Thursday, 14 October 2010
The Human Factor: Turning your Prime Weakness into your Prime Defence
The slides from my talk on information security awareness at RSA Conference Europe 2010
Sunday, 10 October 2010
Love it or Hate it, PCI DSS helps cut UK Card Fraud
UK card fraud is significantly decreasing, according to the “UK Cards Association” statistics UK card fraud is down 20% to £187m for the first half of 2010.
http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/1037/
There are several reasons why card fraud in the UK has been dropping in my opinion:
1. Chip & Pin
Chip & Pin, known as EMV in the payments industry, has been highly successful in cutting "cardholder present" fraud, namely face to face debit and credit card transactions, since its adoption in the UK in 2005. Chip and Pin has forced card fraudsters to commit fraud against stolen UK cards in different ways, typically by using online payments or by creating counterfeit UK credit cards to use in countries where Chip and Pin hasn’t been mandated. However since 2005 more and more countries have observed the huge success of Chip and Pin in the UK, and have been adopting the same payment approach, this in turn is also helping to reduce UK card fraud, simply because the number of places where you are allowed to bypass Chip and Pin is reducing.
It has always been my strong view the US market should also take stock of the clear benefits and mandate Chip and Pin across North America. Aside from the clear security benefits of using two-factor authentication, it could finally lead to the removal of a biggest security weakness of all with our plastic, namely the black magnetic stripe on the back. The magnetic stripe has been around for 40 years and is not only a really outdated technology, but it seriously compromises the security of all debit and credit cards. The magnetic stripe holds the full credit card details in plain text, for one that it makes it very easy for the bad guys to steal card details in seconds by simply swiping any card within a £3 magnetic stripe reader. For instance the mag stripe allows for card skimming at cash points or within comphromised retail card readers. In addition that black stripe also makes it easy to create counterfeit cards, especially in comparison to the chip technology, which is very difficult to counterfeit. Unlike the magnetic stripe, the chip on our plastic is a constantly evolving technology, meaning it should keep a step ahead of the card fraudsters, not that card fraudsters have really ever managed to successfully crack a credit card chip yet, I mean why would they even bought at the moment when they can take advantage of the mag stripe weakness.
2. Anti-Fraud Systems
The increased anti-fraud schemes introduced by the card brands like Visa and MasterCard, and within banks is also having an affect in cutting card fraud. Schemes such as Verified by Visa and MasterCard’s SecureCode, known as 3D Secure in the payments industry, together with improved fraud detection systems operating behinds the scenes in the banks, is also playing a part in cutting cardholder not present fraud. These are typically ecommerce and over the phone transactions, where we can’t be certain the payee has their card in their possession or just simply has the details of the card in their possession, which may of course not be their card details.
3. Public Awareness
Public fraud and security awareness is improving; the UK public are being more security savvy when using their plastic, especially online, and so are becoming less likely to be victims of fraud techniques like phishing scams. I think the public are becoming more informed because they are learning the hard way after being hit with fraud, as opposed to any general security awareness that is going on.
4. Law Enforcement
Law enforcement is improving, more card fraudsters and hackers are actually being caught by the authorities. Despite the UK cyber enforcement still being very weak in my view, it is clear international card fraud law enforcement led by the US is improving, with many high profile card fraudsters being arrested during the last 12 months. Many of the top card fraudsters based outside the UK have world wide operations and often branch out into the UK market.
5. PCI DSS
Finally, and this is my main point, I think the adoption of PCI DSS is also playing a positive part. Many large scale credit card data breaches in the UK have occurred due to security neglect by UK merchants. The vast majority of UK credit card breaches are not disclosed to the general public because it is not in the interest of MasterCard or Visa, or merchant breached to do so, and there is no UK law which makes companies publically disclosure such data breaches.
However PCI DSS is helping medium and large UK merchants to become secure against card breaches. Even where UK merchants are not yet fully compliant with PCI DSS, there is still a vast improvement in the overall merchant IT security, pre-PCI DSS most merchants did little to secure cardholder data in their care. As I say on many occasions, there has been no known PCI DSS compliant merchants or payment processors that have ever been breached. Some folk believe Heartland were compliant at the time of their breach, which is untrue. One of the world’s most prolific card fraudsters, Albert Gonzales, who incidently is now behind bars, admitted to compromising and stealing card data from Heartland during their PCI assessment by exploiting SQL Injection vulnerability. The bottom line is you simply can’t have a SQL Injection vulnerability in your cardholder environment and be PCI DSS compliant.
Conclusion
To conclude, PCI DSS and the many other security measures is appearing to be making a serious impact on UK credit card fraud, however it is dangerous to rest on our laurels, as security is a continued game of cat and mouse; I know the bad guys are already becoming even more sophisticated in how they attack and steal credit card details. In addition less card compromises will probably lead to an increase in the value of credit card data on the black market, which in turn will fuel the demand and desire to steal card details all over again, where there is a will, there is always a way.
Today’s low hanging fruit for UK card fraudsters is generally the smaller merchants, who perhaps take card details in their hundreds and low thousands, typically businesses such as hotels and small online businesses, who often neglect basic security practices and either not aware or fully understand their PCI DSS obligations, turning them into easy pickings for card fraudsters frustrated in trying to compromise the bigger merchants, although having said that not all large scale merchants in the UK are not PCI DSS compliant or as secure as you may think, you indeed as they may think.
http://www.theukcardsassociation.org.uk/media_centre/press_releases_new/-/page/1037/
There are several reasons why card fraud in the UK has been dropping in my opinion:
1. Chip & Pin
Chip & Pin, known as EMV in the payments industry, has been highly successful in cutting "cardholder present" fraud, namely face to face debit and credit card transactions, since its adoption in the UK in 2005. Chip and Pin has forced card fraudsters to commit fraud against stolen UK cards in different ways, typically by using online payments or by creating counterfeit UK credit cards to use in countries where Chip and Pin hasn’t been mandated. However since 2005 more and more countries have observed the huge success of Chip and Pin in the UK, and have been adopting the same payment approach, this in turn is also helping to reduce UK card fraud, simply because the number of places where you are allowed to bypass Chip and Pin is reducing.
It has always been my strong view the US market should also take stock of the clear benefits and mandate Chip and Pin across North America. Aside from the clear security benefits of using two-factor authentication, it could finally lead to the removal of a biggest security weakness of all with our plastic, namely the black magnetic stripe on the back. The magnetic stripe has been around for 40 years and is not only a really outdated technology, but it seriously compromises the security of all debit and credit cards. The magnetic stripe holds the full credit card details in plain text, for one that it makes it very easy for the bad guys to steal card details in seconds by simply swiping any card within a £3 magnetic stripe reader. For instance the mag stripe allows for card skimming at cash points or within comphromised retail card readers. In addition that black stripe also makes it easy to create counterfeit cards, especially in comparison to the chip technology, which is very difficult to counterfeit. Unlike the magnetic stripe, the chip on our plastic is a constantly evolving technology, meaning it should keep a step ahead of the card fraudsters, not that card fraudsters have really ever managed to successfully crack a credit card chip yet, I mean why would they even bought at the moment when they can take advantage of the mag stripe weakness.
