Pre-Sales Consultant

Nettitude is a 120 man organisation with offices in the UK and US.  We deliver cutting edge cyber security services to some of the largest and most widely trusted organisations in the world.  We help organisations understand the risks from cyber and provide proactive guidance on how to reduce this risk through a series of professional services engagements.

Nettitude has historically focused on delivering Professional Services, and is transitioning into a 24×7 Managed Security Services business that delivers proactive detection and response services around the clock.  This provides us with a number of key differentiators in the market, which are fuelling double-digit year-on-year growth.

Role Description

The role reports directly to the Pre-Sales Manager. Pre-sales consultants support the sales team by delivering pre-sales assistance to help close business, both onsite in front of clients and remotely over the telephone.

Pre-sales consultants will be responsible for scoping engagements and, for larger requirements, for generating pre-sales proposals.

It is expected that suitable candidates will have a strong understanding of Penetration Testing, Incident Response and Risk management.  Nettitude will provide adequate training to help the presales consultant develop across all of the lines of business.

Essential Skills

  • Will be able to demonstrate a strong technical assurance background.  Either CRT or CCT level CREST certification would be a benefit
  • Strong communication skills, both verbal and written
  • Strong understanding of wider infosec domains.  CISSP, CISM desirable
  • Understanding of Incident Response and SOC services would be desirable

Responsibilities

  • Undertake all technical pre-sales calls and meetings within their specialism
  • Provide accurate scoping information for the sales team
  • Provide technical due diligence information for incorporation into each sales proposal
  • Uncover new leads during the pre-sales process and load into CRM for action by the account manager
  • Ensure the highest possible rate of conversion of opportunities to ‘won’ business
  • Periodically develop and refresh the technical elements of sales proposals relating to their specialism
  • Be prepared to deliver presentations  during the sales cycle

The Technical Pre-Sales Consultant will also be required to:

  • Remain up-to-date with specialist skills and market trends
  • Remain current with all required accreditations and certifications
  • Undertake rudimentary training in other technical pre-sales specialisms in order to provide cover as required

Key Working Relationships

The following groups represent the expected primary working relationships required for this job role.

  • Technical Pre-Sales Manager
  • Chief Commercial Officer
  • Sales Managers
  • Sales Teams UK
  • Sales Teams US
  • All Technical Teams

PCI DSS v3.2 – The One Year Countdown has begun! Again?

I am sure many of you are reading this title thinking “what is he talking about, v3.2 went live ages ago”, and you would be correct. However, version 3.2 of the PCI DSS continues the concept of future-dated requirements, meaning the one-year countdown to 31st January 2018 has begun.

Save the date

The PCI Security Standards Council introduced nine requirements in PCI DSS v3.2 which are best practice until 31st January 2018, after which time they become mandatory.

Now let’s be realistic, the majority of merchants and service providers are going to treat ‘best practice’ as ‘optional’ until they undergo an assessment after 31st January 2018; but please don’t wait. Compliance is not just the assessment with the Qualified Security Assessor (QSA); we should be striving to meet every requirement, at all times and they must be in place by the 31st January 2018 even if your assessment is not until after that date.

Do I need to do something now?

YES! The majority of these future dated requirements are for Service Providers, so if you choose to postpone doing something about them now, this is going to be highlighted in your Attestation of Compliance.

In this hyper-competitive world, can you afford to show this to your clients and the payment brands? Will it make the difference when touting your wares? If I was looking for a service provider, part of my due diligence requirement (12.8.3) would be to see how you’re doing with your future dated requirements.

Don’t forget, not only are these requirements going mandatory, you may also have the GDPR on the horizon too. So let’s get planning.

What are the requirements?

The table below was compiled from the PCI DSS v3.2, so be sure to get the full requirements from there:

Requirement | Details | Service Provider only?
3.5.1 | Maintain a documented description of the cryptographic architecture. | Yes
6.4.6 | Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. | No
8.3.1 | Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. | No
10.8 | Implement a process for the timely detection and reporting of failures of critical security control systems. | Yes
10.8.1 | Respond to failures of any critical security controls in a timely manner. | Yes
11.3.4.1 | If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods. | Yes
12.4.1 | Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program. | Yes
12.11 | Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. | Yes
12.11.1 | Maintain documentation of the quarterly review process to include: documenting results of the reviews; review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. | Yes

…and that means I have to do what?

Some of these requirements do nothing more than force you to employ good practice. On first look this seems cheeky perhaps, but if it is good practice you can hopefully already demonstrate it, either within your self-assessment or to your QSA.

3.5.1 – Documenting your cryptography

This is not as daunting as you might think. It will only apply to your organisation if you are storing encrypted cardholder data and you are a service provider, so you might be off the hook already. Pragmatically, this is only an extension of 3.6, so review that documentation and add details accordingly.

6.4.6 – This is an extension of change control

Possibly the EASIEST of the future-dated requirements. Why, you say? Because it is just good change management. If you have a good change management posture, it goes without saying that you will be ensuring PCI DSS compliance is maintained on all changes, let alone those deemed ‘significant’.

Review the process, insert a reminder/action/decision point that asks “Is this significant? Was all affected documentation from this change updated appropriately?”, and record the answer.

8.3.1 – Multi-factor Authentication for Non-Console Administration

This could be an awkward one. Here’s the problem for admins: sitting at the machine in the CDE, you don’t need MFA to log on (but I won’t complain if you have it!). Sitting elsewhere and connecting into the CDE to administer it, you will need something. Start planning now if this is not in place, as it will affect a number of requirements and is likely to attract the attention of 6.4.6 above.

10.8 & 10.8.1 – Find out that it is broken, why it happened and fix it without delay

This one is for service providers only – but once again I will not object to merchants doing it too! You need to show how you are monitoring the monitoring systems for failure. This can go hand in hand with testing your incident management processes, particularly for things which do not get tested on a daily basis. Work out a control test to apply to each of those systems where appropriate. If the monitoring processes do their job, you will not only be giving yourself evidence of testing the incident management plan, you will also have checked that the monitoring system itself is working.
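One way to make “monitoring the monitoring” concrete is a heartbeat watchdog: each critical control is expected to report within a maximum silence window, and a control that goes quiet or never reports is recorded as a failure with its detection time, which is the record 10.8 and 10.8.1 ask you to be able to show. The following is an added example written for this post, not code from Nettitude; the control names, silence windows, heartbeat lines and check time are all constructed.

```python
"""Monitoring the monitoring: detect failures of critical security controls.

Added example, not code from the Nettitude article. Every critical control
(firewall logging, IDS, file-integrity monitoring, anti-malware) is expected
to report a heartbeat within a maximum silence window. A control that has
gone quiet for longer than that, or that has never reported, is recorded as
a failure together with the time it was detected, which is the kind of
evidence PCI DSS 10.8 (timely detection) and 10.8.1 (timely, documented
response) ask for. Control names, windows and heartbeat lines below are
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Control:
    name: str
    max_silence: timedelta  # longest gap between reports before the control is called failed


@dataclass(frozen=True)
class Failure:
    control: str
    reason: str
    last_seen: Optional[datetime]  # None when the control never reported at all
    detected_at: datetime


# Constructed set of critical controls and how long each may stay silent.
CRITICAL_CONTROLS = [
    Control("firewall-syslog", timedelta(minutes=15)),
    Control("ids-sensor", timedelta(minutes=15)),
    Control("file-integrity-monitor", timedelta(hours=24)),
    Control("anti-malware-console", timedelta(hours=24)),
]

# Constructed heartbeat feed: "<ISO-8601 timestamp> <control name> heartbeat".
SAMPLE_HEARTBEATS = [
    "2017-02-01T09:00:00+00:00 firewall-syslog heartbeat",
    "2017-02-01T09:50:00+00:00 firewall-syslog heartbeat",
    "2017-02-01T08:30:00+00:00 ids-sensor heartbeat",
    "2017-01-31T12:00:00+00:00 file-integrity-monitor heartbeat",
    # anti-malware-console is deliberately absent: it never reported
]
CHECK_TIME = datetime(2017, 2, 1, 10, 0, tzinfo=timezone.utc)


def parse_heartbeats(lines: List[str]) -> Dict[str, datetime]:
    """Return the newest heartbeat timestamp seen for each control."""
    latest: Dict[str, datetime] = {}
    for line in lines:
        ts_text, control, _ = line.split(maxsplit=2)
        ts = datetime.fromisoformat(ts_text)
        if control not in latest or ts > latest[control]:
            latest[control] = ts
    return latest


def detect_failures(controls: List[Control], heartbeats: Dict[str, datetime],
                    now: datetime) -> List[Failure]:
    """Flag every control that never reported or has exceeded its silence window."""
    failures = []
    for c in controls:
        last = heartbeats.get(c.name)
        if last is None:
            failures.append(Failure(c.name, "no heartbeat ever received", None, now))
        elif now - last > c.max_silence:
            failures.append(Failure(c.name, f"silent for {now - last}, limit {c.max_silence}",
                                    last, now))
    return failures


def failure_register(failures: List[Failure]) -> List[str]:
    """Render failures as register entries: the written record 10.8.1 expects."""
    return [
        f"{f.detected_at.isoformat()} CONTROL FAILURE {f.control}: {f.reason} "
        f"(last seen {f.last_seen.isoformat() if f.last_seen else 'never'})"
        for f in failures
    ]


def run_check() -> List[Failure]:
    """Run the check over the constructed feed at the constructed check time."""
    return detect_failures(CRITICAL_CONTROLS, parse_heartbeats(SAMPLE_HEARTBEATS), CHECK_TIME)


if __name__ == "__main__":
    for entry in failure_register(run_check()):
        print(entry)
```

Run as a scheduled job, the register output is both the evidence that the control test was performed and the trigger for the incident management process the post mentions; the silence windows are the control test you work out per system.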

11.3.4.1 – Segmentation Testing

This is a recurring activity to test your segmentation, and again only for service providers. Check the requirements in the standard and have it done, either by an independent qualified resource or by engaging the services of a penetration testing company.

12.4.1 – Executive Management and a PCI Charter

This is new, but not entirely unfamiliar. If you are running an ISO 27001 ISMS, you will know about top-level management needing to be part and parcel of the programme. A RACI matrix will help here, along with keeping top management in the loop; this requirement is a good place to start if you have not already.

12.11 & 12.11.1 – Perform reviews

Again, this is not a new idea, but it is a real boost for maintaining compliance. Thinking again about ISO 27001: you are already doing internal auditing, as that is mandatory, so make this a control in your management system and you are covered. It is about assessing that you are performing BAU activities and can evidence this, so you need evidence that change controls and BAU activities were observed to be in place and effective, and documentary evidence that such a review took place.

So it is all quite straightforward?

Yes – a general review of your day-to-day activities is going to ‘smash these out of the park’. And if you are struggling with where to start, contact your QSA company for assistance; they will be happy to help.

If you have done nothing yet, please try and minimise your delay. Also, remember that these are all requirements designed to minimise risks, so pop an entry into your risk log (requirement 12.2) and as you work through them, drop them off; the assessment process will love you for it!

P.S. Save the Date – 31st January 2018, not only is it a significant day for PCI DSS, it is also a total lunar eclipse and in the UK we sadly don’t get to see too much of it.


To contact Nettitude’s editor, please email media@nettitude.com.

Nettitude partners with Parliament as Cyber Security Month gets underway

February will see a series of events organised as part of Parliament’s Cyber Security Month, which is aimed at raising awareness of the importance of cyber security as an issue that those in Parliament need to address in their personal and professional lives.

Organised by the Parliamentary Digital Service in collaboration with a number of partners, including Nettitude, Cyber Security Month is part of a wider series of initiatives planned for 2017.

Over the course of four all-day sessions, Members of both Houses and their staff will have the opportunity to brush up on their existing knowledge and learn new skills relating to cyber security.

Nettitude’s CEO, Rowland Johnson, will today host a session on the current cyber threat landscape, explaining the sophistication and motivation of today’s attackers, as well as organised cyber crime and the importance of threat intelligence in providing security assurance.

Rob Greig, Director of the Parliamentary Digital Service, has commented: “In a rapidly evolving cyber security threat environment, Parliament is committed to promoting good cyber practice wherever possible. We can all benefit from improving our understanding and it is great to be collaborating with a number of industry-leading organisations during Parliament’s Cyber Security Month, and I look forward to a successful series of events which I hope will be interesting and informative.”


Soldier to Cyber

As an ex-serviceman myself, I’m often approached by numerous service leavers who’ve asked how they can best prepare themselves for a career as an IT Security Consultant (AKA Penetration Tester / Ethical Hacker).

I’ve created this post based entirely on my personal experience. The aim is to provide guidance to those, who like myself, intend entering this exciting and fast evolving industry as a complete beginner.

It was two years after leaving the Armed Forces that I realised the career path I wanted to take, and this realisation came after much deliberation into what actually motivates me. Unfortunately, as a result of this delayed realisation and lack of calculated direction, I didn’t effectively utilise my time in resettlement, and I’d strongly recommend using the whole year to get the very most out of it! Resettlement is one of the most joined-up processes the military offers, providing you apply thought to what you want out of it. I would encourage anyone in resettlement seeking a career as a Security Consultant to utilise all available opportunities and look into the training programmes explained below.

  1. Sign up to the CTP (Career Transition Partnership) website and enrol on the CompTIA A+ course (10 days). Now I know what you may be thinking “A+ is primarily hardware related” and you would be right. But A+ also covers a lot of the basics such as virtualisation, networking and security practices – These “basics” will become part of your everyday working life as a Security Consultant. Besides, you’ll also become a competent IT Technician, armed with the skills and knowledge to repair your own PCs/laptops; saving yourself £££’s in the future. It will also prepare you for course number 2, outlined below.
  2. CompTIA’s Network+ and Security+ course (15 days). This course is designed to look into networks and then security best practices (both topics are vitally important as a Consultant, because you will need to advise your clients on how to remediate their security failures). It is during this course where you will begin to learn about testing network security with pen testing tools. I would also take the time to invest in attending the exams for any courses to gain your formal certification. This will impress any potential employer, whilst also demonstrating your commitment and aptitude. CTP receive a preferential discount on CompTIA exams to encourage ex-servicemen and women. Consider using your annual SLC to fund these exams.
  3. Sign up to Cybrary.it and study the Linux+ course. This is VITALLY important because the tools you will be using in the future as a Consultant are likely on the Operating System (OS) Kali Linux. Before you start to use Kali Linux, you really need to understand how a Linux OS works. Cybrary’s Linux+ course does just that. Don’t just give the course lip service, it’s so important to get used to the functionality of a Linux OS – You really need to understand exactly what you are running. Practice, practice, practice; this will save you so much pain in the long run.
  4. The allocated resettlement/GRT shouldn’t be viewed as a “buckshee holiday”; you should be using this time to apply your technical knowledge in a practical way and applying to potential employers for work placements. Things like accommodation and travel, as well as food, are all covered when you are using GRT for a work placement (I will caveat that: this was the case 3 years ago).
  5. Using the whole year, this would take you into roughly 6 months of resettlement and you’d have gained the basic skills to further your development. It is now you should consider using one of your resettlement grants towards a course provider who offers CREST training in Penetration Testing / Ethical Hacking in order to work towards the CRT (CREST Registered Tester) exam. The fact you are leaving the military most likely with SC, or DV and a CRT qualification will make you highly desirable.
  6. You will now be armed with plenty of skills and certificates to be considered for a Junior Tester position. Whilst you’re applying for jobs or just seeing out the end of your time in the Armed Forces, download vulnerable Virtual Machines; Metasploitable2 is a great start. It’s purposely designed with plenty of security flaws to exploit and test your newly learned skills. Alternatively, there are plenty more vulnerable VMs.
  7. Should you want to excel and go above and beyond it would be worth considering studying for the OSCP (Offensive Security Certified Professional) exam. The OSCP certification is regarded as the best within the Pen Test industry. By successfully completing the OSCP certification, the holder will have clearly demonstrated their proficiency as a Penetration Tester. This course costs around £1200 and is a difficult course that requires 100% commitment.

Embrace learning! The industry is constantly evolving and I haven’t stopped learning and I don’t think I ever will. Ensure you utilise your resettlement package wisely and invest the time and effort to prepare for your future.

I wish you all the success in your future. Please feel free to drop me a message should you need further guidance.


Junior Developer

Role Description

We are looking for a Junior Developer to join our dynamic and enthusiastic research and innovation team involved in bringing to life cutting-edge cyber technology solutions around threat intelligence, simulated attack platforms and bespoke tools. You will have 1+ years’ development experience and will be keen to be involved in developing with Python. You will have the opportunity to help shape and define new work in the department and get involved with cutting-edge technologies.

Essential Skills

  • Relevant degree in Software Engineering, Computing or similar
  • Ideally 1+ years’ commercial development experience

General Skills:

  • Self-starter and able to work dynamically within a small team
  • Able to organise their own time and work independently

Desirable Skills

The following skills would be highly desirable:

  • Linux
  • Familiarity with Python
  • Familiarity with any of the JavaScript frameworks

Senior Security Information Consultant

Nettitude are looking for experienced Information Security Consultants with a deep passion and enthusiasm for InfoSec. Can you deliver exceptional technical and business leadership, pragmatic advice and in-depth guidance directly to a wide range of customers? Can you effectively communicate strategy, effect technical and business change, and deliver impactful briefings to businesses, and do you enjoy doing so?

Role Description

The role involves working closely with our multi-national clients to identify information security risks within their organisations, and act as a trusted advisor to prioritise and respond to those risks.

As part of our industry leading Information Security Consultancy team, you will be involved in guiding and leading clients within a range of security engagements including: Cyber strategy workshops, threat assessments, risk assessments, security assessments, C-Level briefings, secure network and system architecture design, consultancy around a range of security frameworks, SOC Maturity workshops, and serving as a trusted advisor or virtual CISO.

Essential Skills

  • Solid grasp of technical subjects around networks, servers, databases and software applications
  • Demonstrated thought leadership and the ability to influence, shape and guide security programmes and business owners
  • Solid understanding of risk, threats and vulnerabilities
  • Ability to communicate clearly, with impact, to both technical and exec/board level staff
  • Excellent written and verbal communication skills
  • 5+ years’ experience within security disciplines
  • Previous experience in a client-facing consultancy role
  • Excellent time management skills

Required Skills

  • You should hold, or be willing to obtain, at least one of the following accreditations: CISSP, ISO27001 Lead Auditor/Implementer, CISA, CISM. Qualifications such as GSNA, IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor), IIA Certified Internal Auditor (CIA), Microsoft MCITP, Cisco CCNA, CREST and other offensive security qualifications or experience would also be an advantage.

Desirable Skills

  • In depth experience of security architecture, design and configurations
  • Solid understanding of breach detection and SOC maturity processes/models
  • Experience and understanding of both offensive (testing) and defence (monitoring & logging) security
  • Experience of conducting PCI DSS Assessments, RoCs and Gap Analysis workshops
  • Experience delivering security awareness training to both end-user and technical audiences would be an advantage.
  • Experience of conducting threat assessments and OSINT/threat intelligence engagements would also be desirable.
  • Project management

Expectations

  • You will be out on client sites for 60-70% of the time with report and office days in between. Assistance with pre-sales and working with the wider teams at Nettitude is essential.
  • As well as client-facing delivery, all consultants are encouraged to contribute to the wider infosec community, through the authoring of blogs, attending or presenting at industry events, and membership of professional bodies. Existing experience and demonstration of leadership, industry activities and/or blog articles/whitepapers are actively encouraged.

SOC Security Engineer/Technical Consultant

We’re looking for a driven individual who is highly organised and has a desire to learn and grow within the role.

Role Description

Nettitude provides leading edge cyber security assurance services through our SOC, NOC and Testing teams. We are looking for highly capable consultants to join the team who have a passion to build and shape the industry. Defining what good looks like within a SOC, providing technical consultancy, understanding and applying Threat Intelligence and guiding customers to better and improved security postures are all focused areas of skills we are looking for.

A blended role incorporating the delivery of cyber security consultancy from risk and threat assessments, through to technical network design and management, to focused SOC/Product delivery. This is a very exciting role with room to develop, expand knowledge and work with a cross section of expert teams within Nettitude.

Required Skills

  • Demonstrable Security consulting experience around risk, security products (Firewalls, IPS/IDS, Logging, etc), secure network design, threat intelligence
  • At least two years’ 2nd/3rd line support experience with LAN/WAN including switches, routers & Wi-Fi.
  • Configuration and maintenance of IPS/IDS solutions including signature/rule base tuning for specific threats
  • At least two years’ experience of configuring firewalls such as Cisco ASAs, Palo Alto or Checkpoint.
  • Solid understanding of both security principles and security products
  • Demonstrable experience of secure and resilient network design including VLANs, NAT, routing, switching and IP addressing.
  • An ability to work under pressure and take ownership of issues through to resolution.
  • A proactive attitude and ability to communicate with a variety of individuals and skill levels.
  • At minimum a CCNA or CCSA.
  • On-site client consultancy experience

Desirable Skills

  • CCNP, CCSE or PCNSE or other security related exams/qualifications
  • Experience of working in a SOC or with incident response/cyber investigations
  • Knowledge and experience of PCI environments
  • Understanding use of incident response products (CarbonBlack, Tanium) & SIEM platforms/tools
  • Working knowledge of Yara rules

Expectations

  • Office based in Leamington Spa, Warwickshire but with customer site visits as required.
  • Flexible hours of work between 08:00-18:30

The Big Freeze Is Coming – PCI DSS and change freezes

With the festive period rapidly approaching, many people will no doubt be looking forward to an extended break and some well-earned time away from work. The run-in to Christmas can be a relatively peaceful time of the year for many people, with organisations reluctant to kick-off large projects, or make significant change at a time when their employees are taking leave.

Many businesses will implement what is referred to as a change freeze over this period, completely stopping all but the absolutely unavoidable changes in the hope of minimising the risk of unexpected downtime. After all, nobody wants to be rolling back a system upgrade on Christmas Eve, or recovering backups on Boxing Day.

Probably the most common justification for a change freeze is found in the retail sector. With the Black Friday madness now behind us, the busiest shopping day of the year is predicted to be December 23rd. Crowds of hopeful last minute shoppers are expected to rush to the high-street, and possibly even more will go online and put their trust in next day delivery.

It’s at this time of year that the impact of any technical glitch will likely cost more than at any other time. Last year, over a third of all shoppers waited until the final week before Christmas to complete their shopping, meaning a significant loss for any retailer whose website or shops are unable to satisfy their customers’ desire to spend.

It’s easy to see why those tasks, considered not to be “absolutely unavoidable”, are delayed. Updates, upgrades, migrations, new installations – they’ll have to wait until January. But this can prove to be problematic, especially if your business is trying to comply with PCI DSS.

There are many ongoing requirements that must be met to maintain PCI DSS compliance, and some of them could fall victim to the change freeze. The most significant issue is applying critical security updates within one month of their release. In my opinion, PCI DSS is already very forgiving on this requirement; arguably one month is an overly long window in which to apply a critical security update. However, if your business runs a change freeze from mid-December until January, failing to install updates could leave you (and your Qualified Security Assessor (QSA)) with a problem come the time of your next on-site assessment.

Any organisation which enforces a change freeze that might impact on security (never mind compliance) should complete a comprehensive risk assessment. Consider what additional risks exist as a result of the freeze, and any mitigation work required (wherever possible). Make sure that you assess the risks of both making and not making changes, and use the same risk assessment process for a consistent result.

Keeping with the example of not installing security patches, you should consider the exposure of each system affected (a public-facing server versus an internal server), as well as the time immediately before and after the change freeze. It should go without saying that your ‘house’ should be in order prior to the change freeze, and that all patches should be applied and verified. Another recommendation is to complete additional vulnerability scanning to provide extra visibility and assurance.

While the change freeze is in place, your teams should be actively monitoring any alerting systems you have, as well as the security bulletins provided by vendors. If critical updates are released, assess whether they justify breaching the change freeze. If they don’t, then at the very least you should consider applying them to any test environments.

Schedule in any required maintenance windows in advance, and when the change freeze lifts, apply any critical updates to the most exposed systems first, and work back from there.

As for your PCI DSS and compliance, it’s important to “show your working”. Don’t simply hope your QSA won’t notice that some tasks haven’t been completed. Each QSA’s approach and expectations may vary, so work with them on an ongoing basis and at the time of your assessment, and show that you’ve acted appropriately.
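The risk assessment the post describes can be written down as a small, repeatable calculation: for each pending critical update, work out the last day that keeps it inside the one-month window, decide whether waiting for the freeze to lift would breach that window, and order the work so the most exposed systems come first. The following is an added example written for this post, not Nettitude’s own process or code; the 30-day modelling of “one month”, the exposure categories, the freeze dates and the update list are all constructed assumptions.

```python
"""Assess pending critical security updates against a change freeze.

Added example, not code from the Nettitude article. It models the post's
reasoning: PCI DSS expects critical security updates installed within one
month of release; a change freeze delays installs; so for each pending
update decide whether waiting until the freeze lifts would breach the
one-month window, and order the work so the most exposed systems are
patched first. The 30-day window, exposure categories, freeze dates and
update list are all assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

PATCH_WINDOW = timedelta(days=30)  # assumption: "one month" modelled as 30 days

# Lower rank = more exposed, so it is patched earlier (public-facing first).
EXPOSURE_RANK = {"public-facing": 0, "cde-internal": 1, "internal": 2}


@dataclass(frozen=True)
class PendingUpdate:
    system: str
    exposure: str   # key of EXPOSURE_RANK
    released: date  # vendor release date of the update
    critical: bool  # the one-month clock applies to critical security updates


@dataclass(frozen=True)
class Decision:
    system: str
    exposure: str
    deadline: date                     # last day that keeps the update inside the window
    breaches_window_if_deferred: bool  # True if waiting for the freeze to lift is too late
    recommendation: str


def assess(updates: List[PendingUpdate], freeze_start: date, freeze_end: date) -> List[Decision]:
    """Return one decision per critical update, most urgent first."""
    first_install_day = freeze_end + timedelta(days=1)
    decisions = []
    for u in updates:
        if not u.critical:
            continue  # feature updates are simply deferred; the window is about critical ones
        deadline = u.released + PATCH_WINDOW
        breaches = deadline < first_install_day
        if deadline < freeze_start:
            rec = "apply before the freeze starts: the window closes before the freeze begins"
        elif breaches and u.exposure == "public-facing":
            rec = "apply during the freeze as an emergency change; deferral breaches the window"
        elif breaches:
            rec = ("risk-assess deferral against patching; apply to test environments now; "
                   "discuss compensating controls with your QSA")
        else:
            rec = "schedule for the first maintenance window after the freeze lifts"
        decisions.append(Decision(u.system, u.exposure, deadline, breaches, rec))
    # Breaching updates first, then the most exposed systems, then the earliest deadline.
    decisions.sort(key=lambda d: (not d.breaches_window_if_deferred,
                                  EXPOSURE_RANK[d.exposure], d.deadline))
    return decisions


# Constructed freeze window and pending updates.
FREEZE_START, FREEZE_END = date(2016, 12, 12), date(2017, 1, 9)
SAMPLE_UPDATES = [
    PendingUpdate("legacy-vpn-gw", "public-facing", date(2016, 11, 5), critical=True),
    PendingUpdate("web-store-01", "public-facing", date(2016, 12, 5), critical=True),
    PendingUpdate("db-cde-02", "cde-internal", date(2016, 12, 1), critical=True),
    PendingUpdate("hr-fileserver", "internal", date(2016, 12, 28), critical=True),
    PendingUpdate("web-store-01", "public-facing", date(2016, 12, 1), critical=False),
]


def run_assessment() -> List[Decision]:
    """Assess the constructed update list against the constructed freeze."""
    return assess(SAMPLE_UPDATES, FREEZE_START, FREEZE_END)


if __name__ == "__main__":
    for d in run_assessment():
        flag = "BREACH" if d.breaches_window_if_deferred else "ok"
        print(f"{d.system:15} {d.exposure:14} due {d.deadline} {flag:6} {d.recommendation}")
```

The ordered output is the “show your working” artefact: it records which updates were assessed, why each was or was not deferred, and in what order the post-freeze maintenance window will be worked through.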

Performing a risk assessment doesn’t have to mean pages and pages of documentation, but you should be able to demonstrate that you considered the risk and acted appropriately. You may also need to complete a compensating controls worksheet, but again this is something to discuss with your QSA. PCI DSS should never stand in the way of your organisation achieving its goals, and taking a pragmatic and open approach to this should help to ensure that the change freeze doesn’t leave you out in the cold.


Cyber Threat Update 14-21 November 2016

Cyber News Summary

There have been several high profile data breaches over the past week.

The group behind the $1 billion theft from financial institutions in 2014 is now targeting the hospitality and restaurant sector. Mobile network provider Three confirmed eight cases of upgrade fraud, though roughly 133,000 accounts may also have been compromised. Adult Friend Finder data was leaked, affecting 339 million accounts with passwords stored in plain text. It appears that iPhones and iPads are still susceptible to passcode bypass vulnerabilities that involve the use of Siri.


Carbanak switches focus to hospitality sector

The gang behind Carbanak, who stole $1 billion from financial institutions in 2014, have switched focus to the hospitality and restaurant sector. Call centers have been targeted with elaborate ploys to get customer service representatives to accept emails with malicious macro-laced documents. This latest campaign is believed to have started in early October 2016. Read the rest of the article here.


Massive data breach at Three

Fraudsters managed to access data at the UK mobile phone network provider Three. Eight customers were unlawfully upgraded to new devices that were stolen and sold by fraudsters. 133,827 accounts were breached. Three maintains that the primary purpose of the fraudsters was to steal upgraded phones rather than customer data. Read the rest of the article here.


Siri helps attackers bypass iPhone passcodes

Users with Siri enabled are vulnerable to a passcode bypass. Physical access is required to the device and they need to know your phone number. Discovering the number can be achieved by holding down the iPhone button and asking “Who Am I?” to which Siri helpfully responds. Now an attacker is only a few steps away from accessing contact details, photographs and messages. Read the rest of the article here.


To subscribe to receive the ‘Cyber Threat Update’ directly to your inbox every week, please click here.

Drive My Information Security Car

Maintaining your vehicle

Modern day information security can be likened to vehicle maintenance; with a business being the vehicle and the various lubricants and fluids being the different forms of data and regulations. The Payment Card Industry Data Security Standard (PCI DSS), is just one example of these data types.

Figure 1: VW Beetle Cutaway

What happens if these different types of data are not maintained?

A simple ball exercise: the different coloured balls represent different types of data, and the people represent the different processes required to move this data around a business. No rules = ANARCHY!

Figure 2: Data Flow exercise (Red=PCI; Blue=PII, etc.)

Okay, so PCI DSS v3.2 is much like your annual MOT (roadworthiness) test, with specific terminology for their testing criteria, for example:

1.1.1.a Examine documented procedures to verify there is a formal process for testing and approval of all:

• Network connections
• Changes to firewall and router configurations

Identify the document(s) reviewed to verify procedures define the formal processes for:

• Testing and approval of all network connections
• Testing and approval of all changes to firewall and router configurations

This is all somewhat confusing…

It is a given that most QSAs would expect every organisation that processes, stores or transmits cardholder data (or whose activities might impact it) to fully understand the intent of all these specific controls.

The Information Security Consultancy (ISC) team at Nettitude, however, takes a slightly different viewpoint and understands that not all companies can afford to employ the expertise of a master mechanic; some may have more inexperienced apprentices running their information security departments. No matter their expertise, the thing these information security professionals have in common is that ‘want’ to do their jobs to the best of their abilities and to ensure that the environments they support are as secure as possible.

Hence, Nettitude’s ISC team has been forged from members with wide-ranging skills and experience who also share a commonality:

“To meet and maintain a minimum standard of skills, experience and expertise, and to pursue excellence as standard”

In order to achieve these goals, the team is consistently scouring the web, white papers, industry standards and more to ensure that all of our knowledge is current and accurate. As a result, we are able to impart this knowledge and provide myriad supporting references, enabling our clients to attempt to safely service and maintain their own motor vehicles. More importantly, clients are empowered with the knowledge and can deal with regulators, auditors and their banks with confidence.

Creating your own service manual

Much like the motor industry today, there are resources available to assist you in creating your own ‘Haynes Manual’. For example, if I needed to create a chapter in support of 1.1.1.a, where might someone look?

Figure 3: VW Beetle Haynes Manual

How about in para 5.3, page 5-6, of NIST SP 800 ‘Guidelines on Firewalls and Firewall Policy’?

“5.3 Test
New firewalls should be tested and evaluated before deployment to ensure that they are working properly. Testing should be completed on a test network without connectivity to the production network. This test network should attempt to replicate the production network as faithfully as possible, including the network topology and network traffic that would travel through the firewall. Aspects of the solution to evaluate include the following:”

How easy might it be to turn that paragraph into a policy statement, just through the use of the words MUST or SHALL?

Remember, PCI DSS is designed to provide a minimum baseline (defense in depth) for the protection of your card payment (or supporting) operations and uses industry guidance, such as NIST.

Conclusion

If you are struggling to understand the specifics of PCI DSS v3.2 (brake fluid) and how to effectively and efficiently maintain it within your company (VW Beetle, Porsche 911, etc.), why not have a professional come in and give your vehicle a well-earned service, by seasoned professionals?

Imagine the scene:

“You’re driving down the highway, at 70 mph, and you see the traffic in front is stopped. You apply the brake and NOTHING HAPPENS! At the time you need the brake fluid to operate as it is intended, it has been contaminated (integrity) or the brake reservoir is empty (availability)”.

It may turn out to be one of your best information security investments of 2017.

Authored by Jim Seaman, CISM, CRISC, QSA – Security Consultants Team Lead, Nettitude.
