They Recommended What?!

I dare say that anyone who has ever held any kind of professional job can attest to the fact that there are varying degrees of skill sets. Some lawyers, for example, are better than other lawyers, some doctors are better than other doctors, and some <fill in the blank> are better than other <fill in the blank>. Likewise, some IT consultants are better than other IT consultants.

The difference here is that some of these, shall we say “lower skilled professionals” get paid a lot of money for the “advice” that they give. This also seems to occur more often than not in upper management teams where the people giving and taking the advice control millions of dollars in budgets. I guess I can’t complain too much since they are providing me some good material to blog about.

For example, I’m still sitting in on discussions between different business units for a client (at no charge mind you) where some paid “consultants” still don’t think it is wise to recommend a more secure wireless networking approach for a retailer since that retailer is under financial pressure. What?! Now, I’m going to keep this consulting company information private as well as the customer they are consulting to, but I am quite simply dumbfounded by the quality of advice coming from a supposed leader in the IT industry. Even as of last summer, they are still deploying wireless networks at retailers using WEP-128 encryption.

I, on the other hand, provided an alternative suggestion. This customer can still implement a secure 802.11i infrastructure using the equipment they already have, with VLAN segmentation. What would be required is some simple modifications to their existing switch configurations, self-signed certificates, and some additional firewall rules. A white paper could even be supplied that explains how to do this, with an 800# for technical advice if needed. Any IT consultant should understand that this configuration is not rocket science, and with proper guidance, this financially challenged retailer could be steered in an appropriate direction at very minimal cost.

I understand the economy is hurting a lot of businesses today, and budgets are being minimized if not put on hold entirely; however, that still doesn’t mean that as IT professionals our advice shouldn’t be sound. The fact of the matter is, as the economy has dropped IT crime has risen to almost epidemic proportions. “Police went from hearing 1 to 3 cyber crime complaints a week to an average of 20.” ( http://www.crime-research.org/news/02.09.2009/3709/ ). There’s another great article on this epidemic at http://www.crime-research.org/news/08.22.2008/3526/.

Needless to say, the end of the story is that we were able to negotiate a compromise recommendation document for this customer that made everybody happy (at least as related to wireless networking). However, the next chapter is on another portion of this document, where the paid “Consulting Firm” is recommending that the client run their desktops with accounts that have Administrative privileges. Ugh, I can’t wait….

PCI - The More I Learn, The More I Realize What I Don’t Know…

I recently completed the training class to become a PCI-SSC QSA, or a Payment Card Industry Security Standards Council Qualified Security Assessor (whew, what a mouthful). Basically, a PCI-SSC QSA is an employee or an organization that has been certified by the Council to validate an entity’s adherence to the PCI DSS. The Council has qualified over 100 companies and trained and certified over 1500 assessors. Prior to attending the training, I thought I had a pretty good understanding of the PCI-DSS requirements as outlined on their website http://www.pcisecuritystandards.org. After taking the class, however, I learned how much I didn’t know, and what some pretty common misconceptions are.

For starters, I’ve heard from many merchants the excuse that they are too small, so PCI does not apply to them. The fact of the matter is that size doesn’t matter. Currently, anybody that handles cardholder data (no matter the amount) is expected to comply with the PCI-DSS requirements by 2010.

Next, there is a misconception that the PCI-SSC would frown upon a QSA being involved in remediation of any gaps found during the assessment process. What I learned was that this couldn’t be farther from the truth. In actuality, the Council encourages the QSA doing the assessment to be involved in efforts to correct their clients’ shortcomings. With that being said, the Council still doesn’t want QSAs stating that the company being assessed must purchase XYZ to become compliant; rather, the QSA should provide options for them to become compliant, and those options can include the QSA’s own service offerings. For example, if the QSA has a logging solution that meets PCI requirements, then the QSA is encouraged to offer that solution as one option for remediation.

Another example applies to requirement 9.7.2 - When distributing media that contains cardholder data, send the media by secured courier or other delivery method that can be accurately tracked. In this example, let’s look at a scenario where an IT administrator or other approved employee takes backup media home on a regular basis as their offsite backup procedure. For the purposes of the PCI-DSS requirements, this would not be considered a “secure courier”; therefore, this requirement would not be met. In this case, I was under the incorrect assumption that an approved network security administrator would satisfy the “secure courier” requirement. Once again, I was mistaken.

Next is requirement 11.1 - Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use. For the QSA testing procedure here, 11.1a states to verify that a wireless analyzer is used at least quarterly, or that a wireless IDS/IPS is implemented and configured to identify all wireless devices. Many QSAs were under the impression that if an organization had more than one physical location, such as retailers do, a sample of networks could be analyzed on a quarterly basis to detect the presence of unapproved wireless devices. The fact of the matter is that all locations must be scanned on a quarterly basis for unapproved wireless devices - even if that retailer has thousands of locations.
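Both the wireless point in the first post (WEP-128 deployments versus an 802.11i design) and requirement 11.1 above come down to the same operational question: for every location, what is on the air, is it approved, how is it encrypted, and when was it last checked? The following script is an added example written for this page, not code from the author or from the PCI SSC. It takes a constructed, per-location inventory of wireless analyzer results (the store names, BSSIDs, SSIDs and dates are made up) and reports three kinds of gaps: locations with no analyzer result within the last 90 days (every location counts, as the text explains, not a sample), devices not on the approved list, and access points still running open or WEP configurations. The finding categories and the 90-day cutoff are this example's own choices, not terms from the standard.

```python
from datetime import date, timedelta

# Constructed sample inventory of per-location wireless analyzer results.
# Store names, BSSIDs, SSIDs and scan dates are made up for this example.
SCAN_RESULTS = {
    "store-001": {
        "last_scan": date(2009, 3, 2),
        "aps": [
            {"bssid": "00:11:22:33:44:01", "ssid": "retail-corp", "encryption": "WPA2-EAP"},
            {"bssid": "00:11:22:33:44:02", "ssid": "retail-pos", "encryption": "WEP-128"},
        ],
    },
    "store-002": {
        "last_scan": date(2008, 10, 15),
        "aps": [
            {"bssid": "00:11:22:33:44:03", "ssid": "retail-corp", "encryption": "WPA2-EAP"},
            {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "linksys", "encryption": "OPEN"},
        ],
    },
    # A location with no analyzer result on record at all.
    "store-003": {"last_scan": None, "aps": []},
}

# Approved access points (constructed); anything else seen on the air is unapproved.
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Encryption labels treated as weak: open networks and any WEP key length.
WEAK_ENCRYPTION = {"OPEN", "NONE", "WEP", "WEP-40", "WEP-64", "WEP-104", "WEP-128"}

# "At least quarterly": a scan older than this leaves the location uncovered.
MAX_SCAN_AGE = timedelta(days=90)

# Date the assessment is run against (constructed).
ASSESSMENT_DATE = date(2009, 3, 31)


def assess_wireless(scan_results, approved_bssids, today):
    """Return a list of (location, category, detail) findings.

    Categories (this example's own labels):
      "scan-overdue"      - no analyzer result within MAX_SCAN_AGE for the location
      "unapproved-device" - BSSID not in the approved inventory
      "weak-encryption"   - AP uses an open or WEP configuration rather than 802.11i
    """
    findings = []
    for location in sorted(scan_results):
        record = scan_results[location]
        last = record["last_scan"]
        # Every location is checked; a missing or stale scan is itself a gap.
        if last is None:
            findings.append((location, "scan-overdue", "no wireless scan on record"))
        elif today - last > MAX_SCAN_AGE:
            age = (today - last).days
            findings.append((location, "scan-overdue", f"last scan {age} days ago"))
        for ap in record["aps"]:
            if ap["bssid"] not in approved_bssids:
                findings.append((location, "unapproved-device",
                                 f"{ap['bssid']} ssid={ap['ssid']!r}"))
            if ap["encryption"].upper() in WEAK_ENCRYPTION:
                findings.append((location, "weak-encryption",
                                 f"{ap['bssid']} uses {ap['encryption']}"))
    return findings


def locations_overdue(findings):
    """Locations that must be scanned before the quarter can be considered covered."""
    return sorted({loc for loc, cat, _ in findings if cat == "scan-overdue"})


if __name__ == "__main__":
    for loc, cat, detail in assess_wireless(SCAN_RESULTS, APPROVED_BSSIDS, ASSESSMENT_DATE):
        print(f"{loc:10} {cat:18} {detail}")
```

Run against the constructed data, the report shows store-001 as scanned on time but still carrying a WEP-128 access point, store-002 as both overdue and hosting an open, unapproved device, and store-003 as never scanned. The point of keying the overdue check on each location rather than on the fleet as a whole is exactly the misconception the text describes: a clean sample of stores says nothing about the ones that were not scanned.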

There are many other examples that I could go into here to highlight misconceptions or inadequacies in my previous PCI-DSS knowledge. I’m sure others may have had some of these same misconceptions. The lesson learned here is that when it comes to PCI-DSS compliance, don’t take it lightly. Organizations should seek the assistance of a trained Qualified Security Assessor if they want the assessment done right. The requirements are put in place to better protect cardholder data. Organizations that handle such sensitive data should go through this assessment process not simply for the purpose of passing an assessment, but additionally to ensure they are doing what is possible to adequately secure cardholder data.