Payments and the Myth of a Mobile Cliff

January 10th, 2013

As the government struggles to debate and decide how to handle the fiscal cliff, I continue to think about how to save the industry from the mythical mobile payments cliff.  If you read the industry magazines, they have been predicting mobile malware for years, and as this idea begins to snowball, so too does the fear associated with anything that mobile touches.  The reality is that mobile systems are arguably *more* secure than their desktop computer counterparts.  Let’s examine how…

Mobile Security

The key thing to remember is that desktop personal computers and mobile devices have two entirely different security models and attack vectors.  Desktop personal computers give the user full control of the system, but they also allow each application to access the other applications’ data and allow some applications to change other applications.  They also allow applications from any source onto the computer.  This enables extreme functionality at the cost of security.

Mobile devices on the other hand offer the following features by default that prevent many of the risks facing desktop personal computers:

  • Application Provenance – This wonderful word means that applications must be signed by their creator.  Apple (iOS) only permits applications onto the device that are signed by an Apple-issued digital certificate.  In addition, the Apple App Store performs application verification to remove applications that try to perform malicious activity.  Imagine if we had something like that filtering applications people wanted to load on their personal computer.  Imagine the custom malware and rogue applications we could prevent from infecting and spreading on your home or work computer.
  • Application Isolation (Sandboxing) – This wonderful feature means that one application cannot access or negatively impact another application or its data.  This is an amazing feature that means even if a rogue application did get through the application store(s) onto your device it would not be able to cause much damage because it could not alter or change any other applications or access the data from those applications.  Currently, if malware infects your home personal computer it has access to all your personal and financial data stored on that computer.  If a bad-actor application were to get onto your phone it would, at worst be able to access your personal contacts or photos.  It will not be able to access other applications that access your financial records or email.
  • Host-based Firewall – Unlike most desktop personal computers and enterprise workstations, which may only be firewalled at a corporate, department or group level, each mobile device has a personal firewall installed and does not allow externally-initiated connections in.  This means that each device is firewalled from every other device and that a compromise of one will not lead to a compromise of many, as is often the case in desktop and server systems.  Imagine if each computer in your entire company was segmented from every other because they each had their own personal firewall.  Now imagine that each computer was a stand-alone device and not even on the same network as the others, meaning that even-if-everything-else-went-wrong a compromise of one system would not lead to a compromise of more than that one system.
  • Encryption – That’s right, by default mobile systems support the encrypting file system meaning data and applications on the mobile device are encrypted by default.  You can’t say that about most desktop workstations.

Mobile Commerce

Mobile commerce can be as simple as leveraging the mobile device as a communications channel or as elegant as an ecosystem of products and features that enable trusted transactions in many different forms.  The difficulty is that many people, and even some data security professionals, are unaware of the risks and countermeasures involved in mobile phone security much less the security benefits of a mobile payments ecosystem.

The reason for going into incredible detail above about the mobile security architecture is because these days many people see mobile payments much like they did e-commerce.  People were terrified that we were putting payments on the Internet, with all those hackers, and accepting payments without the customer ever presenting their payment card in person.  Yikes!  A similar feeling manifests itself for all things mobile.

But the world didn’t come to an end with e-commerce.  In fact, many people see e-commerce data loss as considerably less than that of its card-present relative.  One can argue that e-commerce transactions are actually safer than card-present transactions.

We should begin to view mobile payments for what they are: a different paradigm with different data and different risks.  Imagine what having GPS can do to identifying fraud patterns.  Things like geofencing can enable transactions only when the buyer is physically present at the seller.  Or imagine if you didn’t even need the card to be present, much like the mobile analog to Amazon’s one-click checkout.  You don’t even enter your card number because it’s already stored on the back-end systems.

That simple idea is where we begin to see the real benefit of mobile commerce.  It ends up becoming more about the ecosystem of connected components that creates a more trusted transaction.  It’s one thing to use a secure reader on your mobile device or use a secure application on the mobile device but when you start to layer these features you begin to see how the traditional layered security model can manifest in the mobile payment ecosystem.
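The geofencing idea above (allow a transaction only when the buyer’s device is physically at the seller) is easy to get wrong in the failure cases: a missing, stale or imprecise GPS fix must not be mistaken for “inside the fence”.  The following is an added example, not code from the original post or from any payment network; the merchant registry, the thresholds and every coordinate and transaction in it are constructed for illustration.

```python
"""Geofenced transaction check (added example, not code from the original post).

Assumptions (constructed for illustration): the merchant's terminal location and
allowed radius come from a merchant registry, the buyer's GPS fix arrives with the
payment request, and a fix is trusted only if it is recent and accurate enough.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0

# Hypothetical policy thresholds: how old and how coarse a fix may be.
MAX_FIX_AGE_S = 120.0
MAX_ACCURACY_M = 100.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass(frozen=True)
class Merchant:
    merchant_id: str
    lat: float
    lon: float
    radius_m: float      # how far from the terminal a buyer may be


@dataclass(frozen=True)
class GpsFix:
    lat: float
    lon: float
    accuracy_m: float    # horizontal error radius reported by the device
    age_s: float         # seconds since the fix was taken


def geofence_decision(merchant: Merchant, fix: Optional[GpsFix]) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'approve', 'review' or 'decline'.

    A missing, stale or imprecise fix is never treated as 'inside the fence':
    it is routed to manual review instead of being silently approved.
    """
    if fix is None:
        return "review", "no location supplied"
    if fix.age_s > MAX_FIX_AGE_S:
        return "review", f"location fix is {fix.age_s:.0f}s old"
    if fix.accuracy_m > MAX_ACCURACY_M:
        return "review", f"location accuracy {fix.accuracy_m:.0f}m is too coarse"
    dist = haversine_m(merchant.lat, merchant.lon, fix.lat, fix.lon)
    # Give the buyer the benefit of the device's reported error radius.
    if dist - fix.accuracy_m <= merchant.radius_m:
        return "approve", f"buyer {dist:.0f}m from terminal"
    return "decline", f"buyer {dist:.0f}m from terminal, outside {merchant.radius_m:.0f}m fence"


# Constructed sample data: a terminal and four payment requests.
SHOP = Merchant("M-0001", 37.7749, -122.4194, radius_m=50.0)
AT_COUNTER = GpsFix(37.7749, -122.4194, accuracy_m=10.0, age_s=5.0)
ONE_KM_NORTH = GpsFix(37.7839, -122.4194, accuracy_m=10.0, age_s=5.0)
STALE_FIX = GpsFix(37.7749, -122.4194, accuracy_m=10.0, age_s=600.0)


def run_samples():
    """Evaluate the constructed transactions and return the decisions."""
    return {
        "at_counter": geofence_decision(SHOP, AT_COUNTER),
        "one_km_away": geofence_decision(SHOP, ONE_KM_NORTH),
        "stale_fix": geofence_decision(SHOP, STALE_FIX),
        "no_fix": geofence_decision(SHOP, None),
    }


if __name__ == "__main__":
    for name, (decision, reason) in run_samples().items():
        print(f"{name:12s} -> {decision:8s} ({reason})")
```

The design choice worth noting is the three-way outcome: a fence check that returns only approve/decline forces the implementer to pick a default for bad input, and “approve” is the one attackers hope for.  Treating absent or untrustworthy location data as a separate review path keeps the geofence a real control without turning every weak GPS signal into a declined sale.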

Conclusion

So have no fear of a mythical mobile payments cliff.  Mobile devices have security features that far eclipse those of their non-mobile counterparts. We should recognize that new technology will bring with it new data, and that by leveraging that technology and data we can reduce the overall risk in a system. Instead of fearing a mobile cliff we should be embracing mobile payments as a way to increase acceptance and catalyze commerce in a time when we need it the most.



Thankful

November 22nd, 2012

I’m thankful for my many friends around the world who take such great care of me. My global travels have all been the result of or under the hospitality of local friends who taught me that “you see what you know.”

I’m thankful for the many people who enter (and sometimes exit) my life on a regular basis. I’m thankful for those who taught me to “let go of expectations while holding on to passion, desire, and ambition,” who remind me that I’ll survive longer if I “be like the reed rather than the oak,” and who taught me that “competing with myself is easier and more rewarding than competing with others.”

It is my friends who regularly remind me of the words of Sir Isaac Newton: “If I can see further than anyone else, it is only because I am standing on the shoulders of giants.”


Learning to Love and Remove Expectation

May 30th, 2012

Letting go means not trying to control everything around you. It means giving up expectation and replacing it with hope, desire, and acceptance.

Making Sense of Life

This is a realization I came to recently while trying to make sense of change in my life. I recently faced the greatest fear in my life and what happened as a result has changed my life.

You see, I learned that I’ve been living, arguably the last 15 years of my life, on auto-pilot. I wanted to excel in everything that I did but never stopped to question whether the values and goals in my head were my own or a reflection of others who interact with and influence me. It is like that scene from the movie Fight Club where Tyler Durden explains how he got to where he is in life:

Tyler: My dad never went to college, so it was real important that I go.
Narrator: Sounds familiar.
Tyler: So I graduate, I call him up long distance, I say “Dad, now what?” He says, “Get a job.”
Narrator: Same here.
Tyler: Now I’m 25, make my yearly call again. I say Dad, “Now what?” He says, “I don’t know, get married.”

My dad did go to college, in fact he got his PhD and is a practicing doctor of medicine in addition to a scientific researcher. Perhaps that is part of the reason I worked so hard to excel in everything I could. This approach to living has served me well in life.

I took risks; some worked and some didn’t but overall my life graph has been moving up and to the right. Even situations that turned out bad I looked at as positive life experiences. Regardless of what life threw at me, it made me stronger. To the outside world I was a smiling center of zen in the universe. Inside, I had a secret fear that propelled me forward faster than ever. That fear was my greatest ally and my most heavy burden.

Facing Life’s Greatest Fear

My great fear in life was that my entire history and existence was nothing more than a house of cards and if I ever stopped moving forward everything would fall apart. It’s hard to explain this to others who cannot comprehend how a mind can view such a solid foundation as the most fragile of Fabergé eggs. You see I always compared myself to the next person at the next level.  Every achievement ever made was like a drug and I always needed more to keep me happy.

One day I faced a situation I could not overcome.  I tried every brute force method of change to no avail.  In the end, I did the only thing left to do.  I let go. I stopped trying to force the situation.  I said to myself, “everything you have tried hasn’t worked so maybe not trying is the thing to do.”

The moment I did this it was as if everything started falling into place in a way I never imagined. I vividly recall being at a conference after-party when someone asked me what I was drinking.  I paused for a moment, looked at my drink and replied, “exactly what I want.”  It was an iconic moment for me: I could live my life in any way I wanted.

The trick to unlocking my life lay in listening to those voices in my head and being able to differentiate between my own and those of friends or society at large.  As I began to rebuff societal norms and expectations I began to unlock my own personal happiness.  This is still a work in progress – and one that takes work – but for me “letting go” of expectation has helped me find more joy and love than I ever could before.

Opening Up

I used to put people into Procrustean boxes.  These categories included: work colleagues, social friends, and personal relationships.  Sub-divided within those were family, close friends, acquaintances, and activity partners.  When I looked at each person I wanted to place them into a category and became frustrated when their entire existence didn’t fit into one of those boxes.

I had ‘close friends’ but some I didn’t see or speak with for years. I had ‘family’ that acted more like ‘friends’ and ‘family’ that acted more like ‘colleagues’.  For the most part it worked out but I really struggled with the overlap, or lack of overlap.  For example, there were people I wanted to put in the category of ‘close friends’ but we were really only close on one level and not much beyond that.  Can a uni-planar friend count as a close friend?

So again I used the key that worked for me in the past: letting go of expectation.

Instead of putting people into boxes, I simply want to embrace those parts of people who match with parts of me.  I no longer care if the overlap is 5% or 95%.  I’ve accepted that I can experience people in part or whole much more happily than I can searching for those few people who will match 99%.  Opening up my friendships and relationships in general has enabled me to experience parts of people I would have written off or simply never come in contact with because our worlds would never collide.

I want simply to experience more from those around me. I want to not limit myself by expectation. I want to love freely and share experiences with those closest to me.

The lack of expectation, outside of experience, is what prevents disappointment for me.

These days it seems like every time I work through a situation I say, “but this for sure must be a wall/limit” and then remind myself that life and love really are limitless.  Life and love are bound only by our own constraints, and thus our troubles are often times self-imposed.  By removing expectation and my own constraints I’m learning to truly live without limitation.



3rd Annual Top 10 Sexy InfoSec Geeks for 2011

January 1st, 2012

This year has been full of surprises.  Life has taught me that you never really exist in a state of calm or unrest, but some stratified grey area in between.  When life gets rough I think back to the “in between” that is water.

I’ve received a few questions about the 2011 sexy infosec geeks list, and last year was such a hit as was the year before that I thought we should do it again.  It is hard to keep a list to just 10 people when you really have a list about 50 long.

A friend asked me how I compiled the list.  I told her it was based on the people I know and those referred to me.  I’m easily influenced by recommendations of others, as are so many people in this world.  I solicited input, averaged out the outliers, and once again used biased weighting to determine the final set.  Again, these are only my opinions.  I encourage you to make your own list as well. As always, feel free to disagree or add your own using the comments.

Without further commentary and tangent, I give you the Third Annual Top 10 Sexy InfoSec Geeks for 2011.

10. Halvar Flake (@halvarflake)

Halvar has many skills. He was denied access to the US in 2007 and prevented from teaching a class at BlackHat – probably because the information was much needed. He specializes in math, reverse engineering, and making friends with people who recommend him for lists like this.

09.  Felix ‘FX’ Lindner (@41414141)

FX is a well-known member of the German security team Phenoelit and Head of Recurity Labs.  He is a mainstay in the security world who, along with the rest of the Phenoelit team, has brought many others into security.  He participated in C3, speaks on security, and is overall a nice guy.

08. Jayson E. Street (@jaysonstreet)

Jayson Street, much like Zaphod Beeblebrox, is “just this guy, ya know”.  Jayson presents at conferences around the world and people attend his talks because of how entertaining he is, regardless of the topic.  He frequently speaks on the topic of social engineering, is never without his vest of pockets, and somehow manages to find a Pizza Hut and Pepsi in every country he visits. He has received several accolades over the ages.

07. Andrew Jaquith (@arj)

Aside from being an all-around likable guy, Andrew has served in various CTO positions, co-founded @Stake, and held industry analyst positions. Andrew authored the book Security Metrics, started MetriCon, manages Mini-Metricon, and is a full-time pundit.  If someone mentions the word metrics they will probably quote something that Andrew has said.

06. Joanna Rutkowska

Joanna made a splash in 2006 with her Black Hat presentation on an attack against Vista kernel protection mechanism and a technique dubbed Blue Pill, that used hardware virtualization to move a running OS into a virtual machine. In 2010 she co-created the Qubes security-centric operating system based on Disposable Virtual Machine.  In this era of virtual machines, we need more people to promote the need for security in virtual systems.

05. Alex Hutton (@alexhutton)

Alex Hutton has been involved in so many risky things, he is most certainly an infosec bad-boy. He graduated from the Jack Jones school of Factor Analysis and Information Risk (FAIR), former Research & Intelligence with the Verizon Business RISK Team, author on the Verizon Data Breach Investigation (DBIR) and PCI Compliance report (PCIR), and organized (Security Metrics) Metricon 2011. Now that is one risky dude!

04. Michelle Klinger (@diami03)

Michelle may like infosec as much as she likes cats – and that’s saying something.  She co-organized BSidesDFW two years in a row.  She is an excellent cat herder who never likes the limelight but always does what it takes to get things done.  She has sarcasm and charm to spare.  In 2011 she was nominated for an RSA Blogger award due to her post, Security B-Sides Turned Me into an Adult.

03. Kyle Creyts (@hushedfeet)

In a DO-ocracy Kyle would be King (or close to it).  Kyle is founder of BSidesDetroit, an event he started to bring together people in the greater Detroit to Ann Arbor area.  At a youthful age he stood up a conference in one of the most dispersed cities and created a conflagration of like-minded people.

02. Marcia Hofmann (@marciahofmann)

Marcia is a senior staff attorney at the Electronic Frontier Foundation (EFF) focusing on helping ensure that modern technology is used for liberation rather than control. She liaises with hackers at security conferences and helps guide them on how to proceed with sometimes sensitive topics. She has the legal perspective that every aspiring hacker needs.

01. Joseph Sokoly (@jsokoly)

Joseph has been my ‘poster guy’ for Security B-Sides.  In 12 months he took a presentation on how hard it is to break into the industry (BSidesAustin) to a follow-up on all the support he received (BSidesBoston), then went back to his home town and co-founded BSidesDFW.  I’ve always enjoyed our long one-on-one conversations about life, people, and leadership.


The Future of Security B-Sides

December 22nd, 2011

Dear friends,

We started Security B-Sides (BSides) to do something different. We wanted to create a platform to help the security community achieve things together that we could never do alone, and expand everyone’s opportunities.

Thanks to the incredible support of all our volunteers and sponsors, over the past two and a half years, the community organizers have held 37 conferences across four continents involving over 100 organizers, and thousands of participants. I am so proud to be a part of this, seeing people help each other and doing things they would never have done otherwise.

However, this week, some criticisms were published about BSides. As the person named in some of these statements, I want to set the record straight on items that are factually incorrect, as well as address some of the growing pains I mentioned above. BSides, as a community organization, has a responsibility to our community and our sponsors.

Not-For-Profit Status

BSides is not yet a not-for-profit (NFP) organization. It is true that I initially included language stating this on the website and Facebook page because that is the spirit in which the organization was developed. This has since been removed. We have not misrepresented ourselves as an NFP to any sponsors or vendors, nor have we provided them with a receipt claiming such.

We are in fact pursuing NFP status. Please know this: I took the initiative to file for California state acceptance, which is the first step to filing Federal 501c3. The state filing was approved this year after many cycles. Due to state budget cuts, we waited months for each reply.

I have recently engaged a third-party company who specializes in these types of organizations to walk us through the process of selecting Board members, drafting bylaws, and completing our Federal application.

I admit that I might’ve taken more time than needed to address some of these important administrative details, but this delay was never out of malicious intent; getting caught up in the growth of the organization delayed this process. The foundation of BSides was never lost along the way.

In the spirit of growth, and to further that foundation, I’m happy to announce that the three initial board of director members for BSides will be: Jack Daniel, Gene Kim, and myself. Gene is the newest member of the team, and is an experienced executive and well-respected member of the information security industry and has served as an adviser and board member for many organizations.

Financials

Regarding the financials and banking issues, a quick factual clarification. Shortly after forming BSides I applied for an Employee Identification Number (EIN) with the IRS. I then opened a separate bank account for BSides into which we deposited funds received. Since some sponsors wished to pay via credit card we used PayPal to accept these funds. I linked the PayPal account to the BSides bank account to be able to transfer funds.

This quarter we engaged a third-party bookkeeper to review the bank account and help us create an event-by-event accounting of all funds received and expenditures made. Let me emphasize, all BSides funds have gone directly to the events, to cover administrative costs, or were donated to charitable organizations. To go a step further, neither myself, nor Amber, have received any compensation for our time or effort and all of the funds have been kept in a separate account from our personal funds.

Another important piece to the financials is the management of events. When we had 5-10 events spread out over the year, it was easy to manage all invoices and all accounts from one central location. This process broke down and we ended up paying for one event using funds raised from the last as we tried to collect on committed funds. Going forward, we have discontinued the “global” sponsorship and will require each event to raise their own funds and cover all expenses. There will be no co-mingling of finances.

Responsibility and Accountability

Although we are not yet an NFP and not required to publish financials, we will publish a report in accordance with typical NFP practices. We are diligently working on this and our hope is to have it completed in the next couple of weeks. If any sponsor would like to know how their funds were used, we are also ready to provide full itemized accounting details for them.

I am not perfect, and many of the changes that occurred in the last two years came from extreme growth and change. I agree with Bill Brenner that this is an opportunity to build something better. We learn, we evolve, we move on. We now have a formal board of directors, a third party bookkeeper, an organization that will help us complete the 501c3 paperwork and filings. We have new processes for each event operating independently. I think the good we have created should not be abused or ignored.

The Future of BSides

My main concern is what the future holds for the many event organizers whose sponsors may question their involvement in BSides. I will continue to assure our sponsors that BSides remains a worthy investment and that we are laser focused on making this a better and more transparent organization for the benefit of the security community and broader industry.

I would like to encourage others to continue to be collaborative, and help each other do good things. If you want to volunteer and participate in our improvement, please contact me at mike@securitybsides.org or join the BSides Google group.

If you have any questions about BSides or any of the accusations, please email me. In the spirit of total transparency, I will attempt to reply to all of your questions.

Going forward, I hope the community can help itself heal, band together, and continue to help others do together what they could not do alone.

Sincerely yours,
Mike Dahn


Capability and Maturity Model Creation in Information Security

October 28th, 2011

This is a re-post of an article I wrote for IT Compliance Advisor, a part of TechTarget.com, in August 2009.  I find the material to be just as applicable now as it was then.  You can find a list of reference material here.

One of the problems that many companies face is staying ahead of the information security curve. Go too fast and you run the risk of wasting capital, but run too slow and you run the risk of being compromised. So how can a company escape the hamster wheel of pain? Be proactive in managing risk and implement a maturity framework for the organization.

In an attempt to balance the two domains of cost and security, a continual tradeoff, many companies have implemented regulatory compliance standards. These are good tools for measuring one’s security against a known industry baseline. The classic example of this is the Payment Card Industry Data Security Standard (PCI DSS). Using standards like PCI DSS, companies can measure their adherence to eliminating sensitive data and protecting the remaining in-scope systems.

There are two problems with aligning an entire information security model along any singular guideline. It should be noted that, in the absence of any information security program, PCI DSS is a very good baseline standard.

The first challenge is the 0-to-100 problem. Some companies start with no information security program and try to adhere to something like PCI DSS. Much like measuring the acceleration of a car by how fast it can go from 0 to 100 miles per hour, these companies struggle with getting from 0 to 100 percent compliance in under 12 months. For these companies this means implementing security for the sake of a deadline, which means not always having the time to test what works and what does not.

The second challenge is the security limiter problem. Once companies reach 100 percent adherence to a given standard, many times they stop developing their information security program. These companies then enter a vicious cycle of identification and remediation. Each year, their auditors alert them to a new set of issues and, each year, the companies fix those and then relax until the following year.

So how do we escape this endless cycle of identification and remediation? How do we provide a way for companies to go from 0 mph to 50 mph in year one, 50 to 100 in year two, and still be inspired to go from 100 to 150 in year three? How do we become proactive instead of being reactive? One option for addressing these problems is the capability maturity model (CMM) that involves risk management.

A CMM is nothing new or innovative. It’s a useful approach for managing the maturity in a system. The Computer Security Handbook 4th Edition reveals that CMMs originated from software development. This book states that a CMM “can be used as a way to assess the soundness of a security product builder’s engineering practices during the many stages of product development.” If a CMM can be used for measuring the soundness of engineering practices, then why not leverage it to measure the soundness of information security practices?

A maturity model encourages continual growth rather than strict adherence to Procrustean boxes of information security. It’s the mathematical equivalent of the integral, or the continuously variable transmission of an automobile. It provides a smooth curve instead of designated endpoints of information security. For companies suffering from the 0-to-100 problem, a maturity model enables growth from 0-to-50 initially, with the projection of moving from 50-to-100 at a later date. Companies that suffer from the security limiter problem gain the ability to continuously and proactively plan information security development to parallel growing business needs, instead of following an independent set of criteria.

The Information Security Management Maturity Model (ISM3, or ISM-cubed) provides us with the intersection of information security and a maturity model for growing an information security program. ISM3 describes the process this way:

“Rather than focusing on controls, it focuses on the common processes of information security, which are shared to some extent by all organizations.

Under ISM3, the common processes of information security are formally described, given performance targets and metrics, and used to build a quality assured process framework. Performance targets are unique to each implementation and depend upon business requirements and resources available. Altogether, the performance targets for security become the Information Security Policy. The emphasis on the practical and the measurable is what makes ISM3 unusual, and the approach ensures that ISM systems adapt without re-engineering in the face of changes to technology and risk.”

In fact, the ISM3 is based in part on extending the Systems Security Engineering Capability Maturity Model (SSE-CMM), which is ISO standard 21827. The SSE-CMM “describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering.”

In addition, consider the Building Security in Maturity Model (BSIMM), which is “designed to help you understand and plan a software security initiative.” As well there is the, Open Software Assurance Maturity Model (OpenSAMM) project that can “help organizations formulate and implement a strategy for software security that is tailored to the specific risks facing the organization.” These frameworks exist as tools for helping develop the maturity of organizations and software through the use of measured metrics.

And metrics is where all the magic really happens. Only by measuring the maturity of an organization and matching it to the development and progress of known attacks can we demonstrate that we are maintaining the balance between costs and security. There is a saying that if you and your friend are being chased by a bear, you don’t need to outrun the bear — you need only outrun your friend. In the world of ever-increasing compromises, many companies struggle to stay ahead of the curve. A maturity model, with proper metrics, can help your organization do just that. The best part? Companies that implement a maturity model and show measured growth are many times more likely to adhere to industry standards such as the PCI DSS.


Selective Deregulation: What you need to know about the future of PCI validation

May 28th, 2011

This post clarifies an earlier one Considering an Opt-Out Program on PCI Validation and helps explain how PCI compliance validation is changing based on risk measures present in the merchant’s environment.  Regulation and deregulation cycles happen in response to market forces.  In this case selective deregulation is happening in the form of reduced validation based on risk and fraud reduction measures present in merchant organizations.

Present State

When many companies think of PCI compliance they immediately think of a third-party QSA auditor.  For mature organizations this is the old way of thinking as both Visa and MasterCard permit merchants of any level to self-assess.

  • Visa (Inc. and Europe) permits a report on compliance from an internal auditor provided it is signed off by an officer of the corporation.
  • MasterCard permits self-assessments but internal auditors must “attend PCI SSC ISA Training and pass the associated accreditation program”

Although organizations must validate annually, they are relieved of this in the following situations (as noted by Simon Sharp):

  • Visa Inc.: merchant does 75%+ EMV transactions = no requirement for ongoing external assessment (major abbreviation)
  • Visa Europe: merchants meet 1-4 milestones of Prioritized Approach are in a safe harbor even if breached (major abbreviation)
  • Visa Asia: merchants who implement end-to-end encryption or process EMV chip transactions in countries where iCVV penetration is >75% have the following options:
    • Validated compliance with milestones 1-4 of the PCI SSC’s Prioritized Approach are recognized as fulfilling Visa PCI DSS validation requirements.
    • Attested to not storing prohibited data and process EMV chip transactions in markets where iCVV penetration is higher than 75 percent – you may define merchant level by the annual volume of non-chip transactions.

Reducing Risk = Reduced Validation

Visa Inc’s Technology Innovation Program (TIP) notes organizations that reduce fraud risk using technologies such as EMV (Chip/PIN) no longer need to validate compliance annually.  Visa Europe has their own version of TIP that goes a step further to say that for merchants who validate against the Prioritized Approach 1-4, Visa Europe will:

  • waive penalties for non-compliance or non-progression
  • grant ‘safe harbour’ from penalties and allocation of incremental counterfeit fraud losses in the event of a data compromise

Sure there are caveats and I’m not certain what “allocation of incremental counterfeit fraud losses” entirely means, but the idea that a merchant will achieve safe-harbor from anything is a pretty big carrot with which to lead merchants.

Certainly the pendulum has moved from encouraging compliance to encouraging risk and fraud reduction.  To this end Visa has changed from incentivizing compliance, via the Visa CAP program in 2007, to incentivizing risk and fraud reduction, via the Visa TIP programs in 2011.

PCI Deregulation

Perhaps it’s premature to say that PCI compliance as an industry is in a deregulation phase.  Clearly PCI compliance for regions that have not seen wide adoption, such as Asia/Australia, still needs movement towards full compliance and validation.  Conversely, if a merchant has >95% of transactions using EMV (Chip/PIN) with iCVV and CDA authentication – the need for PCI compliance may be limited.

Although deregulation may never fully occur, annual third-party validation is no longer necessary for companies that have either reduced the risk to payment card data or have highly-mature internal controls and validation capabilities.


Considering an Opt-Out Program on PCI Validation

May 1st, 2011 7 comments

Abstract

As regulation-deregulation cycles rise and fall, it is important to understand how the evolving landscape of compliance impacts your future. This post proposes maintaining compliance but making validation an opt-out optional component – a radical change from the status quo.  Evidence already suggests the industry is moving in this direction and changes to compliance are necessary for the continuance of risk management.

Please understand that when I say opt-out, I am referring to mandated external, third-party validation requirements. I think internal validation is more important than ever.

Special thanks to idea people: @lennyzeltser, @mckeay, @alexhutton, @kindervag, @joshcorman

Background

I recently read Lenny Zeltser’s blog titled “Could Regulatory Compliance Encourage Weaker Security?” This is a valid question and one that needs addressing. The question can be rephrased as, “Who does compliance work best for?” To answer that question we need to understand why compliance exists.

In a blog post I wrote on How Compliance Regulations Gets Made we focus on the natural regulation-deregulation cycles and how they exist in response to an increase or decrease in data breach/loss. The ultimate goal of compliance is to set a baseline of standards within an industry. The question Lenny raises is one I’m often asked by opponents of such standards, “what about the big/little guy (who do not fall within the Bell Curve norm for best practices)?”

It’s true that regulatory compliance is targeted not only at setting a minimum standard for technical security (firewalls and IDS) but also a minimum standard for security maturity (policies and procedures) within an organization. So let’s think about this graphically. There are four quadrants within which to place organizations: those with either high/low-level of security and high/low-level of maturity.

Security vs Maturity

For the purpose of this conversation let’s assume that maturity encompasses the Check and Act aspects of the PDCA Cycle and security refers to the Plan and Do components. The reason I break it down this way is to directly reflect the results of the Verizon PCI Compliance Report (PCIR). This report found that:

“Organizations are better at planning and doing than checking. If the check phase is broken, they cannot act to maintain the state of security over time.”

The Verizon PCIR found that organizations are great at Planning and Doing but not great at Checking and, as a direct result, Acting on those changes. To me this disconnect is the difference between organizations with a high-level vs low-level of maturity within their security practice.

With this in mind, let me suggest that regulatory compliance standards should most impact those organizations with a lack of either security or maturity, but not both. So let’s break this down and the types of organizations they embody.

  1. High-Security / Low-Maturity: These companies care about security but have never documented policies and procedures. They have log management systems but have slowly stopped reviewing them. Regulatory compliance can have a positive impact here.
  2. Low-Security / High-Maturity: These organizations run well but with little funding for sorely needed security projects. There has never been a “hammer” to drive spending. Regulatory compliance can have a positive impact here.
  3. Low-Security / Low-Maturity: These are organizations that do not care about security or compliance. Perhaps they are too small (mom-and-pop companies) or those that will validate compliance but never maintain it through the year. There is no changing these companies and little that compliance can do for them. Validating compliance for them is a waste of time and money, since there is no driver to maintain a state of security.  (Instead new technologies such as tokenization, end-to-end encryption, and validated payment applications will have the highest impact here.)
  4. High-Security / High-Maturity: These are companies at the top-tier of their breed. They don’t manage security, they manage risk! They adopt and implement custom risk management solutions based on careful analysis of data classification and impact analysis reports. These companies see regulatory compliance as a roadblock and implementing industry “best practices” as a deviation from their perfect path.

I propose that regulatory compliance will most help groups 1 and 2, but not groups 3 and 4.  (Unless you consider regulatory compliance the driving force for said technologies above, though I would argue data breaches and word of mouth have a higher impact here than compliance.)

Although I believe in the need for increased education, flexibility of controls, and more data for risk modeling – I’m going to save us a bit of time and skip to the chase.

  • Companies in group 3, who do not care about compliance or security, will not change their tune by forcing them to validate compliance.  Instead the end result will most likely be in them checking a box and ending up in the 80% of companies (see: Verizon PCIR) that do not maintain their state of compliance.
  • Companies in group 4, who care passionately about risk and security, need a reprieve from continually validating against a standard that is built for the average individual. Although the stated way to address this for PCI compliance is through documenting a set of Compensating Controls, what other options do we have out there? What other ways are there for such companies dealing with compliance validation?

Remember, the stated goal of regulatory compliance, taken from regulation-deregulation cycles, is to reduce the number of data breaches and data loss. In both groups 3 and 4, continually validating against a standard may, in my opinion, have little to no impact on the number of data breaches/loss. The reason is that group 3, though validating, will not maintain that validation, and group 4 treats validation as an exercise in documentation.

Other Options

On February 6, 2011, Visa launched its Technology Innovation Plan (TIP) “to recognize and acknowledge merchants in Visa Inc. regions outside of the United States that have taken action to prevent counterfeit fraud by investing in EMV technology.” (Since Visa Europe is a franchise, the “outside the US” may only apply to Asia-Pacific and Latin-America & Caribbean, but it’s a bold change we should view as the tip of an iceberg.)

In essence, they are saying that organizations that have achieved the following need not continue to validate their compliance against the PCI DSS standard:

  • Implemented a sufficient level of controls so as to reduce fraud* (see: EMV)
  • Validated their state of compliance once
  • Have not suffered a data breach

* Yes, fraud is discernibly different from data breaches, but one leads to the other and as a result they are interconnected.

Wow, what an innovative approach. I’ve talked about the TIP program with industry insiders and they are mostly in agreement that we don’t know if this will result in positive or negative changes. I feel it will be a great success and here is why.

Opting Out of Validation (Not Compliance)

Presently companies that validate their state of compliance need to submit two things: a validation document (either a self-assessment questionnaire or a report on compliance) and an attestation of compliance (AOC) document. The AOC is nothing more than a memo that reiterates that organization’s commitment to following the payment-brand rules for protecting payment card data.

I think organizations that choose to opt-out of compliance validation should still need to sign the Attestation of Compliance (AOC) to reaffirm their social contract and commitment to protecting payment card data. If they fail to achieve this within their, alleged, super-robust security and risk program then they deserve to undergo the same forensic review and financial implications that come with any other organization. If they instead succeed in protecting payment card data and are able to repel the wily hacker then they should continue their reprieve from annual compliance validation (perhaps they can externally-validate every 2 or 3 years).

The reason I suggest this is because, and here’s the kicker, you cannot tell the difference between a PCI compliant organization and one that has let security and compliance lapse until they experience a data breach. Until that point, both organizations appear, from the outside, to be operating in the same manner.  (Sure, you can tell a difference internally, but so far very few organizations that achieve compliance once organically maintain it year-over-year.)

But Wait – It Already Exists

The PCI Council has already rolled out the Internal Security Assessor (ISA) program and MasterCard has begun listing this qualification as part of their validation program requirements.

“Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC ISA Training and pass the associated accreditation program annually in order to continue to use internal auditors.”

(Ok, so Visa has not adopted the same stance and companies that store, process, or transmit payment card data for both brands must adhere to the minimum standard for both, but still it’s a change.  Also, the payment card brand validation guidelines are guidance for the acquiring banks who have the ability to manage their validation programs on a case-by-case basis.)

This means that many organizations (there are exceptions) who wish to opt-out of formal validation can do so leveraging their internal assessor team.

Conclusion

What we have is a directional movement towards, what I will call, selective deregulation. Step 1 is the PCI SSC ISA program.  Step 2 is the Visa TIP program.  What is the next step? The only way to know is to wait and see.

I’m not proposing that we do away with validation entirely, but instead that we move into a hybrid approach towards validation that is based on risk, maturity, past performance, and future commitment.  The market has spoken and the Council and payment brands are already responding.

My suggestions for you?

If you fall into category 1, 2, or 4 above – prepare the following:

If you fall into category 3 above – investigate the following:


Changing Jobs – Growing – Learning

April 14th, 2011 8 comments

As January of this year rolled around, I hadn’t planned on changing jobs but I knew the year ahead would be interesting.  During my tenure at Verizon Business I learned quite a bit and met many wonderful people.  When I decided to join the company two years prior I did so because of the people.  One lesson I learned long ago is to rank my job by: (1) what I will be learning and (2) who I will be working with.

Tenure with Great People

The most wonderful thing about working for Verizon Business was working with the RISK Intelligence team, led by people like Wade Baker and Alex Hutton.  These gentlemen and their team are responsible for the famous Data Breach Investigations Report (DBIR) and the Verizon Enterprise Risk and Sharing (VERIS) risk modeling tool.  Many companies put out research reports but few focus so much on making their methodology transparent and unbiased.

One of my favorite projects from 2010 was working with the Verizon RISK team on the first annual Verizon PCI Compliance Report (PCIR).  It was hard work, and needed to happen alongside an already heavy work load, but it’s one of the most important projects I’ve worked on.  The reason why is that it analyzed reports and data over the two years prior – of actual assessments – and portrayed the results openly.  This year, Martin McKeay is taking over the PCIR and kicking it up a notch by providing even more ways of splicing the data.  I can’t wait to read it!

My eternal three items for improving the information security industry (in response to Josh Corman asking) have been:

  1. Education, education, education
  2. Flexibility of controls
  3. More data for risk modeling

It’s #3 that the RISK Team at Verizon is famously known for.  In fact, security researcher Anton Chuvakin recently referred to the DBIR as “a piece of juicy awesomeness that only comes once a year”.

It’s Good to have Options – but hard to Choose

I hadn’t planned on moving on but when a good opportunity came along for me to grow and learn, I had to take it.  I received a number of casual job offers during RSA 2011 week, during which Martin and I presented on PCI compliance in the Cloud and the entire Security B-Sides team had a successful BSidesSanFrancisco event.  Nothing was compelling enough to make the big switch.  Then came Square.

Thanks to Sam Quigley, I had the awesome opportunity to contract at Square, a mobile payments startup in San Francisco. Square is not just another startup, it’s a company that is going to revolutionize the payments and social landscape.  They make payments simple and elegant.  Check out the TechCrunch post/video of Jack Dorsey’s famous “bridge” speech as to why they will be the Apple of payments.

Why will Square succeed?  Because they are a company of people following their passion and have a community of customers who love them.

Although I love the company, and will pimp them every chance I get, I decided to take another path.  I still love the people I met at Square and the lessons I learned.  So here are a few of those lessons:

  1. Follow your passion, passionately.
  2. Everyone in the company is part of idea creation, but it’s the leader’s job to be the “editor” of these ideas.
  3. Ideas that are not used do not get discarded, they go “on the shelf” for later use or re-evaluation.
  4. Measure everything.  “If you cannot measure it, you cannot improve it” – Lord Kelvin
  5. Don’t fail fast; iterate fast.
  6. Know and tell your story well.

I cannot emphasize this last part enough.  Watch Jack Dorsey tell his story at Stanford.  He does so without slides or prompts.  He knows his passion and his direction and can articulate it easily.  How many of us can tell our story this well?

Knowing your story and being able to articulate it helps us live the direction we want to go instead of just zig-zagging through life.

Conclusion

Although Square is a great company and will change the world, I believe that my work there would not be as impactful as it would at another company.  I’ve decided to take a job as Director of Threat and Vulnerability Management (TVM) at PricewaterhouseCoopers (PwC).  Here I will be able to follow my passion and have an enormous impact.

My fundamental passion is empowering people to have a greater impact on the world around them.  At PwC, mentor programs are built into the DNA of the company and I’ll be able to help grow a team.  Much like I do with Security B-Sides, I’ll be able to leverage a team of people to be more than the sum of their parts.  I have some great plans for working in a leadership position at a multi-national and well-respected firm.

Much like at Verizon, at PwC I’ll be able to work with a smart team of professionals such as Gary Loveland and Mark Lobel who curate the PwC Global Information Security Survey.  I’ll be able to move beyond PCI compliance and focus on helping companies manage risk, however it makes the most sense for their company.

Most of all, we as a firm will leverage the talented and ambitious professionals that make up PwC.  I always thought that the Big4 sold products and services, but the reality is that their only service is their people.  I look forward to working with a group of talented professionals and helping them grow as a team.

When interviewing at PwC, I was asked a question I will never forget.  “Anyone can sell themselves.  How will you sell your team?” It’s true that you reach a point in your career when it’s simple to sell yourself, but the true measure of a leader is how well they grow, position, and market their entire team.

I look forward to the challenge and am excited to see what the future brings.


Camping on Mt Tam – April 2011

April 14th, 2011 No comments

I’m between jobs right now (purposefully) and looking to relax.  As other friends are away at the beach enjoying the sun, I decided to go camping for a weekend.  Mt. Tamalpais (Mt Tam) is a great place to walk among the historic redwoods and is the backyard of San Francisco.

The camping area is drive-in meaning you can bring as much as you want and not have to worry about over packing.  We kept it light with all our loyal REI supplies, especially my favorite which is the Quarter Dome 3 Plus tent.  It’s probably the best tent I’ve ever owned based on our criteria.  The “Plus” is not for us larger Americans but adds an additional 4 inches to the length of the tent, which really helps out for us tall people.

The first day we did a long hike, got lost, got found, and enjoyed a long day-hike in the woods.  One of the more interesting things we came across was this Newt Crossing sign.

I sometimes wonder what variety of signs exist out there.  My first thoughts were, “how will the drivers see them?”  Newts are rather small and even at 15 miles per hour I don’t see how a car driver could differentiate them from the concrete road.

Nonetheless it was fun to peek out from the trees into this road-side view of the ocean and historic Highway-1.  We drove home over Hwy-1 and remembered why it’s important to drive slowly.  The road twists and turns around the edge of the hill in such a way that there is little to no distance between the edge of the road and the cliff.  It is here that the wrong turn does not result in your car crashing into a ditch but reaching terminal velocity before splashing into the ocean.

The newt crossing was just around the bend from, I-kid-you-not-on-the-name, Steep Ravine Environmental Campground.  We didn’t stay here but by the photos you can see this is the place to stay.

I should remind you that in addition to a beautiful landscape and picturesque views, this area is very windy and thus rather cold even during the day.

Ok, back to the woods.

The redwood trees are most widely known for their gigantic size.  If you have not seen these before it’s really something of awe to stand beside a tree that is not only over 1,000 years old but also wider than the length of your car.  There is no doubt these are the king of trees, but what you may not know is that they have almost a personality about them.

Redwoods tend to grow in groups or clusters.  This helps them leverage the shade each brings and secure a more firm base.  If a tree or tree-cluster is blocking the light of another tree it simply grows around them. I’ve seen trees growing at a straight-diagonal or diagonal and then once they reach the light, straight up.

Hiking along Steep Ravine Trail you see many trees that exhibit an extreme resilience.  For example, this photo of me standing on a fallen redwood.  Although only about 25% of the root structure is still in the ground the branches of this tree are already sprouting into full-grown trees.

We saw another fallen tree where the branches had sprouted into even bigger individual trees.  All I could do is stop and think to myself how even with only partial root structure the single fallen tree was supplying water to the entire set of new trees growing out of its branches.

I can’t help but stare in amazement.

I really enjoy camping on Mt Tam and will go back over and over.  A few friends have mentioned camping in Salt Lake City, UT, which I would really enjoy.  Until then I’ll be camping in the beautiful backyard of San Francisco where there are plenty of new paths to hike and sights to see.  I hope you make it out this way and try some of the great camp grounds in the area.
