I attended day two of Secure World Boston on Wednesday. I find that taking notes during sessions helps me learn more — plus, it means I can put together a short blog post to more easily share what I learned with you about PCI compliance, cyber assurance, and using the public cloud for enterprise security. Here are some of the highlights...
Information Security Officer, Alegeus
PCI compliance is mandatory if you maintain cardholder data, so companies have to deal with it. Version 3.2 of the standard is due within the next month. A brief survey of the audience indicated that audits often come with heartburn. The presenter liked the Verizon 2015 DBIR report in both tone and content, and she shared the trends from the 2014 DBIR report. PCI compliance is actually three standards, depending on your usage: PTS, PA-DSS, and DSS.
Talking about PCI gets riddled with three letter acronyms, and she defined the ones she used:
- PAN = primary account number
- CHD = cardholder data
- ROC = report on compliance
Erika described three roles important to PCI:
- Card brand compliance programs
- Qualified Security Assessors (QSA), including an approved scanning vendor
- Self-Assessment Questionnaire (SAQ)
Not all Qualified Security Assessors (QSA) are created equal, so it’s okay to switch. Being scared of them is probably a good thing! There are six goals of PCI, which lead to 12 requirements, each with their own sub-requirements, which leads to around 240 controls. Multiply that by the aspects of your environment, and you get a very complex and large audit space. She stressed that PCI is not your entire information security program; it can be part of it, or even a lens, but there needs to be more. The jump from the 3.0 standard to 3.1 was a bit large. Early versions of TLS and SSL were dropped, but the compliance date has been postponed to June 2018.
The presenter reviewed the critical coverage areas of PCI:
- Network Security
- Firewall Configs
- Change Management
- Daily Procedures
- Incident Response
- Restrict Access
- Account Management
- Track & Monitor
She reminded us that some things have to happen every quarter or every half year, so if you're waiting until right before the audit to start prepping, then it's already too late. PCI doesn't really cover business continuity, risk management, or vendor management, so you need to keep those in mind too. PCI does include some physical security, so that means wearing badges and watching for tailgating. You really want operations folks to take over and "own it" so they do your job for you! They are the SMEs. Your auditor wants pictures (diagrams) with the words describing the pictures.
- Mock audits help uncover the "gotcha" questions.
- Remember the OWASP Top Ten.
- Project management is a huge part of PCI compliance.
- Label evidence with the requirement prefix.
- Don't volunteer information.
- Feed your people!
The Verizon PCI Report 2015 shows that PCI compliance actually helps protect against data loss.
[Two open questions I have:
- What tools in your experience and opinion have facilitated or hindered successful PCI audits?
- Can you speak to payment as a service vs. cost of maintaining PCI compliance?]
Former Director for Software Assurance - Cybersecurity & Communications, US Department of Homeland Security
Joe started by thanking SecureWorld for building a community. We come together because we recognize a real issue. Today we rely more and more on external dependencies. Lateral movement is how compromises are happening. Physical and cyber are coming together with IoT. Physical harm is coming from cyber breaches: Congress and insurance come in when that happens. He mentioned the Barr Group report. More and more legislation is coming since we fail to self-regulate.
Trust in cyber assurance is convergence with quality, safety, and security. In Joe’s opinion, security subsumes safety. People often try to "build a wall" to gain assurance. It's all reactive. Necessary, but reactive. Instead, we can control our attack surfaces. Application software is the soft underbelly of the enterprise. IT professionals need to be able to explain the business or mission risk of using an application. Remember: if you got breached, that simply means someone else is more committed to finding your weaknesses than you are. His slides list some software-related expectations for 2016.
US DHS CIO Enterprise Services reported: 92% of vulnerabilities are in the application level and 70% of security breaches happen at the application level. Joe asserted that CVEs can be used to assess software maturity. Eliminate or mitigate weaknesses as you find them. Talking about the supply chain means thinking about the incorporation of software libraries (the supplies). People are making risk decisions with each library they include. People may use whitelisting products but then not even do binary checking for known vulnerabilities (CVEs). Tools exist for that. Most modern software development consists of putting together libraries and third party code. Do you trust what's in your third party code? Software 'decays' over time without patches. You need an active DevOps environment! 69% of security defects come from open source. 10% of high visibility vulnerabilities come from open source.
[I had some serious cognitive dissonance here. Does the high number of security defects in open source come because it’s bad code, or because we can actually see the code? If over two-thirds of the security defects come from open source, why do only 10% of the serious ones come from that pool?]
How do we make sure that an average development team can incorporate security automation?
The presenter works at Synopsys, and they used the FS-ISAC 3rd Party Software Security Working Group as a guide. They leveraged Signoff (and Coverity too). Software Composition Analysis (SCA) helps coordinate development, legal, and security teams. Be sure to leverage CVSS.
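To make the "binary checking for known CVEs" and "leverage CVSS" points concrete, here is an added Python example (my own, not code from the talk or from Synopsys) of the core of a software composition check: match a pinned dependency manifest against an advisory list and order the findings by CVSS. The advisory ids, package names, version ranges and scores are constructed samples, not real vulnerabilities.

```python
# Added example (not from the talk): a minimal software-composition check that
# matches a pinned manifest against advisories and ranks hits by CVSS.
# All advisory ids, package names and scores below are constructed samples.
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve: str         # constructed placeholder, not a real CVE id
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first patched version (exclusive)
    cvss: float      # base score, used only to order the findings

ADVISORIES = [
    Advisory("CVE-0000-0001", "libfoo", "1.0.0", "1.4.2", 9.8),
    Advisory("CVE-0000-0002", "libbar", "2.0.0", "2.3.0", 5.3),
    Advisory("CVE-0000-0003", "libbar", "2.2.0", "2.2.5", 7.5),
]

def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10): compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines; blanks and '#' comments are ignored."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split("==")
            deps[name.strip().lower()] = version.strip()
    return deps

def is_affected(version: str, adv: Advisory) -> bool:
    # Affected when the pinned version lies in [introduced, fixed).
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def find_vulnerable(manifest: str, advisories=ADVISORIES) -> list:
    """Return (cvss, cve, package, version) tuples, highest CVSS first."""
    deps = parse_manifest(manifest)
    hits = [(a.cvss, a.cve, a.package, deps[a.package]) for a in advisories
            if a.package in deps and is_affected(deps[a.package], a)]
    return sorted(hits, reverse=True)

# Constructed manifest for demonstration.
SAMPLE_MANIFEST = """
libfoo==1.3.9  # inside the vulnerable range
libbar==2.2.3  # matches two advisories
libbaz==0.9.0  # no advisory
"""
```

A real SCA tool would pull the advisory list from a vulnerability feed and match on package identity rather than name alone, but the range comparison and CVSS ordering are the same.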
There’s a relationship between cyber assurance and cyber insurance. Think about fire alarms for home insurance: cyber needs a similar analogue. The automotive industry has "got religion" about security. The Feb 9th, 2016 "Strengthening our Nation's Cybersecurity" initiative has resulted in the Underwriters Labs Cybersecurity Assurance Program (UL CAP). The program will be formally announced on Monday (April 4th, 2016). It consists of three parts: general, industry specific, and organizational process. UL CAP: open standards for delivering cyber assurance. Joe expects that insurance will be pushing this more than anybody.
How Adopting the Public Cloud Can Improve Your Enterprise Security
Chief Technology Officer
The presenter listed several of the major examples of enterprise clouds: Google, Amazon, Azure, Salesforce, Dropbox. He spent time talking about the types of cloud deployments and the characteristics of clouds. He noted that one traditional admin can handle between 100 and 250 things, while a cloud admin handles between one and 25,000 things.
There’s a spectrum of using the cloud with increasing complexity and security risk: SaaS -> PaaS -> IaaS -> On-Prem. The question of compliance has become more sophisticated. You can download the compliance pages from the various cloud providers. One common theme is that cloud security is a shared responsibility. Russinovich (CTO of Azure) and Amazon have both stated that.
Bill gave an interesting and tragic example of Code Spaces. They were hit with a DDoS and then a ransom demand. They noticed a corresponding security breach and started to fight back. The attackers then conducted a malicious destruction of assets that resulted in a security & business #fail. The whole process took 12 hours. There's a data plane and a control plane, and we must think about both. One of the mistakes Code Spaces made was to not do that.
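Thinking about the control plane concretely, here is an added Python example (mine, not from the talk) that audits an IAM-style policy document for destructive control-plane actions an Allow statement grants without an MFA condition, and shows a weak grant beside a hardened one. The policies and the action list are constructed samples; aws:MultiFactorAuthPresent is the real IAM condition key.

```python
# Added example (not from the talk): audit an IAM-style policy document for
# destructive control-plane actions that are allowed without an MFA condition.
# Policies and the action list are constructed samples; aws:MultiFactorAuthPresent
# is the real IAM condition key. Explicit Deny statements are not evaluated here.
import fnmatch

# Control-plane actions that destroy data or the ability to recover it.
DESTRUCTIVE = [
    "ec2:TerminateInstances", "ec2:DeleteSnapshot", "ec2:DeleteVolume",
    "s3:DeleteBucket", "s3:DeleteObject", "rds:DeleteDBInstance",
]

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _requires_mfa(stmt: dict) -> bool:
    """True if the statement only applies when the caller authenticated with MFA."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False

def unguarded_destructive_actions(policy: dict) -> list:
    """Return destructive actions granted by an Allow statement without MFA."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or _requires_mfa(stmt):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            found.update(a for a in DESTRUCTIVE if fnmatch.fnmatchcase(a, pattern))
    return sorted(found)

# Weak: one wildcard grant and no MFA condition, so a single leaked credential
# can wipe instances, volumes, snapshots and buckets in one API session.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Hardened: routine actions stay available; destruction requires MFA.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "s3:GetObject", "s3:PutObject"]},
    {"Effect": "Allow", "Resource": "*", "Action": DESTRUCTIVE,
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
```

An MFA condition only guards actions taken through this account's control plane; keeping an independently controlled copy of backups is the other half of the lesson.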
Arthur C. Clarke said that "Any sufficiently advanced technology is indistinguishable from magic." Cloud security is like magic in some ways. Cloud providers have security sensors. You can easily deploy solutions in front of your assets. However, cloud security is not actually magic.
The big clouds are enterprise ready! Slides will be available on blog.codingoutloud.com. During the Q&A Bill affirmed that Microsoft Azure will sign a HIPAA BAA.
Panel: Emerging Threats
Jack Daniel, Tenable
Paul Fletcher, AlertLogic
Jimmy Ray Purser, Illumio
Sorin Dediu, Bitdefender
Robert Slocum, ForcePoint
Scott Drucker, SecureAuth
Moderator: Ken Patterson
I’ll admit I had a little bit of fanboyism listening to Jack Daniel in person instead of just on Paul’s Security Weekly.
Ken Patterson kicked things off by pointing out that, "If you wait long enough, the threats won't be emerging." He then solicited audience concerns: cloud-specific threats and responses, IoT, how to prioritize, and threat actors. He then started with his own question, but before that Jack compared him to a bad manager: "Thank you for your input, I'm going to do what I want."
What Are Our Biggest Emerging Threats?
- Insider threats: That’s not even a well-defined or well-understood term.
- Skills: The defender’s dilemma from Microsoft and a lack of skills training. Jack reminded people: "What if we train our employees and they leave? What if we don't and they stay?"
- Asset inventory: Security starts with an accurate inventory of what's in our environment.
- Visibility: Microsoft said the day before that they see a 200-day dwell time for breaches.
- Educating your end users: Users are still the weakest link.
Ken mentioned a couple of interesting data points: the value of a health care record is $393, while the value of other records is $157.
Cloud-specific Threats and Responses
Everything is as-a-service with cloud-specific threats, including "malware-as-a-service." They even offer SLAs. Almost all threats are cloud-based at some point. Cloud services do not provide consistent security practices. Paul Fletcher spoke about their experiences with their honeynet. Jack noted that "the fundamentals still apply: you can just screw up at scale in the cloud."
[I noticed that nobody talked about pets and cattle. I find this a useful and important paradigm of living in the cloud, but it might not fit into the audience’s non-cloud view where everything is a pet.]
The discussion started with an anecdote of a high ranking government official worried about his pacemaker being attacked via Bluetooth, so now we don't have that anymore. IoT allows for new types of threats. For example, an attacker can turn off your server room locks and then crank up the heat to destroy all the equipment and data. One panelist described how his company helped a customer deal with an attack on their server room and backup data that started through their refrigerator. Paul said in response: “Two words: Network segmentation!”
How Do We Prioritize?
Jack started by pointing out that if something is the number one threat in my environment, don't assume it's number one in your environment (even if we're in the same industry). "It comes down to people," said another panelist. You need well trained people. "Trust is the most important thing." Then Jack responded with "Don't outsource incompetence. We can all be incompetent ourselves for much cheaper."
Robert Slocum summarized this part of the discussion:
- Start with smart people
- Inventory your systems and data
- Know who creates the risk
- What's the process?
Preventative defense spending is 86% of the budget, leaving only 14% on visibility. We spend too much money on preventative defense and not enough on visibility. He urged us to balance our spending. Don't just buy five products that all protect against the same threat.
- Start with current employees and internal threats.
- Think about how the American industrial revolution occurred with us stealing technology from Britain, only it took years. Now it’s much faster.
- The collapse of the US chemical industry, largely unpublicized, was due to Chinese cyber-espionage.
Social engineering is still an easy way in. A panelist related a story about someone zipping up an entire corporation's worth of W-2s in response to a telephone call from a person claiming to be the CFO. Sorin warned that more Blitzkrieg-type attacks are coming. The entire panel cautioned those present to be careful with attribution. We, as an industry and as a country, have an issue with profiling. A panelist shared the story of his son in Oklahoma who was pulled out of home because he wore a cowboy slicker after the Columbine shooting.
Last words: Machine learning will help. Visibility is key. IPv6 is coming. It’s “when was I” and not “if you were” hacked.