Saturday, June 18, 2011

PCI - Information supplement on virtualization

The PCI Council has released a new information supplement on virtualization. This is the definitive guide for organizations looking to implement virtualization in their cardholder data environment. Some of the highlights from the document:

There are four simple principles associated with the use of virtualization in cardholder data environments:
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.

The document lists the general recommendations as follows:

General Recommendations

  • Evaluate risks associated with virtual technologies
  • Understand impact of virtualization to scope of the CDE
  • Restrict physical access
  • Implement defense in depth
  • Isolate security functions
  • Enforce least privilege and separation of duties
  • Evaluate hypervisor technologies
  • Harden the hypervisor
  • Harden virtual machines and other components
  • Define appropriate use of management tools
  • Recognize the dynamic nature of VMs
  • Evaluate virtualized network security features
  • Clearly define all hosted virtual services
  • Understand the technology

The document can be downloaded from here.

Another wave of attacks and breaches

Back in April, I wrote about a wave of attacks and breaches (you can read it here). This month we are seeing a whole new wave of attacks and breaches, some of which include Citigroup, Sony, IMF, Lockheed Martin, etc.

2011 has definitely brought many high-profile breaches. One interesting development is that these breaches benefit not only the adversaries but also the people involved in the investigations. The WSJ reports that an "industry of experts", from lawyers to forensic investigators, has emerged to help companies deal with the painful job of informing customers that their data has been hacked.

We have also started to see the re-emergence of so-called hacking groups. Some of the new groups, such as Anonymous and LulzSec, are reported to be active participants. This is definitely a concern for information security practitioners, as we suddenly have a much stronger and more determined opponent to deal with.

US lawmakers are getting busy as well. Congresswoman Mary Bono Mack, Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, early this week released a discussion draft of the Secure and Fortify Data Act (SAFE Data Act), which establishes uniform national standards for data security and data breach notification. A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner.

So, what can we as corporate information security professionals do? As I have mentioned in this blog many times, there is nothing new to be done here. Follow the simple steps and go back to the basics: identify what your sensitive data is and where it is, apply minimum controls to thwart simple attacks, monitor the sensitive information at both the asset level and the network level, and finally keep up with new threats and learn how to defend against them.

The sophistication of information threats is only going to increase, the number of adversaries looking to steal sensitive information is only going to increase, and the market for such sensitive information is only going to grow. Better preparation, and bringing in the capabilities to defend against and recover from these attacks, should be the primary concern for information security departments. Many organizations concentrate on a compliance- and checklist-centric methodology, which will only lead to more such attacks and breaches. The time has come for organizations to develop capabilities and talent within the organization.

State and local governments also have a bigger role to play. Organizations need help from government agencies in the form of intelligence and investigations and, more importantly, in working with foreign governments to identify and contain the threats and threat agents. Announcements such as this one from the NSA are promising, and the agency should start developing tools and processes to share intelligence with the private sector as well.