Archive for June, 2008

Today’s Partnerships are Tomorrow’s Liabilities

June 26, 2008

“…so here’s the thing. If you can’t spot the sucker in your first half hour at the table, you ARE the sucker.”

Let’s say that your company, from an information assurance perspective, really has its act together.

Even your education and awareness campaigns are paying off, you’ve got security testing gates in the SDLC, new software isn’t built without InfoSec knowledge and involvement. You’ve got all the widgets and gizmos with the toys required to collect and process the logs they create. You’ve even got that WhiteHat / WAF thing rocking while the dev team cleans up vulns at the code level. COOL, good on ya!

Now, there is this other thing happening where you’ve involved a third party to help you reach out to a new customer segment, let’s say South America. You’ve partnered with a company that does this really slick language translation. All that got added was a link in the corner of the navbar that says ‘se habla espanol’.

The business development team is excited! This is SWEET, right??!! Everything you’ve done is now magically translated! This service just funnels your site through their systems, translates it, then forwards everything to the browser of your visitor.

As prudent security professionals, we take a stride back, and look at this. We do business through this platform. Like, this website is our online store, and stuff. So this is a good thing, right? Our shopping experience is now accessible to a bunch more people right? They can shop and spend money with us, in the language of their heart… and stuff. Hmmmmmmm…. <chin scratching begins…>

So that service- how does it handle that whole payment thing? You know, the part with the SSL stuff and the sensitive credit card stuff. And stuff. Uh-Oh.

Well, we have legal stuff with ‘em, so we’re probably okay, right? Why does the InfoSec team always get left to deliver the reality check? They tag all the data, and only translate what is necessary. ‘So, if they terminate SSL, they see that credit card stuff, right?’

Ronald Reagan was a sharp guy: “trust, but verify.” PCI Requirement 12.8 states that your service providers must adhere to the PCI DSS requirements. It calls them SERVICE PROVIDERS. It gets even better. That service is storing, processing, or transmitting cardholder data on behalf of your organization. THEY ARE A PAYMENT GATEWAY.

Payment Gateways are always classified as a Level One Service Provider. Level one service providers have the highest level of accountability to PCI; they have the most stringent requirements and audits. If a QSA has not performed a thorough annual onsite audit of this organization, BUYER BEWARE! Doing business with an organization that handles CHD (Cardholder Data) without acknowledging their level of accountability is only asking for trouble.
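As an added illustration (not part of the original post), here is a small Python check a site owner can run against a page fetched through a translation proxy of the kind described above. It lists every form whose action no longer posts to your own host, which is exactly the condition under which the partner, not you, receives whatever the visitor types, cardholder data included. The proxy hostname, the shop hostname and the HTML are constructed for the example; a relative action is resolved against the proxied page URL, since that is how the visitor’s browser will resolve it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActionCollector(HTMLParser):
    """Collect every <form> on a page with its action resolved to an absolute URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # An empty or missing action submits back to the page URL itself,
        # which through a proxy is the proxy's host, not yours.
        action = urljoin(self.base_url, a.get("action") or "")
        self.forms.append({
            "id": a.get("id") or "",
            "method": (a.get("method") or "get").lower(),
            "action": action,
        })


def forms_leaving_origin(page_url, html, origin_host,
                         sensitive_markers=("checkout", "payment", "card")):
    """Return the forms in `html` (as served at `page_url`) whose action posts to a
    host other than `origin_host`. Each finding records the foreign host, the
    scheme, and whether the form looks payment-related by id or path."""
    parser = _FormActionCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        parts = urlsplit(form["action"])
        host = (parts.hostname or "").lower()
        if host == origin_host.lower():
            continue
        label = (form["id"] + " " + parts.path).lower()
        findings.append({
            **form,
            "host": host,
            "scheme": parts.scheme,
            "sensitive": any(m in label for m in sensitive_markers),
        })
    return findings


# Constructed sample: the shop's page as rewritten and served by a hypothetical
# translation proxy. The checkout form's absolute action has been rewritten to
# the proxy, the search form uses a relative action, and the newsletter form
# still points straight at the shop.
PAGE_URL = "https://translate.example-partner.com/proxy/shop.example.com/"
ORIGIN_HOST = "shop.example.com"
SAMPLE_HTML = """
<html><body>
<form id="checkout" method="post"
      action="https://translate.example-partner.com/proxy/shop.example.com/checkout/pay">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>
<form id="search" method="get" action="/search"><input name="q"></form>
<form id="newsletter" method="post" action="https://shop.example.com/newsletter">
  <input name="email">
</form>
</body></html>
"""


def audit_sample():
    """Run the check over the constructed sample page."""
    return forms_leaving_origin(PAGE_URL, SAMPLE_HTML, ORIGIN_HOST)


if __name__ == "__main__":
    for f in audit_sample():
        flag = "CARDHOLDER DATA PATH" if f["sensitive"] else "data leaves origin"
        print(f"{flag}: form '{f['id']}' {f['method'].upper()}s to {f['host']} ({f['scheme']})")
```

Any form flagged as sensitive here means the partner is in the cardholder data path and must be treated as a service provider under Requirement 12.8 before go-live, regardless of what the contract says about only translating what is necessary.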

Please be careful who you share your sensitive data with! Business partners and service providers can open you up to immense liability. “Trust, but verify.”

Then again, one of my favorite philosophers once said, “There are two people I trust. One of them is God. The other is not you.” (Doc Holliday)


The Next Best Thing to End of Quarter Madness…

June 23, 2008

OKAY, so I have pretty much been a big zero about staying on top of this blog thing.  This is the last full week of the quarter, so the worst is now behind my to do list, I am almost done moving, my travel calendar appears to be slowing down, and the PCI 6.6 countdown has taken its toll.  It appears my perfect storm of craziness is subsiding.

  • ISACA- Greater Houston Chapter
    Had a fantastic time with the ISACA crowd as we explored some of the trends in application security, the intricacies of why statistics are hard to gather, and some of the lessons we can learn from the data WhiteHat has collected.  Fantastic turnout, fun crowd, great discussion!
    Growing up in the Midwest, I had forgotten how much I enjoyed a good thunderstorm.  I was surrounded for four hours by other travelers at Houston Hobby as we lost power at the airport (yea, like four times) while I’m giggling like a little kid in the windows.  (Note to non-California residents: you don’t get storms on the coast like we do in the Midwest…)
  • Shortest DFW Layover in History!
    Upon landing on my late flight, I sprinted to the skybridge, sprinted to the gate and managed to standby (for 37 seconds) to get called and board a delayed flight for SFO.  Time with my feet on the ground in DFW International Airport: less than fifteen minutes.  PRICELESS!

Now that I’m back in town and almost done with this whole moving-from-San-Francisco-to-Man-Jose thing, I will be a little more diligent about posting (hehe, promises, promises).  I have some massive posts I have discussed that need to be posted, so I’ll be off to the races blogging again shortly.