
PCI-DSS v3.2 is officially published


After some back and forth on the draft versions, PCI v3.2 is now officially published. You can go ahead and download it here, and click on the nice little link saying 3.2 and agree to all sorts of terms and agreements nobody ever reads about.

Anyway, a little bit of background on this release. Usually, versions for PCI are released in the later stages of the year in November. In fact, even I mentioned this to a few clients that version updates were done in November, until PCI recently announced that v3.2 is to be released in March/April timeline due to a few factors as described in this article. So yeah, now I need to admit I was bamboozled. PA-DSS v3.2 is likewise to be released sometime in May or June.

So here’s how it works: 3.2 is now officially effective. PCI v3.1 will be retired end of October 2016 (basically to allow everyone to sort of complete the v3.1 if you are already in the final stage of completing it). So all assessments/audits that occur AFTER October will be version 3.2. This is important to note, because if any gap assessments begin now, and have a timeline to complete AFTER October, you want to use 3.2. For ongoing projects, it is best we scurry and get it all done before October! Chop chop!

There is a bunch of ‘best practices’ that will become requirements by February 2018. Other dates you need to be aware of:

a) June 30, 2016 – for companies not migrated yet out of SSL/early TLS, you will need to have a secure service offering (meaning an alternative service utilising TLS 1.1 and above). I will go out on a limb here and suggest using TLS 1.2, knowing how volatile PCI guys are in changing stuff.

b) June 30, 2018 – SSL/early TLS becomes extinct as far as PCI is concerned. No more mitigation plan! The exception is on POS terminals that have no known exploits.

c) January 31, 2018 – This is the deadline where new requirements graduate from being ‘best practices’ to ‘mandatory requirements’.

OK, now that’s out of the way, here’s a snapshot on the main stuff of v3.2 and what we are facing:

a) New Appendix A3 covers the Designated Entities Supplemental Validation. This basically means that if any acquirer or VISA/Master deems that a service provider needs to go through ADDITIONAL requirements on top of the torture they have endured for PCI, they can. These victims could include companies making a ridiculous amount of transactions, aggregators or companies that are constantly breached. So PCI has a whole bunch of extra stuff for you to do, mainly to deal with BAU activities, incident response, documentation and logical access controls.

b) Additional cryptographic documentation – Service providers are not going to enjoy this. We will now need to formally document the protocols, key strength, cryptoperiod, key usage for each key and HSM inventory. This should technically be done anyway in your key management procedure document, but now it’s a requirement. Take a look at NIST SP800-57 for the key concepts to get you started.

c) 8.3 is significant : Multifactor login. Whereby previous versions stated that 2 factor authentication is required for remote access from non-secure networks, now 3.2 shifted this requirement to “all personnel with non-console administrative access, and all personnel with remote access to the CDE”. Wait, what? This means, even if you are accessing an administrative UI or page (non-console) from a secure environment, multi-factor (2 factor is good enough) is required! I think there would be some pushback on this as this requires a fair bit of effort. We have until February 2018 to implement this.

d) Another big one is 11.3.4.1 – segmentation PT now needs to be done every SIX months as opposed to a year. This is not good news for some clients who have segments popping up like acne on a pubescent face. That’s quite a lot of work for them to do and this might give them more cause to think of a completely isolated network just for PCI-DSS with its own link and architecture, as opposed to sharing with multiple not in scope segments. Again, we have some grace period till Feb 2018.

e) New requirement 12.11 is interesting. I have always been an advocate of doing constant checks with clients to make sure they are at least practicing PCI. We have this free healthcheck service every quarter for clients who take up our other services and we are checking exactly this: daily log reviews, firewall is clean, new systems are documented and hardened, incidents are responded to, proper approval for changes etc. It’s nice to see that our efforts now have something formal tied to them. Feb 2018 is the deadline.

f) Here’s a downer. Appendix A2. We all know there was some sort of escape loop for those who were caught with SSL and early TLS in their applications. They created mitigation documents which may or may not be true. Just saying. Now, if you take this route, this is no longer a free pass for your ASV scans or vulnerability scans. If you have these protocols in place, your mitigation plan must fully address A2.2 requirements. If you are a service provider, take note of A2.3: YOU MUST have a secure service option in place by June 30, 2016! Not 2018. 2018 is when you stop using SSL/early TLS. So this timeline is slightly confusing. Like X-Men:Days of Future Past confusing.

Some main clarifications include:

a) Secure code training now officially needs to be done annually – you won’t want to guess how much push back I get on this when I tell clients it’s annual, and not something that is done when they have the budget for it (which is never).

b) Removing the need to interview developers to ‘demonstrate’ their knowledge – I do programming a bit, but I’ll be foolish to think I can go up against a senior developer who eats, breathes and … lives for coding. How awkward I’ve seen some younger QSAs struggle to do this (determining whether the senior dev guru is good enough), when it’s obviously not something they even know about. Let auditors audit and let developers code.

c) Finally, note added to Req 8 to say that authentication requirements are not required for cardholder accounts, but only to administrative or operational/support/third party accounts. We have always practiced this anyway but now it’s clear.

d) More clarifications on addressing vulnerabilities considered ‘high’ or ‘critical’. I am not a big fan of these. I think every vulnerability should eventually be addressed, just prioritised in terms of timing. Even if it’s low or medium, it’s still important to have a mitigating factor to it. There is a reason why it’s a vulnerability and not something you can sweep under the carpet.

e) A good note on pentesting in 11.3.4c – testing now needs to be done by qualified internal or external resource with independence. Again, we already practice this but it’s good that now it’s official.

So, that’s about it. Of course, there’s a fair bit more. I suggest you poke through the summary of changes first and then go through the documentation itself.

Be aware of those dates! It’s all over the place (June 2016, June 2018, Jan 2018), and who knows these might change in the future. Have a happy compliance.


Application of PCI-DSS in Retail

“Technology…is a queer thing; it brings you great gifts with one hand and it stabs you in the back with the other.” – CHARLES PERCY SNOW

This was a quote by a man born more than a century ago, that is resonating in its applicability even now, especially in the payment processes for retailers.

On one hand, we are discovering amazing new methods and breakthroughs in payment and doing transactions, all driving convenience to the end customer. mPOS has been around for years, and is now migrating to using smartphones to replace bulky handheld terminals; Apple Pay and other technologies enable mobile phones to make micro transactions through a few clicks; internet transactions are increasing to the billions, whereby someone a thousand miles away can order something and receive it a few days later. And we are only skimming the possibilities. Cryptocurrencies like Bitcoin might dictate the future of retail where the entire currency is virtual. Transporting of goods through drones might be on the horizon, and in the future not as distant as you would like to think, 3D printing will enable item blueprints to be sent to your printer by the retailer and the item can be created in front of you. It is an exciting time to be involved in technology, for sure.

Yet, on the other hand, as there are people aiming to make a positive impact to the world, there are also those who will twist technology to their selfish ends. Every transaction funneling through the world wide web can be tracked, and tapped, and risk being stolen. Credit card information residing in so-called secure servers can be taken off by just one employee accessing the hard drive through a malware-infected laptop. The very thing that makes life convenient can also make it dangerous: the very same 3D printer that prints out your son’s first airplane toy, can also be used to print out a functioning AK-47 by terrorist cells.

Payment Card Industry Data Security Standard (PCI-DSS) is one of the emerging standards in the attempt to counter this onslaught of security risks. This standard was created by a group consisting of VISA, Mastercard, American Express, Japan Credit Bureau and Discover a decade ago and has now evolved to version 3.1 (with version 3.2 coming this year). The standard applies to any retailers involved in any sort of credit or debit card transactions involving any of these brands.

In PKF Avant Edge, we know there is no magic pill to solve all security issues. But having been actively involved in PCI-DSS since 2010, and with a portfolio of more than 30 PCI-DSS clients, ranging from up and coming payment processors that process online games to mega sized oil and gas firms, we have experienced companies that are virtually built like a house of cards. Without proper guidance, their IT systems and information security have survived only by sheer luck. Through our methodology of assessing, remediating and certifying, we have helped them strengthen their systems, secure their information and limit needless propagation and storage of critical information assets.

Retailers have a larger challenge, whereby the more locations you have, the more security headaches you will receive. PCI-DSS attempts to do two things for retailers – limit only necessary credit card information to where it should be and to secure this information where it is stored, transmitted and processed. It is not always easy – in fact, the opposite is often true. Most retailers underestimate their security posture and think that PCI-DSS can be passed in a few weeks. In all cases, the rude reality is that they have to undergo changes to their architecture, and projects thought to be completed in 2 months can stretch to 6 to 8 months. Or even longer.

While some practitioners might say that the remediation effort is the most important aspect of the PCI-DSS program, we are of the opinion that it is in the scoping exercise right at the beginning. Retailers especially, due to distributed location, MUST scope correctly. In PCI, there is such a thing as ‘overscoping’, meaning the coverage of unnecessary items. This places pressure on cost, time and resources. There are alternative ways to make PCI easier, and this is where having an experienced PCI advisor is key. We are not just office consultants looking at a standard document or checklist. We are on the field technology practitioners not just experienced in PCI, but with real world work experience in IT service management, IT security and network operations control, security testing, software development, IT forensics and architecture solutioning. PCI-DSS is a technical standard, and whoever you select to guide you on your journey MUST be technical.

Contact us at pcidss@pkfmalaysia.com for more information about our services.

The IOT (Internet of Things) : My Personal Experience

Unless you have been living in a cave or on a secluded island without internet connection, you may have come across the term ‘Internet of Things’ or IoT. According to Gartner, “The Internet of Things (IoT) is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.”

Living in an era where we have easy access to information at the tip of our fingers is now taken for granted. Going out of your home without your smart phone is absolutely unthinkable – well, at least for me. I can be connected with my friends & family members anytime and anywhere – it can’t get better than that right? Well, let’s re-think this carefully.

Security
I am a huge fan of Strava application. This mobile application uses GPS and mobile data to track your activity (be it cycling or running) – it tracks your mileage, exercise effort level (wattage), time taken to complete the activity and then, further provides data on your ranking against other Strava users on the same activity/route. As I cycle and run competitively as a ‘hobby’, Strava is a great way for me to track my improvements and also pit myself against my friends to be the Queen Of Mountain of a certain mountain anywhere in the world. Awesome! – well, maybe….

The great thing with Strava is that it is connected to Facebook. In fact, if you use your Garmin to track your activity, you can set up your Garmin to connect seamlessly to Strava on every activity tracked on Garmin. Notice the word I’ve used here: SEAMLESSLY. Yes, it is that easy. Friends on Facebook are able to know where I was or where I am currently at based on my post through Strava. Now, my friends can like my activity and comment as well. Let’s just say that a friend of my Facebook friend intends to track me and know my current whereabouts, s/he can definitely find all that information via Facebook. If s/he intends to break in to my home (assuming s/he knows where I live), s/he can do so as well – because I am not at home – I’m still cycling back to my house. Dangerous? Am I inviting trouble? You bet! The internet of things has enabled different types of devices to be connected seamlessly and we love that; however, have we ever stopped to think of the danger that we’re opening ourselves up to? It doesn’t take much to be information technology savvy to track a person’s whereabouts.

We love to tell our Facebook friends where we are at by posting “Agnes Yew checked in at Mid Valley” or “Agnes Yew checked in at Madam Kwan, Mid Valley City”. Have you ever stopped to think that we’re providing information to people on our whereabouts willingly and this could be used to our disadvantage?

Time to stop and think…

Data Breach
Ashley Madison was recently hacked and it was let out that the hackers had access to its customer database and have posted the information on a public website for all to see. Ashley Madison is a discreet website which allows their customers to hook up with other folks who are interested in dabbling in a little fun outside the marriage bed. If you were a registered customer (married or attached) of Ashley Madison, you’ll be jumping or maybe peeing in your pants as the list of customers is now in the hands of hackers and shared on a public website.

Personal data is very much valued by consumer marketing companies and anyone who has access to a database has the upper hand to sell that information. I’ve been bombarded with these annoying SMS(es) on properties going on sale and what not every day. Yes, every day. I have to add these numbers under SPAM. It’s annoying as I don’t know where and how they got my mobile number. It could be when I got on the internet and signed up for some newsletter and I did not read the fine print and/or I did not un-check a box to unsubscribe.

The Personal Data Protection Act in Malaysia was gazetted in 2010 and has been in enforcement from April 2013 onwards. PDPA is supposed to protect consumers whereby companies holding our personal data are obligated to set up policies and a structured framework to ensure that the data is stored safely and not be leaked out. In my opinion, Malaysia is still in its infancy in comparison to US or EU, in terms of setting up a stringent DPA (Data Protection Act) framework. Companies are not investing in being PDPA compliant unless they are required to by the Ministry. At the moment, the Finance, Telecommunications and health industry players are required to be PDPA compliant.

As a Malaysian consumer, we have every right to be concerned if companies managing our personal data are not enforcing a certain measure of security to ensure that our data is safely kept. Companies in Europe and US are willing to invest huge dollars in a Security Information Event Management (SIEM) solution to manage internet threat intrusions. At the moment, the Multimedia and Communication Ministry has not published any data on companies in Malaysia that are allocating budgets for SIEM or some sort of Internet Security application.
Time to stop and think….

How to Be Safe
I want to be safe. I want my family members to be safe as well. What measures am I taking to make sure that only people I want to know about me, know about me?
• I and my family members do not post our actual profile pictures on WhatsApp, LINE and Facebook.
• I clean up my friends’ list in Facebook every three months. ‘Friend of Friends’ will be deleted.
• I read and uncheck boxes when I sign up for newsletter/etc. online. I read the fine print.
• I do not post my Strava activity until I get home – Announcing that I am Queen of Mountain can wait.
• I do not ‘check in’ to any location using Facebook. Yes, I may miss getting some discounts from that restaurant or shop by not checking in but I really don’t think it is worth letting people know where I am at.
• I block all SMS numbers that are marketing in nature and park them under SPAM.

Different folks may have different appetites of risk tolerance towards being bombarded by SPAM or wanting to let the world know what they are doing or where they are at. The effort level you put into ensuring that you and your family members are safe is a choice and for me, is a very important choice.
Stop and think…..

For PDPA Training/Advisory or Internet Security Applications, drop us an email at avantedge@pkfmalaysia.com or contact us at +603 6203 1888.

by Agnes Yew, PKFAE Project Manager

FREAK Vulnerability on Windows


As we do our penetration testing, we have to continue to get updated on some of the latest issues affecting systems out there. SSL seems to get the mother of all shares of vulnerability, with Heartbleed and then POODLE, and now, FREAK.

FREAK is described in detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204. It is basically a MiTM attack exploiting weak 512-bit keys. It affects OpenSSL, and upgrading to v1.0.2 fixes the flaw.

Basically, if you have weak cipher suites supported, or SSL/TLS RSA-Export of less than 512 bits, then get rid of them.

Resolution: We have always advocated to remove weak ciphers. Nobody really understood why, but now there is a vulnerability to include in our report.
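As an added example (not from the original posts), this Python script parses output in the style of nmap's ssl-enum-ciphers script and flags the two things these posts say to remove: SSL/early TLS protocols from the PCI v3.2 deadlines, and RSA-Export suites with 512-bit keys from FREAK. The sample scan text, the function names and the choice of nmap's output format are assumptions made for illustration.

```python
import re

# Protocol labels as printed by nmap's ssl-enum-ciphers script. SSL and TLS 1.0
# are what PCI calls "SSL/early TLS"; the post treats TLS 1.1 and above as acceptable.
EARLY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
# Suite name, optionally followed by "(rsa 512)"-style key exchange details.
CIPHER_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\S+)(?:\s+\((\w+) (\d+)\))?")

# Constructed sample output for illustration, not taken from a real host.
SAMPLE_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 (rsa 512) - E
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (rsa 512) - E
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: E
"""


def parse_scan(text):
    """Return {protocol: [(suite, kex, key_bits), ...]} from scan output."""
    offered, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
            continue
        suite = CIPHER_RE.match(line)
        if suite and current:
            bits = int(suite.group(3)) if suite.group(3) else None
            offered[current].append((suite.group(1), suite.group(2), bits))
    return offered


def findings(offered):
    """List (protocol, suite_or_None, reason) for everything that must go."""
    out = []
    for proto, suites in offered.items():
        if proto in EARLY_PROTOCOLS:
            out.append((proto, None, "SSL/early TLS protocol offered"))
        for name, kex, bits in suites:
            export_name = "_EXPORT_" in name
            weak_rsa = kex == "rsa" and bits is not None and bits <= 512
            if export_name or weak_rsa:
                out.append((proto, name, "export-grade RSA suite (FREAK)"))
    return out


if __name__ == "__main__":
    for proto, suite, reason in findings(parse_scan(SAMPLE_SCAN)):
        print(f"{proto:8} {suite or '-':40} {reason}")
```

On the constructed sample this reports SSLv3 and TLSv1.0 as protocols to retire and one export suite under each, while the TLSv1.2 section comes back clean.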

If you need some assistance in vulnerability assessment, penetration testing or security audit to cover FREAK and other vulnerabilities, drop us an email at avantedge@pkfmalaysia.com and we’ll get a team to you.

A writeup on the recent FREAK vulnerability.

Hundreds of millions of Windows PC users are vulnerable to attacks exploiting the recently uncovered “Freak” security vulnerability, which was initially believed to only threaten mobile devices and Mac computers, Microsoft Corp warned.

News of the vulnerability surfaced on Tuesday when a group of nine security experts disclosed that ubiquitous Internet encryption technology could make devices running Apple Inc’s iOS and Mac operating systems, along with Google Inc’s Android browser vulnerable to cyber attacks.

Microsoft released a security advisory on Thursday warning customers that their PCs were also vulnerable to the “Freak” vulnerability.

The weakness could allow attacks on PCs that connect with Web servers configured to use encryption technology intentionally weakened to comply with U.S. government regulations banning exports of the strongest encryption.

If hackers are successful, they could spy on communications as well as infect PCs with malicious software, the researchers who uncovered the threat said on Tuesday.

The Washington Post on Tuesday reported that whitehouse.gov and fbi.gov were among the sites vulnerable to these attacks, but that the government had secured them. (wapo.st/18KaxIA)

Security experts said the vulnerability was relatively difficult to exploit because hackers would need to use hours of computer time to crack the encryption before launching an attack.

“I don’t think this is a terribly big issue, but only because you have to have many ducks in a row,” said Ivan Ristic, director of engineering for cybersecurity firm Qualys Inc.

That includes finding a vulnerable web server, breaking the key, finding a vulnerable PC or mobile device, then gaining access to that device.

Microsoft advised system administrators to employ a workaround to disable settings on Windows servers that allow use of the weaker encryption. It said it was investigating the threat and had not yet developed a security update that would automatically protect Windows PC users from the threat.

Apple said it had developed a software update to address the vulnerability, which would be pushed out to customers next week.

Google said it had also developed a patch, which it provided to partners that make and distribute Android devices.

“Freak” stands for Factoring RSA-EXPORT Keys.

– Source from Reuters

PKF Avant Edge is now HRDF certified training company


We are now an HRDF certified training company.

We have several training courses that are SBL claimable and include training materials and a certificate of attendance:

1) PCI-DSS Foundation Training (PCIP Led, QSA developed materials), certificate of training from PKF and our vendor QSA Control Case International

2) PCI-DSS Implementor Training (PCIP Led, QSA developed materials), certificate of training from PKF and joint QSA vendor Control Case International

3) GST Malaysia Training (Led by RMCD Certified Trainer)

4) Introduction to Technology Audit (Led by Certified Auditor and Certified Information Security Professional – CISA, CISSP)

5) Project Management Level 1: Foundations (Led by Project Management Professional Certified)

6) Project Management Level 2: Advance (Led by Project Management Professional Certified)

7) Personal Data Protection Act Training (Led by Certified Auditor and Certified Information Security Professional)

Stay tuned for more details. Our training site has been updated at http://www.pkfavantedge.com/training-programs/

If you need more information, please send your enquiries to training@pkfmalaysia.com.