2. Anti-Fraud Systems
The increased anti-fraud schemes introduced by the card brands like Visa and MasterCard, and within banks is also having an affect in cutting card fraud. Schemes such as Verified by Visa and MasterCard’s SecureCode, known as 3D Secure in the payments industry, together with improved fraud detection systems operating behinds the scenes in the banks, is also playing a part in cutting cardholder not present fraud. These are typically ecommerce and over the phone transactions, where we can’t be certain the payee has their card in their possession or just simply has the details of the card in their possession, which may of course not be their card details.
3. Public Awareness
Public fraud and security awareness is improving; the UK public are being more security savvy when using their plastic, especially online, and so are becoming less likely to be victims of fraud techniques like phishing scams. I think the public are becoming more informed because they are learning the hard way after being hit with fraud, as opposed to any general security awareness that is going on.
4. Law Enforcement
Law enforcement is improving, more card fraudsters and hackers are actually being caught by the authorities. Despite the UK cyber enforcement still being very weak in my view, it is clear international card fraud law enforcement led by the US is improving, with many high profile card fraudsters being arrested during the last 12 months. Many of the top card fraudsters based outside the UK have world wide operations and often branch out into the UK market.
5. PCI DSS
Finally, and this is my main point, I think the adoption of PCI DSS is also playing a positive part. Many large scale credit card data breaches in the UK have occurred due to security neglect by UK merchants. The vast majority of UK credit card breaches are not disclosed to the general public because it is not in the interest of MasterCard or Visa, or merchant breached to do so, and there is no UK law which makes companies publically disclosure such data breaches.
Conclusion
To conclude, PCI DSS and the many other security measures is appearing to be making a serious impact on UK credit card fraud, however it is dangerous to rest on our laurels, as security is a continued game of cat and mouse; I know the bad guys are already becoming even more sophisticated in how they attack and steal credit card details. In addition less card compromises will probably lead to an increase in the value of credit card data on the black market, which in turn will fuel the demand and desire to steal card details all over again, where there is a will, there is always a way.
Today’s low hanging fruit for UK card fraudsters is generally the smaller merchants, who perhaps take card details in their hundreds and low thousands, typically businesses such as hotels and small online businesses, who often neglect basic security practices and either not aware or fully understand their PCI DSS obligations, turning them into easy pickings for card fraudsters frustrated in trying to compromise the bigger merchants, although having said that not all large scale merchants in the UK are not PCI DSS compliant or as secure as you may think, you indeed as they may think.
Thursday, 16 September 2010
An Evening with Samy, creator of the Samy MySpace Worm
Last night I was out talking security, drinking beer and eating curry with Samy Kamkar, following his presentation at an OWASP Chapter event in Leeds. Samy was responsible for writing and delivering the infamous Samy MySpace Worm in October 2005, which was one of the fastest growing malware infections to date.
What I found particularly interesting about his presentation aside from the vulnerabilities and clever exploits, was you got to see how his mind ticks, his thought processes in finding and exploiting vulnerabilities. We aren’t talking just a single vulnerability that is being taken advantage of here, but a whole jigsaw of different vulnerabilities, with many obstacles to be conquered before the final end game of successful exploitation. For those who wish to try to understand why certain people are so driven to hack, it is often for the thrill of the challenge. Some people like the challenge of Sudoko puzzles, crossword puzzles, video games, but there are some who just like breaking programming code and IT systems. Individuals like Samy don’t do it for personal gain or with thoughts of malice, he just does it for the sheer fun of it, in his own words “this is just a hobby to me”.
As far as I can tell when he created the Samy Worm he didn’t set out to hurt anyone or profit from it, he certainly didn’t have any grievances against MySpace at the time, nor did he even attempt to do anything anonymously, it was just a kid playing around with the new social media of the day and web code, and asking himself the question what if.
I asked Samy about the MySpace Worm, specifically about at what point did he think the situation with the Worm spreading go out of control. He told me after he launched the code he saw few signs of it being successful, and he went to bed only expecting a few hundred infections the next day at the best, but by the end of the next day, a million people’s MySpace accounts were infected with his code (Worm). The Worm displayed the text “but most of all, Samy is my hero” at the end of a victim’s profile, and when another MySpace user viewed an infected profile, their own profile was infected due to a MySpace web code cross-site script (XSS) vulnerability which the Worm exploited. The Worm code would also automatically send a friend request to Samy, leaving Samy with a million MySpace friends. There is a full account of what happened in Samy’s own words at the time still available on the Internet - http://namb.la/popular/
Samy went on to say it was a good six months before he was arrested and charged. In a scene reminiscent of the film Hackers, he talked about how he and his friends were arrested at gun point, and how he was banned from using a computer for two years, but fortunately avoided an actual prison sentence.
Samy is still only 24, and even though he only does security for a hobby, you are left with the distinct impression you will hear a lot more about Samy in future years. The same type of relentless problem solving thought processes, attention to detail, and the utter determination it takes to discover and successfully see through the exploitation of complex vulnerabilities, actually maps well onto the successful business persons mind.
Samy Kamkar
Samy delivered an excellent and fresh presentation at the OWASP Leeds Chapter meeting, highlighting several areas of new research and frankly new concern for us all. But I’ll save that for another blog posting once I’ve investigated it further, however you can read a little about one issue he discussed, which was highlighted in a recent BBC News report “The Web attack knows where you live” http://www.bbc.co.uk/news/technology-10850875
What I found particularly interesting about his presentation aside from the vulnerabilities and clever exploits, was you got to see how his mind ticks, his thought processes in finding and exploiting vulnerabilities. We aren’t talking just a single vulnerability that is being taken advantage of here, but a whole jigsaw of different vulnerabilities, with many obstacles to be conquered before the final end game of successful exploitation. For those who wish to try to understand why certain people are so driven to hack, it is often for the thrill of the challenge. Some people like the challenge of Sudoko puzzles, crossword puzzles, video games, but there are some who just like breaking programming code and IT systems. Individuals like Samy don’t do it for personal gain or with thoughts of malice, he just does it for the sheer fun of it, in his own words “this is just a hobby to me”.
As far as I can tell when he created the Samy Worm he didn’t set out to hurt anyone or profit from it, he certainly didn’t have any grievances against MySpace at the time, nor did he even attempt to do anything anonymously, it was just a kid playing around with the new social media of the day and web code, and asking himself the question what if.
I asked Samy about the MySpace Worm, specifically about at what point did he think the situation with the Worm spreading go out of control. He told me after he launched the code he saw few signs of it being successful, and he went to bed only expecting a few hundred infections the next day at the best, but by the end of the next day, a million people’s MySpace accounts were infected with his code (Worm). The Worm displayed the text “but most of all, Samy is my hero” at the end of a victim’s profile, and when another MySpace user viewed an infected profile, their own profile was infected due to a MySpace web code cross-site script (XSS) vulnerability which the Worm exploited. The Worm code would also automatically send a friend request to Samy, leaving Samy with a million MySpace friends. There is a full account of what happened in Samy’s own words at the time still available on the Internet - http://namb.la/popular/
A MySpace Samy Worm Infected Profile
Aside from the Samy text you can see,
there is script code you can't see which executes
Samy went on to say it was a good six months before he was arrested and charged. In a scene reminiscent of the film Hackers, he talked about how he and his friends were arrested at gun point, and how he was banned from using a computer for two years, but fortunately avoided an actual prison sentence.
Samy is still only 24, and even though he only does security for a hobby, you are left with the distinct impression you will hear a lot more about Samy in future years. The same type of relentless problem solving thought processes, attention to detail, and the utter determination it takes to discover and successfully see through the exploitation of complex vulnerabilities, actually maps well onto the successful business persons mind.
