Thursday, March 17, 2011

RSA Data Breach and Your Two-Factor Authentication

As we all know, breaches happen. In an open letter to its customers, RSA, the security division of EMC, announced that they had suffered a security breach:

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
I am not going to speculate on anything, but you should be aware of the situation and monitor developments. After RSA's own statement, a good place to go is the Securosis blog, which has its own summary of the situation and the open questions. Since they did a better job than I could, I'll let you read their analysis.

Clearly this is no fun for anybody. But if you use RSA two-factor authentication -- and who doesn't -- it is worth monitoring developments.

Wednesday, March 16, 2011

Your Campus Hotel is Targeted

If you have a hotel or conference center on your campus, assume it is targeted by criminal hackers who want the stash of payment card data it keeps.

I've written about this issue before (see here, here, and here). Three major hotel associations issued a joint statement today warning of cybercriminal attacks. Their basic recommendations were:
1. Eliminate EVERY default password on EVERY machine on your network -- server, workstation, router, firewall, and any other device that has a password. The most important machines to check are the ones you think are NOT vulnerable, such as a PC on an engineer's desk for monitoring building systems, or the PC in the parking garage attendant's office, or the one in a closet running your keycard system.

2. Eliminate holes in remote access to systems inside your network.

3. If you don't have a firewall, buy one and install it. If you are connected to the Internet without one, then people you don't know, from around the world and many with malicious intent, are reaching into your network. A recent University of Maryland study counted more than 2,200 attacks on an average Internet-connected computer every day -- equating to one every 39 seconds. If that computer is in your hotel, and if their intent is to steal credit card data, they will probably succeed.
The release also endorses PCI DSS compliance. This is actually pretty smart, given that their three recommendations are pretty well covered by existing PCI DSS requirements: Requirement 2.1 (change vendor-supplied defaults before a system goes on the network); Requirements 8.3 and 8.5.6 (two-factor authentication for remote access, and vendor remote-access accounts enabled only while they are needed); and Requirement 1.1 with all its sub-requirements (firewall and router configuration standards), respectively.

The point is to share this information with your campus hospitality and conference organization. Let them know they are targeted, and to be PCI compliant every day -- not just the one day a year when you do your assessment. If you are not or cannot be PCI compliant today, do your best to protect your network perimeter and at least get rid of a lot of cardholder data that you probably don't need anyway.

Keep in mind the cybercriminals are very smart and well financed. You might also note that as far as I can tell, there are only two kinds of computer systems out there: those that have been breached, and those that are going to be.

Friday, March 11, 2011

Japan Earthquake and Phishing Scams

In the aftermath of the tragic earthquake in Japan, we can anticipate a swarm of fraudulent websites springing up offering video and opportunities to make contributions to victims. This might be a good time to warn everybody of the phishing risks. The bad guys have no morals, and you can expect your users to receive such emails and to go searching websites for video of the disaster.

The SANS Internet Storm Center contains the following warning and advice:

There will probably be some email scams and malware circulating regarding the recent Japanese earthquake that occurred overnight.

Be aware of:

Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations [1]. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.

Malware: Malware may be advertised as a video report of the event or come under other pretenses.

You might want to alert your users to be particularly vigilant during this period, both at work and at home.

Thursday, March 10, 2011

Vote for NACUBO on PCI Board of Advisors

If your institution is a Participating Organization on the PCI Council, this post is for you. Specifically, I would like to ask you to vote for NACUBO's nominee to the Board, MaryFrances McCourt. Electing MaryFrances would not only add a very qualified professional to an already impressive Board, it would also give Higher Education a voice at the table where PCI decisions are made.

The PCI Council is holding elections for its Board of Advisors. There are nominees from merchants, financial institutions, and vendors. The top vote getters serve a 2-year term. This is why I am asking that, if your institution is a member, you make sure to vote for NACUBO's nominee as your top (and maybe only) choice.

Voting is open now and continues until April 8.

MaryFrances is Treasurer of Indiana University. She is active in industry and professional activities outside of IU, and she has been an active proponent of PCI compliance at IU and in other forums nationwide. Her hands-on experience in achieving PCI compliance in an extremely complex environment (a large university) means she can represent Higher Ed's issues and perspective to the PCI Council. Please understand that while MaryFrances works for IU, as a member of the PCI Board of Advisors she would represent NACUBO and all of Higher Ed, not her own institution.

If you are reading this blog and you are not a Higher Ed institution, that means that as a vendor, perhaps, Higher Ed is important to you. May I ask that you please consider voting for MaryFrances and NACUBO as being in both your and your customers' interest?

If your school is a Participating Organization, make sure you vote for NACUBO's nominee. It is in your own self-interest and that of your colleagues at Higher Ed institutions nationwide.

