7Security welcomes a new Qualified Security Assessor

At 7Security, we believe every success should be celebrated – from completing yet another successful project or hearing good news from our clients… to, in this case, having the pleasure of calling one of our colleagues a Qualified Security Assessor for the first time!

Yasen Georgiev, who joined us earlier this year as Information Security Auditor, recently added the QSA title under his belt, and we cannot be happier for him. Yasen is now officially part of our QSA team and will be working closely with fintechs, helping them maintain their PCI DSS compliance.

PCI DSS is a unique standard’, shared Yasen, ‘it’s not fully technical; there are many controls related to people – the way employees implement and follow their security policies. I find the human factor here very intriguing. What also thrills me is not just assessing a company’s compliance with the standard but seeing various architectures and solutions in the process. I especially enjoy the consulting part of my role – sharing my know-how and providing support where needed. It’s great to offer the client an angle they haven’t thought about that ends up saving them costs and effort in managing their PCI environment. It’s my personal contribution to the fintech industry.’

‘I can’t say becoming a QSA was an easy journey’, added Yasen, ‘It had its challenges, but throughout the whole process, I felt supported by my colleagues at 7Security, and I learned a lot from them and the PCI Council training. At 7Security, we are adept in cloud technologies and the ways they simplify compliance, especially for startups who are going through their first PCI DSS. I feel lucky to be working next to people with such vast experience and interests in modern cloud solutions. Here, I can put my skills to good use, but I am also challenged daily to learn and grow.’

We wish Yasen many exciting projects. We are confident we will have plenty of occasions to share more success stories about him in the future.

NEXT DIFI 2021: an overview

The last few weeks I’ve been busy with the various in-person events I attended (first Money20, then DigiPay2021), but I’m not complaining.  It’s energizing to speak in front of a live audience, while also reaching people online. On the 8th of October, I participated in Next Difi 2021, a hybrid event, dedicated to banking and fintech innovation, digital finance, cybersecurity, blockchain, and more.

I had the pleasure to moderate the Banking and fintech innovation, and cyber security and risk management panel. I enjoyed intriguing discussions with members of DSK, Acronis, and Sirma Business Consulting. They shared exciting insights, so make sure you watch the recording (link below 😉 ).

next-difi-2021-moderating
Moderating a panel with DSK, Acronis, and Sirma Business Consulting

I also participated in the Innovative Technologies, New Players, and Transformed Business Models panel, where I gave a presentation on Card Payments Security Standards. In particular, I discussed the PCI DSS, 3DS, and PIN security standards. I shared an overview of what they are, who needs them, and what common misconceptions most people have about them.

A big ‘thank you’ to b2b Media for organizing the event and for inviting me to participate. See you again on the Fifth Edition!

A full recording of Next Difi 2021 can be found here:

Author: Pavel Kaminsky, CEO of 7Security

DigiPay 2021 – Recap with Pavel Kaminsky

Digipay2021
Picture: Digi Pay 2021

It’s confirmed: live events are slowly making their long-awaited comeback, and they have become so much better! Just a few weeks ago, we attended Money20/20, where we were hyped to see our fintech friends in person and to find many new ones.

To give a flying start to October, we also attended DigiPay Conference 2021 on the Ist of the month. DigiPay is the event when it comes to secure and convenient digital payments in Bulgaria, and was packed with professionals from the payment and banking sector, who brought us up to speed with the newest fraud and security trends in digital payments.

To begin with, the audience enjoyed a valuable panel on Open Banking, where banks and fintech companies discussed the challenges they meet in its face, the new solutions it presents, and the extent to which the payment sector is, or is not, utilizing the new opportunities.

Speakers then discussed digital payments in regards to identification and customer journey, where we observed valuable insights and statistics, as well as exciting innovations to look out for.

To get a more elaborate overview of the Real Time Fraud Prevention panel and the related Live Demonstrations panel, I sat down with their moderator – our CEO and Founder, Pavel Kaminsky.

DigiPay Pavel KaminskyPavel, overall, how did you find the organization of the event and the topics discussed?