Thursday, 9 September 2010
No Data Protection in Outer Space!
I just found out my name is on board the IKAROS spacecraft, which is currently solar sailing its way from Earth to Venus. Apparently this is a benefit of my membership of the Planetary Society – yes I do have other interests outside information security.
I don’t recall agreeing for my name to be sent into space, but I’m sure glad they did it, especially as this spacecraft may change course of interplanetary and interstellar exploration forever, plus the spacecraft could end up drifting in space for eternity, but I'll save further discussion on that for a different themed blog. So getting back to security, to be perfectly clear, an individual’s name on its own doesn’t require any protection and is not a requirement of legal acts such as the UK Data Protection Act. This is a common misnomer, it is only when you combine an individual’s name with another pieces of their personal information, such as a date of birth when it comes into scope of requiring protection. Although I have to say not many small UK businesses are up to speed with their legal data protection obligations.
I personally believe the Data Protection Act is outdated, and is in need of a major review and overhaul. The Act was written in the nineties before the Internet usage really took shape, and in this day and age of social networking and instant availability of UK citizen personal information, such within online electrical roll websites, there could be an argument there is actually little point in trying to make businesses protect certain aspects of our personal information anyway, because the horse has already bolted.
But even if my full personal details were along side my name on the IKAROS spacecraft, I would argue adequate data protection was in place. Due to the vacuum of millions of miles of space, my personal information isn’t exactly publically assessable. I consider my details to be certainly more secure in space than within the care of certain government departments and companies I could mention. I mean it’s not like I’m at risk of identity theft by extra terrestrials, or am I?
IKAROS
For more info visit http://planetary.org/programs/projects/solar_sailing
I don’t recall agreeing for my name to be sent into space, but I’m sure glad they did it, especially as this spacecraft may change course of interplanetary and interstellar exploration forever, plus the spacecraft could end up drifting in space for eternity, but I'll save further discussion on that for a different themed blog. So getting back to security, to be perfectly clear, an individual’s name on its own doesn’t require any protection and is not a requirement of legal acts such as the UK Data Protection Act. This is a common misnomer, it is only when you combine an individual’s name with another pieces of their personal information, such as a date of birth when it comes into scope of requiring protection. Although I have to say not many small UK businesses are up to speed with their legal data protection obligations.
I personally believe the Data Protection Act is outdated, and is in need of a major review and overhaul. The Act was written in the nineties before the Internet usage really took shape, and in this day and age of social networking and instant availability of UK citizen personal information, such within online electrical roll websites, there could be an argument there is actually little point in trying to make businesses protect certain aspects of our personal information anyway, because the horse has already bolted.
Wednesday, 25 August 2010
Zurich UK Data Breach: Are large fines good for Information Security?
Yesterday (24th Aug 10), one of the largest fines for a data breach in the UK was issued, with the Financial Services Authority (FSA) announcing a £2,750,000 fine of the UK arm of Zurich Insurance (Zurich UK). Some 46,000 Zurich policyholders had their unprotected personal data, which included bank account and credit card information, “go missing” during a routine data transfer to a South African data centre in August 2008, with Zurich only noticing the breach a year later. By the way Zurich were actually fined £3.25m but were given a 30% discount for settling the fine early, see the FSA press release for more details - http://www.fsa.gov.uk/pages/Library/Communication/PR/2010/134.shtml
But do large fines actually work and help businesses, and indeed industries to become more Information Security savvy, and help enforce businesses to operate with better information security practices? Well I think the answer is a clear and resounding YES. And even more so when data breaches and their associated fines are placed into the public arena and not covered up. I say this because many credit card data breaches and fines involving UK merchants are regularly not made public, leaving UK citizens scratching their heads trying to work out how that “Online Poker” fraudulent transaction was made on their credit card by a fraudster.
Of course fines and public scrutiny will not ensure data breaches never occur, nothing will, but I’m sure the pain Zurich has gone through in paying the fine, dealing with the hassle and high cost of quickly addressing their security failings, and then the PR damage, will be a major incentive across their entire mutli-national business, and will help to prevent future data breaches. I am fairly certain other insurance service businesses will be taking stock of this particular fine due to it being a 7 figure amount. I imagine Chief Executives in boardrooms asking their business directors “Could this happen to us?”, which in turn should lead to security reviews of their own business processes. It’s worth mentioning according to the Verizon 2010 data breach report, 96% of data breaches are avoidable. So if businesses did take information security more seriously and apply the industry standard security best practices, they would significantly reduce their risk of data breaches and certainly would not incur such larges fines in the event of a data breach, as how negligent a business was in their information security controls and practices is a major factor in determining the scale of a data breach fine.
Under UK law businesses do not have to publicly disclose personal data breaches, so the UK general public are not being informed and made aware when UK businesses lose or even worst have stolen their personal information. Zurich was only found out because they are regulated by the FSA, so the FSA forced for this breach to be publicly disclosed. Isn’t it about time all UK businesses were regulated for information security best practices and data breaches? Now the Information Commissioner’s Office (ICO) have been given extra powers recently, but this government run office is still a toothless tiger, because private companies do not have to disclose their data breaches to them under law. The ICO certainly doesn’t operate with the same big stick as the FSA does, and as a direct consequence the ICO are generally not respected and feared by UK businesses .
Another angle which proves large fines can make businesses comply, is to look at the history of business Health and Safety obligations. It is fair to say health and safety in the work place has vastly changed since the 1970s. The way businesses were made to apply proper health and safety controls was by solids laws and strong industry regulation, together with large fines and public scrutiny, this is still the case today. As with data breaches, fining cannot never fully prevent incidents, but it appears large fines can help bring about a culture change in the business world, and large fines do cut down the number of incidents.
The key point here, is that Health and Safety is backed up by strong regulations and law, at present in the UK both industry regulations and the legal requires for businesses to protect personal data is plain old out of date and weak. Sure we have the Data Protection Act but this was written before the Internet really took off, and without the big stick of heavy fines and clearer details of the required security controls in the modern age, many businesses simply do not take proper stock of their obligation to adequately protect UK citizen’s personal information in their care, and so businesses are not committing the financial resources to apply the necessary security controls. I predict (and hope), just as with the progress of Health and Safety, this will eventually change, but I fear it may take several more years yet, and no doubt a few more large and high profile data breaches will occur before we see any significant changes in our law, as the UK government in today’s information age are still in the dark ages when it comes to information security.
But do large fines actually work and help businesses, and indeed industries to become more Information Security savvy, and help enforce businesses to operate with better information security practices? Well I think the answer is a clear and resounding YES. And even more so when data breaches and their associated fines are placed into the public arena and not covered up. I say this because many credit card data breaches and fines involving UK merchants are regularly not made public, leaving UK citizens scratching their heads trying to work out how that “Online Poker” fraudulent transaction was made on their credit card by a fraudster.
Of course fines and public scrutiny will not ensure data breaches never occur, nothing will, but I’m sure the pain Zurich has gone through in paying the fine, dealing with the hassle and high cost of quickly addressing their security failings, and then the PR damage, will be a major incentive across their entire mutli-national business, and will help to prevent future data breaches. I am fairly certain other insurance service businesses will be taking stock of this particular fine due to it being a 7 figure amount. I imagine Chief Executives in boardrooms asking their business directors “Could this happen to us?”, which in turn should lead to security reviews of their own business processes. It’s worth mentioning according to the Verizon 2010 data breach report, 96% of data breaches are avoidable. So if businesses did take information security more seriously and apply the industry standard security best practices, they would significantly reduce their risk of data breaches and certainly would not incur such larges fines in the event of a data breach, as how negligent a business was in their information security controls and practices is a major factor in determining the scale of a data breach fine.
