Friday, September 30, 2016

InfoSec Awareness - How old is your password?


 https://dlogic.ca/comics/pwdaging20160930.png


How we choose our passwords has changed over the years.  I remember in 1994 we were told in University that our Solaris sysadmin was turning on mandatory passwords and we revolted.  At first we all tried using the same password, and then that password got blocked.  Every new "group password" we created would cause another forced round of password resets.  In the end we resigned ourselves to it - if we wanted to share homework, it wasn't going to be by browsing to our friend's home folder and copying it over.  And as we all know now, these password controls ended up being for the best, as data became more valuable.  At first, a word and possibly a number seemed like enough.  Then dictionary attacks, which work by trying candidate passwords built from common words, made it fairly easy to crack a one-word password.

In the early 2000s we were being educated to create passwords that were harder to guess and immune to brute forcing by, wait for it, using two possibly unrelated words, e.g. "umbrella cow".  Complexity rules were added to ensure we also had a capital letter and a number, and the special character was icing on the cake.  Though in most cases that special character was likely the ! at the end of the password: Umbre11acow!

By 2010 I began to hear about tips like using the first letter of each word in an easy-to-remember phrase: based on song titles, based on funny phrases, or how about "pronounceable" passwords.  Okay, these are probably better than the two-word approach, but each of these has its own weaknesses too.  For example, passwords based on bible phrases are certainly going to be less secure than passwords created from a sentence known only to you.  And I personally would never use an online tool to create a "funny phrase" for me to use as a password - why not just ask the password crackers to assign you a password?

It is 2016 and the truth is that there is overwhelming opinion that passwords are broken.  That is, the only good password is a random password.  Password vaults have made "memorizing" passwords a thing of the past.  For authentication, always use two-factor or multi-factor options if they are available to you.  Welcome to the age of data phones, where biometrics protect the password stores on our mobile devices - the stores holding the passwords which I hope have been updated since we created them in 1998.  :-)
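As an added example (not code from the post), here is a defender-side check that captures why "Umbre11acow!" satisfies every complexity rule yet is still a dictionary-derived password: it undoes common character substitutions, strips the habitual trailing digits and "!", and tests whether what remains is one or more dictionary words, then offers a vault-style random replacement. The word list and the substitution table are constructed assumptions; a real deployment would load a large dictionary.

```python
import secrets
import string

# Constructed toy word list (assumption); a real check loads a full dictionary.
WORDLIST = {"umbrella", "cow", "password", "summer", "welcome", "dragon", "tiger"}

# Assumed table of substitutions that complexity rules invite and guessers undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Vault-style passwords are drawn from all 94 printable ASCII symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def normalize(password: str) -> str:
    """Strip trailing digits/punctuation, lower-case, and undo leet substitutions."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def segments_into_words(text: str, words: set) -> bool:
    """True if text is a concatenation of one or more dictionary words (DP over prefixes)."""
    if not text:
        return False
    reachable = [True] + [False] * len(text)  # reachable[i]: text[:i] splits into words
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in words
                             for start in range(end))
    return reachable[-1]


def is_dictionary_derived(password: str, words: set = WORDLIST) -> bool:
    """Reject 'Umbre11acow!'-style passwords: words plus cosmetic complexity.

    An all-digit/punctuation password normalizes to '' and is treated as derived too.
    """
    core = normalize(password)
    return core == "" or segments_into_words(core, words)


def random_password(length: int = 16) -> str:
    """Generate a random password with the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Umbre11acow!", "Summer2016!", "TigerDragon42", "xq7Vb$2kLp9!wR"):
        verdict = "dictionary-derived" if is_dictionary_derived(candidate) else "not dictionary-derived"
        print(f"{candidate:16s} -> {verdict}")
    print("vault-style replacement:", random_password())
```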

- AMW

Monday, September 26, 2016

My Top 10 Take-aways for PCI North American Community Meeting 2016



I had the pleasure last week to travel to Las Vegas and attend the PCI North American Community Meeting.

In honour of the PCI SSC's 10th anniversary, I have created my own personal top 10 take-aways.  This is my list of most important messages from the conference in reverse order.

Please feel free to respond in the comments.  What were your take-aways?

10) Emerging technologies:  we will see biometrics used more often, it will be used to authenticate transactions for mobile wallet.

9) Mobile payments, more specifically the practice of using mobile devices as the point of interaction / point of sale, require the use of an approved SRED device.  SRED is Secure Read and Exchange of Data, and allows for encryption at the point of capture.  The list of approved SRED devices is on the PCI website.  Go to https://www.pcisecuritystandards.org/.../pin_transaction_devices, and set the "Functions Provided" pull-down to "SRED."

8) David Phister of Diebold Nixdorf said that long-edge card readers will be the way forward for ATMs.  According to David, they do not carry the same risks from card skimming devices and can work with EMV.  As an aside, this was my favourite talk overall - why are ATMs so interesting?  Just google "Diebold ActivEdge" to learn more about long-edge card readers.  Other tidbits from this talk: discussion of ATM malware, the need to sign ATM software, and boot process integrity checking.  Perhaps it just reminds me of my days working for a regulator of electronic gaming equipment.  Also, did you know that the 18-24 year old cohort has the strongest preference for cash, at 40%?

7) Special Interest Groups (SIGs) for 2017 will be chosen by election after the European Community Meeting.  For next year, the choice of SIG will be from the pool of previous SIGs, so that in 2017 we can update these materials, i.e. no new SIGs for 2017.

6) Talking to the Board of Directors - the Boards need to start asking questions like: why are we doing what we're doing, what assumptions should we challenge, why are we keeping certain data, and have we looked at how to devalue that data?

5) SDLC - 80% of attacks are at the application level.  Organizations should ensure a documented secure SDLC is being followed.  I think the emphasis here is that requirement 6.3 may not be given the full attention that is needed, and organizations would be well advised to strengthen their SDLC to improve overall security, not just to obtain PCI compliance.

4) Chris Novak, Verizon - up until now, organizations have been concentrating on north / south protections.  Using multi-factor authentication helps protect against east / west threats.  I agree.  Perhaps east / west threats should be examined more closely in our annual threat risk assessments and security shored up accordingly.

3) Chris Novak, Verizon said that we could be better at using our people in the line of defence as a type of human intrusion detection system.  This means educating them to speak up if they see anything unusual.  That is, it is not enough to just report confirmed security incidents...  Instead, "If you see something, say something."  How catchy is that?!  I see it is a slogan of the Department of Homeland Security:  https://www.dhs.gov/see-something-say-something

2) Troy Leach in his state of the council keynote said that organizational focus has been (1) Get compliant, (2) Stay compliant, and (3) Simplify compliance.  More and more companies are now looking towards the simplify compliance stage.

1) The strongest theme throughout the conference was on moving past "if you don't need it, don't store it" towards a push to devalue account information using tokenization or encryption.  I detected that there was a strong push towards tokenization, and secondly towards P2PE and end-to-end encryption solutions that protect card data at the point of capture.

So that's it - what were your top 10 take-aways from this year?  Please post in the comments below or connect with me on LinkedIn.

Picture Credit:  http://www.classism.org/wp-content/uploads/2014/03/cake.jpg