While talking with Forrester analyst John Kindervag about IT security trends this week, we discussed the issue of educating companies about PCI DSS compliance. Of course, compliance is part of what PCIS helps companies achieve through a range of boxed services, so it came up naturally enough in the conversation. And as some of our readers may know, Kindervag is an expert on PCI DSS, so it was a great opportunity for us to learn as well.
PCI DSS stands for Payment Card Industry Data Security Standard. It is a worldwide security standard enforced by the founding members of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) to ensure that vendors and merchants protect your credit card information when they process transactions. Even though the PCI standard has been around for some time, many companies have still not heard of PCI, much less taken steps to improve their security measures.
Kindervag wrote an excellent analysis a while back entitled PCI Data Security Standard compliance: Setting the record straight. It’s a clear overview of some issues in PCI DSS that I’d like to follow up on in a series of posts here.
Myth #1: PCI Compliance is hard
One objection companies raise to undertaking PCI compliance is that it’s hard. As Kindervag points out, what they usually mean is that they think it’s expensive. According to a Forrester study, The State of PCI Compliance, American and European companies seeking to meet PCI standards typically spend 1 to 5 per cent of their IT budget on the task.
While that can be significant in total dollar outlay, it seems entirely reasonable when looked at as insurance against a security breach in which records are exploited, which could cost between $9 million and $14 million even before the credit card companies get around to assessing fines for PCI non-compliance. (Check out Tech//404’s handy Data Loss Calculator, which lets organizations get more accurate numbers on what to expect from a data security breach.)
For companies that already follow good security practices, the additional cost of PCI compliance may be negligible. The benefits of good security practices were clear even before PCI was developed, and for organizations that have already done these things, PCI compliance is not hard at all. It pays to be proactive.
Vaclav Vincalek December 17th, 2008 02:11:04 PM
More than half of small-to-medium businesses plan to spend more on IT over the coming year to help increase productivity in a tougher economic climate, according to a new study from CompTIA Research (Thanks for the tip, Laptop Security Blog).
In the past, IT spending has been the first thing to get cut during hard times. Not any more. The use of technology is already so entrenched across industries and departments that managers realize IT is no longer a fancy optional extra – it’s at the core of an organization’s ability to maintain operations.
Now crafty professionals will be looking at ways they can spend a buck on IT to save – or earn – five. This is a huge change: IT is now recognized as a “need”, not a “want”.
The people in charge of spending the bigger IT budgets will be careful to avoid the nice-to-have purchases and zero in on the must-have items.
That new version of your application, which might give you some fancy options if you ever have the time to learn them, might be out. But the firewall that needs updating can’t be put off. The same goes for the network security assessment.
The increased spending will go to investments that affect the bottom line, cash flow and security. The upside of a downturn is that it forces businesses to keep a sharp eye on their budget priorities.
Vaclav Vincalek December 5th, 2008 05:35:31 PM
Why Do Hackers Hack?
The online threats to business operations that I've been discussing on this blog aren't going away anytime soon. That's because when it comes to hacking, the promise of high rewards outweighs the risk of getting caught.
A ringleader of the group that stole 40 million credit card numbers from TJX made more than $11 million from his criminal activity (SearchSecurity.com). This was an extreme case (or so we hope, since much hacking goes undetected), but it’s safe to say that hackers who sell the hundreds or thousands of credit card numbers and other records they can extract in minutes make good money.
IT security analysts suggest cyber criminals earn $40,000 to $60,000 per attack (Information Week).
Meanwhile, just one out of every 7,000 cyber criminals gets convicted, although it could be as low as one out of every 600,000, suggests Lloyd Hession, chief security officer at British Telecom’s global financial services division (Wall Street Journal).
Why is it so hard for law enforcement to crack down on hackers and reduce the ratio of risk to reward? Here are a few reasons:
1. Without application layer firewalls and network firewalls (and someone actually watching the logs and alerts they produce), it is difficult for IT security experts, and impossible for everyone else, to detect hacking attempts directly. Attacks are often only inferred from symptoms: web applications or computers that slow down, or bank accounts that are emptied unexpectedly. No detection => no reporting of a crime => no investigation => hacker drives away in a new BMW.
2. Even when you find out you’ve been hacked, tracking down the hacker isn’t straightforward. Hackers have plenty of ways to disguise where they are really coming from, such as routing their traffic through other compromised machines.
3. Diplomatic immunity? Not quite, but close enough to protect the bad guys. A lot of hackers operate from places with weak legal systems, where lawmakers have little incentive to crack down on cyber crime that disproportionately exploits us supposedly rich, decadent Westerners, meaning they're targeting everyone from Bill Gates down to the poor owner of a small corner hardware store that finally got around to posting a website.
The ratio of risk to reward? Not even close. That’s why hackers hack.
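Point 1 above is really about direct detection versus inference. As an added illustration, not part of the original post, here is a small Python script showing what the simplest form of application-layer detection looks like: it reads web server access log lines and flags the classic probes (SQL injection strings in the query, path traversal, a known scanner's User-Agent, a burst of 404s from one address) that would otherwise only show up as "the site feels slow". The log lines, the IP addresses and the signature list are all constructed for the example and deliberately minimal; a real application-layer firewall carries far larger rule sets and normalizes input more thoroughly.

```python
"""Added example (not from the original post): naive application-layer
detection over web server access logs. Log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache/nginx "combined" format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2008:13:55:36 -0800] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2008:13:55:38 -0800] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2008:13:55:40 -0800] "GET /index.php?id=1%20UNION%20SELECT%20card_number%20FROM%20orders-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Nov/2008:13:56:01 -0800] "GET /../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; Nikto)"
198.51.100.22 - - [10/Nov/2008:13:56:02 -0800] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; Nikto)"
198.51.100.22 - - [10/Nov/2008:13:56:02 -0800] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; Nikto)"
198.51.100.22 - - [10/Nov/2008:13:56:03 -0800] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; Nikto)"
192.0.2.9 - - [10/Nov/2008:13:57:10 -0800] "GET /products.html HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# One line of the "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical, deliberately small signature set; a real WAF has far more.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'|--\s*$|;\s*drop\b)"),
    "traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd)"),
}
SCANNER_UA = re.compile(r"(?i)(nikto|sqlmap|nessus|nmap|masscan)")
NOT_FOUND_BURST = 3  # this many 404s from one IP is treated as enumeration


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return a list of (ip, kind, detail) findings for the given log text."""
    findings = []
    not_found = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Decode URL-encoding once so "%27" is seen as the quote it really is.
        path = unquote(rec["path"])
        for kind, pat in SIGNATURES.items():
            if pat.search(path):
                findings.append((rec["ip"], kind, path))
        if SCANNER_UA.search(rec["ua"]):
            findings.append((rec["ip"], "scanner-ua", rec["ua"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n >= NOT_FOUND_BURST:
            findings.append((ip, "enumeration", f"{n} x 404"))
    return findings


def suspicious_ips(log_text):
    """Distinct source IPs with at least one finding, sorted."""
    return sorted({ip for ip, _, _ in detect(log_text)})


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip:15} {kind:12} {detail}")
```

Run it as a script to print the findings; detect() returns plain (ip, kind, detail) tuples so the logic can be unit-tested or handed to an alerting system. Note the unquote() step: without decoding %27 first, the quote in the injection string would never be seen, which is exactly the sort of gap attackers exploit in naive filters.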
Vaclav Vincalek November 27th, 2008 03:08:12 PM
Let’s face it: convincing companies to be proactive and take a holistic approach to web and network security isn’t always an easy gig. Many companies "get it"; unfortunately, many more remain in denial. Their response is like poking your fingers in your ears and saying "la-la-la, I can't hear you".
Some objections are pretty standard. For example:
“We haven’t budgeted for a security analysis, so we’re unable to do it.” OK, understood. No money to check for potential attack vectors that could cost your business time, money and effort. I understand; many IT departments are challenged with doing more with less these days.
Consider this: have you budgeted for the damage-control campaign when all your customers’ financial information ends up in the hands of Joe Hacker, who in turn resells it to willing buyers? In that same budget, are there funds set aside for emergency IT work to plug security holes that could have been identified before the attack? Then there is the added chore of reporting to the company's executives that an attack took place, and that it was both foreseeable and preventable.
I'd much rather tell my boss what the problems were than have them learn about it from an angry customer. By knowing in advance what needs to be secured, you can plan for the costs of securing your applications, rather than paying many times over to solve it when a crisis occurs.
Another objection goes:
“We’ve never had a problem in the past. Why do we need help with IT security? Our website is so small nobody will try to attack us.” I'm sure the IT managers at eBay and CIBC raised the same objection before they had some very public problems with web application security.
Waiting for a security incident to justify the investment is like waiting to buy car insurance AFTER you have an accident. My experience has been that small businesses have a lot to be concerned about. With limited monitoring resources, a compromised web application at a smaller company can operate for weeks undetected. By the time security is discussed, it is more often during a crisis than as part of planning to avoid one.
I think perhaps one of my favourite objections to security assessments has to be the following:
“My staff and I are so busy, we don’t have time for IT security scans or testing.” Again, lack of resources is not an excuse for lack of planning. Security analysis is a highly specialized discipline, and it is unrealistic to expect a day-to-day IT team to match the depth of analysis a third-party consultant focused on this area can provide, likely at less cost to your business.
Many firms contract and outsource IT services so that the work is delivered on demand, not when someone finally gets around to it. The other advantage is that the detailed reporting makes your department look like geniuses, both for identifying risks and for obtaining an actionable plan to deal with them. Let someone else do the work; you take the credit.
“I don’t have time to take care of IT security” is the very reason companies should seriously consider outsourcing this critical part of maintaining their organization’s electronic assets. Your web applications and network aren't going to fix themselves.
(Contributed by Emerson Killam, PCIS Web Security Analyst)
Vaclav Vincalek November 24th, 2008 05:12:14 PM
As I’ve mentioned before on this blog (What are Strangers Doing With All of Your Information?), when you willingly hand over your information to Google via Gmail or a third-party application, they own it. Once they own it, they can sell it.
But businesses, non-profits and individuals willingly provide this information because it’s convenient. They assume that this information is protected, perhaps out of a projected sense that it ought to be.
So the development of Google Health has caught my attention. Now you can store your medical records online. Your medical information is some of the most private data you’ve got, and when hospitals turn it over to a private company, the data is no longer protected by regulations like HIPAA (as noted in a recent Technologist column by Steven Levy). Nonetheless, there is definitely a trend for public institutions to put this information into third-party web apps like Google Health before we have better security.
Google has millions of dollars to spend on security, but the people uploading their data need only browse a hacked site and pick up spyware on their own PC to make that multi-million dollar investment pretty much irrelevant: a keylogger on the user's machine sees the records and the login credentials before Google's defences ever come into play.
The point is that while there may be efficiencies, possibly even life-saving ones, in putting this data into third-party online databases, the framework isn’t quite there yet. So long as the vast majority of Internet users are vulnerable to spyware and other threats, the system is not a good place to store your most private information.
The movement of all business functions to virtual apps is definitely happening, but my advice to businesses looking into it is to hold off a little while longer… at least until you're willing to accept the risk.
Vaclav Vincalek November 7th, 2008 02:04:19 PM
It is a scary time for those of us concerned with IT security. Just in time for Halloween comes a report that zombie PCs are spreading their evil about as fast as the rotting-flesh versions do in the movies. According to Microsoft’s Internet Safety Enforcement Team (quoted in the New York Times), it takes less than five minutes for a computer to become infected and join the horde of 300,000 computers worldwide that are already under the control of unscrupulous hackers.
Zombie PCs are computers that have been taken over by hackers to send spam, hunt for private financial information and install malicious software that infects more PCs. Any computer that goes online is vulnerable.
As the NYT article suggests, computer owners are well advised to run commercial malware detection programs, use a firewall and install security patches for their operating systems and applications. As well, talk to your trusted IT expert. The more of these you do, the better. Remember, a hacker has to get into your PC only once.
If all else fails, get the zombie in the head.
Vaclav Vincalek October 31st, 2008 05:03:18 PM
