As mentioned in a previous blog post, the payment card processing standard has some changes coming up. The standard should be issued in full next month; in the meantime, and as promised, we are offering a free guide to the anticipated changes to allow you to get ahead of the curve.
We have today released version 3.0 of the popular and helpful ISO/IEC 27001:2013 mapping tool. This compares and maps controls, clauses and other areas from the 2005 version against the new 2013 version and vice versa.
The new version of the tool sees some additional information around documents and records.
Anticipated changes to the standard for payment card security have been announced, and the PCI Security Standards Council has issued some guidelines ahead of the final changes to help merchants get ahead by reviewing and understanding the changes before their implementation. The revised standard (Version 3.0) is due to come out in November.
According to the Change Highlights document, the updated versions of PCI-DSS and PA-DSS will:
- Provide stronger focus on some of the greater risks in the threat environment
- Provide increased clarity on PCI-DSS & PA-DSS requirements
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all the entities implementing, assessing and building to the Standards
- Drive more consistency among assessors
- Help manage evolving risks/threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation
Key themes for the new version include:
Education & Awareness – to help drive education and build awareness internally and with business partners and customers.
Increased Flexibility – Enabling organisations to take a more flexible approach on meeting requirements in common risk areas such as weak passwords, malware and poor authentication methods.
Security as a Shared Responsibility – Changes introduced to help organisations understand their entities’ PCI-DSS responsibilities when working with different business partners to ensure cardholder data security.
The PCI-DSS and PA-DSS are built in a way that their principles can be applied to a variety of cardholder data environments, such as mobile or cloud. The PCI Special Interest Group issues separate and specific guidance for mobile via the PCI SSC website (Mobile Payment Acceptance Security Guidelines for Merchants).
Phishing – do employees recognise it when they see it?
In the last week I have received around twenty phishing emails. These have varied from LinkedIn connection requests, to bank account reset instructions and PayPal alerts that my security had been compromised… the irony of the last one did not escape me. In this period, I also took a worried phone call from a friend who had been called by someone who said they were working on behalf of Windows and that his PC needed to be remotely cleansed and could they have access to it please…. They gave him a fake website address and refused a phone number for call back, then hung up. It's a scam that has been doing the rounds since about 2008 (I'm sure you'll correct me if I'm wrong!). He was working from home at the time and connected to his business's network.
So in the first cases of the emails, it was fairly clear to me that these were phishing attempts. They were not targeted at me or at Advent IM specifically, just chancers doing what chancers do. The PayPal email was the most disturbing because it was better designed than the others. In all cases though, a brief visit to my LinkedIn inbox, online bank account and PayPal account respectively (and not through the 'helpful' links offered in the phishing emails) proved that each was fake, and I reported them. It made me wonder how many businesses actually train their staff in recognising them as security threats and how to subsequently deal with them. I saw a debate on LinkedIn recently about holding individual employees responsible for security breaches and terminating their employment as a result. It included a poll. Many felt that if adequate (no definition included, sorry) training were supplied and a properly enforced and educated policy were in place, the breach was felt to be a result of employee negligence and therefore they should be held accountable. 'Adequate' is a relative term, I appreciate; I do feel, however, that it should include 'regular refresh and update' within it, as well as regular review of the scope as threats change.
The other part of the example I mentioned at the start was altogether more sinister. This was an individual actually picking up the phone and posing as an IT expert, offering a free service on behalf of a household name. It is easy to see how many people could be duped by this. Working at home, in this case, means that the person was connected to their company's email systems and information network. Luckily, the person concerned smelled a rat and asked awkward questions, which resulted in the phishers exiting as quickly as possible. Not everyone might realise this was actually an attack, and the result could be not only the loss of their personal information or even financial compromise but also potential compromise of their employer's network. In this case, no training had been given in spotting an attack of this kind. If the individual involved had not realised this was nefarious, would it be fair to penalise them? After all, this kind of attack was not included in the 'adequate' security awareness training they received.
This IT support approach was also employed in the recent attacks on Barclays and Santander, when an individual actually entered branches of those banks and installed or attempted to install desktop cameras to enable a hack. The individual was posing as an IT repair engineer in both cases. It is far more targeted and part of a concerted campaign. Phishing emails are also sometimes targeted toward individuals, again normally as part of a broader campaign and not a scatter-gun phishing expedition to see who bites. This is more aligned to the social engineering approach. Specific information or access will be the target, so it differs from the mainstream approach and by definition is far more difficult to quantify and therefore to provide awareness training for. That doesn't mean that we shouldn't do it, particularly if we are keen to move down the road toward individual accountability.
Incidentally, if anyone is interested in watching a video in which the 'Windows/Microsoft' scammer tries it on the wrong person… click here.
We need another IA Practitioner Consultant to join our happy team.
If you would like full details of the role and how to apply, please visit the vacancy section on our website.
image courtesy of freedigitalphotos.net
We have issued an augmented version of the mapping document. It has more key findings and a reverse mapping tool so it is now possible to compare clauses 2005 against 2013 and 2013 against 2005.