How much do you think your data is worth to companies such as Google or Facebook? You might be surprised: according to the Netflix documentary The Great Hack, data for these companies is now worth more than oil. The question is, how valuable is your data?
In this modern age of big data and analytics, data is the queen and should be protected accordingly. What I have found is that, before the enforcement of the EU GDPR, in the context of personal data most organisations did not know where their data resides (data storage), how much they process (number of records), what type of data they process, or which critical business processes handle that data. Hence the question: how can you protect your data?
In my view, everything starts with architecture. Data architecture drives everything in regard to people, processes and technology, from the data strategy and data protection strategy to the data breach response plan. Do you have data architects? Do you use a data architecture framework such as DAMA or TOGAF? These may be the best resources to start with: https://dama.org/ ; https://pubs.opengroup.org/architecture/togaf91-doc/arch/chap10.html
Secondly, organisations need to map the flow of their data from the moment it enters the organisation, through processing, to the point where it leaves the organisation or has to be disposed of securely. Security should be embedded by design into each of these stages, not bolted on as an afterthought.
Data, as your queen, needs to be protected all the time. This applies in chess, and it applies in real life, in the way monarchies have been protected over the centuries; use the same concept when protecting the organisation's data that matters to you. All the best 🙂
I have been a QSA for the past 6 years, and before that I was involved in managing PCI programmes for more than 3 years in the banking environment, so it is fair to say I have experienced PCI from both the QSA and the merchant/issuer points of view. During this time I have worked with a pool of QSAs and have conducted a handful of PCI assessments covering organisations in different industries, including healthcare, retail, insurance, TV/media, government/public sector, mobile service providers and many more.
Regardless of the complexity of the environment and payment channels, most organisations, whether service providers or merchants, rely on fundamental technologies (databases, virtualisation, cloud computing, networking, etc.) that must comply with the PCI DSS standard. A QSA is therefore expected to understand these technologies at least at a basic level, i.e. how they work, before going on site to conduct the assessment, because you need to understand the technology, processes and people you are about to audit. While this sounds like common sense, you would be surprised how many QSAs do not take it into consideration. Below are five common mistakes made by QSAs.
(1) Not understanding the scope of the assessment.
(2) Not allocating enough time to conduct the assessment.
(3) Not understanding the underlying technologies used by the audited organisation, i.e. the merchant or service provider.
(4) Not understanding the in-scope payment channels and the applicability of PCI requirements, i.e. SAQ eligibility.
(5) Not following the testing procedures in the PCI DSS reporting template.
I will expand on each of these mistakes one by one in an updated post. For now I would like to point you to a good PCI blog, PCI Guru at https://pciguru.wordpress.com/, which goes into detail on specific requirements and guidelines and any discussion in regard to PCI DSS.
Most organisations have either a regulatory or an industry requirement to carry out penetration testing annually and whenever a significant change happens to their environment. While this is considered good practice, the coverage of the test usually includes only the technology infrastructure, both external and internal. The remaining question is: how many organisations test their own people?
In today's world of beefy technological security solutions, penetrating the external perimeter (in the traditional model) is much harder than it was in previous years, and the same applies to cloud services. As a result, attackers have shifted their focus to people, who, as you may know, are the weakest link in the security chain; such attacks include spear phishing and the like.
Businesses understand this, but regardless they have not invested in protecting people with security controls such as security awareness training and targeted security training per job role, e.g. CEO-specific training or bank-teller-specific training. Failing to do so opens doors for attackers.
So next time you commission a penetration test, ensure it includes testing the people; this can be a social engineering test performed by a specialised firm. While such tests may be done once a year, organisations are encouraged to run internal tests at least quarterly, to keep staff in a defensive mindset and aware that attacks can happen at any time and that they are the ones targeted most.
Incident Response (IR) is the decision that separates a business going under from one that resurfaces after a few hours.
Most organisations have an IR plan shelved somewhere collecting dust. The plan is good enough to be shown to auditors for a compliance tick box, but not good enough to save the business when the time comes.
We have heard plenty of stories on the internet and on the front pages about data breaches, and the most prevalent theme is the gap between the time of compromise and the time of discovery: the time when the incident actually happened (when the attacker breached your systems and took up residence in them) and the time when the organisation actually discovered that a breach had happened. Organisations take a long time to detect breaches, and when they do, they cannot get their IR plan running as expected. This boils down to the IR plan not having been tested on a frequent basis (not annually; it needs to be more frequent than that).
IR coordination is not to be managed by the cybersecurity department alone; the activities need to be organisation-wide and should include senior management (CxO officers), public relations, business units, IT and the cybersecurity department.
My 2 cents: organisations need to do the following when it comes to IR.
– Draft an IR plan that includes all critical business units.
– The IR plan should have a communication plan and assign the ultimate decision maker, e.g. the CEO, CIO or another C-level executive.
– Test different scenarios, e.g. state-sponsored attacks, physical attacks, insider attacks, etc.
– Test more than twice a year (not tabletop exercises, actual war games).
– Improve the plan after each test, from the lessons learned.
I am a PCI QSA. Part of a PCI assessment requires assessing the physical security controls for systems; this includes, but is not limited to, visiting facilities such as data centres and computer rooms where the CDE is hosted. I have had a good share of visits to these data centres and computer rooms. I have seen the best physical security controls, from acoustic wire, bomb shelters, shatterproof windows and mantraps inside mantraps, to computer rooms locked with a key that is not under any dual control. While most data centres are secure by design, the service offerings from these data centres are also standard, including dedicated suites, shared halls and shared cabinets (yes, open your eyes wide), and some other companies will basically say "my systems and data are in the cloud" (where? AWS. Yes, but where? I don't know, let's ask our account manager).
Organisations such as merchants and service providers that have systems hosted by third-party co-location providers may or may not understand the offering in detail, the security department may not have been involved in the decision making, or the client may have no idea what the data centre looks like from a physical security point of view; it is worth visiting it.
- Dedicated suite: this is where the whole suite is dedicated to one organisation.
- Security controls such as CCTV and access control are pretty tight.
- Shared hall: this is a shared space where a bunch of racks from different customers sit in the same area.
- What to look out for: how the cabinets are secured. Some are secured with a keyed padlock, others with a combination padlock, others with both, and I have even seen fingerprint readers.
- Sometimes CCTV is not installed on the aisles, for fear of seeing clients' systems? How? I don't know.
- Organisations should understand the co-location services offered.
- Should visit the data centre if
- The security department should be involved in deciding which security controls are selected.
- It is best to have controls such as frequent (quarterly) auditing, including checking the inventory, and automated security controls to check for system tampering and for whether any physical devices have been plugged into systems in the data centre.
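As an added example (not part of the original post, and not a tool from any co-location provider), the last check in the list above, whether a physical device has been plugged into a system, can be automated on Linux hosts by watching the kernel's USB attach messages that syslog already forwards. The script below, written for this page, parses constructed sample log lines in that format, pairs each attach event with a following usb-storage line on the same port, and raises an alert for any (host, vendor ID, product ID) that is not in a hypothetical inventory allowlist. The allowlist, host names and log lines are all made up for the example.

```python
import re
from dataclasses import dataclass, replace

# Constructed inventory allowlist: (host, idVendor, idProduct) of USB devices
# that are expected on each system. Hypothetical values for this example.
ALLOWED_DEVICES = {
    ("db01", "046d", "c31c"),  # rack KVM keyboard recorded in the inventory
}

# Kernel messages as forwarded by syslog; the "[ seconds ]" prefix is optional.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?"
NEW_DEVICE_RE = re.compile(
    _PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STORAGE_RE = re.compile(
    _PREFIX + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    port: str
    vid: str
    pid: str
    mass_storage: bool


def find_unexpected_usb(log_lines, allowed=ALLOWED_DEVICES):
    """Return one Alert per USB attach event whose (host, vid, pid) is not allowlisted."""
    events = []  # every attach event, in log order
    last = {}    # (host, port) -> index of the most recent attach on that port
    for line in log_lines:
        m = NEW_DEVICE_RE.match(line)
        if m:
            last[(m["host"], m["port"])] = len(events)
            events.append(Alert(m["ts"], m["host"], m["port"], m["vid"], m["pid"],
                                mass_storage=False))
            continue
        m = STORAGE_RE.match(line)
        if m and (m["host"], m["port"]) in last:
            # usb-storage claims the same port: mark the latest attach there as storage
            i = last[(m["host"], m["port"])]
            events[i] = replace(events[i], mass_storage=True)
    return [a for a in events if (a.host, a.vid, a.pid) not in allowed]


# Constructed sample log in the format of kernel messages forwarded by syslog.
SAMPLE_LOG = """\
Mar 12 09:14:02 db01 kernel: usb 1-1.1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 12 09:14:02 db01 kernel: usb 1-1.1: Product: USB Keyboard
Mar 12 09:31:45 db01 kernel: usb 1-1.2: new high-speed USB device number 5 using ehci-pci
Mar 12 09:31:45 db01 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 12 09:31:45 db01 kernel: usb 1-1.2: Product: Ultra Fit
Mar 12 09:31:46 db01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar 12 11:02:10 app02 kernel: [ 8812.331904] usb 2-1: New USB device found, idVendor=1d6b, idProduct=0104, bcdDevice= 4.15
""".splitlines()

if __name__ == "__main__":
    for alert in find_unexpected_usb(SAMPLE_LOG):
        kind = "MASS STORAGE" if alert.mass_storage else "device"
        print(f"{alert.ts} {alert.host} port {alert.port}: unexpected USB {kind} "
              f"{alert.vid}:{alert.pid}")
```

Vendor and product IDs are trivially spoofed by a malicious device, so this catches opportunistic or accidental plug-ins (a contractor's USB stick in a shared hall) rather than a deliberate implant; for that the inventory needs to record serial numbers (udev's ID_SERIAL) and the cabinet needs a physical check. In a real deployment the lines would come from the journal or a log shipper rather than a string, and the alerts would go to the SIEM.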
The UK National Cyber Security Centre (NCSC) publishes the 10 Steps to Cyber Security, originally published by CESG in 2012. The 10 steps are basic security controls that organisations can use to build a security programme as a minimum baseline.
The ten steps are built around a risk management regime and are as follows.
- Risk management regime (at the centre, driving the other nine)
- Secure configuration
- Network security
- Managing user privileges
- User education and awareness
- Incident management
- Malware prevention
- Monitoring
- Removable media controls
- Home and mobile working
While these may seem very basic, and something every organisation should already have in place, you would be surprised how many organisations do not have these controls in place, small and large alike.
From experience, most organisations do not have mature security programmes and want to make a big jump without starting with the basics. The proper way is to start small and build the security programme up, using a top-down approach; that is why the 10 Steps start with the risk management regime, which should be driven by senior management.
To explore more, visit https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
Beyond Cybersecurity by Bailey et al.
Becoming a Global Chief Security Executive Officer by Cloutier
SABSA by John Sherwood, Andy Clark and David Lynas