Shadowserver Whois and DNS lookups check ASN and BGP information. To utilize this service, you need to run whois against the Shadowserver whois system or DNS queries against their DNS system.

Netcraft provides passive reconnaissance information about a web site using an online analysis tool or with a browser extension.

Online Malware Sandboxes & Analysis Tools

Malwr: Malware analysis service based on Cuckoo sandbox.

Comodo Instant Malware Analysis and file analysis with report.

Eureka! is an automated malware analysis service that uses a binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.

Joe Sandbox Document Analyzer checks PDF, DOC, PPT, XLS, DOCX, PPTX, XLSX, RTF files for malware.

Joe Sandbox File Analyzer checks behavior of potentially malicious executables.

Joe Sandbox URL Analyzer checks behavior of possibly malicious web sites.

ThreatTrack Security Public Malware Sandbox performs behavioral analysis on potential malware in a public sandbox.

XecScan Rapid APT Identification Service provides analysis of unknown files or suspicious documents. (hash search too)

adopstools scans Flash files, local or remote.

ThreatExpert is an automated threat analysis system designed to analyze and report the behavior of potential malware.

Comodo Valkyrie: A file verdict system. Different from traditional signature based malware detection techniques, Valkyries conducts several analyses using run-time behavior.

EUREKA Malware Analysis Internet Service

MalwareViz: Malware Visualizer displays the actions of a bad file by generating an image. More information can be found by simply clicking on different parts of the picture.

Payload Security: Submit PE or PDF/Office files for analysis with VxStream Sandbox.

VisualThreat (Android files) Mobile App Threat Reputation Report

totalhash: Malware analysis database.

Deepviz Malware Analyzer

MASTIFF Online, a free web service offered by KoreLogic Inc. as an extension of the MASTIFF static analysis framework.

Online File, URL, or System Scanning Tools

VirusTotal analyzes files and URLs enabling the identification of malicious content detected by antivirus engines and website scanners. See below for hash searching as well.

OPSWAT’s Metascan Online scans a file, hash or IP address for malware

Jotti enables users to scan suspicious files with several antivirus programs. See below for hash searching as well.

URLVoid allows users to scan a website address with multiple website reputation engines and domain blacklists to detect potentially dangerous websites.

IPVoid, brought to you by the same people as URLVoid, scans an IP address using multiple DNS-based blacklists to facilitate the detection of IP addresses involved in spamming activities.

Comodo Web Inspector checks a URL for malware.

Malware URL checks websites and IP addresses against known malware lists. See below for domain and IP block lists.

ESET provides an online antivirus scanning service for scanning your local system.

ThreatExpert Memory Scanner is a prototype product that provides a “post-mortem” diagnostic to detect a range of high-profile threats that may be active in different regions of a computer’s memory.

Composite Block List can check an IP to see if it’s on multiple block lists and it will tell you if blocked, then who blocked it or why.

AVG LinkScanner Drop Zone: Analyzes the URL in real time for reputation.

BrightCloud URL/IP Lookup: Presents historical reputation data about the website

Web Inspector: Examines the URL in real-time.

Cisco SenderBase: Presents historical reputation data about the website

Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists

Norton Safe Web: Presents historical reputation data about the website

PhishTank: Looks up the URL in its database of known phishing websites

Malware Domain List: Looks up recently-reported malicious websites

MalwareURL: Looks up the URL in its historical list of malicious websites

McAfee TrustedSource: Presents historical reputation data about the website

MxToolbox: Queries multiple reputational sources for information about the IP or domain

Quttera ThreatSign: Scans the specified URL for the presence of malware

Reputation Authority: Shows reputation data on specified domain or IP address

Sucuri Site Check: Website and malware security scanner

Trend Micro Web Reputation: Presents historical reputation data about the website

Unmask Parasites: Looks up the URL in the Google Safe Browsing database. Checks for websites that are hacked and infected.

URL Blacklist: Looks up the URL in its database of suspicious sites

URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content

vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists

urlQuery: a service for detecting and analyzing web-based malware.

Analyzing Malicious Documents Cheat Sheet: An excellent guide from Lenny Zeltser, who is a digital forensics expert and malware analysis trainer for SANS.

