Month: June 2013

What we can learn from Hollywood

One of my favourite actors is Chris Evans.

That was before he decided to wear blue spandex, carry a shield with the American flag on it and become decidedly the wimpiest of the Avengers.

But before that, he was in a film called The Losers, and in one of the most epic scenes of the film he showed us how the best security can be circumvented by the weakest link of all: humans.


The scene, albeit dramatised, and of course only the first 2:30 minutes or so are relevant (the chase around the office etc. was borderline ridiculous, but hey, it's Hollywood), makes for quite an interesting breakdown.

So the setup is that these guys have to break into a high-security office to download a key to decode a disk (or something). Fair enough, I suppose, except that in real life you wouldn't keep a base encryption key on your desktop. Put it in a Hardware Security Module (HSM), or lock the USB key in a safe. Anyway, assuming they don't do that, Chris Evans basically needs to get into the office and steal the key.

1. Dress as a courier. A courier always has business in a company, right? I mean, packages get delivered left and right. He rides a bicycle in, which is notable, since it gives him easier access. But wait, where's the physical security? Even in Malaysia, a guard would be at the front door telling him to park somewhere else. OK, it's trivial. He'd still get past the guard.

2. Getting past the front desk. He acts distracted, singing along to Don't Stop Believin' on his headphones. He quickly gets past the front desk by jotting down some stuff. Wait, the girl must be in love with Captain America or something, because how on earth can a courier just get past like that? What if he was carrying a bomb? Isn't there a procedure stating that he has to leave the package at the front desk? That would be ideal, but hey, I've gone into dozens of companies the same way: where they don't have turnstiles, I would either follow a crowd to the elevator area, or I would simply walk past the front desk as if I were an employee. Some companies I've gone to even had lifts going directly from the car park to the office floors without passing the front desk! So, yes, this is believable.

3. Making sure no one enters the lift with him. This is a stretch. It's not easy to pull this off, even if he's a weirdo. People generally don't like to wait, so yeah, I'd go into the lift with a weirdo. I wouldn't go into the lift with a guy who looks like Danny Trejo holding a machete, of course. So Chris Evans acts weird and everyone is miraculously not in a hurry and decides to wait for the next lift. OK, this is acceptable... I mean, he could have taken the staircase with the same results anyway.

4. He changes in the lift and gets spotted by some ladies. The ladies should technically raise the alarm, but hey, it's Chris Evans, right? So this is totally believable.

5. He talks on the phone in the lift to get the head of security out of his room. Well, this is dumb luck really. What if Mr Andersen had been taking a pee? Plus, how did he get reception in a lift? On the security side, why is it so easy for the front desk to patch Chris Evans through? And when it's all said and done, what happened to his backpack? It magically turns into a briefcase.

6. Tailgating. This is totally believable. Someone opens the door, and he slips right in. I've done this a dozen times, because in Malaysia it's considered rude to question people, especially if they have a tag and look like Captain America.

7. Getting past the personal assistant. This is pretty good. First, he introduces himself as Skippy, a nickname, to establish a personal affinity with the girl. He also throws around some technical jargon to sound official, assuming the PA has no idea what he's chattering about. The PA did the right thing: she didn't let him into the room. He immediately follows up with "Upstairs is riding him" etc. This is psychologically believable... this is how employees build trust, by defining a common enemy, in this case upper management. Which lower-level employee has not faced the brunt of unreasonable pressure from senior management? You immediately relate to Chris Evans, and as someone once said, "Great peril brings to light the fraternity amongst strangers." Try it next time. Focus on a common enemy, and you'll be making great friends in your workplace. He ends with a compliment, and she is immediately besotted.

8. Getting past the desktop. OK, this is not great, because the guy doesn't even lock his computer. An enforced idle screen lock with a short timeout is a cheap control that closes exactly this gap. Plus, we'll give him the benefit of the doubt that he had a pretty high-tech program to immediately find the key and download it in 10 seconds. It'd take me like 30 minutes to go through someone's folders. He also says something about going into the mainframe. OK, searching a mainframe for the key and bypassing remote access security in that time is VERY high-tech stuff.

