52 posts categorized "compliance"

July 27, 2011

The Case For Breach Insurance

For the last year or so at The CISO Group in addition to helping payment processors with their merchants PCI compliance needs we have been offering a low cost, no deductible breach insurance policy. 

For literally a few dollars a month, a small merchant can obtain a no questions asked breach insurance policy that will cover even the costs of a forensic audit in case of a suspected breach.

It amazes me how processors and merchants resist this no-brainer.  Of course the most common retort is that they don’t need it because a breach “would never happen to them”. Still others though try to claim that they already have insurance under their general liability insurance. I have told them repeatedly “go check the fine print” I don’t think it covers data breach.

Well now the Sony case is showing that indeed general liability insurance does not cover data breaches. My friend Ericka Chickowski had an article about this in Dark Reading the other day detailing how Sony’s insurers are stepping back from defending the various class action suits being filed against Sony.

In the case of processors and ISOs there is even more of a compelling reason. If any of their merchants can not meet the fines, losses and costs of a breach incident, they could be responsible. Spread that out over the thousands of merchants the represent and their exposure becomes pretty significant. Why would one not want to sleep well at night?

Anyway, anyone selling security knows what it is like to sell insurance. Even though it seems to be an easy decision, it is not always so easy.

Related articles
Enhanced by Zemanta

Posted at 09:37 AM in CISO, compliance, General Security | | TrackBack (0)

July 01, 2011

Marketing 2007 Security in 2011 or LCD Security Marketing

I was reading an interview with an executive from a nameless security vendor the other day and the point he was making was that their security products are necessary because “hacking is now a for profit enterprise”. How absolutely 2007.

Most of the examples of hacking incidents he brought up were attributed to LulzSec or Anonymous. Those are not examples of “for profit enterprises”. They were exactly the malicious and “to show we can” type of attacks that he said disappeared 15 years ago. Not to mention that while cyber-war, cyber-terror and cyber-espionage all have a “profit” in mind, it is not exactly the same “for profit" as the Albert Gonzalez gang stealing credit card data.

In fact recent attacks if anything show that we may in fact be entering a new era of hacking and security that calls the whole responsible disclosure and “ethical hacking” issues into a new light. So why talk about security drivers circa 2007 halfway through 2011?

At first I chalked it up to having people who really don’t have any security background and not living security being put in a position where they are forced to talk about it. But then I thought about it some more. It is more than just another empty suit talking about security, it is a chronic problem in the security industry.

I have heard it from other security executives too. When speaking to customers and the public they don’t think the audience is sophisticated enough to really “get it”. So instead of giving it to them straight, lets give them what they can understand. It is LCD (least common denominator) security marketing. Give them something simple enough that they can put their mind around it, that has examples that have already been established in the public consciousness. This way we don’t have to explain too much and we don’t have to open the kimono about our solutions being perhaps only an inch deep. KISS, keep it simple stupid. If only the world really worked like that though.

But why should we be surprised with least common denominator security marketing when too many security companies sell least common denominator security solutions. You know, the check box security that allows people to say they have complied, but leaves them defenseless when LulzSec and the like put them in their sites.

I think the whole thing is an outgrowth of the old enterprise security vendor approach of watering and “dumbing down” their solutions for the mid-market.  It didn’t work then and LCD security and LCD security marketing doesn’t work now. 

Yes, you may fool some people for some of the time, but you can’t fool all the people all the time and sooner or later it catches up with you.  The people and organizations relying on the security industry deserve better and we as an industry should be better than that!

Related articles
Enhanced by Zemanta

Posted at 04:44 PM in compliance, General Background, General Security, other security companies, Security Consulting, the security industry | | TrackBack (0)

March 29, 2011

Webinar about DLP for Mid-Size Health Care with Palisade Systems

Image representing Palisade Systems as depicte...

Image via CrunchBase

My friends at Palisade Systems are hosting a webinar on April 6th on mid-size health care organizations using DLP to comply with regulatory requirements and cost-effectively improve their security and data protection posture.

Richard DeRoche, information technology director for Lutheran Life Communities (LLC), a mid-size and growing provider of healthcare services, will be talking about how he has used the Palisade’s DLP solution.  I will be joining Richard on the panel, along with Guy Helmer, Ph.D., CTO of Palisade Systems.