Under UK law businesses do not have to publicly disclose personal data breaches, so the UK general public are not being informed and made aware when UK businesses lose or even worst have stolen their personal information. Zurich was only found out because they are regulated by the FSA, so the FSA forced for this breach to be publicly disclosed. Isn’t it about time all UK businesses were regulated for information security best practices and data breaches? Now the Information Commissioner’s Office (ICO) have been given extra powers recently, but this government run office is still a toothless tiger, because private companies do not have to disclose their data breaches to them under law. The ICO certainly doesn’t operate with the same big stick as the FSA does, and as a direct consequence the ICO are generally not respected and feared by UK businesses .
Another angle which proves large fines can make businesses comply, is to look at the history of business Health and Safety obligations. It is fair to say health and safety in the work place has vastly changed since the 1970s. The way businesses were made to apply proper health and safety controls was by solids laws and strong industry regulation, together with large fines and public scrutiny, this is still the case today. As with data breaches, fining cannot never fully prevent incidents, but it appears large fines can help bring about a culture change in the business world, and large fines do cut down the number of incidents.
The key point here, is that Health and Safety is backed up by strong regulations and law, at present in the UK both industry regulations and the legal requires for businesses to protect personal data is plain old out of date and weak. Sure we have the Data Protection Act but this was written before the Internet really took off, and without the big stick of heavy fines and clearer details of the required security controls in the modern age, many businesses simply do not take proper stock of their obligation to adequately protect UK citizen’s personal information in their care, and so businesses are not committing the financial resources to apply the necessary security controls. I predict (and hope), just as with the progress of Health and Safety, this will eventually change, but I fear it may take several more years yet, and no doubt a few more large and high profile data breaches will occur before we see any significant changes in our law, as the UK government in today’s information age are still in the dark ages when it comes to information security.
Thursday, 22 July 2010
How to choose the right PCI DSS QSA
A few weeks ago (1st July 2010), I was a speaker and an expert panellist at PCI London. One particular subject which I spoke about generated a lot of interest from the mainly merchant delegates, and the QSA representatives, it was my views on PCI Qualified Security Assessors (QSAs). Specifically how merchants should go about selecting a quality QSA to help become and maintain their PCI DSS compliance. In my experience in working within the payment security field and with PCI compliance for many years, I find there are still far too many dodgy QSA individuals and QSA service providing companies out there, misadvising their clients with bad advice and providing merchants with what I personally call placebo PCI DSS compliance assurance.
Low Budget means PCI Fail
A QSA company should never be selected solely based on cost, as you tend to pay for what you get in the QSA provision world. Low budget tends to underpin a half hearted approach to PCI compliance, usually such an approach is just an attempt to tick the old compliance box; this is a sure way to PCI DSS failure. Typically in the QSA industry, I find the cheaper you pay the worst quality QSA you are likely to receive, although there are sometimes the odd exception, so I would recommend avoiding scrapping the bottom of the barrel if you are serious about PCI DSS compliance.
QSA status means little
An individual holding QSA status does not make them some sort of PCI god, the truth is, it is not too difficult to become QSA qualified, until recently the QSA exam was an “open book” exam. I find that individual QSAs are certainly not all cut from the same cloth, and there plenty of variation in their ability and dept of knowledge of the PCI standard, so do not blindly trust an individual knows all PCI DSS because he or she is QSA qualified.
The best QSA qualified individuals tend to be employed by the best QSA companies, typically companies which specialise in providing information security consultancy service, where QSA work is a core function of the business. This is as opposed to companies and security vendors which have "bolted on" a QSA business function just to get in on the PCI gravy train.
Selecting a QSA Partnership
Your QSA should be a partnership as opposed to a client auditor relationship. Certainly during the actual PCI DSS assessment process the QSA will be in an auditor mode, however prior and post your PCI DSS assessment your QSA needs to be acting as your PCI consultant, and not just for a month or two leading up to the assessment either, but 365 days a year, you should be able call on your QSA at anytime and obtain clear PCI advice on demand.
QSA Company Vetting Questions
The key question to ask a QSA company is not how many individual QSAs they have on their roster, but how many PCI DSS assessment, aka Reports of Compliance (RoCs), they have completed and submitted during the last 12 months. If the answer is over 20 then you know you are dealing with an organisation which has a specialism in performing top level PCI DSS assessments, anything less than 10, then to be brutally honest, you are likely to be dealing with an amateur QSA organisation, which may not be suitable if you are responsible for PCI compliance at a large and complex environment for instance.
There are many QSA companies out there which only ever submit a handful of RoCs each year. Interestingly along side the expected small time QSAs companies, there are several big name security vendors which fall into the category of performing less than 5 RoCs a year. So it is always well worth asking your QSA organisation, the question “how many RoCs have you submitted in the last 12 months?” so you are clear on the QSA organisation’s true QSA validity and general level of PCI expertise and experience.
Failing QSAs / QSAs in Remediation
The next part in vetting a QSA organisation before signing up, is to check whether they are in remediation on the PCI Security Standard Council's website – see direct link below, where the QSAs in remediation are marked on their listing.
https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
This is a list of QSA companies which have at least one individual QSA that has failed to perform an adequate PCI DSS assessment in the view of the PCI Security Standard Council (PCI SSC). The PCI SSC oversees the standard requirements, all QSAs and performs quality control against QSAs, specifically by checking QSA reports to ensure QSAs have done their job properly.
Where the PCI SSC find an individual QSA has done a poor job in assessing a company, the PCI SSC put that individual's QSAs entire company into remediation, as it is part of responsibility of the QSA organisation to ensure their QSAs are doing their job correctly. Remediation is not the end of the world for a QSA organisation, it just means they have to ensure they resolve the problems with the individual QSA, however if they don’t, the QSA company can be delisted as being a QSA provider. The idea here is for PCI DSS QSA assessment quality control, this process is all about weeding out the bad QSAs and poor QSA companies.
Vetting the Individual QSA
After selecting a QSA company, do not yet sign up to anything before assessing your assigned individual QSA. Ensure you meet that individual before signing any agreements, and carry out your own assessment on the QSA individual, either directly or covertly by asking questions. I recommend the following areas to assess your QSA against.
1. EXPERIENCE
How many past assessments have they done?
The best QSAs tend to have many years of industry and on the job experience in payment card security, and so should be able to reel off a list of previous clients they have assisted.
How complicated were their past assessment environments?
If you have complicated multi-site environment to validate against PCI DSS, it is no good having a QSA who has never assessed anything larger than a corner shop.
How long have they been with their QSA organisation?
The relationship with the individual QSA can be vital, as this is the person who you will have to explain your environment and payment processing operation to. Your environment and road to PCI DSS compliance is nearly always going to be unique to your business, if an individual QSA has a history of moving around between QSA organisations, which many do, then it is likely that you will be assigned a new QSA, and will have to start all over again in explaining your environment, payment operations and your approach to meeting PCI DSS compliance.Be aware that some individual QSAs may have different views on the way you should be meeting your PCI compliance in specific areas, such as with virtualisation, and so a new QSA may well disagree with your previous QSAs agreed approach, even if they work for the same QSA company. There is nothing worst than having a QSA leave their parent company a couple of days before your on site assessment; weeks of your preparation work can go down the pan, so it’s certainly worth asking this question, and being aware of the risk it poses.