Qualys FreeScan is a free vulnerability scanner and network security tool for business networks. FreeScan is limited to ten (10) unique security scans of Internet accessible assets.

Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

Hash Searches

VirusTotal allows users to perform term searches, including on MD5 hashes, based on submitted samples.

Jotti allows MD5 and SHA1 hash searches based on submitted samples.

Malware Hash Registry by Team Cymru offers a MD5 or SHA-1 hash lookup service for known malware via several interfaces, including Whois, DNS, HTTP, HTTPS, a Firefox add-on or the WinMHR application.

Domain & IP Reputation Lists

Malware Patrol provides block lists of malicious URLs, which can be used for anti-spam, anti-virus and web proxy systems.

Cisco SenderBase Reputation data about a domain, IP or network owner

Malware Domains offers domain block lists for DNS sinkholes.

Malware URL not only allows checking of websites and IP addresses against known malware lists as described above but also provides their database for import into local proxies.

ZeuS Tracker provides domain and IP block lists related to ZeuS.

Fortiguard Threat Research and Response can check an IP or URL’s reputation and content filtering category.

CLEAN-MX Realtime Database: Free; XML output available.

CYMRU Bogon List A bogon prefix is a route that should never appear in the Internet routing table. These are commonly found as the source addresses of DDoS attacks.

DShield Highly Predictive Blacklist: Free but registration required.

Google Safe Browsing API:  programmatic access; restrictions apply

hpHosts File:  limited automation on request.

Malc0de Database

MalwareDomainList.com Hosts List

OpenPhish: Phishing sites; free for non-commercial use

PhishTank Phish Archive: Free query database via API

ISITPHISHING is a free service from Vade Retro Technology that tests URLs, brand names or subnets using an automatic website exploration engine which, based on the community feeds & data, qualifies the phishing content websites.

Project Honey Pot’s Directory of Malicious IPs: Free, but registration required to view more than 25 IPs

Scumware.org

Shadowserver IP and URL Reports: Free, but registration and approval required

SRI Threat Intelligence Lists: Free, but re-distribution prohibited

ThreatStop: Paid, but free trial available

URL Blacklist: Commercial, but first download free

Additional tools for checking URLs, files, IP address lists for the appearance on a malware, or reputation/block list of some kind.

Malware Analysis and Malicious IP search are two custom Google searches created by Alexander Hanel. Malware Analysis searches over 155 URLS related to malware analysis, AV reports, and reverse engineering. Malicious IP searches CBL, projecthoneypot, team-cymru, shadowserver, scumware, and centralops.

Vulnerability Search is another custom Google search created by Corey Harrell (of Journey into Incident Response Blog). It searches specific websites related to software vulnerabilities and exploits, such as 1337day, Packetstorm Security, Full Disclosure, and others.

Cymon Open tracker of malware, phishing, botnets, spam, and more

Scumware.org in addition to IP and domain reputation, also searches for malware hashes. You’ll have to deal with a captcha though.

ISC Tools checks domain and IP information. It also aggregates blackhole/bogon/malware feeds and has links to many other tools as well.

Malc0de performs IP checks and offers other information.

OpenMalware: A database of malware.

Other Team Cymru Community Services  Darknet Project, IP to ASN Mapping, and Totalhash Malware Analysis.

viCheck.CA provides tools for searching their malware hash registry, decoding various file formats, parsing email headers, performing IP/Domain Whois lookups, and analyzing files for potential malware.

AlienVault Reputation Monitoring is a free service that allows users to receive alerts of when domains or IPs become compromised.

Web of Trust: Presents historical reputation data about the website; community-driven. Firefox add-on.

Shodan: a search engine that lets users find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters.

Punkspider: a global web application vulnerability search engine.

Email tools

MX Toolbox  MX record monitoring, DNS health, blacklist and SMTP diagnostics in one integrated tool.

Threat Intelligence and Other Miscellaneous Tools

ThreatPinch Lookup Creates informational tooltips when hovering oven an item of interest on any website. It helps speed up security investigations by automatically providing relevant information upon hovering over any IPv4 address, MD5 hash, SHA2 hash, and CVE title. It’s designed to be completely customizable and work with any rest API. Chrome and Firefox extensions.

ThreatConnect: Free and commercial options.

