A certified Information Security professional with demonstrated experience spanning more than 10 years in the financial, banking, consulting, and payment card industries, managing Information Security Management Systems (ISMS).
A postgraduate degree holder in Information Security Management (M.Sc); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA.
Demonstrated to be a reliable, trustworthy, and meticulous person; having worked in controls-focused, multinational, and multicultural organisations over the years, I have gained a good understanding of what is required of an Information Security professional.
ISMS based on ISO/IEC 27001/2
Payment Card Industry (PCI) DSS - QSA led services - PCI Scoping, Gap Analysis and Formal Assessment (RoC)
IT Governance, Risk and Compliance (GRC) Management
Enterprise Security Architecture
Technical Security Architecture
Recently, I had a conversation with an Executive who has many years of experience in Cybersecurity consulting. The topic of the discussion was that SABSA is alien to people, so it is useless and we should stop using it! From his point of view, he doesn't understand SABSA, hence the dismissal.
It is my personal policy that I don't comment on things that I don't understand. Whilst this is a personal policy, I believe it should be de facto for many like-minded people. Simply because you don't understand a concept/technology etc. does not mean its adoption is not good.
SABSA is not a prescriptive standard with a black-or-white implementation, e.g. PCI DSS. SABSA is a risk-based, business-focused information security architecture development framework. What this means is that it should be used as a guide, rather than a set-in-stone blueprint, to build enterprise security architecture. As soon as Cybersecurity architects and consultants understand this, SABSA can be useful for organisations; until then it will remain an alien framework!
Note: This is a first quick draft – further editing needed.
Most newcomers to the security industry tend to have that security impostor syndrome; well, I know it from first-hand experience, as I was one of them. It is hard to shake off, and the sooner the better, otherwise it will stay forever. Is it good or bad?
First let's get the definition right. According to Dictionary.com (https://www.dictionary.com/browse/impostor-syndrome), impostor syndrome is anxiety or self-doubt that results from persistently undervaluing one's competence and active role in achieving success, while falsely attributing one's accomplishments to luck or other external forces.
Another good definition, snatched from Stu Hirst's presentation below:
What is Imposter Syndrome? @stuhirstinfosec Impostor syndrome (also known as impostor phenomenon, impostorism, fraud syndrome or the impostor experience) is a psychological pattern in which an individual doubts their accomplishments and has a persistent internalised fear of being exposed as a “fraud”
I have been in the game since 2007, that's about 14 years and counting (I don't intend to leave this space for now or the foreseeable future 🙂 ). In the beginning, everything was new and the security concepts seemed alien to me, and on top of that I was to ensure that the bank's systems were secure. So it was a bit of a tall task, and I needed to learn quickly and provide assurance to the management that I knew what I was doing. So you can see how that came about.
Most security practitioners are not native security professionals, unless you served in the military or police force, where most of the security controls/concepts were borrowed from, either from a logical or physical security point of view. Hence, it is not a coincidence that for most military men and women, after retirement from active service, it is easy to transition into cybersecurity (civilian life).
Whilst the knowledge gap is massive, you will need to come up with a strategy, a plan, or however you call it, to combat this. So how did I come up with a plan?
Have a plan – My plan was to do a security certification every year. It doesn't mean I have to pass the exam; whether I fail or pass, it means that I have acquired the knowledge. I think when you fail, you learn more, so at least I can confess that I have failed most of the exams I have attempted on the first try, but that set me up well in terms of knowledge.
Don't be afraid to try and fail – You need to understand that if you don't experiment or try, you won't make progress. Of course, in any experiment there will be failures and successes. So there you go, you will fail anyway, so why don't you try?
Read more books – Reading a book is one thing, but taking action from the book is the next most practical thing you can do. Once you have identified the list of books you need to read, make sure you make an actionable plan to implement the ideas from the book. It doesn't matter if the book is technical or not; you should be able to try it out in a virtual environment or a fictitious made-up company, e.g. when doing a risk assessment.
What you do in your spare time counts the most – I always believe in trial and error, experiments, making mistakes and getting something out of that as a lesson learned or an invention (whatever that may be). If you take this as your key principle and set up, e.g., a lab if you are a pentester, trying new exploits, or if you are a Security GRC SME, develop and test new models, it will be a good way to enhance your skills. In addition, I would say read more and put things into practice; that's the best way to learn and build confidence.
Get involved in a community – There are a number of security communities out there for different audiences, and you can find them on LinkedIn or through professional associations such as ISACA, etc. Get involved and be active, and see how other security professionals get on with their lives, both professional and personal, if they care to share.
I hope what I have discussed above makes sense and will help you to shake off that impostor syndrome; if not, please read some wise words below from Stu Hirst, one of the vets in this field.
Here is a link to one of the people I greatly admire in the security space, Stu Hirst, as I have been closely following his rise in the corporate ranks as he grew into a household name; we tend to call them thought leaders. I first met Stu when he was working at SkyScanner as InfoSec Manager in Edinburgh, and he now works at JustEat as Director of InfoSec.
In our daily lives the use of the eyes is often overlooked. Try to focus on two different objects, using one eye on one item and the other eye on another item. For example, one eye looking at your phone and the other eye looking at a dining table: can you do it? I bet not, but when it comes to concentration, we tend to fool ourselves that we can multitask, like watching TV while holding a conversation. One might argue that we use different organs and senses for doing that, ears and eyes, but it has been proven that you will lose one of the two: either you will not 100% comprehend what you hear, or you might not follow the plot of the TV programme.
Personally, I have had problems concentrating when I try to multitask, and I have read dozens of papers and heard talks proving scientifically that we cannot multitask, and yet we try to do it. In my own little experiment, I have found that when you fixate your concentration on an object you tend to grasp the meaning of it (insert mindfulness); for example, when you bottle-feed the baby and have eye contact, you tend to unearth new features of your baby that you did not even know were there. So what's the secret? Well, I would like to call this method the 2 eyes – 1 object system.
When you fix your eyes on a single object, you tend to concentrate on that object; your full attention should be there as if your life depends on it, and by doing so you are fully immersed in the experience, fully concentrated on the object, and you shall be able to gain more from that interaction than with your eyes wandering around. So next time you want to elongate your attention span, fix your two eyes on a single object.
A lot of big-name companies are falling victim to ransomware, and I am afraid most organizations are not well equipped to fight these new waves of attack, ending up coughing up €£$.
Garmin fell victim to one of these attacks, and as a user of its services I was affected for a few days without being able to sync my data to the right cloud services. Sorry to use this example, but I couldn't stop asking myself questions such as: how good are their backup and restore capabilities? If they fall victim to ransomware, what is their Cybersecurity defense posture? If they end up paying the ransom, are they likely to be attacked again? And again?
I am not saying Garmin paid the ransom, but other victims do pay the ransom, and the bad guys are not guaranteed to keep their word. All that is known is they will attack again and ask for more €££. Make sure your backup and restore strategy works this time around.
You can't build a house on a sandy foundation, so the saying goes. I am not sure who said that, but it makes sense: you can't build a 100-floor building on a shaky foundation. The same goes for your security career. You need to have the basic foundation for whatever path you choose, whether being a pentester or a GRC consultant. From a pentester's view, you will need to understand how computers, networks, applications, storage and the cloud work at a very rudimentary and fundamental level. The good pentester is a crafty pentester, just like an artist, Picasso? Tools will help you, but thinking inside and outside the box is needed, and that is only possible if you have the fundamentals and know how the machine works. That's been my approach in my career, and I can see some progress since I started back in 2007. Know the fundamentals and keep yourself updated.
This might not be a good comparison, or one may think it is a weird one. For the past three decades technologists and cyber security vendors have worked hard to produce the best of breed when it comes to technical security controls based on hardware, and are now transitioning to software-based or software-defined alternatives. Around the same time the bad guys, whatever hat colour they wear, have also been busy trying to poke holes in these controls, and they only need one good strike out of 1000000 tries. To be fair, they have been successful, to say the least.
But what has slowly evolved is the human firewall as a defense, where organisations still believe a hardware- or software-based firewall is the only good security control to stop bad guys on the internet from getting into their organisations. Well, if you have been counting, this is a long war, and every now and then the good guys may win, but playing the long game, the bad guys have the upper hand.
Regardless of the advancement of technology, the human still remains the weakest link in the chain, and organisations should invest reasonably well in fortifying the human firewall, because at the end of the day, you may have all the good, shiny, updated hardware and software firewalls, but if you don't have a strong human firewall, you will always fall victim.
The other day a friend asked me how one should start a security career. What is the best path, course to study or security certification to go for? Well, my answer always starts with: do the CISSP certification. Why do I say that? Why not ISO 27001? Why not SABSA?
One simple reason: CISSP covers a lot of domains, originally about 10 domains and now squeezed into 8 domains. CISSP to me covers a lot of ground, is good for a security generalist, and is a good introduction to security as a preparatory course. The second reason is that CISSP requires a lot of effort, preparation and time investment to pass the exam. Even when one doesn't pass the exam, the knowledge gained is valuable and an eye-opener to the security world.
So those are basically my simple reasons. Security over the years has matured, and now you can be a specialist in any of the fields below:
– penetration testing and threat hunting
– incident response
– threat intelligence
– security operations and DevOps
– secure development
– cloud security
– security architecture
– Governance, risk and compliance
– and many more. All these domains have their own certifications, so find your passion, develop your area of competence and be called an expert. I guarantee you it won't be an overnight success. Good luck.
Most businesses prefer to outsource some of their services because of cost or resource reasons, or a combination of both. Some of the outsourced services require special skills, but nonetheless the outsourced data still remains the outsourcing company's responsibility; simply put, the service provider retains the data and is trusted to be a good custodian and keep the data safe (so it is thought to be the case).
Most companies have a 'right to audit' clause embedded in their agreements, and this takes the form of a third-party assessment; you can call it spot checks or due diligence or whatever name fits. Over the years, I have been involved with these sorts of assessments, from onsite assessments to reviewing questionnaires, or some just send their ISO 27001 certificates and say: we are secure, don't worry about your data.
Whilst the effectiveness of the assessment depends on the organisation's risk appetite, personally I have problems with questionnaire-based assessments, most of which are self-assessment questionnaires, when the service provider provides responses without attaching evidence. I believe an onsite assessment provides more value and is a more evidence-based assessment. Whilst the issue of cost might be a limiting factor in conducting these sorts of assessments, I would take the approach of a questionnaire with an additional remote assessment via video conference facilities and additional evidence uploads to back up the responses.
In the next post I will cover the following aspects of third-party assessment: (1) what needs to be assessed, (2) the framework, (3) the frequency of the assessment.
Nobody makes it alone to the top in the corporate world, but I know there are exceptions for those one-man armies. Regardless of how you made it to the top or how you joined the security profession, I think you feel some sort of responsibility to give back to the community, and this is my motivation to give back to the community by means of mentoring young professionals or those on their journey.
I welcome anyone who needs my advice; please reach me at kinyoka at hotmail.com
This post has been sitting in my drafts for about 3 weeks, when things weren't as bad as they are right now. The public data for the UK puts the death numbers in excess of 9500 as of 11th April 2020. No news of a vaccine or a way to contain the virus, but my hopes are high, and to play my part I follow what the UK government advises us to do.
So back to our little infosec/cybersec world: I think there is more we can do to help from the defense side, including making sure the bad guys are not taking advantage of these difficult moments to get the better of people and organisations, especially the hospitals and medical care communities.
This post is more about what we can learn from this pandemic, and I will update the lessons as we go along.
How you prepare for the event
This may be the time when you think of your DR, BCP and IRP plans, and wish you had tested them as frequently as possible. The sad truth is these plans are hardly tested, or when tested, it is at most annually to satisfy some regulatory requirements. So there you go: increase the frequency of testing these plans; you may not know when you will need them.
How you respond to the event
Now you have your plan, and you get it tested once a year, but how do you test it? Table-top? One scenario? Excuses might be thrown in saying you don't have the resources or time, but when disaster comes you will need time and resources, hence test the plan as if your life depends on it, because that is how you are going to respond.
Controls do not always work
You should be able to test your security controls' effectiveness and establish how much you rely on them and what improvements are needed to meet the stated business requirements.
With the coronavirus disaster, a lot of businesses have suffered or are going under, like those in the leisure and airline industries, and other businesses have needed to reinvent the way they work and engage their customers.
Move faster than the attack
We are in a war against the coronavirus; while all the protocols have been followed to contain the virus to some extent, in the business world the defense teams should be able to move fast to contain attacks in the same way in order to defend the business; otherwise the attacker will have the upper hand and completely paralyse your business. Think like an attacker, and move faster than them.
It is 15th March 2020, and from the headlines everywhere I can't help but notice how the coronavirus (COVID-19) is causing havoc to humans first and business second, or the other way around, depending on your take. Yes, businesses have been hit hard, from the travel industry to cyber security consulting (seeing some well-known consulting firms' share prices drop by 20% in a couple of weeks' time!). The situation is getting worse.
While we know that on a good day AI gets the praise and the good promises that it will help mankind, I was wondering, and maybe many of you are too, how has AI so far helped to fight this soon-to-be-called pandemic? Is there any way that AI can come to the rescue?
The security department and the business always clash when it comes to justifying security expenses in the context of business justification (why did you buy that NAC device?). My idea is basically that everything the security department does should be prefixed with the word business, e.g. business cybersecurity, business security incident management, business penetration test (you get the idea). By doing this the mindset shifts from doing security for security's sake to doing security for the business (not being in the business of information security). My simplified model below reflects this SABSA thinking, and I will expand on it more at a later date.
Ideally, when constructing a building (e.g. a house), you start from 0 to 100, i.e. build a foundation, erect the structure, then fit the windows and roof, and finish off with the cosmetic tasks like painting, plumbing etc. While this kind of building up is ideal and feasible for the physical construction of things like a house, an aeroplane etc., it might not be so ideal for building business information security programmes, given that information security has for years been an afterthought practice, e.g. systems were developed and then security folks were asked to add on security controls, or a layer of security on top of an insecure system, and this was not security by design or security by default.
While most organisations I have had the honour to visit or assess may have a formalised security programme or information security management system (ISMS) where they coordinate information security activities coherently, some of them may not have a formalised security programme at all. The question I have been asking myself is: can someone start from the middle, or put together whatever you have, to arrive at a complete business information security architecture?
YES, I think, is the answer to this question, according to me and what I have seen so far. In the next post, I will expand more on how an organisation can start in the middle and complete their business security architecture.
Sony, Target, Equifax, Facebook, Kaspersky, the Iran nuclear plant: do these names ring a bell?
You might have noticed them in the newspaper headlines (or a blog post somewhere like Dark Reading or The Register). What they have in common is that they are big organisations, and all have been breached at one point in their business lifetime. The question is not whether you are going to get breached; it is a matter of when. And the question to ask yourself is: do you have enough resilient controls to make your business sustain these attacks and continue serving your customers or the public?
If the reality hasn't sunk in yet, I think it is the right time to review your Incident Response Plans and your infrastructure and process resilience (and don't forget your PEOPLE; their resilience matters the most).
In preparation to build the resilience needed to respond to an attack, it is better to start at the grassroots level with the following questions:
Why are most organisations not prepared to respond to security attacks?
What does reasonable resilience look like from the three dimensions of Technology, People and Process (TPP)?
In the next post, I will expand on these two questions; for now let's leave it here.
Imagine this: as a Qualified Security Assessor, below is a close resemblance of a typical year's schedule for conducting assessments:
January – March: Service Provider Assessment (25 days)
April – May: Data Centre Assessment (15 days)
May – October: Retail Supermarket Assessment (60 days)
November – December: Service Provider Assessment (25 days)
A typical assessment averages between 10 days and 100 days.
The days that you are on the bench are typically compensated with 5- to 10-day short engagements, such as conducting one of the below:
PCI scoping exercise
PCI Gap Analysis
Define a PCI Program for a client
ISO 27001 Scoping / Gap Analysis or Internal Audit.
With this busy schedule, a consultant usually ends up meeting or far exceeding the utilisation target, which for most consultancies is set to either 65% or 85%; in plain English it means out of 20 working days, you end up doing all 20 days.
In the security industry, or at least from my personal experience, security consultants put in a lot of hours day in and day out, which in the long run benefits the company as well as personal career growth, but what we fail to take into consideration is how you manage yourself physically and emotionally, so as to minimise burnout.
In order to minimise burnout, it is important to make sure you have the right work/life balance. Whilst this is easier said than done, you have to create your own program (don't wait for the company to do this for you), where you make sure you have the time to exercise and engage yourself in something outside of the cyber world.
For myself, I have managed to create a schedule where I can do physical activities during the week, e.g. running, swimming, playing basketball and cycling. I also tend to read something outside of the cyber security world, which at least puts my mind at ease, and most importantly my weekends are purely reserved for my family, during which I don't check work emails or work on any report or sales pitch preparation. The trick is to start small with a few routines, e.g. a 10-minute walk/run during lunch time, and build from there. In order to perform better and stay sharp, remember to take good care of your body and mind. DON'T BE A SECURITY BURNOUT APPLIANCE.
I love the cloud, and I guess you do as well if you have heard that security in the cloud is automated! That is a very bold claim and might be a bit misleading. In the past couple of years, cloud adoption has been a cool trend, and very economical for businesses in saving money when it comes to running IT infrastructure (maybe we should do another post on the reality of the cost savings of cloud vs on-premises). While cost saving is one of the main drivers, it should be noted there are other drivers, such as a faster way to go to market, testing new ideas, being able to expand or reduce resources at will (elasticity), and also security being the other big factor.
One thing to be clear about here: cloud security is a shared model, which is embraced by all the big Cloud Service Providers (CSPs) such as Amazon, Microsoft and Google, just to name a few. What this means is the CSP provides security for the cloud's physical infrastructure, e.g. data centres, hypervisors, networking tools, and the customer is responsible for the data. This is the simplest view; however, it is more complicated than this, depending on the deployment model, such as IaaS, PaaS, SaaS or other Cloud-as-a-Service (see diagrams below). Hence the famous phrase "the CSP provides security of the cloud and the customer provides security in the cloud".
Organisations should understand these differences in terms of their core responsibilities when it comes to managing security in the cloud. The model below from AWS illustrates this more clearly, and the logical step is for the organisation to map these responsibilities to the right roles/people within the organisation.
So the next time you hear "let's move to the cloud, security is automated and taken care of for us", remember it is a shared responsibility and you have a large part to play as well; at the end of the day the data is yours, YOU'RE RESPONSIBLE!
Over the years, as a security consultant, auditor or security assessor, I have assessed or helped more than 50 unique businesses spanning from Europe and East Africa to New Zealand, and I can certainly say that at least 80% of these organisations do not have a documented business security architecture!!!
1. The art or practice of designing and constructing buildings.
2. The complex or carefully designed structure of something.
3. (computing) The design and structure of a computer system and
4. ISO/IEC 42010:2007 defines "architecture" as: "The fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution."
5. In TOGAF, "architecture" has two meanings depending upon the context:
– A formal description of a system, or a detailed plan of the system at component level to guide its implementation.
– The structure of components, their inter-relationships, and the principles and guidelines governing their design and evolution over time.
6. According to SABSA, business security architecture is …
In my view, putting all these definitions in context, an organisation will need to have a security architecture so that it has a solid foundation of security that is aligned with business objectives and the capability to piece together the different components of security programs, such as policies, technologies and other security controls. It has to be noted that you cannot build a house on a shaky beach-sand foundation, as this will lead to an unstable house likely to crumble to pieces sometime in the future. The same stance should be adopted when building security programs, which should be based on a well-designed business security architecture.
From a security point of view, having a well-designed and documented security architecture will in future help to alleviate problems such as having to add on security solutions just for the sake of having a shiny appliance, without realising what protection it provides for the business.
Whilst by default most organisations don't have a documented business security architecture, I would say it is not too late to start now, as you will find out you are already doing about 50% to 70% of what is required; why don't you finish piecing the pieces together to make that 100%? And don't forget to document it.
I think it is that time of the year again when the security experts see the future and predict the present. I guess I should join the bandwagon, so can I have your attention please?
#1 Organisations will continue to be breached
It's days away from 2020, and the rate of breaches is not likely to go down; organisations will still be breached. As much as I would love to believe that organisations are doing well protecting themselves, you will be surprised by how many organisations can't even meet the minimum requirements set out in the NCSC's 10 Steps to Cyber Security (https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security). A simple question: is your patch management program integrated with your vulnerability management process, and does it cover that unpatched Windows 2003 server? Sorry, I meant Windows 2008?
#2 Increase spending in the cyber security budget, otherwise you will be breached
Increasing the budget for the cybersecurity program is a good thing, but spending the money only on buying security appliances without first establishing 'what assets' need protecting is not a good move. Organisations should ensure that the security objectives are aligned with the business objectives, and establishing this should be done systematically through documenting a business security architecture. So security execs (CISOs/CSOs) should be able to trace back when they are asked why we need to invest in a 'dark web monitoring service' or a 'shiny security appliance'.
#3 Your applications are still vulnerable to OWASP Top 10 (of 2013)
A number of web apps are still vulnerable to the 2013 version of the OWASP Top 10, and if you see any of the below during your testing, I guess you need to have a word with your dev team, or should we say DevOps or DevSecOps? Whatever the name, this means there is something wrong with the development practice and the whole lifecycle.
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
#4 Your Incident Response Plan has been table-top tested for the past 3 years; the real storm comes this January.
I have seen organisations end up doing only table-top exercises in order to tick compliance tickboxes. While one may argue that invoking the full IRP may be costly, it may cost you more if the only tests you have done for the past 3 years are just table-top exercises.
A real-life test may be needed to mimic what happens if an actual disaster or data breach occurs. Maybe some questions to ask yourself: how prepared is your public relations department? Do you have one? Do you have a forensic expert internally, or do you need to have external experts come in? Do you have a retainer arrangement in place? They may be busy!
#5 My people are security trained at least once a year
Most organisations now have information security trainings, that happens at least once in a year. As you know, this involve sitting down in front of the computer go through slide decks, or CBT , with an exam to complete at the end or maybe a coupe of policies to read. Whilst these are good practises, organisations should aim to conduct social engineering tests on frequent basis to test how well their human security defense is effective.
How much do you think data is worth to companies such as Google or Facebook? You might be surprised: according to the Netflix documentary The Great Hack, data for these companies is worth more than oil. The question is, how valuable is your data?
In this age of big data and analytics, data is the queen and should be protected accordingly. What I found before the enforcement of the EU GDPR is that, in the context of personal data, most organisations did not know where their data resides (data storage), how much they process (number of records), what type of data they process, or which critical business processes handle it. Hence the question: how can you protect data you cannot even locate?
In my view, everything starts with architecture. Data architecture drives everything concerning people, processes and technology, from the data strategy and data protection strategy to the data breach response plan. Do you have data architects? Do you use a data architecture framework such as DAMA or TOGAF? These may be the best resources to start with: https://dama.org/ ; https://pubs.opengroup.org/architecture/togaf91-doc/arch/chap10.html
Secondly, organisations need to map the flow of data from the moment it enters the organisation, through processing, to when it leaves the organisation or has to be disposed of securely. At each of these stages security should be embedded by design, not bolted on as an afterthought.
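The first step of that mapping exercise, finding out where the data actually sits, what type it is and how many records there are, can be partly automated. The following scanner is an added example for this post, not the author's own tool: it walks a directory tree, looks for e-mail addresses and Luhn-valid card numbers (the same discovery step a QSA expects a merchant to have done before PCI scoping), and reports counts per file and in total. The sample files, the two detection patterns and the directory layout are constructed assumptions for the demonstration, not a complete taxonomy of personal data.

```python
"""Data discovery scanner: find where personal and cardholder data resides.

Added example for this post, not the author's own tool. It walks a directory
tree, looks for e-mail addresses and Luhn-valid card numbers (PANs), and
reports per-file and total counts: where the data is, what type, how many.
The sample files and the two detection patterns are constructed assumptions
for the demonstration, not a complete taxonomy of personal data.
"""
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run. Dates and phone numbers can still match
# this shape, which is why every hit is confirmed with a Luhn check.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid candidate PANs in text, digits only."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_file(path: str) -> Dict[str, int]:
    """Count PAN occurrences and distinct e-mail addresses in one file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"pan": len(find_pans(text)), "email": len(set(EMAIL_RE.findall(text)))}


def scan_tree(root: str) -> Dict[str, Dict[str, int]]:
    """Walk root and return {relative path: counts} for every file with a hit."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            counts = scan_file(full)
            if any(counts.values()):
                results[os.path.relpath(full, root).replace(os.sep, "/")] = counts
    return results


def summarise(results: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Total the per-file counts into one record count per data type."""
    totals = Counter()
    for counts in results.values():
        totals.update(counts)
    return dict(totals)


# Constructed sample files. The card numbers are the published test numbers
# used by payment brands for integration testing, not real accounts.
SAMPLE_FILES = {
    "crm/customers.csv": "id,email,note\n1,alice@example.com,VIP\n2,bob@example.org,\n",
    "finance/refunds.log": (
        "2021-03-01 refund 4111 1111 1111 1111 GBP 12.50\n"
        "2021-03-02 refund 378282246310005 GBP 99.00\n"
    ),
    "docs/readme.txt": "Order ref 4111111111111112 looks like a card number but fails Luhn.\n",
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="datascan_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    for rel, counts in sorted(results.items()):
        print(f"{rel}: {counts}")
    print("totals:", summarise(results))
```

The Luhn check is what keeps the output usable: dates, order references and phone numbers routinely look like 13 to 19 digit runs, and without the mod-10 filter the "number of records" figure is inflated by noise. In a real run the output per path is what you feed into the data flow map, and any PAN hit outside the documented cardholder data environment is a scoping finding before it is anything else.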
Data, as your queen, needs to be protected at all times: the same way it applies in chess, and the same way monarchies have been protected over the centuries. Apply the same thinking when protecting the organisation's data that matters to you. All the best 🙂
I have been a QSA for the past 6 years and before that I was involved in managing PCI programmes for more than 3 years in a banking environment, so it is fair to say I have experienced PCI from both the QSA and the merchant/issuer point of view. During this time I have worked with a pool of QSAs and conducted a handful of PCI assessments covering organisations in different industries including healthcare, retail, insurance, TV/media, government/public sector, mobile service providers and many more.
Regardless of the complexity of the environment and payment channels, most organisations, whether service providers or merchants, rely on fundamental technologies (databases, virtualisation, cloud computing, networking and so on) that must comply with the PCI DSS. The QSA is therefore expected to understand these technologies at least at a basic level, i.e. how they work, before going onsite to conduct the assessment, because you need to understand the technology, processes and people you are about to audit. While this sounds like common sense, you would be surprised how many QSAs do not take it into consideration. Below are five common mistakes made by QSAs.
(1) Not understanding the scope of the assessment.
(2) Not allocating enough time to conduct the assessment.
(3) Not understanding the underlying technologies used by the audited organisation, i.e. the merchant or service provider.
(4) Not understanding the in-scope payment channels and the applicability of PCI requirements, i.e. SAQ eligibility.
(5) Not following the audit procedures in the PCI DSS reporting template.
I will expand on each of these mistakes in an updated post. For now I would like to point you to a good PCI blog, PCI Guru (https://pciguru.wordpress.com/), which goes into detail on specific requirements, guidelines and other discussions regarding the PCI DSS.
Most organisations have a regulatory or industry requirement to perform penetration testing annually or whenever a significant change happens to their environment. While this is considered good practice, the coverage of the test usually includes only the technology infrastructure, external and internal. The question remains: how many organisations test their own people?
In today's world of beefy technological security solutions, penetrating the external perimeter (in the traditional model) is much harder than it was in previous years, and the same applies to cloud services. As a result, attackers have focused on people, who as you may know are the weakest link in the security chain, with attacks such as spear phishing.
Businesses understand this, but regardless they have not invested in protecting people with controls such as security awareness training and targeted training per job role, e.g. CEO-specific training or bank teller-specific training. Failure to do so opens doors for attackers.
So next time you do a penetration test, ensure you include testing of people; this can be a social engineering test by a specialised organisation. While such tests can be done once a year, organisations are encouraged to run internal tests at least quarterly to keep staff in a defensive mindset: attacks can happen at any time, and they are the ones targeted the most.
Incident Response (IR) is the decision that determines whether your business goes under or resurfaces after a few hours.
Most organisations have an IR plan shelved somewhere collecting dust. It is good enough to show auditors for a compliance tick box, but not good enough to save the business when the time comes.
We have heard many stories on the internet and front pages about data breaches, and the most prevalent theme is the gap between the time of compromise and the time of discovery: the time when the incident actually happened (when the attacker breached your systems and took up residence) versus the time when the organisation actually discovered the breach. Organisations take a long time to detect breaches, and when they do, they cannot get their IR plan running as expected. This boils down to the IR plan not having been tested frequently (not annually :), it needs to be more frequent than that).
IR coordination is not to be managed by the cybersecurity department alone; the activities need to be organisation-wide and should include senior management (CxO officers), public relations, business units, IT and the cybersecurity department.
My 2 cents: organisations need to do the following when it comes to IR.
– Draft an IR plan that includes all the critical business units.
– The IR plan should have a communication plan and assign the ultimate decision maker, e.g. the CEO, CIO or another C-level executive.
– Test different scenarios, e.g. state-sponsored attacks, physical attacks, insider attacks.
– Test more than twice a year (not table-top exercises, actual war games).
– Improve your plan after each test, from the lessons learned.
I am a PCI QSA. Part of a PCI assessment requires assessing the physical security controls for systems, which includes but is not limited to visiting facilities such as data centres and computer rooms where the CDE is hosted. I have had a good share of visiting these data centres and computer rooms, and I have seen the best physical security controls, from acoustic wire, bomb shelters, shatter-proof windows and mantraps inside mantraps, to computer rooms locked with a key that is not under any dual control. While most data centres are secure by design, the service offerings from these data centres are also fairly standard, including dedicated suites, shared halls and shared cabinets (yes, open your eyes wide), and some other companies will basically say "my systems and data are in the cloud" (where? AWS, yes, but where? I don't know, let's ask our account manager).
Organisations such as merchants and service providers who have systems hosted by third-party co-location providers may or may not understand the offering in detail; the security department may not have been involved in the decision making, or the client may have no idea what the data centre looks like from a physical security point of view. It is worth visiting it.
Dedicated suite: this is where the whole suite is dedicated to one organisation. Security controls such as CCTV and access control are pretty tight.
Shared hall: this is a shared space, where a bunch of racks from different customers sit in the same hall. What to look out for is how the cabinets are secured: some are secured with a keyed padlock, others with a combination padlock, others with both, and I have even seen fingerprint locks. Sometimes CCTV is not installed on the aisle, for fear of seeing client systems? How? I don't know.
– Organisations should understand the co-location services offered.
– Should visit the data centre if
– The security department should be involved in the decision when selecting security controls.
– It is best to have controls such as frequent (quarterly) audits including checking the inventory, and automated security controls that check for system tampering and for any physical devices that have been plugged into systems in the data centre.
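The last recommendation, an automated check for devices plugged into hosts in a shared hall, is the one that is cheapest to implement and most often missing. The script below is an added example for this post, not the author's own tooling: it parses the kernel messages Linux writes when a USB device is attached, reconstructs one record per device and compares it against an approved-device inventory per host, rating an unknown mass-storage device higher than an unknown keyboard. The host names, log excerpt and inventory are constructed for the demonstration; the kernel message text follows the format Linux actually logs.

```python
"""Flag USB devices plugged into data-centre hosts that are not in the inventory.

Added example for this post, not the author's own tool. It parses the kernel
messages Linux logs when a USB device is attached ("usb <port>: New USB device
found, idVendor=..., idProduct=..." and the lines that follow it), builds one
record per device and compares it with an approved-device inventory. The log
lines, host names and inventory below are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional, Tuple

HOST_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:")
FOUND_RE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
PRODUCT_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): Product: (?P<product>.+)$")
STORAGE_RE = re.compile(r"kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")


def parse_usb_events(lines: List[str]) -> List[Dict]:
    """Group the kernel USB messages by (host, port) into one record per device."""
    devices: Dict[Tuple[str, str], Dict] = {}
    for line in lines:
        host_m = HOST_RE.match(line)
        if not host_m:
            continue
        host = host_m.group("host")
        m = FOUND_RE.search(line)
        if m:
            devices[(host, m.group("port"))] = {
                "host": host, "port": m.group("port"),
                "vid": m.group("vid"), "pid": m.group("pid"),
                "serial": None, "product": None, "mass_storage": False,
            }
            continue
        for rx, field in ((SERIAL_RE, "serial"), (PRODUCT_RE, "product")):
            m = rx.search(line)
            if m and (host, m.group("port")) in devices:
                devices[(host, m.group("port"))][field] = m.group(field)
        m = STORAGE_RE.search(line)
        if m and (host, m.group("port")) in devices:
            devices[(host, m.group("port"))]["mass_storage"] = True
    return list(devices.values())


# Constructed inventory: per host, the (idVendor, idProduct, serial) tuples that
# are expected. A serial of None accepts any unit of that model.
APPROVED: Dict[str, List[Tuple[str, str, Optional[str]]]] = {
    "db01": [("046d", "c31c", None)],                       # keyboard on the KVM
    "web01": [("0781", "5583", "4C530001230712345678")],   # sanctioned recovery key
}


def check_devices(devices: List[Dict], approved=APPROVED) -> List[Dict]:
    """Return one alert per device that is not in the approved inventory."""
    alerts = []
    for d in devices:
        ok = any(
            d["vid"] == vid and d["pid"] == pid and (serial is None or serial == d["serial"])
            for vid, pid, serial in approved.get(d["host"], [])
        )
        if not ok:
            alerts.append({
                "host": d["host"], "port": d["port"],
                # an unknown mass-storage device is the data-exfiltration case
                "severity": "high" if d["mass_storage"] else "medium",
                "device": f'{d["vid"]}:{d["pid"]} serial={d["serial"]} product={d["product"]}',
            })
    return alerts


# Constructed log excerpt in syslog format; the kernel message text follows the
# format Linux uses when a USB device is attached.
SAMPLE_LOG = """\
Mar  3 02:13:59 db01 kernel: usb 1-1.1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar  3 02:13:59 db01 kernel: usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Mar  3 02:13:59 db01 kernel: usb 1-1.1: Product: USB Keyboard
Mar  3 02:14:07 db01 kernel: usb 1-1.2: new high-speed USB device number 5 using ehci-pci
Mar  3 02:14:07 db01 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 02:14:07 db01 kernel: usb 1-1.2: Product: Ultra Fit
Mar  3 02:14:07 db01 kernel: usb 1-1.2: Manufacturer: SanDisk
Mar  3 02:14:07 db01 kernel: usb 1-1.2: SerialNumber: 4C530009990712399999
Mar  3 02:14:08 db01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Mar  3 03:40:12 web01 kernel: usb 2-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 03:40:12 web01 kernel: usb 2-1: SerialNumber: 4C530001230712345678
Mar  3 03:40:12 web01 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""


if __name__ == "__main__":
    for alert in check_devices(parse_usb_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Run against the sample, the approved keyboard on db01 and the sanctioned recovery key on web01 are silent, and the one alert is the unlisted SanDisk stick on db01 port 1-1.2, rated high because the usb-storage driver bound to it. Matching on serial number rather than just vendor and product IDs is what separates "a recovery key of the model we issued" from "any stick of that model somebody brought in", so keep serials in the inventory wherever the device reports one. The same records, collected centrally from every host, are also the evidence for the quarterly inventory check.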
The UK National Cyber Security Centre (NCSC) publishes the 10 Steps to Cyber Security, originally published by CESG in 2012. The 10 steps are basic security controls that organisations can use as a minimum baseline on which to build a security programme.
The ten steps are built around a risk management regime and include the following.
User education and awareness
Removable media controls
Managing user privileges
Home and mobile working
While these may seem very basic and something every organisation should already have in place, you would be surprised how many organisations, small and large alike, do not have these controls in place.
From experience, most organisations do not have mature security programmes and want to make a big jump without starting with the basics. The proper way is to start small and build up the security programme, and it should be a top-down approach, which is why the 10 Steps to Cyber Security start with the Risk Management Regime, driven by senior management.
As SABSA reaches its 21st birthday, it’s worth taking a few moments to look back over its birth and development. The very first publication of SABSA was in October 1996 at the COMPSEC conference: John Sherwood: “SALSA: A Method of Developing the Enterprise Security Architecture and Strategy”; COMPSEC 96, London, October 1996. SALSA? That’s right – SALSA. But, more about that in a bit. So where did that spring from? Was it out of nowhere? No, not quite. The seeds were planted a year earlier. At that time, in autumn 1995, I was working as a consultant at S.W.I.F.T. headquarters in La Hulpe, Belgium. S.W.I.F.T. had recently been reorganised to create a new department called Global Information Security (GIS) to address some issues raised by the then external auditors. Although there had been an Inspection Department for many years (effectively an internal audit function), there had been no explicit and proactive security function. The new department was created to fix that omission. It will tell you a lot about the cultural status and popularity of ‘Information Security’ at the time that many people would say that ‘GIS’ was short for ‘get it stopped’. That was the reputation that ‘Information Security’ had gathered over three decades since its emergence in the late 1960s. The corporate information security team was seen (often for good reason) as the ‘business prevention department’. “No, you can’t do that, it’s not secure” was the catch phrase that had earned that reputation in many organisations. The newly appointed Director of GIS at S.W.I.F.T. (Erik Guldentops, previously the Chief Inspector) was keen to make sure that this poor reputation was dispelled, and that Information Security was seen as adding a positive contribution to the business of S.W.I.F.T. That business was, and still is, the transfer on a global scale of several trillion dollars per day between the world’s largest banks. (Yes, that eye-watering number is correct).
Erik’s mandate in his new appointment was to create a five-year information security strategy and get the S.W.I.F.T. Board to approve a significant budget to achieve this objective. The currency at the time (pre-Euro) was the Belgian Franc (BEF), which had a low exchange rate versus the dollar or the pound sterling. Thus the budget numbers tended to be large ones, quoted in millions of BEFs (MBEFs) or mega-BEFS as we affectionately referred to them. Erik needed to justify a multi-mega-BEF budget, for which he needed a plan that could be shown to the Board.
One grey, drizzly November afternoon in 1995 I was working in my office at La Hulpe and Erik came in to see me. “Hello John. What do you know about security architecture?” he said. “Well”, I said “I know there is an ISO standard 7498-2 that talks about OSI (open systems interconnection) security architecture. ISO 7498-1 is the well-known description of the 7-layer OSI network architecture model, but part 2, about OSI security architecture, is less well known. And that’s about it”. So Erik says to me: “Please dig around and see what you can find because I need to develop an information security architecture for S.W.I.F.T.”
Those of you who are relatively new to the game of research will be thinking “Why didn’t they just Google it?” The answer is: because there was no such thing as Google in those days, or HTTP, or WWW. There was a public internet-searching tool called gopher, which pre-dated HTTP and the World Wide Web as the document-structuring platform. Using gopher, I managed to find no other useful references to ‘security architecture’. You people today don’t know how lucky you all are with the tools now available.
So we had a starting point: ISO 7498-2: OSI Security Architecture. What’s amazing about that is that it was an outstandingly sound conceptual model from which to build a full-scale security architecture model and framework. It may have been the only document we could find, but it was the best possible. It forms the heart of the SABSA layered stack even today.
Of course, at this stage we were working on a security architecture model for S.W.I.F.T. It was only a year later, when I published the paper at COMPSEC in London, that this work was presented outside of S.W.I.F.T. under the name SALSA. Yes, the first publication was called SALSA, which stood for Sherwood Associates Limited Security Architecture. It was Andy Clark’s (a co-author, along with David Lynas, of Enterprise Security Architecture: A Business-Driven Approach) idea to use that name and we liked it. The original paper was published by Elsevier Science in their Computers and Security journal, as: “SALSA: A Method of Developing the Enterprise Security Architecture and Strategy”; Computers & Security, Volume 15 No. 6, 1996. Apparently that article is still available today.
Some time later I received a ‘cease and desist’ letter from an aggressive firm of New York lawyers that claimed I was abusing the trademark of their client. The client had a general business software package of the same name. I wrote back and politely pointed out that there was no conflict, but an even more aggressive letter threatening court action followed. I spoke to Andy and we decided we had two choices: spend the rest of our lives defending the action or change the name. Guess what we did. At least it showed that the published article was being read. And so, SALSA became SABSA. Right from the very first synthesis of the SABSA framework, security services have been one of the most important central concepts of the work. The reference to the relevant standard is: ISO 7498-2:1989: Information Processing Systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture. ISO 7498-2 introduces the concept of security services, security mechanisms and security management. More importantly, it makes clear differentiations and relationships between these three concepts. The core conceptual relationships described in ISO 7498-2, as extracted for the original SABSA layered security architecture framework, are summarised in Figure 1.
Figure 1 – Core ISO 7498-2 Conceptual Relationships
We extended the ISO 7498-2 model by adding a business layer and a strategic layer above the services layer, added a products and technologies layer below the mechanisms, and extended the management both up and down to indicate that it is required at every layer of the model. Thus was born the first SABSA architecture model. This was developed further in subsequent iterations, but more of that later on.
Figure 2 – Original SABSA Layered Model from 1996 Publication
The SABSA story now spans 21 years and has had many pivotal turning points along the way. What you see today is the result of much work and input from many different sources. In the next blog article, I shall track that development path that took SABSA from these early beginnings to the present day. Figure 3 shows just how far this original model had evolved, with multiple backplanes of overlaid additional models and frameworks. The layers are now considered as ‘views’ according to the roles and ‘viewpoints’ of the leading role-players at each layer.