The Security Pub

Random Thoughts About Security

What ever happened to the Conficker worm?

The Conficker worm is still lurking around the internet four months after nothing happened on the 1st of April; it has still infiltrated millions of Windows machines & continues to update itself.  What is Conficker waiting for? The recent attacks on Twitter & Facebook earlier this month have raised researchers' concerns that Conficker may be controlled by a foreign intelligence or military agency.

Read the original story in The New York Times.

How Far Is Too Far in E-Discovery?

I recently had the privilege to hear David Jesse Coker, Attorney & Counselor at Law, speak at my ISSA local chapter meeting. David gave a great presentation on Digital Forensic & E-Discovery Countermeasures. One thing that really stuck out in my mind after the meeting was what David said about In Re Honza, 242 S.W.3d 578 (Tex. App. Waco 2009).

Did you know that the court makes it clear In Honza that a firm’s entire hard drive can be imaged/cloned by an expert as the first part of the electronic discovery process, even when the scope pertains to a very limited amount of information contained on the computer?

The files are *in* the computer.

PCI Security Standards Council Publishes Best Practices for Skimming

The PCI Security Standards Council (PCI SSC) announced earlier this week in a press release a new paper that educates merchants on indoor payment terminal data protection aimed at preventing credit card skimming attacks.

The paper, Skimming Prevention: Best Practices for Merchants, includes actionable recommendations that address physical location and security, terminal and terminal infrastructure security, and staff and service access to payment devices.

The Council’s Pin Entry Device (PED) Working Group, incorporating input from law enforcement officials and industry experts, developed the paper. Its guidelines are intended to help merchants:

  • Evaluate the risks relating to skimming;
  • Understand the vulnerabilities inherent in the use of point-of-sale terminals and terminal infrastructure;
  • Assess challenges associated with staff that has access to consumer payment devices;
  • Prevent or deter criminal attacks against point-of-sale terminals and terminal infrastructure;
  • Identify any compromised terminals as soon as possible and notify the appropriate agencies to respond and minimize the impact of a successful attack.

“In today’s heightened threat environment, skimming remains a popular method of data compromise,” said Troy Leach, technical director, PCI Security Standards Council. “Merchants can protect their business and their customers by educating themselves on risk, and taking active steps to protect their terminal infrastructure from fraud. By following the guidelines outlined in this document, merchants can improve security levels in their terminal environment and defend against this type of attack.”

The PCI SSC Skimming Prevention paper can be downloaded online. (NOTE: before you download, this is a large 40MB file).

Information Security Questions? Check out NIST

Securing information in today’s environments isn’t easy. Given the value that criminals are getting for unsecured data, whether it’s cardholder data, personal information or other data that can be used and sold with malicious intent, the challenge is not going to get any easier.

I recently came across an article Mike Rothman wrote for SearchSecurity.com.

In the article, Mike Rothman focuses on two specific documents produced by NIST, the National Institute of Standards and Technology. The documents are special publication 800-100, the Information Security Handbook: A Guide for Managers (pdf), and special publication 800-53, Recommended Security Controls for Federal Information Systems (pdf).

Read what Mike Rothman had to say.

Can the Card Brands STEP UP & be more than just an Enforcer?

PCI DSS is a great security baseline, but there is more to preventing breaches than just becoming PCI DSS compliant.  How many more data breaches must occur in the payment card industry before the card brands step it up?  Everyone in the payment card industry has the same objective… protect the cardholder data.  The common denominator for everyone in the payment card industry is the card brands, and yet they are slow in adopting the technology to support better security controls for the entire industry & consumers.

If we really want to prevent data breaches, the entire industry needs to be on board together with a sound solution, and it needs to start at the top with the card brands, then the acquirers, and then down to the merchants.  Let's implement a solution so that merchants don’t even need to keep the cardholder data: just send the merchant back a unique token to reference the transaction.
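To make the tokenization idea above concrete, here is an added example (not code from the post or from any card brand or processor) of the split it proposes: a processor-side vault is the only place the card number (PAN) lives, the merchant keeps a random token plus receipt data, and a simple scan confirms no PAN leaked into merchant storage. The vault design, token format and the sample card number are assumptions chosen for illustration; the card number is the well-known test value 4111 1111 1111 1111, not a real account.

```python
import re
import secrets
from typing import Dict


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects malformed card numbers before tokenizing."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor/acquirer-side vault (assumed design): the only store that holds PANs."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        # A fresh random token per transaction: no key and no mathematical
        # relation to the PAN, so nothing outside the vault can reverse it.
        while True:
            token = "tok_" + secrets.token_urlsafe(18)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor ever calls this, e.g. to settle or refund."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps after authorization: the token and receipt data, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


PAN_RUN = re.compile(r"\d{13,19}")


def contains_pan(record: dict) -> bool:
    """Scan stored values for digit runs that pass Luhn; a cheap check that
    cardholder data did not end up in merchant storage."""
    for value in record.values():
        for run in PAN_RUN.findall(str(value)):
            if luhn_ok(run):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 1999)   # constructed sample
    print(rec)                       # token, last4 and amount only
    print(contains_pan(rec))         # False: no PAN in the merchant's record
```

The point the post makes falls out of the shape of the data: a merchant database full of `tok_...` values and last-four digits is worthless to a thief, while the processor holds the PAN behind its own controls.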

The way it looks to me is that the card brands want to hand out all these cards to you and me, the consumers, but we had better hope that where we shop the merchants have sound security controls in place, or we the consumers could be at risk for credit fraud, identity theft & more.

Good risk management leads to compliance?

This is a relatively reasonable way of thinking; however, there is one catch. Not all regulations are created to reduce risk. Think about PCI-DSS compliance by merchants. PCI-DSS tries to reduce risk for card brands, issuers and acquirers by forcing the key point of compromise (merchants) to apply proper security controls. However, the cost for the merchant to apply those controls is higher than the risk reduction they will gain. That’s why fines are usually established by regulating bodies: to artificially increase the risk to the organization responsible for applying the controls. If this “manipulation of the risk economy” is not done properly, then the “good risk management leads to compliance” concept does not work.