Censys: A search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.

RiskIQ Community Edition: comprehensive internet data to hunt for digital threats.

Threatminer Data mining for threat intelligence.

IBM X-Force Exchange  a threat intelligence sharing platform that you can use to research security threats, to aggregate intelligence, and to collaborate with peers.

Recorded Future: Free email of trending threat indicators.

Shadowserver has lots of threat intelligence, not just reputation lists.

The Exploit Database: From Offensive Security, the folks who gave us Kali Linux, the ultimate archive of Exploits, Shellcode, and Security Papers.

Google Hacking Database: Search the database or browse GHDB categories.

Privacy Rights Clearinghouse: Data breach database.

Breach Level Index: Data breach database.

AWStats: Free real-time log analyzer

AlienVault Open Threat Exchange

REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware: a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software.

Detection Lab: collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices.

SIFT Workstation: a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

Security Onion: free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Kali Linux: Penetration testing and security auditing Linux distribution.

Pentoo: a security-focused livecd based on Gentoo

Tails:live operating system with a focus on preserving privacy and anonymity.

Parrot: Free and open source GNU/Linux distribution designed for security experts, developers and privacy aware people.

Tagged , , , , , ,
Sep 05 2015
1 Comment
Blog Posts

The VAR Quagmire

The topic of the Value Added Reseller (VAR) can elicit powerful emotions among information technology professionals. Some people find them to be valuable partners, others consider them parasites on the buttocks of humanity. Love them or hate them (I have felt both, sometimes for the same reseller), they are a fact of life in this industry.

Right now I’m feeling a little bitter about the whole construct, mostly because of a recent difficulty I had trying to obtain price quotes for an IDS refresh. As many do, I work for an organization that requires competitive bids for large purchases. Personally, I don’t have a problem with this requirement, because I would bargain with the Dalai Lama himself over a pint of yak milk if I thought I could get a better price. And I don’t even like Yak milk. I can’t really help myself, it’s the thrill of the hunt for me. But I recently struggled to obtain price quotes on the product in question because of the way the reselling process works.

Luckily, I’m acquainted with a former sales rep who explained the VAR rules to me. The whole thing left me pretty frustrated with the current system, wondering how anyone ever manages to work for a VAR without hanging themselves with an Ethernet cable. I’ve decided to include portions of what he told me below.

Today, deal registration is the key status a reseller company secures to achieve for a particular opportunity at a particular enterprise.  In order to obtain a “deal registration”, the reseller must bring a technology requirement and
revenue opportunity to the manufacturers attention which was previously nonexistent.  If the manufacturer has existing knowledge of the technology opportunity, which is often the case, the manufacturer will either award the deal registration to a preferred reseller, or allow no deal registration whatsoever.

So “deal registration” offers a competitive advantage, translating to:

 …8 to 10 additional percentage points from the standing partner discount,creating a price disparity “advantage” versus all other aspiring resellers, or in another model, deal registration reduces the discount extended to all of the aspiring resellers except the awarded, registered reseller, creating a price disparity “advantage” because the non-registered aspiring reseller costs are higher by comparison to the costs the registered.

Okay, this explains why obtaining a price quote from a VAR is difficult when they aren’t the incumbent.

In the absence of a deal registration, the lowest cost to a reseller is based on the tiered status of their partnership with the manufacturer. Silver partner, gold partner and platinum partner are examples of some of the designations often used to describe these tiers, with each ascending “rung on the ladder” providing a more advantageous reseller costs for the manufacturer’s products and services, for example, silver partnership tier might produce 25% off list price, gold at 30% off list price, platinum at 35% off list price, etc.)

If I am to unseat an incumbent reseller, I must have been awarded a “deal registration” by the manufacturer being considered.  If not, I am relegated to the role of providing the second or third quotation, really just a formality or courtesy to procurement departments who require multiple quotations in order to award a P.O.  Purchasing then awards to the “winning” bid, which, of course, will be the “registered” reseller 100% of the time.

What a racket. My take: The vendor has created an ecosystem which is a right old mess and they’re the only ones who come out on top.

