Recently in Compliance Category

PCI at the House of Representatives

| 1 TrackBack
| More
From Computerworld.

At a U.S. House of Representatives hearing yesterday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little to stop payment card data thefts and fraud.

I disagree that the standard is overly complex - in fact most of it is straightforward, common sense information security. The reason it has proved to be ineffective is because organisations focus on ticking the compliance boxes rather than taking the holistic approach to security that's needed. There's enough ranting on this subject elsewhere - the best being on Anton Chuvakin's blog - and I have little to add.

Top 5 Information Security Annoyances

| More
I'm generally a tolerant and easy going sort of person. There's a fairly short list of things that get my goat. For instance, our local doctors surgery has a call queuing system with 6 different options. However, I know for a fact that there's only one person working in the reception and that regardless of which button you press (press 1 for a long wait etc etc) after about 12 rings you'll get through to her. How pointless is that? Our home phone number is fairly similar to a local pizza take-away place. At least a few times a week I'll take orders. Sometimes, I tell the caller that I've got no pizza left but they are welcome to have some of what I'm having...

The information security industry can be similarly infuriating at times. Here's a short paragraph on each of the five things that wind me up the most:

1. Security awareness programs

A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It's all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or an increase in the number of people who can correctly click "a). All policies are on the Intranet" in a multiple choice questionnaire. The fact is that security awareness programs are received within the organisation with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well managed, decent processes.  Security awareness programs sap energy and resources, and have little positive effect. Drop them.

2. Compliance = security

Nothing reduces the security status of a business faster than a blind determination to achieve compliance with a policy or a new regulation. PCI is the obvious one, with whole armies of "Qualified Security Assessors" driving their company Mondeos up and down the motorways of England en-route to the next company that's fallen into the trap of believing that so long as they can tick all the right boxes they are protected as if covered by some magic force-field. Having the certificate that says "compliance" tells you nothing more than that on the day the assessor came, you had the right combination of smoke and mirrors in place to pass the test. Information security is not a compliance project. It's an ongoing program without an end-date.

3. Risk modelling

Many "experts" preach the importance of working through risk models. It's a load of tosh. No matter which way you try to do it, you'll always come out with the answer you first thought of.  You might as well use a crystal ball and read tarot cards. Nobody needs to work through a complex risk model to understand that if a retail website suffers a denial of service that it'll have some financial consequences, or  that if the internet connection is lost that there wont be  access to I've got better, more constructive and practical ways to spend my day than conspiring over risk models. Much more relevant is threat modelling - understand your systems and know the business so that you can make relevant risk-based decisions. 

4. Where are all the analysts

Here are two examples of what I mean. i) A vendor does a "penetration test" of a web site (I use the term loosely because these days most pen tests seem to involve little more than pressing a button labelled "scan now") and sends you a report highlighting several "High Risk" issues. On closer inspection you discover that most of them are either false positives, or irrelevant. ii) A network scan report is given to a newly CISSP qualified security analyst and he's asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn't question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practiced in basic technical skills, able to spot anomolies, and not afraid to question things that don't look right. The scan results never tell the full story!

5. It's not my fault

The first 9 years of my working life were spent in the Royal Air Force where I enlisted as an Assistant Air Traffic Controller. I learnt a few useful things out of that: how to make a good cup of tea, write backwards on a plastic board with a chinagraph , and operation of a mumeter, being three that will stick in my mind. Most important of all though was the lesson that excuses don't count. Only results. There's an evolving culture of making excuses for poor results. Lack of time, lack of resource, lack of training, lack of ability to think of a decent answer. All it shows is a lack of imagination, planning and initiative on the part of the person making the excuse. If you get something wrong it's your fault. Admit it and learn from it.

Licence to practice information security?

| More
Here in the UK, you need a licence to drive a car, or watch television. You also  need a licence to go fishing. You don't need a licence to have a child - unless you want to adopt or foster somebody elses. In those circumstances you have to undergo a thorough assessment of everything from sexual orientation to your preferred brand of tea. However, there is no licence to prevent two neanderthal inhabitants of the British underclass to mate, produce and then leave their offspring to rot in squalor. The result is stories such as this one here where a mating pair took their hungry pup out to the pub, or this now infamous tale of the mother who organised the kidnapping of her own daughter in order to claim a ransom.

Some other things you'd need a licence for: to operate as an acupuncturist, own an airgun, run a butchers shop, hold a car boot sale, operate as a debt collector, give public demonstrations of hypnosis, run a lottery, or hold a public procession. And if your name is James Bond, you require a licence to kill.

A few years ago there were rumblings of proposals to licence IT security professionals as a part of the Private Security Industry Bill. The resulting Security Industry Authority currently licences guards, wheel clampers and a variety of others (read more here). IT and Information Security professionals do not require any qualifications or licence to practice. There are plenty of certifications around but none of them are obligatory. It's up to the employer, and the individual. I've worked with plenty of very skilled and knowledgable individuals who have no security specific certifications and encountererd a few not so accomplished who have one or more.

