Conversation with Branden Williams on PCI and the Cloud, Part 3

VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist. Today we go beyond the cloud and get Branden’s thoughts on other gaps in PCI 2.0, as well as other network security trends.

VPN Haus: Other than cloud, what do you think was missing from PCI DSS 2.0? What are the most/least useful updates?

Branden Williams: I believe there are still a few things that need to be addressed in PCI DSS. This version introduced language around Virtualization, but completely missed the cloud discussion which as you noted above is more important to fix right now. The Council may get left behind without either appropriate training for QSAs, better Q/A around the process of an assessment with respect to cloud services, or guidance specific to what QSAs should look for in a compliant cloud solution. Sampling is also still a big issue. I believe one of the issues around variance is the fact that there is no standard sampling methodology—it’s up to the QSA to describe their methods and come to some sense of feel-goodery around the population of systems they must assess. A statistically valid sampling methodology would produce more consistent results. Wireless (specifically Wi-Fi) security still falls abysmally short on the detection and protection side. The encryption is where it should be as a baseline, however, companies can easily add additional layers of encryption stronger than the implementations of WPA or 802.11i.

VPN Haus: Is there anything else related to network security that you’d like to mention?

Williams: Big trends for the next few years until the next revision of PCI DSS include things like a push to cloud/utility computing and cloud-based services, a push to mobile computing where the device is not important (and potentially not even owned by the business, yet allowed to work on business assets), and more inspection of data flows and ownership. For example, with technologies like tokenization making it in the mainstream payment processing environment, merchants may no longer need to be an authoritative source for payment card data, their process would. Companies will look to find providers to own the responsibility of shepherding the data throughout its lifecycle instead of doing it themselves to reduce risk.

Conversation with Branden Williams on PCI and the Cloud, Part 2

This week, VPN Haus continues its conversation with Branden Williams, a seasoned information security specialist, about PCI and the cloud.

VPN Haus: Because of PCI 2.0’s lack of clarity on the cloud, do you think most merchants will only move non-PCI related data to the cloud – until they get more guidance from the Council?

Branden Williams: Frankly, I don’t think the virtualization bit should have been added into PCI DSS 2.0. That’s a training issue. But since they did add it in, I bet merchants and service providers will look to the Council to provide guidance on cloud. Companies should approach cloud from a security and data perspective. Regulated data should probably not be put into a public cloud, but catalogue or other public data could certainly be. It’s not an all or nothing approach. Savvy IT and IS managers will look at the spread of options and implement what makes most sense for each type of service. Companies waiting for the Council to tell them what to do will be missing out on one of the biggest economic shifts in IT services of our generation. Their competitors will pass them by.

VPN Haus: You’ve compared physical security with network security. What are some lessons learned from physical security that IT administrators can use? Obviously you can’t use someone’s body language to determine intent with network security…or can you?

Williams: Interesting concept, could you use body language to determine intent? I think it depends on the distance we are talking about. If you can physically observe the body language of the individual, you may be able to determine intent. But if you cannot see the individual, you can use analytics of their activities to determine intent. Most companies avoid this activity because they struggle with justifying the cost versus the risk. The cost gets a bit out of control when you have multiple entry points with multiple applications and business lines. It would be pretty easy to do this for a small company with only one corporate location and a website with a single function. Attackers get crafty and disguise their gentle testing of the environment, and without context or other types of fingerprinting, it’s difficult to track one individual over a period of time. If you assume people are already in the network or always knocking on your door, you create a layered approach to security just like you would in the physical world (supply closets, data centers, and other sensitive areas often require additional badge access).

RSA 2011: Video Interview with Walter Conway

VPN Haus spoke to Walter Conway of 403 Labs on the show floor at RSA 2011, and he said “cloud, cloud, cloud” is this year’s key trend.

Companies are still wondering what to put in the cloud—low value applications, such as an HR system or high value applications, like payment systems or information with PII (person identifiable information).  Discussions about cloud still linger because people know the economics behind it, but are unsure on how fast or where to move.

Forward Thinking with Anton Chuvakin: Network Security Predictions for 2011, Part 2

By Anton Chuvakin

• Mainstream security in the cloud:  Yes, Qualys and a few others have been doing it since 1999 and a few cloud security providers has been absorbed into large entities (latest, sort of). But I suspect that in 2011 we will see much more of “ approach to security of … now in the cloud.” By the way, I mean REALLY using SaaS/PaaS/IaaS cloud options and not “press-release cloud” like many do today.

• “New” types of incidents:  Going on limb, I predict a few large (and very damaging) breaches, NOT involving regulated PII, but good old secrets. Wikileaks mentality + cybercrime resources = a fun year!

• SIEM for dummies:  OK, this is another risky one. As you know, there is no leader in the SMB/SME SIEM market and I am really looking for somebody to climb on that hill. The world needs a penultimate “SIEM for dummies.” As of today, SIEM is decidedly not.

• Security vendors:  Despite the silly 2007 predictions by the RSA CEO, there will still be hundreds of security companies around. However, some of the players will definitely feel like they “overstayed the market’s welcome” (e.g. some legacy SIEM vendors) and will either die or firesale.

• Risk “management”: Every past year, I predicted that we will remain dazed and confused about how to apply risk to information security in an objective manner (objective, not necessarily quantitative). This year…. drumroll… I am laying these dark thoughts to rest – at least for a while. Maybe, just maybe, we are starting to see both data and approaches that will eventually give us something to work with. And no just whine about it.

For Part 1 on this series, click here.

Forward Thinking with Anton Chuvakin: Network Security Predictions for 2011, Part 1

Editor’s Note: This post is part of the Forward Thinking series, which features expert opinions on the top security trends of 2011.

By Anton Chuvakin

My past forecasting experience shows that I am a cowardly, extrapolating predictor – and can get a lot of the easy, obvious stuff right. Great! Even so, I will do some predictions now, since there is nothing wrong with extrapolation and the “Feynman prediction methodology” [=predicting that whatever is there now will stay the same in the future]). But I will try to be a bit wilder, like I was in my 2020 (!) security predictions.

Here are my top issues/ top security predictions for 2011:

• PCI DSS 2.0 marches on: This is the year when PCI DSS gets even bigger (if you can imagine it!). And smaller too, as smaller businesses will start to “get” PCI. Great news! On the not-so-good side of PCI, I predict that a few of “validated compliant” companies will be found abysmally non-compliant and insecure – after a breach or otherwise. Maybe some QSA heads will roll as a result, especially those “remote-assessing” “easy-graders.” The challenges of compliance in non-traditional environments (virtual, cloud, mobile devices, non-traditional payment methods, etc) will rise to prominence as well.

• HIPAA teeth: Yes, this is one of those things that people have been predicting since 1996 (yes, really!). But somehow I feel like this time – in 2011 – HIPAA/HITECH enforcement will be for real. OK…you can call me an idiot in a year, if I am wrong here.

• Application security and application security monitoring: The Gunnar paradox on firewalls+SSL may finally start to break in 2011. I predict that not only web application security — but also many internal “enterprise” applications — will get in scope for SIEM, correlation, near-real-time monitoring, etc. And not just at “adventurous” security leader companies, but also in the early and mainstream ones.

• Still no mobile malware deluge: Enough about this one. Enough! Enough! For sure, there will be isolated (and possibly pretty bad) malware incidents, but nothing like “Slammer for iPhone” or “Blaster for Android” in 2011. I suspect that PCs will still have more “money” and more holes and so this is what the bad guys will continue to steal.

Stay tuned for more predictions from Anton Chuvakin.