2. KNOWLEDGE
Most merchants tend to be in a position where the QSA will know more about PCI DSS than they will ever do, however you can still research the latest hot and contentious topics in the PCI DSS industry, trust me there are always areas within the PCI standard which are in contention and in debate. Then ask your QSA for his or her view. If the QSA cannot provide a consist response and explain clearly the issues to you, then this is a tell tail sign of a lack of individual knowledge and confidence around the standard. QSAs which aren’t very confident about every aspect about the PCI standard tend not to have the experienced background, which in turn builds their knowledge around on the standard.
Consistency
If a QSA changes his or her views, provides inconsistence advice, this is a definite red flag, and tends to mean the QSA is not knowledgeable and experienced. I have heard of situations where companies have spent £100,000s on IT systems following the advice of an individual QSA, only for that QSA change their advice (and their mind) down the line, resulting in their PCI budget being completely misdirected.
A Good Information Security Professional does not equate to a good Payment Card Security Professional
QSAs from a general information or IT security background do not always make for a good QSA. Sure much of the PCI standard is industry information security best practices, but it is equally important that your QSA understands how your card payment systems work, and how cardholder data flows through your organisation's IT systems, from your cash offices, to PDQs, to Call Centres to your payment processor or acquiring bank, a regular industry information security professional knows very little about such areas, unless they have been specially involved in it.
3. ATTITUDE
Is your QSA helpful or acting like a typical auditor all the time?
If your QSA is worth his or her salt, they will go out of their way to obtain a thorough understanding of your environment from day one, so they are in a strong position to provide you with the correct advice you need.
4. TRUST AND CONFIDENCE
If a QSA is ever not completely honest with you, you must drop them like a stone. For instance I have heard of several QSAs which deliberately avoided telling their clients that their organisation has gone into remediation, as I said remediation is not the end of the world for a QSA. A decent QSA would tell you they have gone into remediation, why it happened and what they are doing to correct their issues, as oppose to taking a stance of deliberately not informing you.
Ethical
I once came across one individual QSA, who within minutes of first meeting him told me about specific PCI compliance issues with his existing and past clients, and then went on to give me details about a cardholder compromise that another client had suffered, which to date has never been publicly disclosed. Is this the sort of guy you want to trust as your QSA?
There needs to be a high level of trust between you and your appointed QSA, as after all you will be providing a high degree of sensitive information about your company’s IT systems and security. You certainly need to ensure your QSA company’s has it’s own security all in order to protect any information you share. Ensure you have a non-disclosure and data retention contract in place, and make sure your QSA is fully aware that you don’t want them to share your organisations information with any other third parties.
Another side of ethics I have encountered are folk calling themselves a QSA when they aren’t employed by a QSA organisation. You cannot be a QSA unless you work for a QSA organisation, there is no such thing as an independent QSA, anyone pretending to be QSA should be shown the door. You can check an individual’s QSA status by checking on the PCI SSC website, you must always make sure the QSA is currently qualified and is in good standing, see the PCI SSC link below.
http://www.pcisecuritystandards.org/qsa_lookup/index.html
Finally remember your QSA should be a 365 day a year “partner”, not a once a year auditor, PCI DSS compliance itself is not a once a year event but a 365 day a year continued state.
Low Budget means PCI Fail
A QSA company should never be selected solely based on cost, as you tend to pay for what you get in the QSA provision world. Low budget tends to underpin a half hearted approach to PCI compliance, usually such an approach is just an attempt to tick the old compliance box; this is a sure way to PCI DSS failure. Typically in the QSA industry, I find the cheaper you pay the worst quality QSA you are likely to receive, although there are sometimes the odd exception, so I would recommend avoiding scrapping the bottom of the barrel if you are serious about PCI DSS compliance.
QSA status means little
An individual holding QSA status does not make them some sort of PCI god, the truth is, it is not too difficult to become QSA qualified, until recently the QSA exam was an “open book” exam. I find that individual QSAs are certainly not all cut from the same cloth, and there plenty of variation in their ability and dept of knowledge of the PCI standard, so do not blindly trust an individual knows all PCI DSS because he or she is QSA qualified.
Selecting a QSA Partnership
Your QSA should be a partnership as opposed to a client auditor relationship. Certainly during the actual PCI DSS assessment process the QSA will be in an auditor mode, however prior and post your PCI DSS assessment your QSA needs to be acting as your PCI consultant, and not just for a month or two leading up to the assessment either, but 365 days a year, you should be able call on your QSA at anytime and obtain clear PCI advice on demand.
QSA Company Vetting Questions
The key question to ask a QSA company is not how many individual QSAs they have on their roster, but how many PCI DSS assessment, aka Reports of Compliance (RoCs), they have completed and submitted during the last 12 months. If the answer is over 20 then you know you are dealing with an organisation which has a specialism in performing top level PCI DSS assessments, anything less than 10, then to be brutally honest, you are likely to be dealing with an amateur QSA organisation, which may not be suitable if you are responsible for PCI compliance at a large and complex environment for instance.
There are many QSA companies out there which only ever submit a handful of RoCs each year. Interestingly along side the expected small time QSAs companies, there are several big name security vendors which fall into the category of performing less than 5 RoCs a year. So it is always well worth asking your QSA organisation, the question “how many RoCs have you submitted in the last 12 months?” so you are clear on the QSA organisation’s true QSA validity and general level of PCI expertise and experience.
Failing QSAs / QSAs in Remediation
The next part in vetting a QSA organisation before signing up, is to check whether they are in remediation on the PCI Security Standard Council's website – see direct link below, where the QSAs in remediation are marked on their listing.
https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
This is a list of QSA companies which have at least one individual QSA that has failed to perform an adequate PCI DSS assessment in the view of the PCI Security Standard Council (PCI SSC). The PCI SSC oversees the standard requirements, all QSAs and performs quality control against QSAs, specifically by checking QSA reports to ensure QSAs have done their job properly.
Vetting the Individual QSA
After selecting a QSA company, do not yet sign up to anything before assessing your assigned individual QSA. Ensure you meet that individual before signing any agreements, and carry out your own assessment on the QSA individual, either directly or covertly by asking questions. I recommend the following areas to assess your QSA against.
1. EXPERIENCE
How many past assessments have they done?
The best QSAs tend to have many years of industry and on the job experience in payment card security, and so should be able to reel off a list of previous clients they have assisted.
How complicated were their past assessment environments?
If you have complicated multi-site environment to validate against PCI DSS, it is no good having a QSA who has never assessed anything larger than a corner shop.
How long have they been with their QSA organisation?
The relationship with the individual QSA can be vital, as this is the person who you will have to explain your environment and payment processing operation to. Your environment and road to PCI DSS compliance is nearly always going to be unique to your business, if an individual QSA has a history of moving around between QSA organisations, which many do, then it is likely that you will be assigned a new QSA, and will have to start all over again in explaining your environment, payment operations and your approach to meeting PCI DSS compliance.Be aware that some individual QSAs may have different views on the way you should be meeting your PCI compliance in specific areas, such as with virtualisation, and so a new QSA may well disagree with your previous QSAs agreed approach, even if they work for the same QSA company. There is nothing worst than having a QSA leave their parent company a couple of days before your on site assessment; weeks of your preparation work can go down the pan, so it’s certainly worth asking this question, and being aware of the risk it poses.
