PCI, Risk Management & “The Blackberry Arsenal”

October 21, 2008

Recently I was assigned to a special project to be the information risk management representative for a payment card processing provider RFP.

One of the vendors was an organization based out of a prominent US city with loads of financial institutions. I will refer to this vendor as N; one of their subsidiaries – referred to as n – is the business unit that actually provides the card processing services. So, for practical purposes – n does the real work; but N is responsible for the big RFP responses and on-site sales pitches. For blog purposes, I will refer to the combined entity as Nn – sort of like me and mini-me…bad attempt at humor – but you get my point.

As was to be expected, Nn showed up in force. Color-coded apparel, great shoes, smiles, and the type of financial savviness one would expect from a reputable financial services provider. I was pretty impressed and to be honest, a show of force like this is what I expect given the size of the company I work for and the attention PCI-DSS commands. After the typical hand-shaking niceties and genuine attempts to find commonality with each other – the love fest started.

About 90 minutes into vendor Nn’s presentation, I asked some of my basic due diligence questions. Now keep in mind from previous posts that I consider information risk management professionals to be intelligence analysts – always gathering intelligence about threats, attack vectors, etc. For a vendor to assume that potential clients are not checking up on them is mind-boggling – but more on that later.

One of my typical questions for any vendor that I assess for risk is: “How does your information security organization manage information security risk?” It is a fair question from my perspective and acceptable answers can be very simple or very complex. I prefer simple but complex is OK as long as they answer it and try not to dodge the question. In this case, vendor Nn answered the question sufficiently. But I still had some reservations regarding the big N and the little n. So, the follow-up question was this:

“In 200X your company (N) suffered a security breach. What has company N done to ensure the same vulnerability does not exist or cannot be exploited moving forward within company N and its subsidiary n?”

Well my friends (a McCain’ism), the love fest came to a halt right then and there.

The talking stopped!

The deer-in-the-headlights look overcame the faces of the team representing Nn.

Nervous glances started being cast.

The Nn sales team lead responded with the following: “What breach?”

My response: “The breach in 200X that shows up in a simple Google search for ‘Nn security breach PCI’.”

Nn sales team lead response: “I am not aware of that!”

My response: “We would like a formal statement regarding the security breach, the business unit impacted, and what has been done to prevent a repeat occurrence within the impacted business unit and any other business units owned by N.”

Nn sales team lead response: “Let us follow-up with you!”

My response: “Thank you!”

At this point, the Nn sales team broke out their Blackberry arsenal. And over the next 60 minutes there was more Blackberry thumbing than I have ever witnessed in a 60-minute period. The love fest had migrated to the sales team, their Blackberries, and other entities miles away; though deep down inside I would not be surprised if there were one or two messages among the Nn sales team members talking about the new A-hole they had just stumbled upon.

Two hours later…during a break… (the love had still not returned to its original levels…)

Nn sales team member X: “I am sorry we could not speak to your question earlier today.”

My response: “That’s OK. I appreciate any follow-up responses you can provide.”

Nn sales team member X: “Well, we really did not know about this security breach, but our legal and PR departments will prepare a response. We really did not know about this.”

My response: “Thank you, we look forward to receiving it! You know, there is a neat Google service that lets you set up email alerts based on keywords you define. I use it all the time to keep tabs on my company as well as other companies. It is a great sales information tool.”

Nn sales team member X: “Thanks I will look into that!”

A few hours later, and some more Blackberry thumbing, the Nn sales team left. Only half of the team bothered saying bye to me and shaking my hand. I cannot blame them – I understand the frustration. In a previous consulting role (that included sales engineer responsibilities) – I saw my share of blown sales pitches and uncomfortable situations.

So here are a few thoughts:

1. Companies that experience security breaches – where the acknowledgment that a breach occurred is public – need to educate their sales team / marketing folks (the entire company, it can be argued) that their reputation matters and that they could face tough questions. To assume that other financial services companies, or companies looking to use their card payment services, will not ask them about recent breaches is ludicrous.

2. The fact that Nn recently suffered a breach but could not speak to it right then and there does NOT disqualify them from further consideration. It is important to point this out, and it underscores the importance of being objective and looking at all aspects of a vendor’s security posture. In addition, this underscores the power of taking a risk-based approach to assessing risk.

3. Ever heard the term “hate the sin, not the sinner”? It is somewhat applicable here. I honestly believe the Nn sales team did not know about the breach. A simple LinkedIn search on the Nn sales team (at least three of them) confirms they were with Nn at the time of the breach – but that does not mean they had privileged knowledge of it.

4. Don’t be afraid to be the friction point – by asking tough questions. Tough questions can be asked – but asking with a sense of humility and tact goes a long way. The reality is that sometimes tough questions cannot be asked unless you are direct and to the point. A lot of us are getting paid good money to perform an appropriate level of due diligence – let’s earn it.

5. At the end of the day, there are a few things Nn might say they learned from their trip:

  1. A-hole’s company cares about security.
  2. We need to be better prepared to know about security in our company and how to speak to past incidents.
  3. Just because we are PCI compliant does not make our sales efforts easy.
  4. We need to stop at the airport bar before the flight takes off.

So there you have it. Another day, another dollar – I love my job.


“Threat Event Frequency”

October 1, 2008

In mid-September, most of Ohio encountered a weather anomaly. The remnants of Hurricane Ike collided with a cold front coming down from Canada, which resulted in sustained winds of between 35-65 MPH for about 4-5 hours. It was quite an extraordinary event – probably the closest thing to a hurricane the Midwest’s human residents have ever witnessed. As a matter of fact, earlier this year I heard a statistician / actuary make an analogy that a 1-in-100 (or maybe it was 1-in-250) event was like a hurricane hitting Indianapolis – which nearly happened in Ohio – minus the rain and coastal storm surge.

Throughout the wind storm my wife and I went outside frequently to secure loose debris and objects that posed a threat to our cars and home. Besides some Bradford Pear trees (30+ feet tall) that managed to not get blown over, the closest call we had was a chimney cap we found lying next to my brand new Honda FIT.

Being the geek that I am, once I got back inside I wrote down a note to myself to blog about this; specifically, in the context of “threat event frequency” (TEF). Over on my risk vernacular page there are definitions for “threat event frequency”, “action” and “contact” (action and contact make up TEF).

The reason TEF is on my mind is because the chimney cap / Honda FIT scenario is a great illustration of various information security risk assessment concepts. I have witnessed many risk assessments where the assessor errs on the side of possibility versus probability. Thus – and in the context of possibility – because there are bad things out there that can inflict harm against my assets, surely it’s going to happen. This sounds like “crying wolf” to me and is something I always double check myself on for each and every risk scenario I assess. During the windstorm, I was worried about my home (business context: my network / my assets) – not the homes a few blocks away or in another part of the state. Now make no mistake about it, TEF is not the simplest topic to wrap your brain around, and a lot of folks confuse TEF with loss event frequency (LEF) – which is really the frequency, or number of instances within a time frame, that the threat was able to overcome the resistance of the security controls.

So, whether it’s the threat of zero-day viruses, a virtual machine security vulnerability, or the slew of other threats that take up memory space in our brains – properly analyzing threat event frequency in the context of the environment at risk (or that you have oversight for), and not confusing TEF with LEF, is a must and in my mind is the difference between a seasoned and an unseasoned information security risk analyst.
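To make the TEF / LEF split concrete, here is a small Python model added to this post (not the author’s own tooling). It assumes TEF = contact frequency × probability of action, since the post says contact and action make up TEF, and LEF = TEF × probability that the controls are overcome, matching the post’s description of LEF; the two scenarios and their figures are constructed for illustration, and a Monte Carlo run cross-checks the arithmetic.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    contact_per_year: float  # how often a threat agent comes into contact with the asset
    p_action: float          # given contact, probability the agent acts against it
    p_overcome: float        # given a threat event, probability the controls fail


def tef(s: Scenario) -> float:
    """Threat event frequency: contact x action. Says nothing about your controls."""
    return s.contact_per_year * s.p_action


def lef(s: Scenario) -> float:
    """Loss event frequency: only the threat events that overcome the controls."""
    return tef(s) * s.p_overcome


def rank(scenarios, metric):
    """Scenario names ordered from highest to lowest under the chosen metric."""
    return [s.name for s in sorted(scenarios, key=metric, reverse=True)]


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; fine for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_lef(s: Scenario, years: int = 10000, seed: int = 1) -> float:
    """Monte Carlo cross-check of lef(): count loss events per simulated year."""
    rng = random.Random(seed)
    losses = 0
    for _ in range(years):
        for _ in range(_poisson(s.contact_per_year, rng)):   # contacts this year
            if rng.random() < s.p_action and rng.random() < s.p_overcome:
                losses += 1                                   # threat event that beat the controls
    return losses / years


# Constructed figures (assumptions, not measured data) for two threats the post mentions.
ZERO_DAY = Scenario("zero-day virus at the mail gateway", 50.0, 0.4, 0.02)  # TEF 20/yr, LEF 0.4/yr
VM_ESCAPE = Scenario("VM escape on the shared hypervisor", 4.0, 0.5, 0.5)   # TEF 2/yr,  LEF 1.0/yr

if __name__ == "__main__":
    for s in (ZERO_DAY, VM_ESCAPE):
        print(f"{s.name}: TEF={tef(s):.2f}/yr LEF={lef(s):.2f}/yr simulated={simulate_lef(s):.2f}/yr")
    print("ranked by TEF:", rank([ZERO_DAY, VM_ESCAPE], tef))  # zero-day first
    print("ranked by LEF:", rank([ZERO_DAY, VM_ESCAPE], lef))  # VM escape first
```

Ranking the same two scenarios by TEF and by LEF puts them in opposite order, which is exactly the mistake the post warns about: the noisier threat is not the one most likely to get past your controls.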

I am still compiling a few risk scenarios to post. Stay tuned and have a great day!