
The Payment Processing Chain – Holistic Risk Management

A lot of people in the credit card industry focus on the compliance and security component of the payment processing chain that they control. This is expected and is the right thing to do. Most people, however, do not appreciate how many steps a successful transaction requires. Some merchants, cards and banks have varying processes, but most transactions involve, at a minimum, a consumer, a merchant, a payment gateway or processor, the card brand and the bank issuing the card. For a transaction to complete, the response travels back along the reverse path to validate the transaction. Add in credits, refunds and loyalty programs and that’s a lot of moving parts in a system that appears to act instantaneously. The system works well and we all depend on that.

Like any complex ecosystem, components need occasional maintenance.  Operators for every component of the ecosystem should be cognizant of the controls in place for the entire ecosystem as well as recognizing their place in the system.  A credit card and its associated transactions will be as secure as the weakest spot in the processing chain.  The consumers that believe they should be able to depend on the security of payment processors and banks are correct in their assumptions.  In the same vein, banks and payment processors should be able to depend on the security practices of consumers and merchants.

What does this mean to all of us? For the issuing banks, this means monitoring the behavior patterns of consumers to facilitate better and faster fraud detection. Acquiring banks do the same for merchants. For merchants, a demonstration of security and compliance competence is needed. If merchants do not have this expertise, they should engage a firm that does and let that firm provide it. Many merchants have not grown security and compliance expertise, focusing instead on growing their business around their core competency. Banks have regulators for oversight and examiners for validation.

That leaves the consumer.  Every consumer plays a vital role in the risk management chain but many do not recognize that and do not utilize the tools available to them.  Some of these tools are:

  • Credit Card Statements
    • Perhaps the best tool available to consumers – address unexpected activity!
    • Use online statements to see current (very recent) activity.
    • Use SMS and email alerts for higher than expected volume or value of activity.
  • Credit Reports (things to look for are below)
    • Higher balances than expected
    • Unexpected new accounts opened
    • Unexpected accounts closed by credit grantor
  • ATM Activity
    • In addition to being aware of ATM fees, make sure you trust the machine.
    • When using a machine for the first time, consider techniques such as entering an invalid PIN once to see if it is rejected. If it is, and the valid PIN then works, the machine is actually connected to your bank’s network rather than simply capturing what you type.
    • Watch your surroundings.  If someone sees you enter your PIN, your chances of a compromise increase.
  • Utilize the security and control measures of your merchants and banks
    • If you cannot rely on them, ask them to change or move your business.
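The statement-alert item above (SMS or email alerts for higher than expected volume or value of activity) is the kind of check an issuing bank or a diligent consumer can automate. The following is an added example, not code from the original post or from Layered Tech: it runs over a constructed list of card charges and flags any day that breaches either a fixed count/value limit or a statistical baseline built from the other days. The thresholds, merchant names and amounts are all assumptions made up for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample charges (date, merchant, amount in USD). Not real data:
# a week of ordinary spending followed by one day of large, repeated charges.
SAMPLE_TRANSACTIONS = [
    ("2012-11-01", "Grocery Mart", 54.20),
    ("2012-11-02", "Coffee Spot", 4.75),
    ("2012-11-03", "Gas Station", 41.00),
    ("2012-11-04", "Coffee Spot", 4.75),
    ("2012-11-05", "Grocery Mart", 61.10),
    ("2012-11-06", "Coffee Spot", 5.25),
    ("2012-11-07", "Bookstore", 23.99),
    ("2012-11-08", "Online Electronics", 899.00),
    ("2012-11-08", "Online Electronics", 749.00),
    ("2012-11-08", "Gift Cards R Us", 500.00),
    ("2012-11-08", "Gift Cards R Us", 500.00),
]


def daily_totals(transactions):
    """Aggregate (charge count, total amount) per calendar day, sorted by day."""
    counts = defaultdict(int)
    totals = defaultdict(float)
    for day, _merchant, amount in transactions:
        counts[day] += 1
        totals[day] += amount
    return {day: (counts[day], totals[day]) for day in sorted(counts)}


def alerts(transactions, count_limit=3, value_limit=500.0, sigma=3.0):
    """Return {day: [reasons]} for days that should trigger a volume/value alert.

    Two alert styles are combined (limits are assumed values, not from the post):
    - fixed limits: more than `count_limit` charges, or more than `value_limit`
      dollars, in one day
    - baseline: the day's total exceeds mean + sigma * stdev of every *other* day,
      so one anomalous day cannot inflate its own baseline
    """
    per_day = daily_totals(transactions)
    flagged = {}
    for day, (count, total) in per_day.items():
        reasons = []
        if count > count_limit:
            reasons.append(f"{count} charges exceeds limit of {count_limit}")
        if total > value_limit:
            reasons.append(f"${total:.2f} exceeds value limit ${value_limit:.2f}")
        others = [t for d, (_, t) in per_day.items() if d != day]
        if len(others) >= 2:  # need some history before a baseline means anything
            baseline = mean(others) + sigma * pstdev(others)
            if total > baseline:
                reasons.append(f"${total:.2f} exceeds baseline ${baseline:.2f}")
        if reasons:
            flagged[day] = reasons
    return flagged


if __name__ == "__main__":
    for day, reasons in alerts(SAMPLE_TRANSACTIONS).items():
        print(f"ALERT {day}: " + "; ".join(reasons))
```

With the sample data only 2012-11-08 is flagged, and on all three grounds (four charges, $2,648 total, and far above the baseline of the surrounding days). Excluding the day under test from its own baseline is the detail that matters: a single large day would otherwise raise the mean and standard deviation enough to hide itself.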

At any point in the chain, inspect the controls and ring the bell if they do not meet your standards.

Image Credit: Catatronic

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

Holiday Security – Manage Your Risks

Welcome to the holiday season! Along with the holiday cheer, parties, presents and spending come some risks of which we should all be aware. Situational Awareness is a phrase that some might not recognize. Situational Awareness entails being aware of your surroundings and environment and adapting your behaviors to address the risks being presented.

One special area of interest is web sites.  Some web sites will present offers that seem too good to be true.  If you cannot confirm that you are visiting a web site that you know and trust, be very wary of entering any identifying information about yourself, especially items such as account numbers, social security numbers and credit card numbers.

Another problem related to web site scams is unsolicited email messages. My simple recommendation is this: any email message that you did not request, and that asks for information or prompts you to click a link, should be deleted.

In both of these cases, should any situation persist, at a minimum you can report the offending web site or message to abuse@domain.com, where domain.com is the trailing segment of the sender’s email address or of the web site in question. Should you believe that a crime has been committed, contact law enforcement. At Layered Tech, we manage inbound abuse complaints for most of the domains hosted by us and we take complaints very seriously.

One bit of data that the bad guys would like to get is your Credit Card information.  I have already talked about being cautious on web sites and with email.  The same cautionary tales apply to unrequested telephone solicitors.  One of your better defenses against credit card fraud is to examine your charges often.  I make it a point to examine all of my credit card charges at least five times per week.  As soon as I see a charge that is suspicious, I notify the credit card company.  Most are very willing to work with you on fraud issues.

If you do not have a Smartphone or Tablet, you may be receiving one this holiday season.  Between apps that allow you to shop, bank and engage on social media, your device contains a treasure trove of data.  Regardless of when you get your device, I recommend taking the following measures:

  • Lock it – Most devices have either a swipe pattern or PIN or password capability.  Activate this feature as soon as you have your device.  A longer password is better than a four-digit PIN and a complex swipe is better than a simple one.
  • Backup your data – Whether through your synchronization software or other means, do this often.
  • Hang on to your device – If they don’t have it, they can’t use it.
  • Determine how to find it – Using Find My iPhone, Where’s My Droid, Plan B, Lookout or similar apps will allow you to locate, message and even wipe your device clean of data, should you lose it. Of course your data is still backed up if you followed the second step.
  • Report missing devices – Your carrier and local police department may be able to take steps to locate or prevent reuse of your device.

Being aware of your surroundings and of the value of your data allows you to be a happy and safe holiday consumer. Here’s to a great start to the holiday season this year!

Image Credit: 401(K) 2012

About the Author: Jeff Reich (@LayeredTechCRO), Chief Risk Officer at Layered Tech.

How Much is Your Data Worth?

Everyone knows that a lot of information about each of us is floating around various segments of the internet. The prevalence of online shopping, social media and portable computing has made us comfortable with this and in many ways that is a good thing for commerce, society and individuals. Many of us feel very confident in the controls that exist to protect data about us and in most cases that confidence is well founded.

October is Cyber Security Awareness Month and this is a great time to address this topic.  Unfortunately, as a result of conditions, attacks and social engineering, components of our information slip out of the control of those that we trust.  When this happens, those with motives less honorable than those of most of us will choose to take advantage of the situation.

This is when the value question comes into play.

  • What would you do if you were told that your information was being held and could be disclosed to others or, in some cases, withheld from your use unless a demand is met?
  • What can you do about this?

First of all, try to do all you can to limit the amount of data that you share with others.  You do not always have to give everything requested to everyone requesting.  Another technique that could help limit your exposure is being less than truthful when you do not have to be completely honest.  Now, I am not suggesting that any of us lie, outright, but consider when and how data is used.

When you sign up for a service of some sort and you are asked for your “security questions” think about using answers that won’t allow someone to gather more information about you than is absolutely necessary.  For example, many of you identify your city of birth in a public place like Facebook.  With that information, that is rather available, someone could easily guess the answer to at least one of your security questions on another site.  For that reason, rather than always entering your actual city of birth, consider mixing up your answers (of course, the more complex you make this, the more you need to track).

If you enter your city of birth as the North Pole, no confirmation will occur and, as long as you remember that you used “North Pole” for that site, the chances of someone being able to guess your answer will be greatly reduced. This is just one example and will be best used if you add your own creativity to it.
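The trade-off the post points out (the more you vary your answers, the more you have to track) can be removed entirely by treating a security answer as a second password and deriving it from one master secret per site and question, so there is nothing to write down. The following is an added example, not the post’s own method: it uses HMAC-SHA256 keyed with a master secret over the normalized site name and question text, and encodes the result as a 16-character base32 string (80 bits), which most sign-up forms accept as an alphanumeric answer. The master secret, site names and question text below are constructed placeholders.

```python
import base64
import hashlib
import hmac


def _label(site: str, question: str) -> bytes:
    """Normalize site and question so small typing differences derive the same answer."""
    return f"{site.strip().lower()}|{' '.join(question.split()).lower()}".encode()


def derive_answer(master_secret: bytes, site: str, question: str) -> str:
    """Derive a stable, site-specific 'security answer' from a master secret.

    HMAC keyed with the master secret means an answer leaked from one site
    reveals nothing about the answer used on another site, and the master
    secret cannot be recovered from any number of derived answers.
    """
    digest = hmac.new(master_secret, _label(site, question), hashlib.sha256).digest()
    # 10 bytes -> 16 base32 characters with no padding; lower-case for forms
    # that fold case anyway.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def verify_answer(master_secret: bytes, site: str, question: str, candidate: str) -> bool:
    """Constant-time check of a typed answer against the derived one (for your own records)."""
    expected = derive_answer(master_secret, site, question)
    return hmac.compare_digest(expected, candidate.strip().lower())


if __name__ == "__main__":
    # Constructed master secret for the demonstration; in practice this is a
    # long passphrase kept as carefully as a password manager's master password.
    master = b"example-master-secret-not-for-real-use"
    for site in ("bank.example", "shop.example"):
        print(site, derive_answer(master, site, "What city were you born in?"))
```

Each site gets a different answer to the same question, the same master secret always reproduces it, and nothing about your real city of birth is involved. Rotating the master secret changes every derived answer at once, which is the one operational cost of this scheme.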

On the downside of captured data, recognize that at some point, some of your data will be taken hostage or withheld.  Work on your plan to respond to that.  Demand that your merchants and providers demonstrate that they meet or exceed industry standards and are protecting your data.  In that vein, remember to not volunteer information unnecessarily.  One example in that area is that most healthcare providers ask for your social security number when you start as a patient.  I always decline to supply that and I have never lost the opportunity to use a healthcare provider that I wanted to use.

I believe that it pays to pay close attention to your credit reports and related activity. The sooner you notice anomalous activity, the easier it will be for you to prevent further damage and repair what has happened.

Go have fun on the internet and let’s be safe and aware out there!

Image Credit: garethjmsaunders

About the Author: Jeff Reich (@LayeredTechCRO), Chief Risk Officer at Layered Tech.

Cost of Data Breach Review

Recognition of information security responsibility is reducing the costs of breaches.

From time to time I look over the Ponemon Institute reports related to data breach costs to get a feel for the business value of securing data.  After reading the most recent Ponemon Institute report, I want to talk about the interesting executive summary highlights.

The cost of data breach declined in 2011.

  • Opinions vary on why costs would decline, but the decline can be generally attributed to both company preparation prior to breach and a lower customer churn value.  When companies can take advantage of preparedness and mature response facilities the costs of the breach are spread out.  It is also noted that a non-panic or hurried response promotes less spending after a breach.

More customers remain loyal following the data breach.

  • I think two factors relate to this point.  The prepared are forgiven and exposure teaches.  Customers seeing a company with security features in place and one prepared to deal with a breach will readily stay with that company.  This reduces churn and therefore cost of a breach.  Companies have learned how to successfully deal with relations from previous public exposure events.  We have learned that concentrated and deliberate attacks are unlikely to be rebuffed, but our direct and honest response can score points with consumers and regulators.

Negligent insiders and malicious attacks are the main causes of data breach.

  • This makes sense on a fundamental level.  How else could data be lost?  It must be negligence or maliciousness.  I’ll contend that the one allows the other.

Certain organizational factors reduce the overall cost.

  • Organizations with direct Information Security leadership showed lower cost of breach metrics.  This means the company has focus at the top for information security issues including breach response efforts.  The role is described as a CISO, but the representation could take many forms.  It is the assigning of the responsibility with corresponding resources which is important.  There is also a note that engaging experienced third parties during a breach event can reduce the loss.

Detection and escalation costs declined but notification costs increased.

  • Regulations and mandatory standards for information security practices relating to specific types of data are responsible for this point.  The mandatory requirements allow companies to prepare and budget for the tools which provide detection.  The requirements also inform companies on proper methods or processes to escalate.  At the same time stronger notification laws have enforced more frequent notification activities increasing how much companies spend.

Breach costs are being reduced, but only for organizations that are prepared and that have assigned a direct leadership role for information security.  As with most things in IT, preparedness results in the most cost effective outcomes when negative events are experienced.  Assigning focus via a dedicated leadership position is the most important step a company can take.

Image Credit: Don Hankins

About the Author: As Director of Compliance and Security Services, Ed Welsh maintains and guides a dedicated team in the delivery of Layered Tech’s compliance and audit services. Ed’s 16 years in IT security include network and web application security experience from positions in the financial industry, H&R Block, Fishnet Security, and independent contracting. He holds a CISSP certification and has been successfully implementing PCI compliant hosting solutions for the last 5 years.

ConSec ’12 Recap

Earlier this month, I attended ConSec ’12 Consumerization of IT – Are You Keeping Pace? in Austin, TX. This year marks the tenth bi-annual gathering and it was a three-day event that offered attendees a choice of one of four optional workshops followed by two full days of sessions in three tracks. This regional conference targets attendees from Texas and the four surrounding states. Vendors were clearly visible in the exhibit area. The uniqueness that helps contribute to the continuing success of this conference is the hosting. Volunteers from four organizations act as planners, schedulers, marketers, logistics experts and hosts.

Without a third-party conference facilitator, this environment creates a level of intimacy and trust that does not exist in all conferences because you know that practitioners are doing everything for the conference. The focus of the attendees is around security, compliance or business continuity and that trust is important to them.

The organizations involved here are the Capitol of Texas Chapter of the Information Systems Security Association (ISSA), the Austin Chapter of the Information Systems Audit and Control Association (ISACA), the State of Texas Department of Information Resources (DIR), and the Capital of Texas Chapter of the Association of Contingency Planners (ACP).

For the workshop day, each of the hosting organizations facilitated a Bring Your Own Device (BYOD), all-day workshop.  The four workshops were well attended by a specialized subset of the attendees for the remainder of the conference.

For the two days of the conference, three tracks were established, each focusing on Information Security, Business Continuity Planning or IT Auditing.  Attendees registered for the sessions that they wanted to attend but were not limited to stay within any given track.  Four general sessions were spread out over the two days, with internationally known speakers for each and 21 specialty breakout sessions were offered in the three tracks.  The conference concluded with a final general session that was associated with yet another organization, the InfraGard Central Texas Chapter.

I picked up great and fresh information on the risks around BYOD, how to deal with the fear of BYOD destroying the enterprise, security and privacy in the mobile world, and the reminder that it is still most important to protect the data appropriately. I had the privilege of co-facilitating the Information Security workshop and presenting a session dealing with Security and Compliance in the Cloud. In addition to delivering content to the attendees, I was also an avid attendee and learned a lot during the sessions that I joined.

The key take-away from this conference is that you can find great value in a regional conference. The long-term benefit from encounters such as this, with multiple volunteer organizations, is the trust that you can develop with organizations and people. When your job is providing compliance or security to your clients and partners, you need to be able to depend on your trust network. The force multiplier for the value can come from having diverse organizations work together on offering a quality deliverable for a common purpose.

About the Author: Jeff Reich (@LayeredTechCRO), Chief Risk Officer at Layered Tech.