2. KNOWLEDGE
Most merchants tend to be in a position where the QSA will know more about PCI DSS than they will ever do, however you can still research the latest hot and contentious topics in the PCI DSS industry, trust me there are always areas within the PCI standard which are in contention and in debate. Then ask your QSA for his or her view. If the QSA cannot provide a consist response and explain clearly the issues to you, then this is a tell tail sign of a lack of individual knowledge and confidence around the standard. QSAs which aren’t very confident about every aspect about the PCI standard tend not to have the experienced background, which in turn builds their knowledge around on the standard.
Consistency
If a QSA changes his or her views, provides inconsistence advice, this is a definite red flag, and tends to mean the QSA is not knowledgeable and experienced. I have heard of situations where companies have spent £100,000s on IT systems following the advice of an individual QSA, only for that QSA change their advice (and their mind) down the line, resulting in their PCI budget being completely misdirected.
A Good Information Security Professional does not equate to a good Payment Card Security Professional
QSAs from a general information or IT security background do not always make for a good QSA. Sure much of the PCI standard is industry information security best practices, but it is equally important that your QSA understands how your card payment systems work, and how cardholder data flows through your organisation's IT systems, from your cash offices, to PDQs, to Call Centres to your payment processor or acquiring bank, a regular industry information security professional knows very little about such areas, unless they have been specially involved in it.
3. ATTITUDE
Is your QSA helpful or acting like a typical auditor all the time?
There are QSAs out there who tend to be from strong auditor backgrounds, and as such may often be very poor in providing clear advice and guidance on how to address any issues they uncover or highlight to you. For instance they tend to say “No you can’t do that find another way”, whereas a quality QSA will say “No you can’t do that, but here's how you can do it”, then provide you with the right solution for your environment in a high degree of detail.
4. TRUST AND CONFIDENCE
If a QSA is ever not completely honest with you, you must drop them like a stone. For instance I have heard of several QSAs which deliberately avoided telling their clients that their organisation has gone into remediation, as I said remediation is not the end of the world for a QSA. A decent QSA would tell you they have gone into remediation, why it happened and what they are doing to correct their issues, as oppose to taking a stance of deliberately not informing you.
Ethical
I once came across one individual QSA, who within minutes of first meeting him told me about specific PCI compliance issues with his existing and past clients, and then went on to give me details about a cardholder compromise that another client had suffered, which to date has never been publicly disclosed. Is this the sort of guy you want to trust as your QSA?
There needs to be a high level of trust between you and your appointed QSA, as after all you will be providing a high degree of sensitive information about your company’s IT systems and security. You certainly need to ensure your QSA company’s has it’s own security all in order to protect any information you share. Ensure you have a non-disclosure and data retention contract in place, and make sure your QSA is fully aware that you don’t want them to share your organisations information with any other third parties.
Another side of ethics I have encountered are folk calling themselves a QSA when they aren’t employed by a QSA organisation. You cannot be a QSA unless you work for a QSA organisation, there is no such thing as an independent QSA, anyone pretending to be QSA should be shown the door. You can check an individual’s QSA status by checking on the PCI SSC website, you must always make sure the QSA is currently qualified and is in good standing, see the PCI SSC link below.
http://www.pcisecuritystandards.org/qsa_lookup/index.html
Finally remember your QSA should be a 365 day a year “partner”, not a once a year auditor, PCI DSS compliance itself is not a once a year event but a 365 day a year continued state.
Wednesday, 26 May 2010
Facebook's Privacy U-Turn
Facebook, one of the world's most successful online businesses, has been pushing our personal privacy boundaries continually since its launch in February 2004. Today, thanks to mainly public pressure, Facebook's owners finally held its hands up to the privacy issues it faces, and have backtracked on their relentless push against their user's privacy, by launching more simple and powerful privacy settings for all 400 Million Facebook users.
The heart of the Facebook business model like all social networking models, is the encouragement of its users to sign up and connect with as many individuals as possible, aka "friends". Facebook users are rewarded by adding “Friends”, especially the Facebook’s third party applications which actually profit for the practice. For them individuals with larger audiences of friends means larger advertising revenue. This causes the privacy problem, in that many Facebook users add friends which aren’t actually their real friends and sometimes individuals which are outright strangers, and so unwittingly they go on to share their personal information with them. Facebook’s privacy settings haven't helped their users, these privacy settings have been over complicated and out of the way controls, settings which are defaulted to a privacy "switched off" setting. http://blog.itsecurityexpert.co.uk/2009/12/facebook-privacy-settings-change.html
Facebook is a world where settings called “Friend of Friends” means even though you might be ultra careful about the friends you choose to add and share your personal details with, can mean your privacy is still unknowingly compromised by one of your friends who isn’t as careful about the friends they have added. Perhaps Facebook should have introduced a new category called “strangers”, so we could have a list of real life friends as "friends", and a separate list of strangers, who you still might like playing games with, but perhaps not share our holiday snaps of our children with. A list called "strangers" would certainly make people think twice about their own privacy and what they share.
The Facebook privacy threat is very real and people from many different walks of life have approached me asking for advice after falling foul on Facebook. Facebook is a favourite tool of identity thieves, private investigators, stalkers and unscrupulous reporters, and a tool often used by employers to screen future employees, and bosses to spy on existing employees, not to mention the whole cyber bully and child protection issues. http://blog.itsecurityexpert.co.uk/2009/11/child-facebook-safety.html
But know I am not anti-Facebook, in fact I’m a Facebook user myself. But understand this, if you use Facebook, understand it is not free, understand you pay for it by giving up your own privacy, how much privacy you give up is up to you to control, if you understand this and simply do not care what you share with the world, well I’m certainly not going to judge you. My own opinion on Facebook has been tarnished by those privacy victims I have met and helped, most of them did not realised what they were giving up at the time, so I’m certainly pleased to see Facebook are waking up to the whole privacy issue and are starting to step in the right direction.
Using Facebook is like drinking alcohol, if used responsibly and in moderation, it can be great fun, used irresponsibility, it can burn you down the line, perhaps even many years down the line.
The heart of the Facebook business model like all social networking models, is the encouragement of its users to sign up and connect with as many individuals as possible, aka "friends". Facebook users are rewarded by adding “Friends”, especially the Facebook’s third party applications which actually profit for the practice. For them individuals with larger audiences of friends means larger advertising revenue. This causes the privacy problem, in that many Facebook users add friends which aren’t actually their real friends and sometimes individuals which are outright strangers, and so unwittingly they go on to share their personal information with them. Facebook’s privacy settings haven't helped their users, these privacy settings have been over complicated and out of the way controls, settings which are defaulted to a privacy "switched off" setting. http://blog.itsecurityexpert.co.uk/2009/12/facebook-privacy-settings-change.html
Facebook is a world where settings called “Friend of Friends” means even though you might be ultra careful about the friends you choose to add and share your personal details with, can mean your privacy is still unknowingly compromised by one of your friends who isn’t as careful about the friends they have added. Perhaps Facebook should have introduced a new category called “strangers”, so we could have a list of real life friends as "friends", and a separate list of strangers, who you still might like playing games with, but perhaps not share our holiday snaps of our children with. A list called "strangers" would certainly make people think twice about their own privacy and what they share.
