GETTING READY FOR PCI DSS 3.0 AND BEYOND: A NEW FOCUS ON TESTING

October 14, 2014

To get a sense of where the PCI Data Security Standard (DSS) is heading, it helps to take a look beyond the actual language in the requirements. In August, PCI published a DSS 3.0 best practices document that provided additional context for the 12 DSS requirements and their almost 300 sub-controls. It’s well worth looking at. The key point is that PCI compliance is not a project you do once a year just for the official assessments.

The best practice is for DSS compliance to be a continual process: the controls should be well-integrated into daily IT operations and they should be monitored.

Hold that thought.

Clear and Present Dangers

One criticism of DSS is that it doesn’t take into account real-world threats. There’s some truth to this, though the standard has addressed the most common threats at least since version 2.0—these are the injection-style attacks we’ve written about.

In Requirement 6, “develop and maintain secure systems and applications,” there are sub-controls devoted to SQL and OS injection (6.5.1), buffer overflows (6.5.2), cross-site scripting (6.5.7), and cryptographic storage vulnerabilities (6.5.3)—think Pass the Hash. By my count, they’ve covered all the major bases—with one exception, which I’ll get to below.
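To make the 6.5.1 control concrete, here is an added example (not code from the original post or from Varonis) showing the injection defect beside its fix. It uses Python’s standard sqlite3 module with a constructed, fake cardholder table, and the table name, column names and sample values are assumptions for illustration only:

```python
import sqlite3

# Constructed sample data (fake, masked values) for a tiny cardholder table.
SAMPLE_ROWS = [
    ("alice", "4111-****-****-1111"),
    ("bob",   "5500-****-****-0004"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (username TEXT, masked_pan TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The 6.5.1 defect: untrusted input is pasted straight into the statement."""
    sql = f"SELECT username, masked_pan FROM cardholders WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound parameter keeps the data separate from the SQL text."""
    sql = "SELECT username, masked_pan FROM cardholders WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign name and with a textbook tautology string
    (the kind of test input a vulnerability scanner sends) and return the rows."""
    conn = make_db()
    benign = "alice"
    tautology = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

The vulnerable lookup returns every row for the tautology input, which is exactly what a 6.5.1 test is meant to catch; the parameterized version returns nothing because the driver treats the whole string as a literal username. Any code review or scan scheduled as part of “business as usual” should be looking for the first pattern.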

The deeper problems are that these checks aren’t done on a more regular basis—as part of “business as usual”—and the official standard is not clear about what constitutes an adequate sample size when testing.

While it’s a PCI best practice to perform automated scanning for vulnerabilities and try to cover every port, file, URL, etc., it may not be practical in many scenarios, especially for large enterprises. Companies will then have to conduct a more selective testing regimen.

If you can’t test it all, then what constitutes an adequate sample?

This question is taken up in some detail in the PCI best practices. The answer they give is that the “samples must be sufficiently large to provide assurance that controls are implemented as expected.” Fair enough.

The other criterion that’s supposed to inform the sampling decision is an organization’s own risk profile.

Content at Risk

In other words, companies are supposed to know where cardholder data is located at all times, minimize what’s stored if possible, and make sure it’s protected. This information then should guide IT in deciding those apps and software on which to focus the testing efforts.

Not only should testing be performed more frequently, it’s also critical to have a current inventory, according to PCI, of the data that’s potentially hackable—let’s call it data at risk—and users who have access.

For Metadata Era readers, this is basically the Varonis “know your data” mantra. It becomes even more important because of a new attack vector that has not (yet) been directly addressed by PCI DSS. I’m referring to phishing and social engineering, which have been implicated in at least one of the major retail incidents in the last year.

Unlike the older style of injection attacks that targeted web and other back-end servers, phishing now opens the potential entry points to include every user’s desktop or laptop.

Effectively, any employee receiving an email—an intern or the CEO—is at risk. Phishing obviously increases the chances of hackers getting inside and therefore raises the stakes for knowing and monitoring your data at all times, not just once a year.


WHAT’S YOUR REPUTATION WORTH?

October 7, 2014

During this past year, we’ve been reminded (too) many times that data breaches are costly and damaging to a company’s reputation. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, the average total cost of a data breach—which can include credit monitoring, legal fees, remediation, and customer loss—for the companies that participated in the research report increased 15%, to $3.5 million USD. Also, the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9%, from $136 in 2013 to $145.[i] In short: failure to protect sensitive data has a quantifiable cost, and the theft of that data has bottom-line implications. However, are C-level execs viewing files and emails containing customer records and other sensitive information as bits and bytes on a disk, or do they view them as piles of unprotected cash?

Unfortunately, it has been much more of the former, based on the huge data heists of the last year. The tide, though, may finally be changing. Here’s what HP CEO Meg Whitman had to say about the cloud, security, and Big Data:

“When I am with my fellow CEOs…these are three areas that me and my colleagues are worried about…Every CEO lives in fear of a Big Data breach, loss of data, a hack into the system that compromises our company’s reputation. And reputations take years and years to build and can be destroyed overnight.”

Our guess is that executives will have no choice but to join Ms. Whitman and start weighing the potential impact of data loss and how it can evaporate years of trust and brand equity in a heartbeat.

Unsure if your environment is well-protected? Get a free 30 day risk assessment! Varonis will show you where your sensitive content is, who has access to it, and more.

[i] http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/


Specialist Legal Application Hosting Provider, C24, showcases the latest in business intelligence software to Legal Firms.

October 1, 2014

C24, an Applications Hosting Provider, showcased their Business Intelligence analytics platform, BI24, to legal firms at the Alternative Legal IT Conference 2014 earlier this month.

Held annually at the Belfry in Sutton Coldfield, leading technology suppliers to the UK Legal sector were present to meet with law firms and demonstrate how the sector could benefit from next generation technology solutions.

C24’s Business Intelligence analytics platform was on display, with C24’s technical specialists offering live demonstrations to clients throughout the day. Demos included showing how legal firms were using their internal data to understand how they could achieve savings across Work In Progress cases, who their top fee earners were and general fee trends and operational statistics to help make better business decisions, amongst many other topics. BI24 is a business analytics platform that centralises data and information and provides search engine functionality across the entire organisation, and is particularly helpful to legal customers who require holistic visibility of client and internal operations.

C24 has worked with numerous legal clients to deliver innovative business intelligence and hosting solutions. A recent win at Wright Hassall, a leading UK law firm, uncovered a number of challenges common to the legal sector, such as increasing demand from clients for more granular visibility of case activities and the need to drive further efficiencies across the organisation.

Martyn Wells, IT Director at Wright Hassall LLP, commented, “Expedient and insightful analytics are now essential in an industry where data hungry clients demand precise and granular views of activities conducted on their behalf. It is becoming increasingly clear that the days of monolithic data warehouse are over, and we sought a much more contemporary and agile solution; one that our users would understand and use intuitively.”

David Ricketts, Head of Sales and Marketing at C24, commented, “C24’s on-going focus on the legal sector means that we are continually developing a significant portfolio of legal and professional services clients, and events like the Alternative Legal IT Conference and the Thomson Reuters Vantage Show enable us to connect directly with our legal clients and showcase the next generation technology in the law industry. The response to the business intelligence demonstrations using live data that we delivered at the show was fantastic and we are already speaking to a number of large law firms about how they too can benefit from increased visibility and business insight across their organisation.”

About C24
C24 is an enterprise applications hosting provider based in the West Midlands, delivering infrastructure hosting, business intelligence software and document management capabilities to clients across the globe. C24 works closely with key technology vendors and partners to deliver best of breed private cloud hosting solutions to customers, and is a HP Cloud Agile Service Provider Partner and a Microsoft Gold Hosting Partner.


Wearable Quadcopter Drone Makes for Next-Level Selfies

September 30, 2014

Nixie, the work of team leader Christoph Kohstall, project manager Jelena Jovanovic, and team member Michael Niedermayr, is a flexible, lightweight quadcopter designed to be worn on the wrist until needed. As Kohstall explains in the project’s finalist introduction video, “you should be able, with a gesture, to tell the quadcopter to unfold. Then, it’s going to take off from your wrist,” and, with guidance from its Intel Edison chip, “it knows where you are, it turns around, [and it] takes a picture of you.” When the user is satisfied with the shoot, Kohstall adds, the gadget “comes back; you can catch it from the air, and put it back on your wrist.”

A range of camera-equipped quadcopters have been on the market for some time, but Kohstall realized, with the help of his team, that the next step toward convenience and an improved user experience would be making a quadcopter drone wearable. In the team’s videoed interview, Jovanovic remembers early brainstorming moments:

Christoph came over one day, and he said, ‘I have a new idea for a quadcopter.’ And he looked at me with this mischievous grin, and he said, ‘I want to make your quadcopter wearable.’ And I thought, what?

The other wearable finalist projects include an “emotional prosthesis” gadget, an open (source) bionic hand and even an infant-monitoring chip called Babyguard. The ten teams of young entrepreneurs and developers selected as finalists are now developing their proposals into working, marketable prototypes with Intel’s help. Winners will be announced during the project’s final event on Nov. 2 and 3, with just one team claiming top honors and the $500,000 Make It Wearable Grand Prize.

http://www.psfk.com/2014/09/wearable-quadcopter-takes-drone-selfies.html


C24 customer survey 2013 – 2014 results are released

September 15, 2014

Great news from the team at C24: the customer survey results for 2013-2014 are in. An infographic of some of the highlights, plus a company update, is below. If you would like further information or would like to discuss C24 with one of the team, please feel free to call or visit us at http://www.c24.co.uk



C24 add further law firms to their client portfolio

September 15, 2014

The team at C24 have also recently won the managed services and hosting contracts for two UK law firms. If you would like more information on the solutions we are providing in this space, please visit our stand at:
22nd and 23rd – Thomson Reuters Elite VANTAGE 2014 EMEA Regional Conference, which will be held at the Park Plaza Westminster Bridge Hotel in London. Building upon last year’s success, we will continue to ensure our clients have a cohesive and similar conference experience no matter their location. When you attend VANTAGE, you can trust you are experiencing the highest quality events in the industry.
16th and 17th – The Alternative Legal IT Conference which focuses only on your needs, the needs of mid-tier firms. This ensures that all the speakers, case studies and solutions are appropriate to your size, your budget and your experiences.

