However, let’s remember one thing: AETs depend on a vulnerable system inside the target environment.

Let’s be clear, criminals generally don’t need to resort to APT and AET to infiltrate a vulnerable environment: The Verizon DBIR 2011 states that 87% of attacks could be prevented using simple, proactive measures.

APTs (through AETs) are likely to target organisations where they would achieve the most financial or political gain. In my book, this means that the first step would be to understand what the critical assets are and the second one to understand the infrastructure deployed for those critical assets. Predictably, as you may expect it coming from me, the third step should be to protect the assets based on a risk assessment reflecting the organisation’s risk appetite.

So whilst it is a good idea to check whether your intrusion prevention appliances are or will be anti-evasion ready and capable of receiving current AET patches and security updates continuously and dynamically (and again, a lot of good research has been done in this area), look inside first… Have you fixed the basics?

Author: Neira Jones, Head of Payment Security – Barclaycard

Over 200 attendees are predicted to attend to hear valuable insights into Barclaycard’s new Risk Reduction Programme, a valid alternative to the traditional PCI DSS methodology.

Practical and interactive applications of innovative technologies will be demonstrated and explored to help reduce risk and fraud as part of the programme. Furthermore, integral reasons for adopting the Risk Reduction Programme will be presented by 7Safe’s Dan Haagman who will engage the audience to explain key business benefits for merchants, and the common issues that underpin managing compliance.

With a fantastic line up of further speakers including Visa, MasterCard, American Express, and the PCI SSC, the event will provide an exciting opportunity for you to gain knowledge and network with fellow attendees.

Merchants are invited to join us at One Drummond Street, London from 9.30am – 4.00pm on Wednesday 29^th September.

Pre-register: marketing@7safe.com. This event is free but registration is required. Book now to avoid disappointment.

This is a great opportunity for an experienced QSA to join our evolving PCI consultancy and undertake security audits and compliance assessments for a wide range of blue chip merchants and service providers. 

We offer independent expert advice and pragmatic solutions through establishing long-term partnerships with our clients in order to help them meet their transformation challenges with confidence.

Find out more about this exciting opportunity

With speakers including Dan Haagman, (7Safe Co-Founder and Director), Neira Jones (Head of Payment Card Security, Barclaycard), Stanley Skoglund (Senior Vice President, Visa Europe) and Jeremy King (European Managing Director, PCI SSC), many customers have already pre-booked.

“Security Matters” will be using innovative voting technology to enable instant “pulse taking” on topics such as eDiscovery and risk prioritisation.  Results of the surveys will be instant and go live on Twitter.

Additionally, the day will provide a range of new, innovative and award winning technologies that can help you keep your information assets safe.

Customer, prospects and partners are welcome to join us for a highly informative, interactive and thought provoking day at The Royal College of Surgeons from 9.30am-2.00pm in London on Thursday 30th June.

Pre-register: marketing@7safe.com This event is free but registration is required.

PCI DSS v2.0 communicates the Council’s intention to provide effective and efficient data security standards that, when implemented correctly, will protect payment card data.

The good news for organisations that are compliant with the existing standard PCI DSS v1.2.1 is that the changes made within v2.0 do not represent a step change in control requirements, simply evolution that recognises the maturity of the existing standard.

What the new standard does provide is additional flexibility in some areas, additional guidance in others and a reducing in duplication. In short, the new standard helps organisations bring some economies to their PCI DSS compliance through greater clarity.

The good news is that the intent of each requirement has not changed and therefore the underlying control structure implemented by organisations for compliance is not expected to change significantly. Secure technology, policies, procedures and practices to protect payment card data will continue to be required.
Organisations can assert their compliance with the PCI DSS v2.0 with effect from January 2011. For those organisations who are currently working with PCI DSS v1.2.1 they can continue to do so until December 2011. After this date, all organisations will be required to assert compliance with the PCI DSS v2.0.

“Greater clarity, recognition of evolving technologies, improved guidance, and extended lifecycle”*. … that’s the sign of a mature standard – something that business can plan and embed into their regular commercial activities.
Early transition to PCI DSS v2.0 is likely to be the best option for most organisations. Naturally, all new 7Safe engagements undertaken from this stage onwards will focus on v2.0 and for those who are “mid-journey”, our PCI Consultancy team will / have been in touch to discuss how the transition will affect current and on-going works.
*Michael Christodoulides – 5th November 2011

7Safe – Professional QSA Consultancy Services

7Safe is a leading Information Security firm based in Cambridge and London, UK and operates in the PCI DSS space for the provision of QSA Consultancy, Incident Investigation (QFI/QIRA) and PCI Compliance software (7Seec).

Barclaycard – Leading Payment Card Security

Barclaycard as an acquiring bank is industry leading in the field of PCI DSS with operations that drive compliance through its Merchant / Service Provider base and a key focus on reducing credit card fraud in the industry.

UK Security Breach Investigations Report 2010

The UK Security Breach Investigations Report 2010 is an analysis of data compromise cases over an 18 month period.  Some of the statistics that come out of the analysis are:

- 69% of organisations suffering breaches were retailers.

- The majority of organisations (66%) were small companies employing less than 100 people.

- In 85% of cases, payment card data (e.g. credit and debit card numbers) was compromised

- Where payment cards were at risk, the most common number at risk were between 20,000-50,000.

- 80% of  attacks on data came from sources external to the organisation, and 18% came from business partners

- SQL injection was found to be by far the most common factor across all data breaches

- 86% of compromises came from attacks on applications, with just 14% on the IT infrastructure

- The country where most attacks appeared to originate from was Vietnam (36%), followed by the USA (29%) and the UK herself (13%)

- All organisations that had payment card data compromised were not fully PCI DSS compliant at time of compromise.  Further, of the 12 PCI Data Security Standards, the most srequirements that any of the organisations complied with was 6.

You can download the UK Security Breach Investigations Report 2010 from www.7safe.com/breach_report.  It’s free.

As you can imagine, many companies taking credit card payment can inadvertently store such PANs in clear text and not be aware of this until disaster strikes.  Often this disaster comes courtesy of someone (hacker, employee, opportunist) infiltrating the systems that hold the card data, then taking a copy which ends up being used by fraudsters.  There is an active and ready market for stolen credit card numbers and it’s big bucks.

A way of minimising the likelihood of such disasters means ensuring that unencrypted card data is located and remedied, but where to begin?

We have been able to help a number of clients with a consulting service that utilises an internally developed software tool called 7seec.  In essence 7seec scans disks for unencrypted payment card data, is fast (up to 50MB per second), does not write to the disk,  opens and searches nested archives (e.g. zip) and even scans deleted files.  Our consultants are using 7seec on Windows and many Unix flavour systems on a regular basis now. 

Although it sounds simple, 7seec has been continually developed for 2 years and is proves invaluable in both data breach scenarios (being that it is forensically sound) and PCI compliance scanning exercises in searching for cardholder data.