Given the information security disasters of 2008, should we be heading for a time where information security professionals are obligated to be licenced to practice? Would it make any difference or make those of us in the industry more accountable?

Additional note: added 8 January

The idea of a parental "breeding licence" has actually been proposed before. "Prime Minister" Jim Hacker mentioned it in a classic episode of Yes Prime Minister. See below....

Storage Expo emphasis on data protection and security

| More
storageexpo.gifI had a good day yesterday at the Storage Expo in London. It's not an event I would usually have considered attending however there was a heavy emphasis on data storage solutions geared towards meeting regulatory, data protection, recovery and forensics requirements, so as it turns out it was very relevant indeed.

Dr Guy Bunker of Symantec gave an interesting presentation on the theme of Data Loss Prevention - relevant in light of Symantec's recent acquisition of DLP solution developer, Vontu. I'm still undecided on the value of DLP. I think that like many security products it's probably easy to run a pilot and find lots of problems that the product provides a solution for but, as with for instance web vulnerability scanning tools, the results you see rarely represent the full scope of the issues. Just my opinion though. Let me know if you feel differently.

I also enjoyed the presentation from Mimecast describing their SaaS data archiving solution. While obviously a biaised view, the point made by James Blake that there is a world of difference in terms of reliability and understanding of business needs between consumer focused and enterprise focused SaaS service providers is a valid one.

Lastly, Ian Masters of Double-Take Software gave an interesting show on disaster recovery for virtualised environments. I'd recommend taking a look.

Virgin Media data breach highlights the powers of the ICO

| More
The news that Virgin Media have experienced a data breach is not so interesting as the consequences (see full story here).

On reporting the loss of a CD containing 3000 unencrypted customer records, the company has been ordered by the Information Commissioner's Office (ICO) to encrypt all portable media that store or transmit personal data. Note that this instruction also extends to third parties processing data on their behalf.

The incident highlights the power and willingness of the ICO to impose sanctions, and also the fact that organisations are now obligated to report any data breaches that involve more than a thousand records.

Some of you might not be aware that their powers were recently strengthened following changes to the Criminal Justice and Immigration Act. You can read more about this at If anyone is left in any doubt about how much power and authority the ICO is now welding then simply review the organisations recently served with enforcement notices. The list includes government departments, large organisations, and small institutions alike. HMRC, Marks & Spencers, Carphone Warehouse, FCO, and so on. As Virgin Media have just found, it is not difficult to end up on that list.

PCI Compliance - dispelling some common myths

| 1 Comment
| More
I was supposed to be in Paris today, auditing various PCI related things. Unfortunately, the fire in the Channel Tunnel has put paid to those particular plans. Not that I'm too upset - I'm rather reluctant to travel too far right now because my wife is heavily pregnant and it'll be sods law that she'll go into labour the moment I'm more than a couple of hours away from home.

I've recently been putting a lot of energy into dispelling within the organisation one or two myths about PCI compliance. The most common that I come across being:

1) We're alright if we can pass most of the criteria.

The pass mark is 100%. The standard is supposed to represent a minimum baseline for protecting data, so if you can't meet all the criteria then you've still got work to do.

2) We don't do any eCommerce so the standard doesn't apply.
PCI applies to any company within which card data is stored, processed, or transmitted by any means. So, for  example, if you have a shelf full of paperwork that contains customer credit card details then that's still cardholder data and the standards still apply.

3) We only do a handful of credit card transactions so PCI is not applicable
It doesn't matter if you are doing 10 or 10,000 transactions, the standards are set to protect all credit card data regardless of the scale of the business.

I consider PCI compliance to be a business-as-usual activity. We're taking credit card payments so we need to putting the right controls around it. We shouldn't need regulation to tell us how, we should just be doing it.

M&S 'whisleblower' gets the sack

| More
A worker at Marks & Spencer (M&S) has been sacked after telling the media that the company planned to cut redundancy pay to staff.


According to The Times today, Brendan Barber, General Secretary of the TUC, said that the decision was "truly shocking that an employee can be dismissed for exposing underhand and secretive decisions about issues that will directly affect staff in his workplace."

That's not the point. Whether or not M&S are doing the right thing by their employees is not the issue. From my perspective the individual was sacked for gross misconduct: he exposed company confidential information to an unauthorised third party. The action was calculated and designed to cause trouble.

We all have an axe to grind from time to time, but if you deliberately drop your employer in the muck because of it then that makes your position untenable. M&S have done the right thing.

Stronger penalties needed to force better data handling - I don't think so

| 1 Comment
| More
An article by Ron Condon on states..

