Ambiguities, Oxymorons and Anomalies within Payment Security

Sony Pictures Hack

Indeed it was the story late last week about Sony Pictures that really struck it home to me. In fact it was one particular picture, nothing gruesome, just a notice pinned to the door of one of their offices telling all employees not to logon that morning. 

(Picture from twitter/@JamesDeanTimes)

Please do not log onto your PC equipment or company Wi-Fi until firther notice.

I found that quite shocking, in so much as it meant that to all intents and purposes they were shut down until further notice ! A major corporation was reverting to pen and paper whilst the IT Security guys got their head around what was really going on. What’s more this was not a case of a single location being affected, but an entire global corporation. Now the cynic in me says that the world won’t stop revolving if an entertainment company is laid low for a few hours, however it serves to demonstrate in no uncertain terms that cyber security risks could prove to be far more calamitous than the more traditional risks we hedge against.

Around about the same time, here in the UK we were experiencing the ultimate in oxymorons and as described by a number of retailers in my local high street, ‘Black Friday Weekend’! For those of you reading this from a far, it is worth noting that this US phenomenon has just landed in the UK. Clearly, excluding our US expat community, we don’t celebrate Thanks Giving, so why ‘Black Friday’ fever has suddenly struck I really don’t know. Well if truth be known, clearly I do, we all do! What troubles me is that no one really gets what it means. ‘Black’ tends to have bleak connotations, we had ‘Black Monday’ when stock markets crashed back in 1987 and obviously the ‘Black Death’ back in the 14th Century. Positive connotations for ‘Black’ are generally limited to that of an accounting nature, and since the world now appears to revolve around a sea of debt, the term ‘in the black’ rarely figures in our daily lives!

What we saw was crowds of people ‘hoovering up’ every conceivable bargain they could lay their hands on. Retailers reported that it was great for business, consumers seemed happy with the deals they were getting so all well and good. Imagine however if you will, that one of the major retailers had befallen the same fate as Sony Entertainment ? That stores were shut, angry shoppers threatened to smash their way in, whilst fretful managers tried to establish what was going on. The media who had been dispatched to cover the buying frenzy were suddenly facing a completely different story ! Personally I’d like to think that 10 years of PCI DSS has gone a long way to averting this situation actually occurring to a major retailer, that said PCI DSS focuses on card holder data rather than the entire cyber security well-being of the retailer.

Non-IT Execs: Security Not My Problem

So when I read in a recent NTT survey (SC Magazine) that non-IT Executives generally consider information security as ‘Not my problem’ it does beg the question, why is that still the case? My guess is that if you don’t understand it, then you don’t really get it. Which is why the Sony Pictures notice was so powerful. Any exec walking into his HQ, seeing a sign that effectively says ‘Closed for business until further notice’ is surely going think this is ‘my problem’. Seeing is believing. That sign is 1,000 times more powerful than any message coming from one of the myriad of businesses that make up the cyber security industry. Seeing and experiencing is believing, just ask the former CEO of Target.

Incident Response Planning / Attack Simulation

The answer would appear to be more in the way of ‘attack simulation’ or as it is often described ‘Incident Response’. The key being that you involve senior management in the whole exercise. This should not be something that goes unseen within the IT department, but something that drives the message home right at the top. As they say, ignorance is no defence, and so it is that we need to establish a much better understanding of the implication of a cyber-security incident. Just as a fire drill does not excuse senior management, so an incident response simulation should be similarly inclusive.

Foregenix has recently launched an updated Incident Readiness Service, that is designed to support businesses when it comes to incident response.

Talking with one of our customers recently, his views very much supported the idea that a practical exercise to test out ‘Incident Readiness’ made sense for a number of reasons:

1. Firstly it enabled him to get everyone involved, even those who would otherwise be considered as on the extremities of PCI DSS compliance, such as PR and marketing.
2. Secondly, it also puts all the associated policies and procedures to the test, rather than simply walking through them theoretically via some sort of paper based exercise.
3. Thirdly it was a great chance to keep abreast of the ever changing ‘threatscape’ within which we all operate. Anecdotes and practical examples of what forensic investigators are actually seeing today can serve to galvanise management buy-in to securing the business!
4. Finally it served to enhance general ‘security awareness’, either directly to those involved in the exercise or indirectly where content from the engagement can be incorporated material for use across the company.

New, interesting and relevant material helps keeps things fresh and as our customer suggested, ‘keeps us all on our toes’. 

Do you have an Incident Response Plan?  Have you tested it recently?