Aug 25 2015
1 Comment
Blog Posts

A Cautionary Security Tale

Early this morning a Facebook acquaintance, henceforth known as “S,” reached out to me with an interesting problem. Some time ago, she bought a laptop from a liquidation auction at Living Social. When she finally got around to booting it up, she discovered something concerning. What follows is our conversation:

S: Hey there! have a tech question for you….I bought a laptop from an auction at Living Social a couple of months ago. Said laptop was supposed to have been wiped clean, but it wasn’t (requires the former users password). Tried calling/emailing Living social, but they’ve been completely non responsive. How can I reboot it?

Mrs. Y: that’s quite frightening, that someone’s personal data is on a laptop that was resold. I can try reaching out to contacts at Living Social, but probably won’t get you much. Was it supposed to come with an operating system already installed?

S: When it boots up it MS7 Enterprise. It’s not supposed to come with an operating system.

Mrs. Y: Yikes. Okay, I would just reinstall, unless you want me to break into it and figure out which organization or individual was silly enough to give an unwiped laptop over to an auction. If it’s MS 7 enterprise, I’m betting that it was an organization and it might have confidential data on it. FYI this is every security professional’s nightmare

S: it was Living Social. They were liquidating from their 9th street office. That’s why I tried reaching out to them. Thought it made sense to let them know and I could bring it back to them so they could wipe it.

Mrs. Y: (Where I finally realize that the laptop formerly BELONGED to Living Social, not simply being resold by them.) holy crap!

hahahhahhaha

OMG

that’s friggin’ hysterical

Mrs. Y: You are so honest. Most would have already broken into it. I can reach out to contacts, but you can probably wipe. I mean, that’s probably the safest thing for you to do. Honestly, they probably won’t have time to deal with it or care since they’re downsizing. They won’t have the staff to deal with it. Worst part is that it doesn’t seem to be encrypted.

S: If you want to break into it, I’m fine with that! I feel I did my due diligence in alerting them.

Mrs. Y: (Yielding to my better nature) I reached out to them via Twitter. BTW, is there anything that identifies the system as previously having belonged to Living Social? An asset tag or branding when the OS boots up? Feel free to send me screenshots.

living_social_2living_social_invoice
Mrs. Y: #FACEPALM. I’m horrified.
S: I’m so annoyed. But I also wondered how many other units weren’t wiped.
Mrs. Y: You’re trying to do the right thing by letting them know.

 Moral of the story: Make sure your organization has a disposal policy and procedure. Here endeth the lesson.
Tagged ,
Aug 22 2015
Leave a comment
Blog Posts

OPM Hack: What We Can Learn

I frequently write for actual publications and my latest article is an analysis of the OPM breach. What I hope makes mine different is that I tried to avoid the schadenfreude so common in the industry and focus on what we could all learn and correct in our own organizations.

From TechTarget SearchNetworking

When Office of Personnel Management (OPM) Director Katherine Archuleta gave her cringe-worthy testimony before Congress earlier this summer, it felt like a nightmare from the IT collective unconscious. A series of embarrassing appearances revealed she didn’t seem to know essential details of the OPM hack or understand the problems that allowed OPM to be compromised twice in one year. Her resignation seemed a forgone conclusion and a relief for the .GOV crowd.

So what went wrong?

It would be a mistake to categorize the compromise as simply a failure in OPM’s security strategy, because the agency’s entire information technology program was a management catastrophe — a guidebook in what not to do. In watching testimony and reading reports from the Office of the Inspector General (OIG), it isn’t only the security failures that stand out, but clueless leadership that flunked at basic strategy and risk management. This kind of negligence is all too familiar to those of us with any tenure in IT. Reading those OIG reports feels like déjà vu, because they could be about almost any enterprise.

Full article continued here.

Tagged , , ,
Aug 12 2015
Leave a comment
Blog Posts

PCI Purgatory*

*Updated: Now with Extra Snark!

Let me clarify, I’m not a QSA, ISA or any other type of SA**. But as the senior architect for a security team, I’m usually expected to have the last word on technical implementations. Like many, I’ve been stuck in PCI purgatory since the release of the 3.0 standard. New requirements to interpret, countless discussions with the QSA and the acquirer, arguments with the rest of the organization who barely understand payments and think they get to have an opinion: it makes me want to shred all my own credit cards. In addition to the scoping changes with ecommerce, the Service Provider definition was modified.

Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
Okay, I admit it, I didn’t pay much attention to this. It didn’t really seem that different. But the devil is in the nuanced PCI details. We recently engaged a contractor who performs third-party security for my organization. He was new to PCI DSS and we wanted to modify our TSP questionnaire to capture PCI DSS status if the partner was capturing payment card data for us and interacting with our payment processor on our behalf, using our merchant ID. He actually READ the new standard, pointing out that these entities were now considered service providers and to my horror, I discovered he was correct. I also realized that EVERYONE seems to be freaking out over this, most getting it completely wrong.

If there was even one iota of doubt left in my mind, this section from the PCI DSS Information Supplement: Third Party Security Assurance resolved it:

Examples of ThirdParty Service Providers

Below are examples of types of services and providers with which an entity may work:

  • Organizations involved in the storage, processing, and/or transmission of cardholder data (CHD). Third-party service providers in this category may include:
    • Call centers
    •  E-commerce payment providers
    •  Organizations that process payments on behalf of the entity, such as a partner or reseller
    • Fraud verification services, credit reporting services, collection agencies
    • Third-party processors
    • Entities offering processing-gateway services
  • Organizations involved in securing cardholder data. TPSPs in this category may include:
    • Companies providing secure destruction of electronic and physical media
    • Secure storage facilities for electronic and physical media
    • Companies that transform cardholder data with tokenization or encryption
    • E-commerce or mobile-application third parties that provide software as a service
    • Key-management providers such as key-injection services or encryption-support organizations (ESO)
  •  Organizations involved in the protection of the cardholder data environment (CDE). TPSPs in this category may include:
    • Infrastructure service providers
    • Managed firewall/router providers
    • Secure data-center hosting providers
    • Monitoring services for critical security alerts such as intrusion-detection systems (IDS), anti- virus, change-detection, compliance monitoring, audit-log monitoring, etc.
  • Organizations that may have incidental access to CHD or the CDE. Incidental access is access that may happen as a consequence of the activity or job. TPSPs in this category may include:
    • Providers of managed IT delivery channels and services
    • Companies providing software development, such as web applications
    • Providers of maintenance services

So stop arguing with reality (and me). Oh and for the record, I don’t care what you, your mom, your dry cleaner, or another merchant thinks about PCI. I love those people who spend 30 minutes going through the standard and think they understand it because they’ve read the words. As most of us know who’ve worked with PCI for any amount of time, it’s a bit like pornography. Everyone has a different definition. As far as security and compliance teams are concerned, the only opinions that matter come from the acquirer, the QSA and the organization’s ISA. Moreover, a security team for an organization usually has thousands of hours of combined experienced in PCI DSS. A non-practitioner offering us “suggestions” is the equivalent of someone offering Misty Copeland advice about her grand jetes after taking one ballet class.

**Qualified Security Assessor, Internal Security Assessor

Tagged , , ,
Aug 08 2015
Leave a comment
Blog Posts

No More Mrs. Nice Guy

Time To Reclaim My Bitch Status.

I’m exhausted. I’m tired of working in a field that’s become a veritable wasteland for women. And while everyone seems to be discussing the absence of women in STEM fields, it’s really “a tale told by an idiot, full of sound and fury, signifying nothing.”

I also know that even the men who care about this issue are on empathy overload. So where’s the disconnect? Why are we still stuck at the beginning of the conversation?

I think it’s because women have become classic enablers in a dysfunctional situation. Instead of standing our ground and demanding equal, gender-neutral treatment, we feel obligated to play by a different set of rules. We constantly work to gain approval, managing the discomfort of those around us by walking on eggshells, ultimately failing to realize that this behavior keeps us shackled to the past. Is anyone telling men to “Lean in?”

So go ahead and say it. I know you want to. BITCH. I’m not going crumble and run into the ladies room. I’m not going to weep into my monitor. I’ve decided to wear that Bitch Label as a badge of honor. Because as Tina Fey said, “Bitches get stuff done.” So screw Sheryl Sandberg’s polite, Lean-In Army. If that’s what you need to call me in order to feel less threatened,both men and women, then do it. I’m prepared to own it.

Pix Plz from xkcd.com

Tagged , , ,
Older posts
Newer posts