
Avant Edge is now Alien Vault


PKF Avant Edge is now a channel partner for AlienVault in Malaysia.

Over the course of the 5 years since we started in 2010, we have resisted the urge to become a partner for a particular vendor. We’ve had a number of security companies calling us and asking if we wanted to bring in their products, given our inroads into the market, especially in BFSI. But most of these products were either heavily priced or just weren’t right for the sort of customers we know we have.

We also did not want to compromise our audit and assessment integrity by carrying too many third party technologies, as we will end up giving recommendations that suit the margins we are getting on each box.

So from the onset, our vision is to give independent advisory, and if there is a great product that comes along, worth recommending, we would do that.

Well – we have been evaluating AlienVault for a few months now, and about a month ago we contacted the channel director in the region and asked if he was interested in getting together for a chat. Our philosophies meet. We need to get good products out there that suit our customers – not products that suit our margins. Because Avant Edge’s main business is in compliance management and advisory, we don’t have too much stake in pushing AlienVault down our customers’ collective throats. We are willing to give a demo, or a trial, and if it suits, it suits. If not, let’s move on. Unlike traditional SIs who build consultancy around technology products, we build products around our consulting services. A slight difference is there.

So over the next few articles, aside from our usual foray into PCI and PDPA, expect a little more on our experience in AlienVault. We believe in hands on experience, so we’ve already set up a trial box in our labs and we are going to walk through the technical details in this blog.

Stay tuned! If you need more information, contact us at alienvault@pkfmalaysia.com. Yes. We started a new mail group for this!

PCI-DSS Applicability to Hosting Providers and Data Centers


Recently I was invited to speak in the quarterly meeting for the Malaysian Data Center Alliance (MDCA) regarding the applicability of PCI-DSS to their business.

More and more we are getting questions from traditional data center and hosting businesses on whether they should go for PCI-DSS and whether we can help them.

Here’s a quick FAQ for these businesses:

a) Why do Data Centers need PCI?

Actually – you don’t. PCI-DSS is applicable to businesses dealing with payment card data – storing, transmitting and processing. These are probably your clients – and in general, where they need to be PCI certified, they want to ensure their ‘providers’ – such as yourself – are certified as well.

The pressure for compliance does not come from the payment brands for data centers – instead in almost all cases, they come from the customer themselves.

b) So what benefit do I get from PCI?

The move of hosting providers to become PCI compliant runs in parallel with the move of businesses to offload their servers and infrastructure to the ‘cloud’, or to third party providers that host their applications. The cost savings versus building their own data centers from the ground up make sense to most entities, except for large payment companies and banks. Even so, some of these larger entities will outsource their disaster recovery site to a third party – and if they deal with credit cards, then that DR site needs to be compliant as well.

c) So should I be spending money on this compliance?

From a data center perspective, there is no direct requirement to be PCI compliant. However, if a customer is going for PCI-DSS compliance and the data center is NOT compliant, then the data center is obligated to participate in the customer’s PCI program. While this might be manageable for a small group of customers, managing and participating in multiple customers’ projects over the long run is not feasible. Therefore, more and more data centers and hosting providers are moving to become ‘PCI Certified’ themselves. Doing so basically means they just show their certificate to their clients instead of participating in each client’s individual compliance program. Some of the largest success stories of PCI certified hosting/infra are Amazon Web Services and Microsoft Azure Trust Center.

d) SO…how much will it generally cost?

This is very subjective because even hosting providers and DCs have scope. However, the general rule of thumb is that the less visibility you have on card data and the fewer services you offer, the less it will cost. For instance, compare a data center that only offers M&E and a physical room for the client against another data center that offers those AND an internet gateway, IPS/IDS, firewall etc. The latter DC will be up against Requirement 1, Requirement 3, Requirement 9 and other related requirements, while the first one will probably just need to deal with Requirement 9. You could be looking at anywhere between RM30K – RM40K for the entire compliance program (Gap, Remediation, Certification, Scans etc).

This might sound like an awful lot, but the whole program consists of two assessments from the QSA (Gap and Cert) and a whole lot of other services during remediation. A typical onsite security assessment is already around 18 – 20K from any of the big 4 firms. And they usually just send their juniors who are fresh out of college and generally still staying with their parents. Here you get a full-fledged QSA and director or senior management level guys supporting the audit. We take it extremely seriously, and we don’t send out pencil pushers with a little checkbox and hardly a stubble under their chin. The penalty for PCI non-compliance is very, very serious and we need to ensure all our clients get the best possible support.

e) Are you open for a quick meeting onsite?

Of course. Drop me an email at pcidss@pkfmalaysia.com and we will get working on it!

Personal Data Protection Act Training


We recently provided PDPA training to a public listed company. Unlike the normal awareness training or the dragging-through-the-entire-Act training that we are accustomed to, we have made this specifically for internal auditors on how to build an audit program surrounding PDPA (utilising AICPA GAAP and several other programs), as well as demonstration of some tools to hack/gather personal information and also some tools to prevent/monitor people hacking/gathering personal information.

The full training program is here

Assessing Compliance of PDPA in Your Organization


MPSB is re-certified as PCI v3.0!


Congratulations to ManagePay Services Sdn Bhd for re-certifying under PCI v3.0. They are the first among our clients to achieve v3.0!

PCI v3.0 maintained the 12 main requirements from PCI v2. PCI DSS v3.0 has been effective since January 1st 2014, but organisations were given the choice to comply with either v2 or v3 in 2014. All certifications in 2015 (MPSB included) are certified under v3.0. The major changes under v3.0 include:

a) Testing of segmentation adequacy through penetration testing

This determines whether segmentation has been done properly. We have seen many implementations where ‘segmentation’ was supposedly in place, but we found that routes between networks had unfiltered access between zones. Penetration testing confirms whether the CDE is properly isolated from out-of-scope networks.
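A segmentation check of the kind described above, written as an added example (not code from the original post or from PKF Avant Edge): a list of CDE hosts and sensitive ports is probed from a host in an out-of-scope zone, and any path that is open without being on the intended allow-list is reported as evidence that the segmentation is not adequate. Hosts, ports and zone names are constructed; the default prober makes real TCP connections, and an injected fake prober lets it run offline.

```python
"""Verify that an out-of-scope zone cannot reach the cardholder data environment.

Run this from a host inside the zone being tested. A completed TCP handshake
means the path is open regardless of what the firewall diagram says.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class SegmentationPolicy:
    # CDE host -> ports that must not be reachable from out-of-scope zones.
    cde_hosts: dict
    # Flows the firewall is *meant* to permit: (source zone, host, port).
    allowed: set = field(default_factory=set)


def tcp_connect(host, port, timeout=2.0):
    """Real prober: True if a TCP handshake completes, i.e. the path is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(source_zone, policy, prober=tcp_connect):
    """Probe every CDE host/port from `source_zone`.

    Returns (violations, stale_rules):
      violations  - reachable flows that are not on the allowed list
      stale_rules - allowed flows that were not reachable (rule may be dead)
    """
    violations, stale_rules = [], []
    for host, ports in policy.cde_hosts.items():
        for port in ports:
            reachable = prober(host, port)
            permitted = (source_zone, host, port) in policy.allowed
            if reachable and not permitted:
                violations.append((host, port))
            elif permitted and not reachable:
                stale_rules.append((host, port))
    return violations, stale_rules


# Constructed sample policy: a database and an app server in the CDE, with a
# single deliberately permitted flow (HTTPS from the corporate LAN).
SAMPLE_POLICY = SegmentationPolicy(
    cde_hosts={"10.10.1.5": [22, 443, 3306], "10.10.1.6": [1433]},
    allowed={("corp-lan", "10.10.1.5", 443)},
)


if __name__ == "__main__":
    # Against live hosts this uses tcp_connect; here it would simply time out.
    found, stale = check_segmentation("corp-lan", SAMPLE_POLICY)
    for host, port in found:
        print(f"SEGMENTATION FAILURE: {host}:{port} reachable from corp-lan")
    for host, port in stale:
        print(f"allowed but unreachable (check rule): {host}:{port}")
```

The point of tracking both lists is that a segmentation review should explain every open path, not just the unexpected ones; an allowed rule that no longer works is often a sign the ruleset has drifted from the diagram the QSA is shown.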

b) Validation of 3rd party providers

PCI-DSS compliance must be validated if card holder data is being shared out to 3rd party providers. This is either through their own AOC (like AWS), or an agreement to participate in the customer’s PCI program.

c) Business as Usual

By far, this is the most challenging for us. Most organisations undergoing PCI-DSS struggle in the second and third year re-certification, as they need to demonstrate compliance in everyday activities and not just during the audit period.

d) Protection of POS

Most of the recent incidents, like Target, are due to POS malware. v3.0 requires companies to maintain an inventory of POS devices, protect them from tampering, and provide periodic training to staff.

Of course, v3.0 covers a lot more than these. For a more detailed look at PCIv3.1 and how it affects your organisation, you can contact avantedge@pkfmalaysia.com. Or you can join our monthly PCI training, which is HRDF claimable, the latest schedule is at http://www.pkfavantedge.com/training-programs/.

The Star Online Hacked


Like the entire population of Malaysia and everyone else on this planet except the few strange people from MARA (who obviously do not have children of their own, or if they do, have an extremely dull sense of what morality is) – I was keeping up with the story of the Malaysian paedophile case. Everyone knows about it. Nur Fitri was busted and convicted as a paedophile (one who sexually abuses children – granted, he was caught with images, not actually abusing, but it’s just as bad), and MARA (the organisation that had given Nur Fitri the scholarship) went on the record stating that he deserves a second chance because he is a maths genius and an asset to the country. And that being convicted as a paedophile is like playing truant at school.

???

Anyway, while trying to get to The Star Online, the popup message received was “You’ve been hacked by the Syrian Electronic Army”.

Tsk.

It’s actually not The Star that got hacked. They attacked Gigya, a customer identity management platform that is apparently used by The Star. This attack has been going on since last year, so I am not sure why The Star is still having this issue. Any link to Gigya gets pointed to the SEA’s images and servers. A quick look at what The Star’s page loads shows a whole bunch of references to Gigya.

Star, you need to remove that component from your site!
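The “quick look at what the page loads” above is worth doing systematically: every third-party script or iframe a site embeds runs with that site’s origin in the visitor’s browser, so a compromised provider becomes a compromise of your page. The following is an added example (not code from the original post or from The Star or Gigya) that inventories the external origins a page pulls in and flags any not on an explicit allow-list. The HTML, hostnames and allow-list are constructed for illustration.

```python
"""Inventory third-party origins embedded in a page and flag unexpected ones."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags/attributes that load remote code or content into the page.
_LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "img": ("src",),
}


class ExternalResourceCollector(HTMLParser):
    """Collects (tag, url, host) for every absolute or protocol-relative load."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link> tags that actually fetch something count.
        if tag == "link" and not any(
            r in (attrs.get("rel") or "").lower() for r in ("stylesheet", "preload", "import")
        ):
            return
        for attr in _LOADING_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if not url:
                continue
            host = urlparse(url).hostname  # None for relative URLs like /static/x.js
            if host:
                self.resources.append((tag, url, host))


def _is_allowed(host, allowed_domains):
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def third_party_hosts(html, page_host):
    """Sorted list of distinct hosts, other than the page's own, that it loads from."""
    collector = ExternalResourceCollector()
    collector.feed(html)
    return sorted({h for _, _, h in collector.resources if h != page_host.lower()})


def find_unexpected_origins(html, page_host, allowed_domains):
    """Loads from hosts that are neither the page itself nor on the allow-list."""
    collector = ExternalResourceCollector()
    collector.feed(html)
    return [
        (tag, host, url)
        for tag, url, host in collector.resources
        if host != page_host.lower() and not _is_allowed(host, allowed_domains)
    ]


# Constructed sample page: one first-party script, a tag manager, and an
# identity-provider script plus widget iframe from a third party.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.gigya.com/js/gigya.js?apiKey=EXAMPLE"></script>
<link rel="stylesheet" href="/static/site.css">
<script src="//www.googletagmanager.com/gtm.js"></script>
<script src="https://www.example-news.com/js/app.js"></script>
</head><body>
<iframe src="https://comments.gigya.com/embed"></iframe>
<img src="/img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, host, url in find_unexpected_origins(
        SAMPLE_HTML, "www.example-news.com", {"googletagmanager.com"}
    ):
        print(f"unexpected {tag} from {host}: {url}")
```

Running this against a saved copy of each page, and diffing the host list over time, is a cheap way to notice a new or forgotten embed; the allow-list forces someone to consciously accept each provider the site depends on.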

If you need help in testing your site for vulnerabilities, please contact us at avantedge@pkfmalaysia.com



© 2024 PKF AvantEdge