Palisade Systems, besides being a great solution for the SMB DLP market is a big supporter of the Security Bloggers Network and has for years been a sponsor of the Security Bloggers Meet up at RSA.

On top of this, Guy Helmer blogs himself on the InfoLoss blog. If you haven’t read any of his stuff, you should check it out for sure.  He usually has some great content. Of course Guys’ blog is part of the Security Bloggers Network as well.

The webinar is at 11am eastern time on April 6th. It will be recorded and available to download and listen as well. Of course if you aren’t on live, you can’t ask questions.  So if you can, don’t miss it.

You can register for the webinar at http://palisadesystems.com/webinar-event/.

Please join me and learn a little bit about DLP and Palisades Systems.

Related articles
Enhanced by Zemanta

Posted at 10:59 AM in compliance, General Security, links and appearances, other security companies, security bloggers network | | TrackBack (0)

June 07, 2010

Ashimmy’s Law of PCI and Weasels

weasels So I have been dealing with merchants, PCI and payment processors for about the last 6 months.  During this time I have had the chance to speak to literally hundreds if not thousands of merchants. 

My observations have led me to a keener understanding of what is actually going on in the merchant world regarding PCI.  I call it Ashimmy’s Law of PCI and Weasels.  It states:

The more high risk and ethically questionable a merchants business is and the greater the risk of fraud and loss is, is directly inverted to the amount of money and resources they will designate for PCI compliance.

Think about it.  The very merchants who are the real targets of PCI compliance, the ones with the most to lose, are the same merchants who are always looking for an “angle” to skirt the compliance regulations and refuse to put any resources into becoming compliant.

Yet the poor level, 4 brick and mortar merchant who isn’t storing credit cards or anything is the one who wants to know what he can do to lower his risk of fraud.

Meantime the guy selling penis enlargement creams, anti-wrinkle lotion and magazine subscriptions is only looking to see how they can get out of putting any dollars towards protecting the customers credit card info. 

But of course it is these same merchants who are the ones keeping the credit card info on file.  I had one last week explaining to me the logic of why he has to keep his card data environment in front of the firewall, so that his people could access it, rather than putting it behind the firewall. 

Setting up a VPN and putting the data behind the firewall was just too much work for him.  Another weasel who doesn’t care about his customers card data, while he is raking in a half a million dollars a month selling “supplements”.

There should be a “weasel class” merchant whose liability will be enough to make them take PCI seriously.

Posted at 02:29 PM in compliance | | TrackBack (0)

April 16, 2010

The wild, wild west of PCI

Sorry for not blogging all week but I have been at the 20th annual ETA (electronic transaction association) conference at the Mandalay Bay Hotel in Las Vegas.  This was my first time attending the ETA show. I was very much looking forward to being at a non-security show of end users who are dealing with PCI everyday.

WOW! What an eye opener on many levels.  First the payment processors and merchant service providers. Even at this late date, they don’t believe the PCI Council is serious about enforcing PCI compliance on Level 3 and Level 4 merchants. After speaking to these people, I am convinced it is going to take the council making a few examples to show them they are truly serious.

Secondly, these same people just don’t see the lower level merchants as any appreciable risk. In spite of the fact that 85% of incidents take place at that level, they just refuse to acknowledge the fact.

Next, they believe that as long as they have a program in place, they have done their part. If the merchants don’t want to participate, so be it. They charge the merchant for the program. They pocket the money. Most of them only pay their PCI partner on completed merchants. The less amount of merchants who actually go through it, the more money the processor puts in his pocket. Risk be damned.

But the processors are not the only ones to blame here. There is a class of vendor who knows absolutely nothing about PCI who are the culprits here. They are offering ASV scanning and help with filling out SAQs for a dollar a merchant.

I spoke to two or three of these vendors. They were software developers who develop reporting software. They knew next to nothing about PCI or information security. They took the PCI council SAQs put them in a report format, cobbled together a scan or made a flat price deal with an ASV and that is it.

I asked them if they had ASV engineers reviewing the scans. They looked at me like I was crazy. One of these companies, DDS says they do this:

  • Merchant Services
  • Customer Service
  • Agent Bank Reporting
  • ISO Reporting
  • Fraud Monitoring
  • Management Reporting

Yet there they were pushing PCI compliance for a dollar a merchant. Sounds like they are security experts right?

