Dec 21, 2009

Heartland to pay Amex $3.6m for massive payment breach

In a recent development, Heartland Payment Systems will pay American Express $3.6m to settle claims related to the criminal breach of its payment processing network last year.

During this security incident, disclosed by Heartland in January 2009 (the intrusion itself took place during 2008), millions of credit card records were stolen by exploiting security vulnerabilities in the company's web sites. Albert Gonzalez, AKA "segvec," "soupnazi" and "j4guar17," used SQL injection techniques to steal the card data. Because SQL injection exploits web application vulnerabilities, firewall protection was not adequate; the attack traffic passes through conventional network firewalls as ordinary web requests. The decade-old technique exploits web applications that fail to adequately scrutinize text that visitors type into search boxes and similar website fields that accept user-supplied input.

The actual cost of this incident could be much higher than the settlement amount, as Heartland also has to account for the reissuing of cards, the settlement of any disputes, and so on.

Now the key is the vulnerabilities in the various systems. How can an organization detect such vulnerabilities when even the assessments by a QSA, an ASV or other parties are not detecting them?

It is important to have Security as an active participant in the software development life cycle. Another option would be to procure applications which are PA-DSS certified.
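As an added illustration of the two points above (the injection technique described in the Heartland post, and making security part of the development life cycle), the following Python example is not from the original post or from Heartland; it contrasts a lookup that concatenates user input into the SQL text with one that binds the input as a parameter, and wraps both in a regression check a development team can run before release. The table name, column names and the sample rows are constructed for the example, and it uses an in-memory SQLite database so it runs offline.

```python
"""Added example: string-built SQL versus a parameterised query, plus a
regression check suitable for a build pipeline. Not code from the post."""
import sqlite3

# Constructed sample data (fake, masked values) for the example table.
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
]


def make_db():
    """Create an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (name TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the caller's text becomes part of the SQL statement,
    so a quote character in the input can change the query's structure."""
    sql = "SELECT name, masked_pan FROM cardholders WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Hardened form: the input is bound as a value. The database engine never
    parses it as SQL, so its content cannot alter the WHERE clause."""
    sql = "SELECT name, masked_pan FROM cardholders WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def injection_regression_test(lookup):
    """Return True when `lookup` behaves safely: exactly one row for a normal
    name, and no rows for an input that would widen the predicate if it were
    spliced into the SQL text. Run this in CI against every lookup function."""
    conn = make_db()
    normal = lookup(conn, "alice")
    # Textbook probe used only to verify the defence: a stray quote plus an
    # always-true OR. A correct implementation treats it as a literal name.
    probe = "x' OR '1'='1"
    crafted = lookup(conn, probe)
    return len(normal) == 1 and normal[0][0] == "alice" and crafted == []


if __name__ == "__main__":
    print("vulnerable passes:", injection_regression_test(lookup_vulnerable))
    print("parameterised passes:", injection_regression_test(lookup_parameterised))
```

The vulnerable version returns every row for the probe input because the predicate collapses to `name = 'x' OR '1'='1'`; the parameterised version returns nothing, which is the behaviour the regression check requires. Putting a check like this into the build is one concrete way for Security to take part in the life cycle rather than relying on a later assessment to catch the flaw.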

Is it still going to save the company? Protect the card holder information? Maybe...

Dec 17, 2009

NIST Updates Automated Computer Security Validation Guidelines


The National Institute of Standards and Technology (NIST) has issued a draft publication for public comment that describes changes to the Security Content Automation Protocol (SCAP). SCAP is a suite of specifications that use the eXtensible Markup Language (XML) to standardize how software products exchange information about software flaws and security configurations.

SP 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 can be found at http://csrc.nist.gov/publications/drafts/800-126-r1/draft-sp800-126r1.pdf. The public comment period runs through Jan. 23, 2010. Comments should be addressed to 800-126comments@nist.gov.


Outsourcing the payment card related activities

Many organizations outsource their work to third parties for meeting their business objectives. The objectives vary from simple low cost labor to risk management practices. Some organizations outsource part of the work while others outsource a major chunk of their work.

In this essay, I will be covering some aspects of outsourcing the payment card related activities. The key focus is on doing a review of what are the areas to be looked into when the payment card related processing is outsourced.

Being an Information Security Manager at a Bank, I would be concerned about the information security practices of the third party. A key area to be looked into is the risk posture of the vendor and how it is aligning the information security best practices.

Does it have ISO 27001 implemented? Is it managed and reviewed periodically? What is the scope of the ISO 27001 implementation? These are some of the questions to be asked to understand whether the vendor is serious about its information security practices.

Coming to the specifics of PCI DSS, section 12.8 of the PCI DSS standard discusses the controls to be implemented when card holder data is shared with service providers.

12.8.1 requires the organization to maintain a list of all service providers and keep it readily available.

12.8.2 requires the organization to have a written agreement with the vendor and also requires that the vendor (service provider) acknowledges the responsibility of securing the card holder data.

This is easily addressed by adding these clauses to the business agreement or security agreement, so that the service provider acknowledges them when it signs the agreement.

12.8.3 is more interesting. It requires the organization to have a formal process for engaging with service providers. This includes ensuring due diligence before engaging the vendor / service provider.

There are many ways of doing this. The best way I would look for is to check the vendor's compliance with PCI DSS. An easy mechanism is to ask for a copy of the PCI DSS compliance certificate issued to the vendor. In addition, one can also check the PCI Security Standards Council website for its list of service providers with an active, good compliance status. In short, it is advisable to ensure that one criterion for vendor selection is PCI DSS compliance and certification.

12.8.4 is for monitoring the service provider's PCI DSS compliance status. The best mechanism is to include legally binding clauses in the business agreement whereby the vendor is required to communicate its PCI DSS status to the organization whenever that status changes, including renewal, failure to comply and so on.

In addition, the organization should periodically check the service provider's status on the PCI Security Standards Council website to validate it.

If these requirements are met, the organization can outsource the payment card related activities while ensuring compliance with the PCI DSS standard. A key advantage, in addition to the low cost labor, is the transfer of risk to a third party.

Dec 7, 2009

Microsoft Security Essentials - First impression


Recently I decided to replace my current anti-virus software with Microsoft Security Essentials, so last weekend I did this exercise. My initial thought is that it is nice work by Microsoft. It does not put much load on my laptop, and it seems to give fairly good protection from viruses.

I tried downloading some virus-infected files, which triggered alerts. I also opened some old virus-infected files from the archive.

The thing is that all the tests were done against old viruses; what I need to see now is how it works against new or zero-day threats.

Overall, I am satisfied at this point in time and waiting to see how this is going to react to the new threats.

If you would like to download this, click here

Dec 3, 2009

IBM to buy Guardium

The database security solutions company Guardium might be bought by the IT giant IBM.

Guardium's product enables companies to extend the use of corporate applications to customers, partners and providers while ensuring that the databases used by those applications are shielded.

More news at http://news.yahoo.com/s/nm/20091129/bs_nm/us_guardium_ibm

Phishing in Middle Eastern banks is on the rise

Recently I have been noticing an increase in phishing emails targeted at the banks in Kuwait. This was very low in past years, as low as only 10 attempts noticed at some banks. Recently, however, the number of attacks has risen drastically. I am wondering what made the phishers target these countries all of a sudden.

Is it the fact that the cyber laws are not strong, or is it the money?