Security experts agree that until the Information Commissioner's Office (ICO) is given the power to impose hefty fines on those who break the Data Protection Act, companies will continue to treat information with what one expert described as "reckless disregard." 

I disagree, but then nobody asked for my opinion on this one. Maybe I don't yet mix in the right circles or get invited to the best parties where all the experts are gathering. I certainly don't know Alan Calder, chief executive of IT Governance Ltd, one of the experts quoted in the article as stating that Companies should always ensure that PID (personally identifiable data) is destroyed on their premises and not left to a third-party. That's nuts. I'd rather not leave it up to the IT department, brilliant and capable as they are. I contract a perfectly capable third party who specialise in data destruction and do the job properly.

Back to the point though. Do stronger penalties work? I doubt it. Stronger penalties might motivate organisations to try harder but until we put an end to this break/fix way of running information security and start focusing on dealing with the problem - which is all about people and not about technology at all - then the incidents will continue to occur on a depressingly frequent basis. 

What is meant by a stronger penalty? One that's so severe it puts the company out of business, or simply teaches them a harsh lesson? Make the penalties too severe and we'll end up with an equivalent of the health and safety culture where nobody is willing to take any chances for fear of the consequences. Imposing penalties is not solving a problem, it'll increase the fear of disclosure and lead to a "check-box" compliance mentality. Tackle the problem from the root causes and we might start getting somewhere. 

The Coleman Report - An Independant Review of Government Information Assurance

| More

The Cabinet Office recently commissioned Nick Coleman, an Independent reviewer of Information Assurance for the UK government , to report back on how well the Government is doing when it comes to protecting and handling information.

The result of that review, The Coleman Report, can be downloaded here: Coleman Report.pdf.

It's a succinct document, first describing the transformation to electronic-based services (for example, in one week the NHS sends 1.4 million prescriptions electronically) across the public sector, and secondly highlighting the main features of the changing environment. The two stand-out items being the rapid pace of technological change, and information sharing on an unprecedented scale.

The section on "Findings from the review: how well is government doing" does not make for particularly positive reading. For example, when talking about accountability Nick states that

"no role exists to provide Independent Oversight that the appropriate Governance;
Information Risk Management; Policy and Operations; and Monitoring and Controls around Information Assurance are in place across departments and agencies."

On risk management, we get also get a far from positive report;

"Risk assessment is patchy leaving many without a clear understanding of the risks they are facing or exposing their stakeholders to."

The list of recommendations makes for equally gloomy reading. And here's why. We've been talking for years, even decades, about the need for strong information security governance, accountability, and setting minimum standards. It's nothing new. But here we are heading towards the end of the first decade of the 21st century and a report about and for the Government - the highest authority in the land - is highlighting a need to  "Define minimum standards that (public sector) departments sign up to"

Good grief. What on earth have they been up to all these years? If there were a book entitled "Information Security for dummies" then that would be on page 1. It shows just how far behind the public sector is and makes for good explanation as to why it is subjected to so many data breach incidents.  

There is a follow-up ministerial statement here. The range of measures being described is sensible enough but even in a modest size commercial organisation such measures don't get implemented overnight. It's going to be a mammoth task in my opinion.

"The Government is determined to take the necessary steps to improve data security."

I don't doubt it.

Web based email and a prediction for the future

| 1 Comment
| More

I've been following an interesting Q&A thread on LinkedIn where the question is asked "Should business messages be allowed to flow through personal/webmail services?"

What's interesting to note is the difference in opinion between the more technical network security analyst types and those more business orientated individuals.

Security & Systems Engineer: This should not be allowed. Security is tough enough without introducing additional systems that are not under your control

Sr Systems Architect: Business messages should not be allowed to flow through personal services, just as employees should not be doing work on the home computers.

Network and Data Security Architect: Absolutely not. It's unprofessional.

Information Security Specialist: This is a business decision not one for IS engineers

Principal Consultant: while many security researchers and practitioners would be quick to shoot down the suggestion of personal webmail, that's oversimplifying the situation

Chief Information Security Officer: The business owns the data, so they measure the risk and define the acceptable use for that information

This comes back to the point I made a few days ago about not allowing the IT department to set policies. Decisions such as this must come from the business and I wholly agree with the response quoted above from the CISO. If the business decides that it needs to use webmail services for whatever reason then it's up to us to ensure that the risks in doing so are adequately mitigated, communicated, agreed etc. Of course, I might want to recommend a different service from the one being proposed and I would hope that my views on risk would be taken into account (and don't forget to review the terms and conditions too - you want to make sure that you still own your own documentation!).

In this particular question of webmail, there is a much bigger picture to take into account too. "In the cloud" services (PaaS, SaaS) such as Google Apps, web-based email, SFDC and so on will, in my opinion, one day very soon be just as normal in the workplace as Microsoft Word and Exchange-based email are today. We need to adjust our thinking accordingly.