Consumers are Changing their Minds about Data Breaches

Per this article in Fast Company, some 72% of consumers now say that a breach announcement affected their perception of the retail brand involved. However, only 12% actually stopped shopping at the breached stores.

This looks like a rising tide in the minds of consumers, with both attention and action up versus previous polls.

Add to that the feelings of fatigue that we have been following on social media when breaches are announced. TigerTrax often identifies trending terms of frustration around breach announcements, and even some outright hostility toward brands with a breach. Not surprising, given the media hype cycle today.

TigerTrax also found that a high percentage of consumers are more concerned about information privacy than in the past. Trending terms often include “opt out”, “delete my data” and various other conversation points about the collection and sharing of consumer information by vendors.

Retailers and other service providers should pay careful attention to this rising tide of global concern. Consumer awareness of breaches, data theft and illicit data trafficking is likely to keep rising, and brand damage is very likely to follow…

Twitter Stream About Online Card Fraud & Crypto Currency

The other day, I was discussing the idea that as the world moves more strongly toward chip and PIN credit cards, the level of online credit card fraud is likely to skyrocket. Joel, the @SCADAHacker, took me to task, and I thought I would share our conversation with you (with his permission, of course). Here it is:

@lbhuston: Time to Get Moving on Chip and PIN? <There are downsides to this too. It will help physical, but up online fraud.

@scadahacker: @lbhuston Please explain your reasoning on this and why it would be any different than current mag-based cards for online purchases. [sic]

@lbhuston: @SCADAhacker The threat won’t be different, but the criminals that now work physical card fraud will migrate their value stream to online.

@lbhuston: @SCADAhacker In other words, the crime rings powered by card fraud will simply compensate for the controls by switching fraud vector.

@lbhuston: @SCADAhacker This has been historically valid, & I think applies here. Most of those rings already have online fraud skills, they extend.

@lbhuston: @SCADAhacker Make sense? Sorry, hard in 120 char bursts. Sorry for the multiples. 🙂

@lbhuston: @SCADAhacker The really sad thing is that it is the best path forward. Chip cards work, for now. Also look for forgery to accelerate. 🙁

@scadahacker: @lbhuston Agree. Good point my friend!

From there, I went on to discuss another concern that I am focusing on at the moment, crypto currency.

@lbhuston: @SCADAhacker Sadly, another thing I am watching closely is the impacts of crypto currencies on old school political corruption. Few controls

@lbhuston: @SCADAhacker Many law enforcement & govt watchdog groups don’t have digital chops to even understand something like bitcoin. 🙁

@lbhuston: @SCADAhacker Here’s my derby talk from 2 years ago. <The innovate crime 4 profit is why I follow a lot of this.

@scadahacker: @lbhuston Thanks bro!

As always, Joel and all of my readers are welcome. Thanks for reading what I have to say and for allowing me to voice my thoughts and concerns. If you don’t already follow Joel, you should; he is world class and, in addition to being brilliant, is a heck of a nice guy, too. Reach out on Twitter and let me know what you think. Do you think card fraud is about to turn a corner? How will crypto currency influence the future political process? Am I just being paranoid? Give me a shout at @lbhuston and let me know what is on your mind.

PS – It looks like some of these ideas are being thought about around the world. Here are some other folks thinking along the same lines. Click here, here, here or here.

The Media Makes PCI Compliance “Best Defense”?

I have seen a lot of hype in my day, but this one is pretty much — not funny. Below is a link to a mainstream trade magazine for the hospitality industry which claims that PCI compliance is the “best defense” hotels and the like can have against attackers and data theft.

Now, I agree that hospitality folks should be PCI compliant, since taking credit cards puts them in scope, but setting PCI DSS as the goal is horrible enough. Making PCI out to be the “best defense” is pretty ridiculous.

PCI DSS and other standards are called security BASELINES for a reason. That is, they are the base of a good security program. They are the MINIMUM set of practices deemed acceptable to protect information. However, in almost all cases there is a severe gap between the minimum requirements for protecting data and what I would describe as the “best defense”. There are so many gaps between PCI DSS as a baseline and “best defense” that it would take pages and pages to enumerate them. As an initial stab, just consider these items from our 80/20 approach to infosec that PCI leaves out: formalized risk assessment (unless you count the SAQ or the work of the QSA), data flow modeling for data other than credit card information, threat modeling, egress controls, awareness, incident response team formation and even skills gap analysis/training for your security team.

My main problem with PCI is not the DSS itself, but how it is quickly becoming the goal for organizations instead of the starting line. When you set minimums and enforce them with a hammer, they quickly come to be viewed as the be-all, end-all of the process and the point at which the pain goes away so you can focus on other things. This is a very dangerous position, indeed. Partial security is very costly and, at least in my opinion, doing the minimum is pretty far away from being the “best defense”.

PCI Scope Reduction — Why not?

Bill Mathews, our guest blogger, is co-founder and CTO of Hurricane Labs, an information security services firm.

Limiting your PCI compliance scope is beneficial in several ways. First, it minimizes the number of assets to which PCI applies, but more importantly it limits the number of places where credit card data can be found on your network. The latter is the most important. PCI isn’t some huge, scary thing you should run away from, and scope reduction won’t solve all your problems, but it can get you to a point where you understand what is really happening on your network. There are a few caveats and “gotchas” you will encounter along the way, but the journey is worth it.

In order to reduce your PCI scope you must first classify your assets. This is much harder than it sounds for most organizations. You have to figure out what data goes where and how it flows. This mapping is crucial for proper scope reduction. This type of awareness not only helps you reduce your PCI scope but also helps with general troubleshooting. Ultimately it will improve your process; it’s a win-win. If you don’t know where the data is, the bad guys will help you find it.
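To make the data-flow mapping concrete, here is an added example (not Hurricane Labs' or MSI's code) of the first pass most teams run before they can draw the map at all: a scanner that looks for PAN-shaped digit runs in files and logs, keeps only the runs that pass the Luhn check, and reports masked hits per source. The file names and their contents are constructed for the example; the card numbers in them are the well-known public test numbers, not real cards.

```python
"""Find where card data actually lives: scan text for PAN-shaped digit runs,
keep only Luhn-valid ones, and report masked hits per source.

Added example for data-flow mapping / PCI scope reduction; this is not MSI or
Hurricane Labs code. The sample sources below are constructed."""
import re
from typing import Dict, List, NamedTuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of
# a longer digit run (the lookarounds stop us matching the middle of a 20-digit id).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Hit(NamedTuple):
    source: str
    line_no: int
    masked_pan: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the most PCI DSS lets you display), hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(source: str, text: str) -> List[Hit]:
    """Return every Luhn-valid PAN candidate in text, masked, with its line number."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                hits.append(Hit(source, line_no, mask_pan(digits)))
    return hits


def scope_report(sources: Dict[str, str]) -> Dict[str, int]:
    """Per-source hit count: anything non-zero is in PCI scope, whether you planned it or not."""
    return {name: len(find_pans(name, text)) for name, text in sources.items()}


# Constructed sample "files". Only the hr/ entry should surprise anyone.
SAMPLES = {
    "pos/orders.csv": "order_id,pan,amount\n1234567890123456,4111 1111 1111 1111,19.99\n",
    "web/app.log": "2014-02-03 12:00:01 INFO checkout ok card=378282246310005 phone=614-555-0100\n",
    "hr/payroll.txt": "employee 1234567890123456 paid\nbadge 5500-0000-0000-0004 issued\n",
    "corp/readme.txt": "No card data here, just a timestamp 20140203120000.\n",
}

if __name__ == "__main__":
    for name, count in scope_report(SAMPLES).items():
        print(f"{name}: {count} PAN(s)")
    for hit in find_pans("hr/payroll.txt", SAMPLES["hr/payroll.txt"]):
        print(hit)
```

Roughly one random digit run in ten passes Luhn, so the report is a starting point for manual review rather than a finished inventory, and it only sees plain text: anything encrypted, tokenized or sitting in a database column needs a different probe. The useful output is the hit in the hr/ sample, card data in a place no diagram admitted to, which is exactly what widens your scope when an assessor finds it first.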

After you’ve happily mapped out your data flow and understand where things are and why, you can move on to segmentation. Segmentation allows you to split your network into smaller chunks, which makes implementing our next goal that much easier. That goal is the principle of least privilege, which essentially says, “if you don’t need access, you don’t get access.” I’ve often argued that proper implementation of least privilege will not only solve nearly all your compliance issues but goes a long way toward solving your security woes as well. Notice I said “proper implementation.” Many implementations of it are flawed. Following up the segmentation with a good access control test is very important: it’s one thing to have controls, and quite another to have them properly implemented.
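As an added example of the access control test the paragraph ends on (not Hurricane Labs' or MSI's code), the following evaluates a constructed first-match firewall policy against the flows that must and must not reach the cardholder data environment, and lints allow rules into CDE segments whose source or port is unrestricted. Segment names, CIDRs, rules and test flows are all assumptions made up for the example; the third rule is the kind of "temporary" troubleshooting hole that turns a segmented network back into a flat one.

```python
"""Offline access-control test for a segmented network: evaluate a first-match
firewall policy against the flows that must and must not reach the CDE, and
lint for allow rules that grant more than least privilege.

Added example; not Hurricane Labs or MSI code. Segments, rules and flows are
constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or ANY
    dst: str              # CIDR or ANY
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


# Constructed segments; which ones hold cardholder data comes from the data-flow map.
SEGMENTS = {
    "cde-pos": "10.10.1.0/24",
    "cde-payment": "10.10.2.0/24",
    "admin-jump": "10.20.5.0/24",
    "corp-workstations": "10.20.0.0/16",
    "guest-wifi": "192.168.50.0/24",
}
CDE_SEGMENTS = {"cde-pos", "cde-payment"}

# Constructed policy: evaluated top-down, first match wins, implicit deny at the end.
RULES = [
    Rule("10.10.1.0/24", "10.10.2.0/24", 443, "allow"),   # POS -> payment gateway
    Rule("10.20.5.0/24", "10.10.0.0/16", 22, "allow"),    # jump hosts -> CDE ssh
    Rule(ANY, "10.10.2.0/24", 443, "allow"),              # "temporary" troubleshooting rule
    Rule(ANY, ANY, None, "deny"),
]


def _matches(scope: str, ip: str) -> bool:
    return scope == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(scope)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation; anything not explicitly matched is denied."""
    for rule in rules:
        if _matches(rule.src, src_ip) and _matches(rule.dst, dst_ip) and rule.port in (None, port):
            return rule.action
    return "deny"


def segment_of(ip: str) -> Optional[str]:
    """Most specific segment containing ip (admin-jump sits inside the corp /16)."""
    best = None
    for name, cidr in SEGMENTS.items():
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(ip) in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


def overbroad_cde_rules(rules: List[Rule]) -> List[Rule]:
    """Allow rules into a CDE segment with an unrestricted source or port violate least privilege."""
    flagged = []
    for rule in rules:
        if rule.action != "allow":
            continue
        dst_in_cde = rule.dst == ANY or any(
            ipaddress.ip_network(rule.dst).overlaps(ipaddress.ip_network(SEGMENTS[s]))
            for s in CDE_SEGMENTS
        )
        if dst_in_cde and (rule.src == ANY or rule.port is None):
            flagged.append(rule)
    return flagged


def run_access_tests(rules: List[Rule], cases: List[Tuple[str, str, int, str]]) -> List[str]:
    """cases are (src_ip, dst_ip, port, expected_action); returns one line per mismatch."""
    failures = []
    for src, dst, port, expected in cases:
        got = evaluate(rules, src, dst, port)
        if got != expected:
            failures.append(
                f"{segment_of(src)} {src} -> {segment_of(dst)} {dst}:{port} expected {expected}, got {got}"
            )
    return failures


# Constructed flow list: the allowed business flows plus the denials segmentation exists for.
TEST_CASES = [
    ("10.10.1.15", "10.10.2.10", 443, "allow"),   # POS may reach the gateway
    ("10.20.5.4", "10.10.1.15", 22, "allow"),     # jump host may ssh to POS
    ("10.20.7.33", "10.10.2.10", 443, "deny"),    # workstation must not reach the gateway
    ("192.168.50.9", "10.10.1.15", 22, "deny"),   # guest wifi must not reach POS
    ("10.20.7.33", "10.10.1.15", 3389, "deny"),   # workstation must not RDP to POS
]

if __name__ == "__main__":
    for failure in run_access_tests(RULES, TEST_CASES):
        print("FAIL:", failure)
    for rule in overbroad_cde_rules(RULES):
        print("OVERBROAD:", rule)
```

Run it against an export of the real policy and a flow list derived from the data-flow map, then repeat the same flow list live (for example, connecting from a workstation to the payment segment). The two should agree; where they don't, the policy on paper is not the policy in force, which is the gap between "having controls" and "having them properly implemented".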

By no means are these the only things you should do; but in my opinion they are crucial for reducing your risk. Accomplish these few things and you’ll be well on your way to both reducing your PCI scope and having a well-balanced security posture on your network. Overall it is worth the effort it takes.

What Helps You with PCI?

Yesterday at RSA, much press attention was paid to a metric: 41% of all organizations tested needed temporary compensating controls to meet even the minimum level of security that PCI DSS compliance provides.

This led us to this discussion. If so many organizations need temporary controls to do the minimum, then what controls, in your experience, are the most worthwhile for those struggling to meet PCI?

Please leave a comment and tell us what controls you find most useful, easiest to leverage and worth the investment for PCI compliance.

As always, thanks for reading and we look forward to your input.

Bandwagon Blog: Why Isn’t Compliance & Regulation Working?!?

Everyone else seems to be blogging about it, so why not a “me too” blog from a different angle?

The main security questions people seem to be asking over the last few days are: “Why are data theft and compromise rates soaring? I thought that regulations like GLBA, HIPAA, various state laws, PCI DSS and the myriad other new rules, guidelines and legislation were going to protect us?”

The answers to these questions are quite complex, but a few common answers might get us a little farther in the discussion. Consider these points of view as you debate amongst yourselves and with your CIO/COO/CEO and Board of Directors in the coming months.

What if compliance becomes another mechanism for “doing the minimum”? The guidance and legal requirements are meant to be minimums. They are the BASELINES for a reason. They are not the end-all, be-all of infosec. Being compliant does not remove all risk of incidents; it merely reduces risk to a level where it should be manageable for an average organization. This absolutely does NOT mean, “have some vendor certify us as compliant and then we are OK.” That’s my problem with compliance driven security: it often leaves people striving for the minimum. But the minimum security posture is a dangerous security posture in many ways. Since threats constantly evolve, new risks continually emerge and attackers create new methods on an hourly basis, compliance WILL NOT EVER replace vigilance, doing the right thing and driving defense in depth deep into our organizations. Is your organization guilty of seeing compliance as the finish line instead of a mile marker?

Not all vendors “do the right thing”. Vendors (myself included) need to sell products and services to survive. Some (myself NOT included) will do nearly anything to make this happen. They will confuse customers with hype, misleading terminology or just plain lie to sell their wares. For example, there are some well known PCI scanning vendors who never seem to fail their clients. Ask around, they are easy to find. If your organization is interested in doing the minimum and would rather pass an assessment than ensure that your client data is minimally protected, give them a call. They will be happy to send you a passing letter in return for a check. Another example of this would be the “silver bullet technology” vendors that will happily sell their clients the latest whiz-bang appliance or point solution for fixing an existing security need, rather than helping clients find holistic, manageable security solutions that make their organization’s security posture stronger instead of the vendor richer….

Additionally, many compliance requirements reinforce old thinking. They focus on perimeter-centric solutions, even as the perimeter crumbles under disruptive technologies. Since regulations, laws and guidance adjust to change much more slowly than attackers and their techniques do on Internet time, the compliance driven organization NEVER really catches up with current threats. It spends all of its time, money and resources building security postures and implementing controls that are often already ineffective because the attackers have moved on.

Lastly, I would reinforce that there are still many organizations out there that simply will not “do the right thing”. They believe that profit surpasses the need to protect their assets and/or client data. They do not spend resources on real security mechanisms, fail to leverage technologies appropriately, remain careless with policy and processes and do little in terms of security awareness. There are a lot of these organizations around, in nearly every industry. They do security purely by reaction: if they have an incident, they handle that specific issue, then move on. Since consumer apathy is high, they have little to no incentive to change their ways. The only way to enhance the security of these folks is for everyday buyers to become less apathetic and veto insecure organizations with their spending. All else will fall short of causing these organizations to change.

So there you have it. A few reasons why regulation is not working. I guess the last one I would leave you with comes from my 16+ years in the industry – good security is hard work. It takes dedication, vigilance, attention to detail, creative AND logical thinking and an ability to come to know the enemy. Good security, far beyond compliance, is just plain tough. It costs money. It is rarely recognized for its value and is always easier to “do the minimum” or nothing at all…

Commentary on Security Assessment/PCI Scanning RFP Processes

Since MSI is a PCI scanning vendor, we are often included in various RFP/RFQ processes for the purchase of network scanning and assessment services. Over the last couple of years, one problem continually seems to raise its ugly head in RFP after RFP.

That issue is the lack of clarity in the RFP. Usually, the RFP issuer does not want to clarify the number of systems, applications, IP addresses or other relevant materials to the vendors. They want to keep that information private until after they award a contract. Below is a response I wrote this morning to a particular RFP issuer who is following this same pattern. Please read it and feel free to comment on the process, my response or any other items. I truly believe that only through communication, debate and eventual education can we find ways to take the customer and vendor pain out of these processes. Here is what I wrote in response to their posting about not wanting to reveal the number of IP addresses, except to the winner after the contract is awarded:


While I appreciate your process, I would suggest to you that your approach is not likely to achieve the best value for your organization.

Since you are choosing not to disclose the number of IP addresses to be assessed until after the winner is chosen, you essentially remove the very metric that the majority of scanning vendors use to create pricing models.

Thus, you force vendors to either respond with an hourly rate, or to estimate the work and resources required. There is a risk to them and to you in this estimation process. Their risk is that they could underestimate, thus causing themselves undue financial burdens. Your risk is that they will consistently overestimate, thus raising the prices you get for comparison and increasing the overall cost of the services you receive.

Of course, another possibility exists: some vendors with ethical issues might respond to your lack of information by attempting to footprint your network and IP spaces to gather the relevant information themselves. Depending on their skills, tools and moral compass, this could cause a myriad of problems, ranging from network congestion to inadvertent denial of service, as the various vendors who fit this model identify and map your visible Internet presence.

In our experience, the more information and clarity you can achieve in your requests for pricing information, the better. The clearer the scope of work, the more focused and relevant the responses will be and the more “real world” the costs. In every situation where we have seen prospects use the RFP process as a veil, the resulting engagements are damaged by scope creep, misunderstandings, miscommunications and higher than average costs in money AND relevant resources.

The most often quoted reason for RFP ambiguity that we have heard over the last 15 years is that the issuer did not want to “expose details to attackers”. After more than a decade and a half in this business, I have learned from experience that attackers already have exposure information. If they want it, they will simply map the network and gather it. They will also do so in ways that have little to no respect for your business processes, customer uptime commitments, maintenance schedules and other potential impacts to your business.

All of this said, again I respect your process and your right to proceed however you choose. Perhaps your intentions or requirements are not as presented above – which is fine. I simply wanted to address RFP/RFQ processes at large and I hope this information sparks discussion and comment among vendors and end-customers of security services alike.

*End Paste*

I went on to thank them for their inclusion in the process and to invite them to comment on this blog about the content. I hope they, and others do so. Please let me know your thoughts on this and other issues around RFP ambiguity. I would love to create a discussion between both vendors and customers about their ideas and feelings on the process!

Cisco’s PCI Ultimatum Movie was a Big Hit!

The movie premiered in Columbus yesterday and seemed to be a great way to learn about PCI requirements.

It was hilarious to see people you know on the big screen.

Check it out when it comes to a city near you. You can check out the trailers and such at

We have put up a separate blog site to follow the movie as it tours and to give follow up info. You can check it out at!

Respond in comments and let us know what you thought of it!

Added Note: It is our CEO who gets killed in the opening scene, persistent isn’t he…  😉

Also, the movie premier followed our State of the Threat presentation yesterday morning, adding even more info to what has quickly become one of the leading edge security presentations around!