Of course, he gets caught in the end but escapes anyway. We learnt three things here:

1) The weakest link in IT security is people.

2) Acting bat-crazy can get you into high-security areas.

3) Also, looking like Captain America will generally get you past any type of physical or logical security.

Enjoy!


Don’t Break the Bank for PCI-DSS

Over the past couple of months, the team has been busy working on PCI-DSS related projects. Since 2010, we've been in touch with Control Case International, an international QSA based in Virginia, USA, with a centre of excellence in Mumbai, India, serving the Middle East and Asia regions.

Back in 2010, nobody really cared too much about PCI-DSS. We'd heard it bandied about by our clients, and after researching it, decided as a company to move forward with it as one of our core services. The first thing we did was to clarify our agreement with Control Case. While remaining independent of their audit, reports and opinion, we also wanted to know how they work so that we could assist our customers better with our project management services. Things like the format for submitting evidence, scheduling, expectation setting and budgeting were just as critical as the actual audit performed by the QSA. We then trained and shadowed Control Case on assignments, eventually building up the technical skill base for consultancy and advisory work.

PCI-DSS isn’t rocket science. Neither is it a stroll in the park. But with proper planning, understanding and project management, you will be able to navigate PCI-DSS without breaking the bank.

Invariably, one of the first things our potential clients ask us is: How much will it cost?

While there is no simple answer, most will skirt the subject and say that it depends. And they are right. It really does depend. However, the ballpark figure, from our perspective, should still make economic sense. The first thing is really to figure out what is in scope and to keep only the necessary items in scope: the cardholder data environment (CDE). The simplest suggestion is to move any function not related to card processing out of scope, either by placing it in a separate network segment or by removing it altogether. Keep in mind that segmentation only reduces scope if it actually isolates the CDE: the QSA will expect to see that the separation is effective (firewall rules, no uncontrolled paths into the card systems), so a "segment" that still has open routes into the CDE gains you nothing. Once that is done, you should be able to get some sort of price estimate from your QSA or consulting provider.

The rule we try to impose is to keep the gap assessment and certification below RM50K. This is a tall order, but quite possible, especially if the scope has been narrowed down to a firewall -> DMZ -> app server/database server layout, without too complicated a CDE. In any case you shouldn't be looking at over RM100K for gap and certification. Of course, this applies generally to payment service providers, not banks. For banks, you're probably looking at forking out RM100K – RM200K for gap and certification. Recurring fees also apply, so remember to ask: there is a review each year, so how much would that be? There should also be supplementary services like pentests, ASV scans etc. The recurring cost should generally be the same as or slightly less than the first year's compliance cost.

The reason I am writing this post is that I've seen fees bandied around in excess of RM120K – RM160K for service providers and RM400K – RM500K for banks. Now, I know things vary, but some of these are just ridiculously high once you know the scope. And this is not including the remediation and implementation portion! The implementation portion is variable, of course, depending on how much involvement we're looking at. For instance, we just completed a policies and procedures project for RM30K – RM35K over roughly one month, starting from scratch for a medium-sized service provider. Your mileage may vary in implementation, but again, if you have in-house expertise, then do it yourself; otherwise, look for consultants, and make sure the consultants include training and workshops to pass their capability down to you!

The short of the matter is: shop around and get quotes. Get references as well, and make sure they have local partners to help out and assist during the remediation period... you will need it. Oh, and if you engage external providers, keep in mind the withholding tax involved. That's why we've evolved PKF to be the PCI-DSS advisory of choice, from gap to certification, for Malaysian payment service providers looking for cost-effective, quality PCI-DSS services. While we work with Control Case on a lot of our projects, there are many times we have worked with other QSAs, or ControlCase has worked with other advisories, making us truly independent.

Drop us an email at avantedge@pkfmalaysia.com and we can work out a PCI-DSS package for you that won’t break your bank!

© 2024 PKF AvantEdge
