Tuesday, September 26, 2017

Tag: Digital Signature Standard

The latest Verizon Payment Security Report finds that while overall compliance with PCI DSS is improving, gaps still remain.
Verizon's 2017 Payment Security Report provides insight into the current state of PCI-DSS compliance and how it relates to data breaches.
A Verizon report highlights that more organizations are compliant with PCI DSS, but companies still struggle with security controls.
The Host Identity Protocol-based Identity-Defined Network approach gets additional capabilities to help enable PCI DSS compliance.
FARNBOROUGH – 9 May 2017 – Datum Datacentres, the Farnborough-based provider of ultra-secure, high-resilience co-location data centres, today announced that it has achieved ISO 14001:2015 for Environmental Management for the provision of data centre space and supporting services. ISO 14001:2015 builds on Datum’s existing ISO accreditations: 27001:2013 (information security), 50001 (energy) and 9001 (quality).

These certificates along with PCI DSS compliance, EU Code of Conduct for Data Centres and DCA certification as a... Source: RealWire
HotDocs, the global leader in document automation software, has today announced its partnership with Codec-dss, a provider of enterprise-scale applications and infrastructure that has served the Irish market for more than 30 years. This new partnership agreement will provide Codec-dss clients with HotDocs’ industry-leading document automation technology, which enables enhanced compliance, minimised risk, improved quality and increased operational efficiency in the production of business-critical documentation. Steve Spratt, Chief Operating Officer at HotDocs, said: “We are... Source: RealWire
Odds are, software (or virtual) containers are in use right now somewhere within your organization, probably by isolated developers or development teams to rapidly create new applications.

They might even be running in production. Unfortunately, many security teams don’t yet understand the security implications of containers or know if they are running in their companies. In a nutshell, Linux container technologies such as Docker and CoreOS Rkt virtualize applications instead of entire servers.

Containers are superlightweight compared with virtual machines, with no need for replicating the guest operating system.

They are flexible, scalable, and easy to use, and they can pack a lot more applications into a given physical infrastructure than is possible with VMs.

And because they share the host operating system, rather than relying on a guest OS, containers can be spun up instantly (in seconds versus the minutes VMs require). A June 2016 report from the Cloud Foundry Foundation surveyed 711 companies about their use of containers. More than half had either deployed or were in the process of evaluating containers. Of those, 16 percent have already mainstreamed the use of containers, with 64 percent expecting to do so within the next year.
If security teams want to seize the opportunity (borrowing a devops term) to “shift security to the left,” they need to identify and involve themselves in container initiatives now. Developers and devops teams have embraced containers because they align with the devops philosophy of agile, continuous application delivery. However, as is the case with any new technology, containers also introduce new and unique security challenges.

These include the following:

  • Inflow of vulnerable source code: Because containers are open source, images created by an organization’s developers are often updated, then stored and used as necessary. This creates an endless stream of uncontrolled code that may harbor vulnerabilities or unexpected behaviors.
  • Large attack surface: In a given environment, there would be many more containers than there would be applications, VMs, databases, or any other object that requires protecting. The large numbers of containers running on multiple machines, whether on premises or in the cloud, make it difficult to track what’s going on or to detect anomalies through the noise.
  • Lack of visibility: Containers are run by a container engine, such as Docker or Rkt, that interfaces with the Linux kernel. This creates another layer of abstraction that can mask the activity of specific containers or what specific users are doing within the containers.
  • Devops speed: The pace of change is such that containers typically have a lifespan four times shorter than that of VMs, on average. Containers can be executed in an instant, run for a few minutes, then stopped and removed. This ephemerality makes it possible to launch attacks and disappear quickly, with no need to install anything.
  • “Noisy neighbor” containers: A container might behave in a way that effectively creates a DoS attack on other containers. For example, opening sockets repeatedly will quickly bring the entire host machine to a crawl and eventually cause it to freeze up.
  • Container breakout to the host: Containers might run as a root user, making it possible to use privilege escalation to break the “containment” and access the host’s operating system.
  • “East-west” network attacks: A jeopardized container can be leveraged to launch attacks across the network, especially if its outbound network connections and ability to run with raw sockets were not properly restricted.

The best practices for securing container environments are not only about hardening containers or the servers they run on after the fact.

They’re focused on securing the entire environment.
Security must be considered from the moment container images are pulled from a registry to when the containers are spun down from a runtime or production environment.

Given that containers are often deployed at devops speed as part of a CI/CD framework, the more you can automate, the better. With that in mind, I present this list of best practices. Many of them are not unique to containers, but if they are “baked” into the devops process now, they will have a much greater impact on the security posture of containerized applications than if they are “bolted” on after the fact.

  • Implement a comprehensive vulnerability management program. Vulnerability management goes way beyond scanning images when they are first downloaded from a registry. Containers can easily pass through the development cycle with access controls or other policies that are too loose, resulting in corruption that causes the application to break down or leading to compromise in runtime. A rigorous vulnerability management program is a proactive initiative with multiple checks from “cradle to grave,” triggered automatically and used as gates between the dev, test, staging, and production environments.
  • Ensure that only approved images are used in your environment. An effective way of reducing the attack surface and preventing developers from making critical security mistakes is to control the inflow of container images into your development environment. This means using only approved private registries and approved images and versions. For example, you might sanction a single Linux distro as a base image, preferably one that is lean (Alpine or CoreOS rather than Ubuntu) to minimize the surface for potential attacks.
  • Implement proactive integrity checks throughout the lifecycle. Part of managing security throughout the container lifecycle is to ensure the integrity of the container images in the registry and enforce controls as they are altered or deployed into production. Image signing or fingerprinting can be used to provide a chain of custody that allows you to verify the integrity of the containers.
  • Enforce least privileges in runtime. This is a basic security best practice that applies equally in the world of containers. When a vulnerability is exploited, it generally provides the attacker with access and privileges equal to those of the application or process that has been compromised. Ensuring that containers operate with the least privileges and access required to get the job done reduces your exposure to risk.
  • Whitelist files and executables that the container is allowed to access or run. It’s a lot easier to manage a whitelist when it is implemented from the get-go. A whitelist provides a measure of control and manageability as you learn what files and executables are required for the application to function correctly, and it allows you to maintain a more stable and reliable environment. Limiting containers so that they can access or run only pre-approved or whitelisted files and executables is a powerful method to mitigate risk. It not only reduces the attack surface, but also can be employed to provide a baseline for anomalies and prevent the “noisy neighbor” and container breakout scenarios described above.
  • Enforce network segmentation on running containers. Maintain network segmentation (or “nano-segmentation”) to segregate clusters or zones of containers by application or workload. In addition to being a highly effective best practice, network segmentation is a must-have for container-based applications that are subject to PCI DSS. It also serves as a safeguard against “east-west” attacks.
  • Actively monitor container activity and user access. As with any IT environment, you should consistently monitor activity and user access to your container ecosystem to quickly identify any suspicious or malicious activity.
  • Log all administrative user access to containers for auditing. While strong user access controls can restrict privileges for the majority of people who interact with containers, administrators are in a class by themselves. Logging administrative access to your container ecosystem, container registry, and container images is a good security practice and a common-sense control. It will provide the forensic evidence needed in the case of a breach, as well as a clear audit trail if needed to demonstrate compliance.

Much of the notion of “baking security into IT processes” relates to automating preventive processes from the onset.
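One way to turn the “only approved images” and “least privileges” practices above into an automated gate in the CI/CD pipeline, as an added example that is not part of the article: a small Dockerfile policy check that rejects images not pulled from the approved private registry, not built on the sanctioned lean base, not pinned to a version or digest, or left running as root. The registry name, the approved base list and the sample Dockerfiles are constructed assumptions.

```python
"""Dockerfile admission gate (added example; policy values are constructed)."""

# Constructed policy: one private registry, one lean approved base distro.
APPROVED_REGISTRY = "registry.example.internal"   # assumption
APPROVED_BASES = {"alpine"}                        # assumption


def parse_image_ref(ref):
    """Split 'registry/repo:tag@digest' into (registry, repo, tag, digest).
    Parts that are absent come back as None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = None
    first, _, rest = ref.partition("/")
    # The first path segment is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    repo, _, tag = ref.partition(":")
    return registry, repo, tag or None, digest


def check_dockerfile(text):
    """Return a list of policy findings; an empty list means the image passes."""
    findings = []
    user = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            ref = args.split()[0]                 # ignore 'AS builder' stage names
            if ref.lower() == "scratch":
                continue
            registry, repo, tag, digest = parse_image_ref(ref)
            if registry != APPROVED_REGISTRY:
                findings.append(f"FROM {ref}: not from the approved registry")
            if repo.rsplit("/", 1)[-1] not in APPROVED_BASES:
                findings.append(f"FROM {ref}: base image not on the approved list")
            if digest is None and (tag is None or tag == "latest"):
                findings.append(f"FROM {ref}: not pinned to a version or digest")
        elif instr == "USER":
            user = args.strip()
    # Least privilege: the final process must not run as root.
    if user is None or user in ("root", "0"):
        findings.append("container runs as root: add a non-root USER instruction")
    return findings


# Constructed sample Dockerfiles: one compliant, one that should be rejected.
GOOD_DOCKERFILE = "FROM registry.example.internal/base/alpine:3.6\nRUN apk add --no-cache curl\nUSER app\n"
BAD_DOCKERFILE = "FROM ubuntu:latest\nRUN apt-get update\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        print(name, check_dockerfile(text) or "PASS")
```

In a pipeline the check runs before the image is pushed to the test or staging registry, so an image that fails never reaches a later stage.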

Getting aggressive about container security now can allow for containerized applications to be inherently more secure than their predecessors. However, given that containers will be deployed ephemerally and in large numbers, active detection and response -- essential to any security program -- will be critical for containerized environments.

Container runtime environments will need to be monitored at all times, for anomalies, suspected breaches, and compliance purposes. Although there’s a growing body of knowledge about container security in the public domain, it’s important to note that we’re still in the early stages.

As we discover new container-specific vulnerabilities (or new-old ones such as Dirty COW), and as we make the inevitable mistakes (like the configuration error in Vine’s Docker registry that allowed a security researcher to access Vine's source code), best practices are sure to evolve. The good news, as far as container adoption goes, is it’s still early enough to automate strong security controls into container environments.

The not-so-good news is security teams need to know about container initiatives early enough to make that happen, and more often than not they don’t.

To realize the potential security improvements that can be achieved in the transition to container-based application development, that needs to change ... soon.

Educating yourself about containers and the security implications of using them is a good start.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth.

The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers.
InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content.
Send all inquiries to newtechforum@infoworld.com.
Shamoon, a piece of malware that tries to turn infected computers into unusable bricks, is back. Earlier this month, a number of cybersecurity firms reported that hackers had used the malware against thousands of computers in Saudi Arabia's civil aviation agency and other government bodies. According to Bloomberg, the attacks, like previous ones involving Shamoon, seemingly originated from Iran.

Now, the Defense Security Service (DSS), part of the US Department of Defense, has issued a bulletin to cleared contractors warning them of the threat. “Between 2 and 7 December 2016, DSS was given information from another government agency regarding Indicators of Compromise (IOC) associated with a Shamoon malware variant and may be used in computer network exploitation attempts,” the bulletin, distributed on Thursday and obtained by Motherboard, reads. It does not specify the government agency that provided the information.

These bulletins are sent to contractors to alert them to threats from foreign intelligence entities (FIEs), and in particular, FIEs' infrastructure, malware, tactics, techniques or procedures. “This information is being shared by DSS in order to enable potential targets of possible espionage activity to detect, disrupt or deny FIE's exploitation of cleared contractor information systems, networks or personnel,” it reads.

In 2012, the “Cutting Sword of Justice,” a suspected Iranian hacking group, used Shamoon to aggressively wipe tens of thousands of computers belonging to Saudi Aramco, the state-owned oil company of Saudi Arabia. In the wake of the attack, Aramco had to take itself entirely offline. “No emails, no phones, nothing,” Chris Kubecka, a consultant who worked with Aramco, told an audience at the Black Hat hacking conference last year. The hackers also replaced emails and documents with a picture of a burning American flag, according to The Register.

The new version of Shamoon, however, displays a picture of Alan Kurdi, the 3-year-old Syrian boy who drowned while trying to cross from Turkey to Greece, according to a report from security company Symantec. Neither the FBI nor the Department of Defense provided comment in time for publication, and the NSA did not respond to a request for comment.

New deals for UK payment technology provider include multi-million dollar contract with Fortune 500 insurer

Guildford, UK – December 7 2016 – Semafone, which provides secure payment software for call centres, has reported three new client wins in North America worth $7.5 million, only six months after opening its headquarters in Boston.

The company’s substantial investment in its North American operations has contributed significantly to Semafone’s 30 per cent growth in its customer base worldwide.

The new US customer deals include:

  • A Fortune 500 insurance company, which will use Semafone’s solution to shield payment card information from agents and recordings, maintain regulatory compliance and minimise the risk of data breaches.
  • One of the most recognisable retail brands in the US. This company will work with Semafone to simplify PCI DSS compliance and help its call centres provide a better customer experience.
  • A large US telecommunications service provider, which Semafone will help to reduce the scope of PCI compliance in two of its call centres.

“This past year has been one of remarkable growth for the business,” said Tim Critchley, Semafone CEO. “Opening our North American headquarters and hiring high-calibre people has given us the foundation to extend our reach to some of the largest and most respected US companies within the insurance, communications and retail spaces.

“We look forward to continued success in 2017 as we help companies secure their call centres, fight fraud, maintain a positive brand reputation and keep customers’ most sensitive data safe.”

In addition to significant customer deals across the globe, Semafone has also formed strategic partnerships with other leading call centre solution providers, including BT Wholesale and Secure Co, to support a growing roster of worldwide clients.

In another testament to Semafone’s successful year in North America, the company won three 2016 CNP Awards, recognising its market-leading patented payment method for call centres.

Semafone recently expanded its global accreditations by gaining Level 1 Service Provider Status against v3.2 of the PCI DSS in North America.

Already a Level 1 Service Provider in Europe, a Visa (Europe) Merchant Agent and a global ISO 27001 company, Semafone attained this accreditation to mirror and extend current and new services into North America.

This includes Semafone’s in-house development and existing Payment Application Data Security Standard (PA DSS) products.

As a result, customers can rapidly access unique enhancements and updates to Semafone’s products, created with the PCI standards in mind.

For more information about Semafone, please visit: www.semafone.com

About Semafone
Semafone believes in the phrase, “You can’t hack what you don’t hold.” The company’s patented payment method enables call centres to secure sensitive payment card data to comply with PCI DSS, while providing positive experiences for customers and agents alike.

By shielding callers’ payment card information and other PII from agents, and keeping sensitive data out of the call centre’s infrastructure, Semafone’s solution helps to minimize the risks associated with potentially brand-damaging data breaches and fraud.

Semafone has achieved the four leading security and payment accreditations: ISO 27001:2013, PA DSS certification for its payment solution, PCI DSS Level 1 Service Provider and is a Visa Level 1 Merchant Agent.

The company was founded in 2009 and serves a wide range of industry sectors including financial services, media, retail, utilities, travel and tourism and the public sector.

Customers include Sky, TalkTalk, AXA and Virgin Holidays. North American customers include Rogers Communications, Consolidated Communications, Aviva Canada, Aimia, Amica and TVG.

BT offers a hosted version of Semafone’s technology - BT Cloud Contact PCI. Major investors include Octopus Investments and BGF (Business Growth Fund).

###

For more information please contact:
Xanthe Vaughan Williams / Lisa Coutts
Fourth Day PR
Xanthe@fourthday.co.uk / lisa.coutts@fourthday.co.uk
020 7403 4411

According to the 2016 State of Compliance survey conducted by data management and integration provider Liaison Technologies, one-quarter of top executives are unclear who in their organization is responsible for compliance. And nearly half (47 percent) of respondents to the survey of 479 senior and C-level executives said they don't know which compliance standards apply to their organizations.

“As leaders in the compliance domain we thought it was important to share our findings on how U.S. companies perceive their regulatory obligations—and examine ways to help improve their compliance postures,” Hmong Vang, chief trust officer with Liaison, said in a statement. “What we found was rather concerning.”

Among other notable findings from the survey:

  • Just 3 percent of respondents said that PCI DSS applied to their organization, a number that Liaison says is "surprisingly small" because it is a security standard that "applies to all entities that store, process or transmit cardholder data."
  • 51 percent of respondents said they believe their data is secure in the cloud, a concern that was echoed in a recent survey by CSO's parent company IDG, in which 46 percent of respondents "said that they need to ensure that cloud service providers’ security meets their compliance requirements before moving ahead with deployments."
  • 85 percent of respondents said they do not feel their job security is at risk due to compliance issues. Liaison says this number shows gross underestimation of personal liability.

Register now to download the infographic from Liaison Technologies and learn more about the state of compliance.
The new Helix platform will become the core of FireEye's product offerings integrating intelligence and visibility tools that will help improve security operation. Security vendor FireEye announced its new Helix platform on November 29, in an effort t...