STE WILLIAMS

Customized Malware: Confronting an Invisible Threat

Hackers are gaining entry to networks through a targeted approach. It takes a rigorous defense to keep them out.

How secure is your network from unauthorized access?

Before you launch into a practiced response regarding your best-in-class firewall and robust antivirus software, you should know that the rapidly evolving malware landscape has rendered these technologies increasingly ineffective. Prolific, adaptable hackers are deploying customized malware to compromise networks throughout the financial services, healthcare, technology, and government sectors. However, it is possible to mitigate the risk.

What Is Customized Malware?
Customized malware is malicious software that has been modified to evade detection by traditional security technologies. Customized malware comes in many forms, including ransomware. The most common delivery method is through inbound email, by a phishing or spearphishing attack. Because traditional antivirus products provide signature-based detection, only malware variants whose algorithms have already been identified are successfully quarantined. Therefore, the modified variants escape detection at an alarming rate.

Whenever a new malware variant is identified, a detection signature (a “patch” for that specific threat) is created, distributed, and installed. In an enterprise environment, conscientious security administrators ensure that all new patches are installed as soon as possible. Unfortunately, the period that elapses between identification and analysis of a new variant and the distribution of an update is 30 to 90 days. In the interim, organizations are significantly exposed to the risk of a customized malware attack.

Although these undetectable threats have existed for several years, the widely publicized attack on Target provided an unprecedented glimpse of how customized malware is used. In that breach, the malware installed within the company’s network permitted a group of hackers, based in Eastern Europe, to perform extensive system reconnaissance and, ultimately, steal over 40 million credit and debit card numbers without ever being internally detected.

Shortly after the attack on Target, the United States Secret Service initiated an investigation and engaged iSIGHT Partners to assist in the forensic review. In January 2014, iSIGHT issued a report entitled “KAPTOXA Point of Sale Compromise.” The KAPTOXA report revealed that the malware variant used to attack Target had a 0% detection rate. Simply put, the malware was customized to be completely invisible.

Mitigation Approach
The evasive nature of customized malware requires the implementation of a multilayered approach to data protection and network security. Given that antivirus products have become increasingly ineffective in preventing these attacks, enterprises can’t rely solely on security technologies. An approach that combines employee education, threat containment, and network monitoring will reduce the risk of a customized malware penetration.

Education: Given that phishing and spearphishing remain the most prevalent delivery methods for initiating a customized malware campaign, it’s essential that enterprises provide all users with clear, practical guidance on how to identify and guard against this tactic. Management must recognize that all users, whether employees, contractors, or interns, are conduits for a malware exploit through a continuous barrage of “social engineering” overtures. Therefore, the most proactive method of preventing an attack is through workforce education. The education process begins with the distribution of a clear, current information security policy that provides specific, practical guidance.

The next element of effective cyber education is mandatory employee training. The curriculum must be aligned with the policy and include a discussion of employee responsibility, an explanation of prohibited activities, and a description of the consequences for violators. An ongoing training program is a central element of an organization’s cybersecurity program, without which users will engage in arbitrary and irresponsible behavior when using technology resources.

Containment: Although educating users will reduce an organization’s risk of being compromised by a customized malware attack, it doesn’t eliminate the threat. Through effective network segmentation, intruders may be contained within “segments” that do not house or process confidential information. Network segmentation is the process by which a network is divided into various subnetworks, letting an enterprise restrict segment access to only those with a clear business need. If intruders surreptitiously enter a “flat” network, one that hasn’t been properly segmented, they enjoy lateral movement and may gain access to payment applications, databases storing personal information, or intellectual property. In a properly segmented network, all critical technologies are isolated and the confidential data residing there is protected.

Think of your local bank. When you walk in, your access is restricted to the teller window and perhaps the branch manager’s office. The bank doesn’t permit customers unrestricted access from the lobby to the vault or safe deposit boxes. This is an example of a segmented physical environment but is analogous to network segmentation.

Monitoring: If implementing an employee awareness program and network segmentation fails to prevent an intrusion, system monitoring allows entities to identify and disrupt malicious activity. Although customized malware is undetectable by conventional firewall and antivirus technologies, the activities initiated by this harmful software are identifiable through network monitoring. For instance, although data-scraping malware may penetrate a retailer’s point-of-sale environment without detection, network monitoring would detect credit card data being exported from the infected terminals to suspicious, external locations.

Network monitoring is the process by which select components, such as customer databases, are continuously analyzed to detect unauthorized access. A variety of automated monitoring solutions provide the capability of generating real-time alerts of potential network threats. Network monitoring administered by properly trained staff gives an enterprise a final layer of protection against unauthorized access.
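As an added example (not the author's code, and not any product's), here is the kind of check the Containment and Monitoring sections describe, run over a constructed flow log: a hypothetical POS segment policy, and alerts for POS terminals that reach hosts outside that policy or push unusual volumes outbound. The segment addresses, allow-list, log format and volume threshold are all assumptions made for this example.

```python
"""Egress policy monitoring for a segmented point-of-sale (POS) network.

Added example, not from the article. Everything here is constructed for
illustration: the segment layout, the allow-list, the flow-log format
(timestamp src dst dport bytes, one connection per line) and the log lines.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


# Hypothetical segmentation policy: POS terminals live in one subnet and may
# only reach the payment gateway and the patch server, both over TCP/443.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTS = {
    ipaddress.ip_address("10.10.5.10"),  # payment gateway
    ipaddress.ip_address("10.10.5.20"),  # internal patch server
}
ALLOWED_PORTS = {443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# More than this many bytes from one POS host to one destination is suspicious
# (authorization traffic is tiny). Assumed value for the example.
VOLUME_THRESHOLD = 2_000_000


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes))


def is_external(addr) -> bool:
    """True when the address is outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> List[str]:
    """Return the policy violations for one flow (empty list means allowed)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in POS_SEGMENT:
        return []  # other segments have their own policies; out of scope here
    violations = []
    if is_external(dst):
        violations.append("external-destination")
    elif dst not in ALLOWED_DESTS:
        violations.append("unapproved-internal-destination")
    if flow.dport not in ALLOWED_PORTS:
        violations.append("unapproved-port")
    return violations


def analyze(lines) -> List[Tuple[str, str, str, str]]:
    """Run per-flow checks plus a per-pair volume check over a log window.
    Each alert is (timestamp or 'window', src, dst, violation)."""
    alerts = []
    volume: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        line = line.split("#", 1)[0].strip()  # allow comments in the sample log
        if not line:
            continue
        flow = parse_flow(line)
        for v in classify(flow):
            alerts.append((flow.ts, flow.src, flow.dst, v))
        volume[(flow.src, flow.dst)] += flow.nbytes
    for (src, dst), total in volume.items():
        if ipaddress.ip_address(src) in POS_SEGMENT and total > VOLUME_THRESHOLD:
            alerts.append(("window", src, dst, "high-volume-egress"))
    return alerts


# Constructed sample flow log: two terminals, one behaving, one exfiltrating.
SAMPLE_LOG = """\
2017-03-31T02:14:05 10.20.0.17 10.10.5.10 443 1840      # normal authorization
2017-03-31T02:14:09 10.20.0.17 10.10.5.20 443 512000    # patch download
2017-03-31T02:15:11 10.20.0.42 203.0.113.45 21 3145728  # 3 MB out to the internet
2017-03-31T02:15:12 10.20.0.42 10.10.9.3 445 20480      # file server not in policy
2017-03-31T02:16:00 10.30.0.5 203.0.113.45 443 900      # not a POS host
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print("ALERT", *alert)
```

The volume rule catches the case the article describes (card data leaving a terminal for an external host) even when the destination happens to be on an allow-list, while the destination rules catch lateral movement out of the segment.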

Customized malware poses an unprecedented risk to virtually all organizations. Organizations that fail to understand the dynamic nature of this situation and adjust their approach accordingly are at imminent risk of a cyberattack and the consequences that accompany these incidents.


John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of …

Article source: http://www.darkreading.com/vulnerabilities---threats/advanced-threats/customized-malware-confronting-an-invisible-threat/a/d-id/1328524?_mc=RSS_DR_EDT


Android under siege from malware – here’s how to protect your phone

The SophosLabs 2017 malware forecast warned that smartphone infections are skyrocketing, especially in Android devices. The latest Nokia threat report backs up that assessment, showing how mobile malware spread faster than any other sinister code last year. Among other things, the report said:

  • Android phones and tablets accounted for 81% of primary targets.
  • Malware infected approximately 1.35% of all mobile devices in October – the most since Nokia started tracking it in 2012.
  • Overall infection rates rose 63% sequentially in the second half of 2016.
  • Smartphones were the top malware targets by a large margin, making up 85% of all mobile device infections in the second half of the year.
  • Smartphone malware attacks surged nearly 400% over the previous year.
  • Far fewer attacks targeted iOS-based phones – just 4%. The dominant malware in those cases was Spyphone, software that tracks the users’ calls, social media apps, text messages and GPS locations.

Meanwhile, Nokia’s report cited major vulnerabilities in devices connected to the Internet of Things (IoT). The best example of that came in the form of October’s coordinated assault against Dyn, one of several companies hosting the Domain Name System (DNS). In that attack, Mirai malware was used to hijack internet-facing webcams and other devices to turn them into massive botnets that were then pointed at Dyn. The attack crippled such major sites as Twitter, Paypal, Netflix and Reddit.

Android under siege

Nokia’s finding that Android devices are a top target matches up with what SophosLabs reported in its malware forecast, released in February during RSA Conference 2017. SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.

When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk was the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%).

In addition to malware, Android was found vulnerable to a variety of hacking techniques. In one such case, researchers found that attackers can crack Pattern Lock within five attempts by using video and computer vision algorithm software.

Earlier this month, meanwhile, researchers at Palo Alto Networks discovered 132 Android apps on Google Play tainted with hidden IFrames linking to malicious domains in their local HTML pages. Interestingly, the malware was Windows-based. SophosLabs showed additional research tracing that malware back to a developer who goes by the name Nandarok.

Defensive measures

Though Android security risks remain pervasive, there’s plenty users can do to minimize their exposure, especially when it comes to the apps they choose.

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BAzZk1lkxXM/

Facebook, Google, etc: Yeah, yeah, we’ll work on the nasty stuff about bombs – but we ain’t doing no backdoors

Big Tech has told the UK government it will do more to remove extremist content from their networks, but has refused to offer concessions on encryption.

Following a meeting between Britain’s Home Secretary Amber Rudd and communication service providers, called in the aftermath of the murders in Westminster, senior executives from Facebook, Google, Microsoft and Twitter put out a joint statement.

“Our companies are committed to making our platforms a hostile space for those who seek to do harm and we have been working on this issue for several years,” the statement reads, adding: “We share the Government’s commitment to ensuring terrorists do not have a voice online.”

In order to do that, the companies said they would “look at all options for structuring a forum to accelerate and strengthen this work.”

The letter outlines three ways to do that:

  • Improve automatic tools to remove extremist content.
  • Help other companies to do the same.
  • Support efforts from “civil society organizations” to “promote alternative and counter-narratives.”

The statement is more notable for its omissions than its promises, however. There is no mention of timelines either on taking down such content, or on taking action. There is no promise to remove such content. There is no offer of firm resources. And the only actual project referred to is the “innovative video hash sharing database that is currently operational in a small number of companies.”

Crucially, there is no mention at all of the other pressing issue – encryption.

Reading material

Two days after the attack, Amber Rudd made headlines by arguing that the authorities must have access to the communications of the attacker – Khalid Masood/Adrian Ajao – and specifically highlighted Facebook-owned chat app WhatsApp that she said Masood had used on the day of the attacks.

The Home Office put out its own short statement following the meeting in which it also glossed over the encryption issue, noting that the meeting “focused on the issue of access to terrorist propaganda online.”

Rudd said she “welcomes the commitment from the key players to set up a cross-industry forum,” but pointedly notes that she would “like to see the industry go further and faster in not only removing online terrorist content but stopping it going up in the first place.”

Another recent critic of tech companies on this topic, chair of the Home Affairs Select Committee Yvette Cooper, called the outcome “a bit lame.”

“All the Government and social media companies appear to have agreed is to discuss options for a possible forum in order to have more discussions,” Cooper complained. “Having meetings about meetings just isn’t good enough.”

Social media companies in particular are under fire in Europe over the ready availability of extremist material and the apparent ease with which extremists communicate among themselves and with others on systems run by large Western corporations.

The issue is complicated by the fact that most of those corporations are based in the United States and so have a strong belief that removing or even blocking content is tantamount to censorship and breaks the First Amendment.

Europe takes a different approach to what constitutes fair or free speech and has threatened to introduce legislation obliging social media companies to remove extremist content or face large fines and lawsuits. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/tech_giants_uk_home_sec_encryption/

WONTFIX: No patch for Windows Server 2003 IIS critical bug – Microsoft

Microsoft will not patch a critical security hole recently found and exploited in IIS 6 on Windows Server 2003 R2 – the operating system it stopped supporting roughly two years ago.

The buffer overflow bug can be exploited to inject malicious code into a vulnerable machine and execute it, allowing an attacker to gain control of the computer. It requires WebDAV to be enabled. If you have such a machine exposed to or reachable from the internet, and you get hacked, maybe you deserve it.

On Monday, details of the vulnerability and proof-of-concept exploit code were published on GitHub: the code is attributed to “Zhiniang Peng and Chen Wu. Information Security Lab School of Computer Science Engineering, South China University of Technology Guangzhou, China.”

Apparently, the “buffer overflow in the ScStoragePathFromUrl function in the WebDAV service” was “exploited in the wild in July or August 2016.”

Shodan.io – a search engine for internet-facing devices – has found hundreds of thousands of servers still using IIS 6.0, and about 20,000 machines using Windows Server 2003. Not all of them will be exploitable. In any case, Microsoft has indicated it won’t fix the bug.

“This issue does not affect currently supported versions,” a spokesperson told The Reg. “We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection.”

The vulnerability in the IIS WebDAV component allows an attacker to run code remotely on a target system by sending an overly large ‘If’ header entry in a PROPFIND request. Done right and the target is pwned, but even a malformed ‘If’ header can cause a crash.
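As an added example (not from the article, Microsoft, ACROS or the exploit authors), here is a detection check a reverse proxy, WAF or IDS could apply to the request shape described above: a WebDAV method carrying an oversized ‘If’ header. The 1024-byte limit, the header-folding handling and the sample requests are constructed assumptions; it is a tripwire for hosts that cannot yet be upgraded or have WebDAV disabled, not a replacement for either.

```python
"""Flag WebDAV requests whose 'If' header is implausibly large.

Added example, not from the article. It parses raw HTTP request text the way
an inline proxy or IDS would see it and returns a verdict. The byte limit is
an assumed threshold: legitimate If headers hold a resource URL and a lock
token or ETag, so they are short.
"""
from typing import Dict, List, Optional, Tuple

IF_HEADER_LIMIT = 1024  # assumed; tune from your own traffic
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, List[bytes]]]:
    """Split the request line and headers.

    Header names are case-insensitive and may repeat, so values are kept in a
    list per lowercased name. Obsolete line folding (a continuation line that
    starts with SP or HTAB) is merged into the previous header so that a
    folded If header is measured as one value rather than two short ones.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method = parts[0].decode("ascii", "replace").upper()
    target = parts[1].decode("ascii", "replace")
    headers: Dict[str, List[bytes]] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last][-1] += b" " + line.strip()
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # skip garbage lines; do not fail open on a parse error
        last = name.strip().decode("ascii", "replace").lower()
        headers.setdefault(last, []).append(value.strip())
    return method, target, headers


def inspect(raw: bytes) -> Dict[str, object]:
    """Return the method, total If-header size and a suspicious flag."""
    method, target, headers = parse_request(raw)
    if_values = headers.get("if", [])
    if_len = sum(len(v) for v in if_values)
    return {
        "method": method,
        "target": target,
        "if_header_count": len(if_values),
        "if_header_bytes": if_len,
        "suspicious": method in WEBDAV_METHODS and if_len > IF_HEADER_LIMIT,
    }


# Constructed sample requests (no exploit content; only header sizes vary).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example.test\r\nDepth: 1\r\n"
          b"If: <http://files.example.test/docs/> (<opaquelocktoken:constructed-1>)\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: files.example.test\r\n"
             b"If: <http://files.example.test/" + b"A" * 3000 + b">\r\n\r\n")
FOLDED = (b"PROPFIND / HTTP/1.1\r\nHost: h\r\nIf: <http://h/" + b"B" * 800
          + b"\r\n " + b"B" * 800 + b">\r\n\r\n")
NOT_WEBDAV = b"GET / HTTP/1.1\r\nHost: h\r\nIf: " + b"C" * 3000 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("oversized", OVERSIZED),
                      ("folded", FOLDED), ("not-webdav", NOT_WEBDAV)):
        print(name, inspect(req))
```

The GET case is left unflagged on purpose: the rule is scoped to WebDAV methods, which is where the article places the bug, so a site that wants to be stricter can widen WEBDAV_METHODS.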

Now that a Python-written exploit has been fully published, malware operators will be quick to integrate it into attack code. According to the latest data, the US leads the world in Server 2003 R2 systems online, with China a close second, and the pickings could be rich for canny operators.

But before you rush to criticize Microsoft, it should be remembered that the R2 version is about ten years old, and mainstream support ended for it on July 13, 2010. Microsoft carried on emitting security and essential patches for the software until July 2015, but there’s a limit to how long Redmond – or indeed the vast majority of software companies – will continue to support outmoded operating systems.

However, there is a fix if you’re concerned, thanks to third-party patchers at ACROS Security in Slovenia. The firm has made it its business to offer alternative patches for Microsoft flaws and this one is no exception.

“Owners of these servers each have their own story, their own set of constraints to work within, and their own budgets that they would rather spend for something other than upgrading a server that works,” said ACROS CEO Mitja Kolsek.

“To help maintainers of Windows Server 2003 computers block almost inevitable attacks under these unfavorable circumstances, we decided to provide them a free solution: a micropatch for CVE-2017-7269, which they can apply on their machines not only without rebooting, but also without even restarting Internet Information Services.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/microsoft_wont_patch_server_2003/

Researchers steal data from shared cache of two cloud VMs

A group of researchers, one from Microsoft, say they can extract information from an Amazon Web Services virtual machine by probing the cache of a CPU it shares with other cloudy VMs.

A paper titled Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud (PDF) explains the challenges of extracting data from CPU cache, a very contested resource in which the OS, the hypervisor and applications all conduct frequent operations. All that activity makes a lot of noise, defying attempts to create a persistent communications channel.

Until now, that is: the researchers claim they’ve built “a high-throughput covert channel [that] can sustain transmission rates of more than 45 KBps on Amazon EC2”. They’ve even encrypted it: the technique establishes a TCP network within the cache and transmits data using SSH.

The results sound scarily impressive: a Black Hat Asia session detailing their work promised to peer into a host’s cache and stream video from VM to VM.

The paper explains that this stuff is not entirely new, but has hitherto also not been entirely successful because it’s been assumed that “error-correcting code can be directly applied, and the assumption that noise effectively eliminates covert channels.”

The authors knock both of those arguments over, the first by figuring out a way to handle errors and the second with a method of scheduling communication between two VMs.

The paper details those efforts extensively, names them a “Cache-based Jamming Agreement” and offers you working code on GitHub so you can build your own all-in-cache covert channel, either on-premises or in the cloud.

Getting this going in the cloud is non-trivial, because you must first figure out how to get two VMs running on the same host. A 2015 paper titled A Placement Vulnerability Study in Multi-Tenant Public Clouds found that’s possible in Amazon, Google and Azure, and is cited by the authors of “Hello from the Other Side.”

Yes, this is a little esoteric. But it also shows why many users are willing to shell out for dedicated instances in their chosen clouds. We can also see that secure multi-tenancy may have a way to go. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/researchers_steal_data_from_shared_cache_of_two_cloud_vms/

Is this a solution to Trump signing away your digital privacy? We give Invizbox Go a go

Hands-on: How fast things change: once upon a time (last week), Tor was seen as a tool for the paranoid and the criminal. VPNs were aimed at safeguarding traffic over insecure hotel and conference Wi-Fi networks – or for business.

But following a Congressional vote this week to effectively scrap digital privacy rights and give US ISPs the right to sell pretty much any data they can gather on you without needing to seek permission (or even inform you)… suddenly it doesn’t seem so crazy.

With President Trump having already indicated he will approve the “congressional disapproval” vote of FCC privacy rules, it is only a matter of days before your personal information becomes the property of some of America’s largest corporations.

What can you do about it? We’ve advised several things: particularly, setting up your own trusted VPN – if you’re confident on how to do it – and installing browser extensions that will encrypt website connections. There’s also the Tor network, which has its up and downsides.

Of those, using a VPN is top of the list because it acts as an effective block to your ISP being able to follow you around the internet. But signing up for a VPN provider, or getting on Tor, securely can still be a hassle and requires enough steps to put most people off.

Fortunately there may be a simpler solution: the Invizbox Go.

More than a year ago, we wrote about the Invizbox – an Ethernet connected box that gives you an instant connection to Tor, protecting your privacy in one simple step. The product was good, if not perfect. And it differentiated itself by relying on open source software as well as allowing for firmware upgrades.

The main point of it is to route your internet traffic through Tor or a VPN, and do this separately from the computer you’re using. This potentially thwarts attempts by ISPs – and to be honest, the Feds – to track you, because all packets must go through the box, and out to the internet via Tor or your VPN provider. Any efforts by snoops to smuggle out a signal from your computer, to unmask your true public IP address and work out where you are and what you’re doing, will still go through the router, and out via Tor or the VPN, thus confusing the digital trail back to your home, office or hotel room.

Portable protection

With that in mind, we were really interested in the company’s next iteration: a portable Tor router that uses Wi-Fi rather than a cable and includes VPN access, as well as acting as a Wi-Fi extender and a USB charger. The company raised its goal of €100,000 on Kickstarter and in January this year, it shipped.

Unfortunately for Invizbox, literally days later the digital certificate included with the box’s VPN service expired, requiring a firmware upgrade that, thanks to the product’s security standards, was not a quick and easy solution.

And so the Invizbox Go has sat in a drawer at El Reg offices waiting on the ideal time to pull it out, update the firmware and test the product.

And that time is now.

Let’s jump straight to the conclusion: if the fact that your ISP can now sell your personal data has you looking for a solution and you’re willing to pay for it, and you’re not happy with setting up your own VPN, then the $99 Invizbox Go is a potentially terrific option.

You can pay that and get two months VPN for free (thereafter $5.50 a month) or you can pay the company more upfront (for one or two years) and save on VPN fees. If you are really serious, $399 will get you a lifetime of VPN, the company promises.

By the way, we must state this: if you choose to use Invizbox’s VPN, you are essentially trusting them completely with your privacy. Your internet traffic will flow through their VPN systems and out to the world. Therefore, your unencrypted connections to the ‘net can be examined by the company, or they can be compelled by governments to grant access. Similarly, if you use Tor, you are trusting whoever is running the Tor exit node you happen to be using to not snoop on you. It is essential that you encrypt as much, or all, of your traffic as possible – using HTTPS Everywhere, and so on – if you route through Tor or someone else’s VPN.

With that said, the box itself is the same size as an iPhone and what it does is create its own Wi-Fi network that you connect your devices to. Once you’ve gone through setting up the gizmo (a five-minute job), the box handles all the VPN and Tor issues for you, so you connect to it and away you go.

That’s a pretty neat solution for a lot of people. Especially since it comes with very little hassle: you turn the box on by pressing on its case, you put its SSID at the top of the list of networks for your phone/laptop to connect to, and you’re done. What’s more, you also have a phone charger and a Wi-Fi extender if needed.

Practicalities

There are, of course, some practical issues:

  • The box has to be charged. It charges through a USB cable so you can connect it to your laptop port while using it. But if not connected and charging, it should easily last a whole day. So treat it like your phone in terms of battery power and you should never run out of juice.
  • You have to connect it to an available wireless point. You’ll only have to set it up once but you will have to do so at each location: at home, at work, at your favorite coffee shop. This requires you logging into the box and connecting to the wireless point through its interface. It’s an additional step but not a big one.
  • You don’t have a choice of VPN supplier – Invizbox has partnered up with IPVanish and you sign up for them through the box. Fortunately IPVanish appears to be a respected VPN company and – crucially – one that promises not to log or sell your data. But if you have your own VPN service already, you won’t be able to connect to it through the Invizbox.
  • You have to choose Tor or VPN. You can’t do Tor over VPN. And if you want to use Tor you need to select it in the Invizbox interface. If you want to switch to VPN, you need to go in and change your choice. Fortunately the interface is extremely simple and easy to use, but if you switch a lot between the two, it will, again, be an extra step.

In terms of security, Invizbox seems to be doing a very decent job of ensuring that it is difficult to compromise either the box or your account.

When it arrives, the box comes with its own custom and complex password – no defaults here – and of course you are free to change the SSID and the password. An included card also has VPN login details that are, again, custom and complex.

The company is constantly updating its firmware – it’s on 1.2.1 right now and updates have been put out at the rate of roughly once a month. Your Invizbox can be set up to update automatically every 24 hours or if you want control of the process, you can download and upgrade yourself offline.

We wouldn’t go so far as to say the system is NSA-proof (what is?) but if you are serious about protecting your personal data in the wake of Congress’ decision to kill off privacy protections and you are willing to spend $100 upfront and another $65 a year on a VPN – and you trust the VPN provider to be true to its word – then this is a product you should seriously consider. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/invizbox_solution_for_digital_privacy/

Minnesota, Illinois rebel over America’s ISP privacy massacre, mull fresh info protections

President Trump has yet to sign off on congressional legislation that allows American ISPs to sell their subscribers’ online habits to advertisers – but US states aren’t waiting for his signature and are moving to protect their constituents’ privacy.

On Tuesday, the Minnesota House of Representatives introduced legislation to ensure that those living in the state would have to give written permission to their internet providers before they could sell details of their private internet activities. The legislation easily passed through the House.

The following day, Minnesota Senator Ron Latz (DFL‑St Louis Park) introduced an amendment to a budget bill that would require ISPs to get written consent from customers before selling off their browser histories to marketers.

Republicans tried to block the move by insisting it go through a committee stage, but Senator Warren Limmer (R‑Maple Grove) crossed the aisle and voted to ensure the amendment was considered. It was then added to the bill by a 66‑1 vote, with one Republican senator voting against, arguing that more study of the issue was needed.

Once the state’s Senate and House have worked out the final wording of the privacy safeguards, the bill will be passed to the governor to sign – and then it’s live.

“We should be outraged at the invasion that’s being allowed on our most intimate means of communication,” Limmer told the Twin Cities Pioneer Press. “This … urgently needs to be addressed.”

Illinois, too, has decided to fight back with its own ideas. On Thursday, the state’s Cybersecurity, Data Analytics and IT Committee approved two new privacy measures. One would allow state residents to demand what data companies such as Comcast, Verizon, Google and Facebook are sharing about them. The other would require consent before an app can track users’ locations. The bills are in an early stage of development, and are still being debated.

Several other states are said to be considering legislation in response to Congress’ new rules eliminating privacy protections for internet users in America. Public opinion isn’t in favor of letting ISPs have a free hand. If you’re hoping Donald will scupper efforts to open up people’s private data to advertisers, forget it: the White House said in a statement that Trump’s advisors “would recommend that he sign the bill into law.” ®

PS: How about the time Google – the online advertising giant that once had dreams of becoming an ISP – wrote to the FCC strongly in favor of scrapping opt-in privacy protections for online browser histories?

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/30/states_rebel_against_isp_internet_history_grab/

Payment Card Industry Security Compliance: What You Need to Know

A quick refresher on all the different PCI SSC security standards that are relevant for organizations that accept electronic payments.

In the dynamic world of payments, transaction security is of paramount importance. When we speak with our customers and partners, the topic of payment security and Payment Card Industry (PCI) compliance always comes up. Although there is a lot of useful information about payment security available, the industry is also filled with many questions regarding PCI. So, with the latest PCI Data Security Standard update and the release of the latest security standards for payments terminals, now is a great time to provide a quick refresher on PCI compliance and the various security standards merchants need to know.

The PCI Council and its various Security Standards
The Payment Card Industry Security Standard Council (PCI SSC) is a global, open body created to develop, enhance, distribute, and assist with the understanding of security standards for payment security. The council also provides critical tools needed to implement various security standards. Below is a list of all the different security standards from PCI SSC that are relevant for organizations that accept electronic payments.

1. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) covers the security of the cardholder data environment, the IT systems that process, store, and transmit credit and debit card information. Most merchants are familiar with PCI DSS through their annual assessments. As the threat landscape that merchants and payments providers face is not static, neither are the standards for the protection of the cardholder data environment. PCI SSC has released updates to version 3 (the latest being version 3.2) in response to those evolving threats.

2. PA DSS
The Payment Application Data Security Standard (PA DSS) covers security for payment applications that access cardholder data. A payment application is software that is developed to help merchants process electronic payments, including magnetic stripe, EMV (Europay, MasterCard, and Visa), and contactless transactions. This standard ensures that third-party payment applications properly handle cardholder data and meet industry best practices for secure application development.

3. PCI PTS
The Payment Card Industry PIN Transaction Security (PCI PTS) standard is a set of technical and operational requirements for payment terminals focused on protecting cardholder data. The PCI PTS standard is modular, covering hardware and firmware security requirements to protect against physical, logical, and network tamper attacks. The PCI PTS requirements now include security requirements for open protocols — such as TCP/IP, TLS, Bluetooth, and USB — and the ways cardholder data are read and encrypted through the Secure Reading and Exchange of Data module.

PCI PTS standards are updated on a three-year cycle. Unlike most other PCI standards, PCI PTS does not involve point-in-time assessments. Instead, terminals are submitted to approved third-party labs for evaluation against the then-current PTS version. On approval, a Letter of Approval (LOA) is issued with the validity period for the evaluated version of the specification.

Version 1: LOAs expired April 30, 2014
Version 2: LOAs expire April 30, 2017
Version 3: LOAs expire April 30, 2020
Version 4: LOAs expire April 30, 2023
Version 5: LOAs expire April 30, 2026

Terminal manufacturers can’t ship a terminal once the LOA for the terminal has expired; however, repairs and warranty replacements are still allowed. The expiration of a terminal’s PCI PTS LOA does not, per se, affect the ability of a merchant to continue to use the terminal. Sunset dates for terminals are set by the individual card brands and PCI, both of which recommend that merchants choose terminals that meet the highest security standards and also meet their specific needs.

4. PCI P2PE
The Payment Card Industry Point-to-Point Encryption (PCI P2PE) standard is a set of security requirements that cover all aspects of a P2PE solution, including the payment terminal, terminal application, deployment, key management, and decryption environment. PCI P2PE validated solutions are the “gold standard” for the protection of cardholder data. Merchants that use PCI P2PE validated solutions receive significantly reduced scope of their PCI DSS assessments through the use of Self-Assessment Questionnaire P2PE. PCI P2PE validated solutions are listed on the PCI SSC website.

Who Needs to Be PCI Compliant?
Accepting electronic payment involves handling of sensitive cardholder information, and keeping it secure needs to be a top priority for businesses that accept, process, or transmit credit card information. In simple terms, if you accept electronic payments for selling goods or services, your business needs to be PCI compliant. Businesses that fail to meet the relevant PCI compliance standards not only put sensitive cardholder data at risk, but they’re also subject to heavy fines.

Evolution of PCI Standards
The technology to accept payment is constantly evolving, and so are the ways to protect sensitive customer information, such as credit card details, from cyberthreats. The PCI SSC is constantly working toward improving its security standards to align with the changing needs of the payments industry. The last iteration of the PCI DSS standard expired in October 2015, and a new version, PCI DSS 3.2, will be enforced starting in November. These updates include a number of clarifications, updated guidance, and some new requirements. You can read more about the new version on the PCI Security Council’s website.

Dr. Robert Martin serves as Vice President of Security Solutions, Ingenico Group/North America. Dr. Martin is active within several industry security bodies and has been involved in the technical and product end of the payments business since 2000. Prior to joining Ingenico …

Article source: http://www.darkreading.com/compliance/payment-card-industry-security-compliance-what-you-need-to-know/a/d-id/1328517?_mc=RSS_DR_EDT

The Business of Security: How your Organization Is Changing beneath You

And why it’s your job to change with it and ‘skate where the puck is headed.’

I’m a security professional, but I’m also an MBA graduate and student of organizational design and behavior. It’s my business background that has shed light on a few major trends that are changing organizations as we speak. Like most major changes, they are happening at an incremental pace, and are not obvious to the naked eye. But they represent a tectonic shift that will define how security professionals operate in the decades ahead.

Consider, for example, the fragmentation of centralized IT. Today, more and more IT services are delivered by technologists embedded within business units, not via centralized IT organizations run by all-powerful CIOs. This used to be referred to and dismissed as “shadow IT.” But what might have been thought of as a rogue operation is now an accepted approach to delivering IT services across the enterprise.

Several trends are combining to accelerate this metamorphosis. Topping the list is the adoption of outsourced cloud services. Cloud services are bought and implemented by business chiefs without the prior approval or buy-in of CIOs – think salesforce.com being contracted by a VP of sales, or online job application SaaS platforms being adopted by HR. Couple the cloud transition with the consensus for businesses to move faster, embodied in system and product development delivered via Agile and DevOps approaches.

Goodbye to Imperial CIOs
The old model of centralized IT and business units with well-defined organizational boundaries is changing: IT production is being embedded inside the business units via cross-functional teams that spin up and spin down as projects begin and end. A likely outcome of this change is the gradual weakening of what I call “the imperial CIO” – the all-powerful IT leader who can drive business agendas and tolerate long-term development cycles for key business projects.

The challenge for security professionals will be to recognize this dispersal of centralized IT and to adapt a coverage model for security services that reflects the new reality. Perhaps the highest priority will be to stay close to business initiatives and company-wide capital expenditure (CAPEX) projects to understand how new operating models and technology platforms will need to be secured. These are typically well-funded, have CEO support, and provide the opportunity for security professionals to embed protections early in the development process to get upstream of potential weaknesses. This means strengthening relationships with business line owners, and it gives security leaders the opportunity to add value on important projects instead of being perceived as saying “no” to potential risks.

In addition to fragmentation, organizations are restructuring to be more project- and product-driven. This complexity will strain static identity management constructs, and put positive pressure on security leaders to understand who is doing what, what they need to access to be successful, and when they need to be deprovisioned afterwards. Simply put, security leaders need to better understand where security functions are needed, irrespective of organizational charts, and focus even more on embedding security protections at the earliest stage of the project. More broadly, we need to adapt for change, or to steal a popular metaphor in use in business circles, to skate where the puck is headed.

The Faster Tempo of Business
Competitive pressures, breathtaking technological changes, and a variety of other external pressures have increased the pace of business substantially. This speed is embodied along a progression of two steps. First, organizations are moving from inflexible waterfall methods to Agile development methods in order to better integrate application development and business concerns. The second step is the onward evolution of DevOps where Agile developers break down barriers between the development and operations teams. Automating the entire software development process from code commit to deployment highlights how DevOps approaches can further squeeze cycles out of the software deployment process.

These changes represent a challenge and an opportunity to security leaders because they turn the existing ‘waterfall’ approach to software development upside down. It will be more important for security leaders to make sure they are invited to the earliest design meetings, so they can inject security use cases into the software development process. Up-front security guidance will be needed because opportunities to test new features before they get deployed may simply not exist. Instead of 11th-hour vulnerability scans before products go live, we now have an opportunity to architect in security scans, getting upstream of the deployment process. Finally, security experts should focus more energy on identifying attack patterns in live environments.

The Evolving Worker
In the not too distant past, most companies were staffed by employees, or what we now call FTEs (full-time equivalents) or “badged” employees. That employment model mirrored the relatively static nature of the enterprise networking environment that security was tasked to protect. A defined network perimeter protected everyone inside the network from outside the network. Today’s employment model has turned this upside down. Now you have full-time employees, part-time employees, temp-to-perm hires, long-term contractors, short-term staff augmentation, offshore resources, interns, and other types of employment categories that your HR department can describe for you. To make matters more confusing, internal organizations are changing to be more project- and product-based, reflecting the fluid nature of the business itself.

For the security worker, the challenge will be to identify who has access to what, when. An evolving organization drives more complex identity management, which is the foundation and starting point for security. But it will also demand tighter coordination with the business to understand how employment and contract roles have changed in order to harmonize access controls. Supporting project-based IT capabilities that are built up and torn down on a weekly basis is also key to adapting. The SharePoint collaboration site to support the CEO’s secret M&A project is a good example of this type of quick-requirement capability. Understanding how and when to turn off access to protect the business will also be increasingly important in this ever-changing environment.

The businesses we serve as security practitioners are changing at a faster pace today than at any other time since technology was introduced in the 1980s. Some changes are obvious, others less so. Savvy security leaders must learn to take advantage of these changes to further security goals and to protect their evolving organizations.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As …

Article source: http://www.darkreading.com/endpoint/the-business-of-security-how-your-organization-is-changing-beneath-you/a/d-id/1328526?_mc=RSS_DR_EDT