Instead of taking the opportunity to reach perhaps the most important members in the payment card food chain, snake oil salesmen are pushing solutions that give a whole new name to checkbox compliance and security.

Faced with this, is it any wonder that PCI has not done enough at the Level 4 merchant level?

Posted at 08:48 AM in compliance, links and appearances, the security industry, tradeshows | | TrackBack (0)

April 08, 2010

Alert Logic Walks the Walk and Talks the Talk, Texas Style

Over the years I have hammered many a private company for putting out puffy press releases (usually right before RSA) touting “another record year”.  Just recently I came down on both Forescout and Bradford Networks for just these sort of “record number” releases without giving out the record numbers.

By the same token I feel obligated to call out a private company who put out a record year release and put up the goods to back up the talk.  Alert Logic, providing cloud security and compliance solutions, based down in Houston, evidently had a great Q1 in 2010. In fact it was the best quarter in the company's history.

Alert Logic is on track for a 13+million dollar revenue run rate. It promises to make its complete financial results public in a short time. Their CEO, Gray Hall attributes the record revenue to “doubling down” their bet on the hosting industry as their primary channel.  Seems like it is working for them.

I for one appreciate the transparency. If you are going to talk the talk, you should make damn sure you walk the walk and the Alert Logic crew is doing just that.  Good for them!

Related articles by Zemanta

Reblog this post [with Zemanta]

Posted at 12:50 AM in cloud, compliance, other security companies | | TrackBack (0)

November 17, 2009

The return of the Captain Renault award

It has been sometime since I have handed out a Captain Renault award. I thought they were going to be retired. For those who don’t remember the immortal Captain from the film Casablanca:

casablanca Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

So who is so deserving to pull this award out of its retirement? None other then the Ponemon Institute (I am sorry I just think of Pokemon whenever I hear that name, but it may have to do with me having young sons).  They were recently commissioned by Lumension Security to conduct a survey on the global state of endpoint security.  Some of the results they came up with were not surprising to say the least:

In the US, for both IT Security and IT Operations personnel only about 40% of the respondents felt that their organizations CEO was a big supporter of security and data protection. 

No kidding Sherlock, welcome to the world of the security pro. Isn’t that the biggest problem in security, getting executive buy-in to do what has to be done?  But here is the real irony and problem in security, go ask those CEO’s from the 60% of organizations where the IT staff does not think the CEO is a big supporter - and they will tell you with a straight face, that they absolutely are big fans of security. In fact it is one of our top three priorities!  How long have we all heard that fairytale?  How many times are analysts and institutes and others who sit and talk to these people going to swallow and regurgitate to us that our CEOs think security is a top priority? There is an old saying where I come from.- actions speak louder than words! Until we see more action and less talk around supporting security, things are not going to change.

There were equally dismal responses around whether an organization was putting enough resources in place for security and data protection and whether security was strategic across the organization.  Again obvious to those of us doing this everyday, but shocking to the crowd who keep telling us security is a top priority all the time. One thing interesting is that across the board, international responders were more optimistic then their US counterparts. That is encouraging.  In fact consistently the responders in Germany had the most encouraging responses about security and data protection. Not sure what they are doing right over there, but good for them.

There is actually a ton of other good data that the Lumension folks have made available in both a pdf of the report and a ppt file. If you get a chance, you should really download and have a look.

Posted at 10:30 PM in compliance, General Security, other security companies, the security industry | | TrackBack (0)

August 21, 2009

SAS 70 Type II – Should you care?

SAS70Logo In technology and certainly in government we seem to live by an alphabet soup of acronyms. Often times these names take on a life of their own and people don’t even remember what they stand for and why they are important. A great example is HIPAA (or as some people refer to it, HIPPA).  People will tell you vaguely it is regarding health care information and that is very often good enough.  So what does complying with HIPAA mean?  Well that is for another article, but another example is the SAS 70, Type II.  We see this one all the time.  Is a type 70 better than a type 69? Would a SAS type 71 better than a 70? Is there a type 69 or 70?  Do you even care? What about Type II versus Type I? What is the difference?