The Facebook privacy threat is very real and people from many different walks of life have approached me asking for advice after falling foul on Facebook. Facebook is a favourite tool of identity thieves, private investigators, stalkers and unscrupulous reporters, and a tool often used by employers to screen future employees, and bosses to spy on existing employees, not to mention the whole cyber bully and child protection issues. http://blog.itsecurityexpert.co.uk/2009/11/child-facebook-safety.html
But know I am not anti-Facebook, in fact I’m a Facebook user myself. But understand this, if you use Facebook, understand it is not free, understand you pay for it by giving up your own privacy, how much privacy you give up is up to you to control, if you understand this and simply do not care what you share with the world, well I’m certainly not going to judge you. My own opinion on Facebook has been tarnished by those privacy victims I have met and helped, most of them did not realised what they were giving up at the time, so I’m certainly pleased to see Facebook are waking up to the whole privacy issue and are starting to step in the right direction.
Using Facebook is like drinking alcohol, if used responsibly and in moderation, it can be great fun, used irresponsibility, it can burn you down the line, perhaps even many years down the line.
Monday, 26 April 2010
New Podcast: Home PC Malware (Virus) Protection
I released my "monthly" Podcast, yes it's officially a monthly Podcast now. Although I cheated and used a recent radio interview for the content.
The Podcast is about basic Home PC Malware (Virus, Worm, Trojan, Keylogger) Protection, and where to obtain decent Windows Anti-Virus Protection for Free.This podcast is aimed at day to day people outside the security industry.
Podcast: Home PC Malware (Virus) Protection
ITSecurityExpert on iTunes
To go with this Podcast I have the following links and recommendations.
Microsoft Windows Security Essentials
Anti-Virus & Anti-Spyware
https://support.microsoft.com/en-us/help/14210/security-essentials-download.
Requires licensed copy of Windows
Requires Windows XP, Vista and Windows 7
Windows XP, a PC with a CPU clock speed of 500 MHz or higher, and 256 MB RAM or higher.
AVG
Anti-Virus
www.AVG.com/FREE
AVAST
Anti-Virus
http://www.avast.com/
Spybot Search & Destroy
Anti-Spyware/Anti Adware Protection & Spyware/Adware Removal
http://www.safer-networking.org/en/download/
FURTHER INFORMATION & HELP
For more information read my blog posts Anti-Virus: Completely Free as it should be and Does Apple Mac need Anti-Virus
The Podcast is about basic Home PC Malware (Virus, Worm, Trojan, Keylogger) Protection, and where to obtain decent Windows Anti-Virus Protection for Free.This podcast is aimed at day to day people outside the security industry.
Podcast: Home PC Malware (Virus) Protection
ITSecurityExpert on iTunesTo go with this Podcast I have the following links and recommendations.
Microsoft Windows Security Essentials
Anti-Virus & Anti-Spyware
https://support.microsoft.com/en-us/help/14210/security-essentials-download.
Requires licensed copy of Windows
Requires Windows XP, Vista and Windows 7
Windows XP, a PC with a CPU clock speed of 500 MHz or higher, and 256 MB RAM or higher.
AVG
Anti-Virus
www.AVG.com/FREE
AVAST
Anti-Virus
http://www.avast.com/
Spybot Search & Destroy
Anti-Spyware/Anti Adware Protection & Spyware/Adware Removal
http://www.safer-networking.org/en/download/
FURTHER INFORMATION & HELP
For more information read my blog posts Anti-Virus: Completely Free as it should be and Does Apple Mac need Anti-Virus
Monday, 19 April 2010
Does the Apple Mac need Anti-Virus Protection?
If you are running on the latest Mac OS X at home and you allow Apple to automatically update Mac OS X on demand, then my advice is No, you don’t need anti-virus protection on your Mac at home, well not at the moment anyway. Apple themselves go out of their way to state Mac OS X is not effected by viruses and protects itself from other malicious applications - "The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box" - Apple.
A word of caution with my view, which will be highly controversial to some, the Mac malware situation could change in the future should the bad guys decide to target the Mac OS in anger. Theoretically this may happen if the bad guys started to find they aren’t getting any joy out of attacking Microsoft Windows PCs, however this is currently not the case, there are no significant shifts in the malware OS attack vector occurring. In my view, I feel the bad guys will actually move onto targeting the smart phone market in the future, of course this is a market which is well occupied by Apple. In the meantime Mac users should guard against complacency, especially when considering all software will have it faults and therefore will have vulnerabilities to be exploited. Where we have an operating system, we are talking hundreds of thousands lines of code, which is ultimately written by human beings, so it can never be perfect, while operating systems by their nature are a highly complicated pieces of software. So it is safe to conclude no operating system can never be regarded as being ‘secure’ and therefore cannot never be guaranteed to be vulnerability free; there is just no such thing as 100% security. The answer to this problem is to continually fix (patch) the operating systems as vulnerabilities become known, hence the importance of ensuring your Mac OS is automatically updated. Going back to the lead question, today if I was a ‘home’ or mobile Mac user running OS X, I personally wouldn’t bother with deploying anti-virus protection, as the risk is currently extremely low, while Mac OS X itself does have good malware protection built in. I certainly wouldn't criticise anyone who wants to deploy anti virus on your home Mac as matter of precaution, of course the trade off in doing this is an impact on system performance and the cost of purchasing an anti-virus product.
Why aren’t Macs at the same risk of Windows
The fact is the vast majority of malware (including viruses) are written specifically to exploit the world’s most popular operating systems, namely the Microsoft Windows range. There are well over a million documented* “viruses” which specifically target the Windows operating system, while there is only a handful of known viruses which targets the Apple Mac operating system range, and of these, some are actually concept malware produced by good guys, but to my knowledge none currently work against the latest version of Mac OS X. The folk behind writing and deploying malware target the largest market share and the lowest hanging fruit, namely the easiest OS they know is the easiest to exploit from. Microsoft Windows operating systems are by far the most used operating system on this planet and has arguably been one of the weakest for security in comparison to other operating systems like Mac OS.
A third point often raised in this debate, is Windows users are less technologically savvy than Mac users (in other words more stupid!) and therefore are more easier to be "conned" into clicking links which execute and install malware. I think this might have been true in the past, but today I note that many non-techies are using Macs, many people are simply choosing a Mac over a PC as a status or even fashion symbol, so I no longer buy the PC users on average are more stupid than Mac users argument.
Anti Virus Protection is no Guarantee
Anti virus does not guarantee complete protection against all known viruses and malware, AV protection is only as good as AV's latest update, and even then may not be able stop all of the latest malware. So you could well have anti virus installed on your Mac which is bang up-to-date, but if a new type of virus suddenly appears on the scene, the anti virus may not detect the virus anyway, the truth of how ineffective some anti-virus products on Windows PCs is actually quite alarming, but I'll save that one for another post.
Do business Macs need Anti-Virus Protection?
The short answer in my opinion is Yes. Medium to large businesses which have Apple Macs deployed in a mixed Microsoft Windows environment, may well want to consider deploying and running anti-virus protection on their Mac estate.