Tuesday, February 22, 2011

PCI DSS Webinars

I will be doing a series of four webinars for Heartland Campus Solutions. Here are the dates and times:

  • March 4, 11 am Eastern
    Payment Card Industry Data Security Standard (PCI DSS):
    What it is and why it matters to Higher Ed institutions

    The first session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

  • March 17, 11 am Eastern
    Validating your PCI Compliance:
    A Self-Assessment Questionnaire Clinic

    The second session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

  • March 24, 11 am Eastern
    Third-Party Service Providers and Outsourcing:
    A fast track to PCI compliance?

    The third session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.

  • April 7, 11 am Eastern
    Your Campus PCI Survival Guide

    The fourth session in a 4 part webinar series helping campuses understand PCI DSS and how it impacts their campus.
You can learn more and register for one or more of the webinars here (you may need to scroll down a little). And before you ask, no you don't need to be a Heartland customer to listen and participate (lots of questions, please!) in any one webinar or the whole series.

For those of you new to PCI (or with colleagues in that situation), these will hopefully be a solid introduction to the standard, especially for those who will be attending the Treasury Institute's PCI Workshop in May.

I hope to "see" many of you there.

Tuesday, February 1, 2011

PCI at Educause Security Conference

I am looking forward to presenting at EDUCAUSE's 2011 Security Professionals Conference. The topic is PCI Compliance in Higher Education, and it will be a practical review of PCI DSS together with some best practices for achieving and maintaining compliance in a Higher Ed environment. Here's more on the conference:

The Security Professionals Conference connects information security professionals, security analysts and engineers, IT staff, privacy officers, C-level executives, and others from across the higher education community. It is the premier forum for strengthening the ability of the higher education sector to protect information assets from the changing threat vectors and respond to the ever-increasing compliance requirements imposed on the higher education community. The Security 2011 conference, "Setting a Course for Collaboration and Innovative Solutions," will focus on security topics that span the information assurance measures of people, process, and technology.

I am doubly excited to be presenting at EDUCAUSE's security conference. First, because they gave me a half-day (3.5 hours...better bring coffee!) at this premier event; and more importantly, because it is a chance to meet with a great group of IT and security people from institutions nationwide.

Here's the plan. The session is Seminar 01-P on Monday, April 4. I'll start out exploring the PCI ecosystem including PCI DSS, PA-DSS, and the card brand mandates. This will be a quick intro for some and review for others. I'll also cover some best practices for meeting what I call PCI Requirement 0 (Reducing scope). That will include outsourcing and related topics. I also plan to delve into changes in PCI version 2.0 and especially the new SAQ C-VT, as well as all the SAQs. I'm looking forward to lots of questions: the last time I did this I got to about my third slide before I was slammed with questions and we went off in whatever direction the audience wanted! I sure hope they have a whiteboard or flip chart.

If EDUCAUSE is in your plans, I hope you will register for my Monday afternoon seminar. Even if you don't like PCI, it's a chance to get to San Antonio a little early and enjoy that beautiful city a bit longer.

Friday, January 28, 2011

Level 2 Schools (And Maybe Everybody Else) - Read This

The PCI Council now has the full schedule of Internal Security Assessor (ISA) training on its website (click here to view). Why is this important to all Level 2 Higher Ed institutions? Because under the new MasterCard validation requirements, you either have to have an ISA sign your Self-Assessment Questionnaire (SAQ), or you get to hire a QSA (did I give you my email???) to do it. And as everybody knows, if you are Level 2 for Visa, you are Level 2 for MasterCard even if you have only 1 transaction on that card.

It is great the Council has published the full 2011 schedule. Now you can plan which will be the best one for you. I recommend you surf over and have a look. The ISA training is a bit different this year:

Beginning in 2011 the New ISA training course will have a new look and feel to it to accommodate many of the suggestions the Council has received on the course. The course will consist of two parts: an on-line course followed by a short exam and a two-day instructor-led session ending with an exam.
You should note that only five of the courses are in the US. The others are in cities worldwide, so depending on your budget you can choose between San Diego and Sydney. There are some basic requirements to qualify for the training, and you can learn all that at the PCI Council's website.

The training is not free: $2,595 for schools that are not Participating Organizations, and $1,595 for those that are. Yet another benefit for those Higher Ed institutions that become POs.

Speaking of price, did I mention that the Treasury Institute's PCI Workshop is a fraction of this price, although you don't get the 2-day in-depth training on every requirement, and you don't get the ISA certification. (Yeah, I know...it's a shameless plug, but what do you expect on the Institute's own blog!?!)

More and more large institutions are finding that they are Level 2 merchants (1 million to 6 million Visa or MasterCard transactions per year), and that they have a new PCI validation regime this year. I know this from my own experience with some of these institutions. If this describes your situation, you might want to take a look at this training.