Lets start with some basics for those of you reading this and too ashamed to admit that you have no idea about the answers to these questions. I found an excellent site called SAS70.com (surprise). Here are some definitions:

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).  A service auditor's examination performed in accordance with SAS No. 70 ("SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes.  In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.  In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format.  The issuance of a service auditor's report prepared in accordance with SAS No. 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.  The service auditor's report, which includes the service auditor's opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

Service Auditor's Reports
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report.  There are two types of Service Auditor's Reports:  Type I and Type II.

A Type I report describes the service organization's description of controls at a specific point in time (e.g. June 30, 2003).  A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period (e.g. January 1, 2003 to June 30, 2003).  In a Type I report, the service auditor will express an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

That is a great start. In the next article in this series we will examine why its important to you.

Reblog this post [with Zemanta]

Posted at 08:04 AM in compliance, General Background | | TrackBack (0)

August 12, 2009

Heartland CEO thought QSA’s would make him compliant and secure

Bill Brenner (one of my favorite real media types) has a great interview up on CSO online with the CEO of Heartland. Robert Carr, Heartland Payment Systems CEO blames his QSA’s for not investigating the already known “common attack vector” that allowed the malware to be planted on his systems. In reading the article it was pretty apparent to me that he made a common mistake. He thought the QSA’s where there to make him both secure and compliant.  They are not the same and the QSA job is tomake him compliant. I guess they did, but that didn’t help him be secure.

Of course after the fact everyone gets religion.  Carr says that PCI is just a minimum set of standards and does not make you secure.  Mr Carr that does not make your QSA audits fraudulent as you call them though. It just means you were only compliant. But PCI was not the only thing Carr was compliant about. He was compliant with not taking security seriously.  Doing the minimum and spending the minimum to do what he had to. Now of course he is creating industry groups to share security info. He is spending millions on security products to protect and encrypt.

Isn’t that the real travesty of our industry though?  Only after the cows have run out and the barn has burned down does anyone really give a crap.  Even by his own admission with what happened to him and his company, when he goes to talk to others in his industry the feeling is still it can’t happen to them. What will it take? Does every single one need to to have a security incident?

I am sorry to say that this just proves what many of us already knew. People don’t take security seriously until it is too late!

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 11:17 PM in compliance, Current Affairs, General Security, identity theft | | TrackBack (2)

August 06, 2009

Do SMB’s (or others even) want to move beyond the checkbox?

There has been much discussion lately about the fact that being PCI compliant does not necessarily make you secure.  The simple answer is of course it doesn't. It does make you compliant perhaps, but not truly secure. The regulations were meant as a minimum, not as the be all, end all.  But with that being the case, what makes you think that most businesses, especially SMB’s give a hoot.  For most of these people being compliant is where its at.  They have not budget or will to move beyond that whether it be SaaS, MSSP or anything else.

So it was with a chuckle I read Steve Smith’s Alert Logic blog post on how and why SMB’s should be moving beyond checkbox compliance. Steve what makes you think they want to? In fact the evidence is overwhelmingly that they don’t.  Once you get past Steve’s somewhat annoying incessant Alert Logic selling (hint: Steve be a little less “sales-y” in your blog posts), Steve reverts to a FUD argument.  Citing the Pokemon (spelling mistake intentional on my part) Institute, Steve talks about how expensive a data breach can be.  But my experience is that most SMBs and even larger companies don’t believe it will happen to them. Getting them to spend money based upon the fact they could suffer an incident is a tough sell in the current economic environment. It is the herd mentality. They know someone is going to get burned, but there are so many, what are the odds of it happening to them.  It is only after the fact that they believe it can happen to them.

Here is the bottom line: The best customer for a security vendor – product, SaaS or MSSP (and Steve MSSPs give customers control over their security too, if they want it, which is a whole other story) is one who has already had a security breach.  They get religion real quick after an incident.  But trying to convert one who has not had an incident is better left to missionaries.  In other words, companies are told they have to meet PCI guidelines to do business. That is the bar they are going to aim for.  Asking to them go beyond that is pushing rope up the hill I am afraid.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 10:48 AM in compliance | | TrackBack (1)

« Previous | Next »
My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search

Categories

Blog powered by TypePad
Member since 10/2005

About