Why? Macs have been known to harbour Windows based malware, malware which could make its way from the Mac via file sharing on to Windows PCs. Just because Windows malware does not work on the Mac, it does not mean it cannot be stored on a Mac drive, and if that Mac has no anti-virus protection, then the malware files on the Mac drive are never checked for Windows malware, which in turn means the malware files are never removed, and leaving any Windows malware present and dormant on the Mac drive. Should that malware data file make its way onto out of the Mac drive, perhaps via a network share, USB memory device, or server storage, and then onto Microsoft PCs, then there can be real issues in store for the PC estate.
Also there are information security regulations and standards which insist on the deployment of anti-virus protection regardless of the operating system and your perceived risk.
Where can I get Mac Anti-Virus Protection
If you feel you need anti-virus protection on your Mac at home, or within your business environment, most of the usual big commercial anti-virus vendors provide a Mac OS anti-virus client, personally I'm independent of security vendors, which is important, as I try to keep my advice independent and objective, so I'm not going to be suggesting any vendors here. But there is a free home Mac anti-virus client called ClamXav - http://www.clamxav.com/, as I said in my blog post last week, I believe anti-virus protection should be free for all home users and provided out of the box by the OS vendor - http://blog.itsecurityexpert.co.uk/2010/04/home-anti-virus-is-completely-free-as.html
The Biggest Threat to Mac Users
Finally home Mac users should be still be wary of attacks made through their web browser and their email client. For instance phishing attack is just as likely to be successful against a Mac user as it is a Windows user, always remember many online fraudsters are targeting your personal information, your credit card details and your online bank account login details, which are often obtained through attacks through web sites (the web browser) or through the Email client, either way by conning the person into sending the details. Some third party applications on Mac can also provide a way in for malware, such as file sharing apps, to be wary about what you agree to install.
This is an interesting topic, and has been hotly contested in the security industry for years, especially between AV vendors with Mac anti virus products to pendle, and Apple enthusiasts (BTW I'm neither!), so if anyone has any different views whether in agreement or not, or indeed recommendations, please post in the comments - Thanks.
* April 2008, the BBC News reported Symantec now claimed "their anti-virus programs detect to 1,122,311 http://news.bbc.co.uk/2/hi/technology/7340315.stm
A word of caution with my view, which will be highly controversial to some, the Mac malware situation could change in the future should the bad guys decide to target the Mac OS in anger. Theoretically this may happen if the bad guys started to find they aren’t getting any joy out of attacking Microsoft Windows PCs, however this is currently not the case, there are no significant shifts in the malware OS attack vector occurring. In my view, I feel the bad guys will actually move onto targeting the smart phone market in the future, of course this is a market which is well occupied by Apple. In the meantime Mac users should guard against complacency, especially when considering all software will have it faults and therefore will have vulnerabilities to be exploited. Where we have an operating system, we are talking hundreds of thousands lines of code, which is ultimately written by human beings, so it can never be perfect, while operating systems by their nature are a highly complicated pieces of software. So it is safe to conclude no operating system can never be regarded as being ‘secure’ and therefore cannot never be guaranteed to be vulnerability free; there is just no such thing as 100% security. The answer to this problem is to continually fix (patch) the operating systems as vulnerabilities become known, hence the importance of ensuring your Mac OS is automatically updated. Going back to the lead question, today if I was a ‘home’ or mobile Mac user running OS X, I personally wouldn’t bother with deploying anti-virus protection, as the risk is currently extremely low, while Mac OS X itself does have good malware protection built in. I certainly wouldn't criticise anyone who wants to deploy anti virus on your home Mac as matter of precaution, of course the trade off in doing this is an impact on system performance and the cost of purchasing an anti-virus product.
Why aren’t Macs at the same risk of Windows
The fact is the vast majority of malware (including viruses) are written specifically to exploit the world’s most popular operating systems, namely the Microsoft Windows range. There are well over a million documented* “viruses” which specifically target the Windows operating system, while there is only a handful of known viruses which targets the Apple Mac operating system range, and of these, some are actually concept malware produced by good guys, but to my knowledge none currently work against the latest version of Mac OS X. The folk behind writing and deploying malware target the largest market share and the lowest hanging fruit, namely the easiest OS they know is the easiest to exploit from. Microsoft Windows operating systems are by far the most used operating system on this planet and has arguably been one of the weakest for security in comparison to other operating systems like Mac OS.
A third point often raised in this debate, is Windows users are less technologically savvy than Mac users (in other words more stupid!) and therefore are more easier to be "conned" into clicking links which execute and install malware. I think this might have been true in the past, but today I note that many non-techies are using Macs, many people are simply choosing a Mac over a PC as a status or even fashion symbol, so I no longer buy the PC users on average are more stupid than Mac users argument.
Anti Virus Protection is no Guarantee
Anti virus does not guarantee complete protection against all known viruses and malware, AV protection is only as good as AV's latest update, and even then may not be able stop all of the latest malware. So you could well have anti virus installed on your Mac which is bang up-to-date, but if a new type of virus suddenly appears on the scene, the anti virus may not detect the virus anyway, the truth of how ineffective some anti-virus products on Windows PCs is actually quite alarming, but I'll save that one for another post.
Do business Macs need Anti-Virus Protection?
The short answer in my opinion is Yes. Medium to large businesses which have Apple Macs deployed in a mixed Microsoft Windows environment, may well want to consider deploying and running anti-virus protection on their Mac estate.
Why? Macs have been known to harbour Windows based malware, malware which could make its way from the Mac via file sharing on to Windows PCs. Just because Windows malware does not work on the Mac, it does not mean it cannot be stored on a Mac drive, and if that Mac has no anti-virus protection, then the malware files on the Mac drive are never checked for Windows malware, which in turn means the malware files are never removed, and leaving any Windows malware present and dormant on the Mac drive. Should that malware data file make its way onto out of the Mac drive, perhaps via a network share, USB memory device, or server storage, and then onto Microsoft PCs, then there can be real issues in store for the PC estate.
Also there are information security regulations and standards which insist on the deployment of anti-virus protection regardless of the operating system and your perceived risk.
If you feel you need anti-virus protection on your Mac at home, or within your business environment, most of the usual big commercial anti-virus vendors provide a Mac OS anti-virus client, personally I'm independent of security vendors, which is important, as I try to keep my advice independent and objective, so I'm not going to be suggesting any vendors here. But there is a free home Mac anti-virus client called ClamXav - http://www.clamxav.com/, as I said in my blog post last week, I believe anti-virus protection should be free for all home users and provided out of the box by the OS vendor - http://blog.itsecurityexpert.co.uk/2010/04/home-anti-virus-is-completely-free-as.html
The Biggest Threat to Mac Users
Finally home Mac users should be still be wary of attacks made through their web browser and their email client. For instance phishing attack is just as likely to be successful against a Mac user as it is a Windows user, always remember many online fraudsters are targeting your personal information, your credit card details and your online bank account login details, which are often obtained through attacks through web sites (the web browser) or through the Email client, either way by conning the person into sending the details. Some third party applications on Mac can also provide a way in for malware, such as file sharing apps, to be wary about what you agree to install.
This is an interesting topic, and has been hotly contested in the security industry for years, especially between AV vendors with Mac anti virus products to pendle, and Apple enthusiasts (BTW I'm neither!), so if anyone has any different views whether in agreement or not, or indeed recommendations, please post in the comments - Thanks.
* April 2008, the BBC News reported Symantec now claimed "their anti-virus programs detect to 1,122,311 http://news.bbc.co.uk/2/hi/technology/7340315.stm
Subscribe to:
Posts (Atom)