I think it went great. We had around 100 people attending in person, and around 200 joining online. The panels were organized in a logical way, with enough time for discussion and for the audience to participate and ask questions. I noticed the panels are getting more exciting compared to previous years – the audience is more involved, the professionals – more detailed, and the issues raised – truly relevant. The moderators were handling things well and contributed to the discussions. Catching up with friends in-between panels was also awesome.

What about the panel you moderated?

It was the best one : )

Haha, no doubt there. Care to elaborate, though? Could you tell the readers more about the topics that were discussed?

Sure. I moderated Real Time Fraud Prevention panel. We had six speakers, who had prepared strong presentations that I observed with interest. We saw the newest trends in cybercrime when it comes to online payments, including the ways cybercriminals are bypassing the 3D password, which was added as a multi-factor authentication scheme, but is already exploited by cybercriminals.

Speakers then discussed how difficult it is to combat fraud in real time transactions, as instant payments = instant fraud, and how trying to prevent all fraud types and tools is an unrealistic approach. Instead, being able to adapt to current threats, adopting flexible case management, not relying solely on AI, and focusing on threats most relevant to one’s organization proves to be a much wiser strategy according to our speakers.

I was curious to also see a seminar, demonstrating a bank-level payment security program, which not only focuses on compliance and software but also on training employees and constantly testing their knowledge in practical ways. Such dedication to security is very impressive.

Towards the end of the panel, the audience found out how DeFi can be a more secure payment solution, mostly because there’s no centralized control, therefore no opportunity for human error. At the same time, we were reminded we shouldn’t see DeFi as 100% safe. Unfortunately, there are exploitation risks involved, that shouldn’t be underestimated.

To finish off, the panel concluded with a blockchain talk, discussing how blockchain solves many cybersecurity issues, but it presents new ones, and we already have examples of scams. This summarized the panel nicely – we concluded that there are no perfect solutions to solve all security issues, and while blockchain and other innovations can greatly reduce risk, it is never eliminated.

After that, I moderated a second panel with live demonstrations, where speakers gave the audience a live show for fraud prevention and showed them current trends in phishing attacks.

That was a nice summary, thank you. Besides the lack of a magical pill for payment security fraud, I noticed another ongoing theme that came up in all the talks – the human factor.

Yes, absolutely. All security and fraud prevention experts highlighted that we shouldn’t forget that on both ends of technology we have a human being. Compliance with established security standards and investing in good software solutions are important. However, focusing solely on getting more certificates and buying the most expensive product will not prevent your employee from making a costly mistake, or your customer from clicking on a fraudulent link.

Cybercriminals have realized for a long time now that trying to attack an organization is not easy, but attacking its customers often is. What came up over and over again throughout the panel is that many fintechs and banks fail to educate their employees and customers on how to recognize and report fraud, and how to carry out safe digital transactions.

As I mentioned, I was impressed by the dedication of some of the speakers, who presented us with the ways they keep their employees educated on cybersecurity. Unfortunately, overall I rarely see an organization that really focuses on the human factor when creating a security program. I sincerely hope the panel raised awareness on that.

Correct me if I’m wrong – this is a topic you have been discussing for a while now?

Yes, and I was glad it came up during the panel, because underestimating the human factor is a serious flaw of most payment organizations, and it’s vital to talk about it more. I’m more than happy to help all my clients achieve compliance with PCI DSS and consult them on how to follow the requirements, but it’s no less important for them to teach their users not to click on suspicious links and recognize and report fraud.

Indeed! Any final remarks?

I’d like to say thanks to Raya Lecheva – the main person to ‘blame’ for DigiPay, along with all the organizers and participants who made it happen. Being able to meet in person, discuss, network, and simply communicate with such inspirational professionals within our industry, was invaluable. I’m already looking forward to DigiPay 2022, bigger and better.

Author: Tanya Klyasova, Payment Security Enthusiast at 7Security

Protecting Telephone-Based Payment Card Data

For those businesses that deal with card data through mail order/telephone order (MOTO) transactions, particularly those conducting sales over the telephone, including the ones using VoIP solutions, The PCI Security Standards Council has come up with an update to the Information Supplement: Protecting Telephone-Based Payment Card Data in order to help these businesses secure card data in a manner that is consistent with PCI DSS.

This update emerges after over seven and a half years since the original document came into play in March 2011. It is definitely an improvement on the progenitor, inasmuch as it provides detail where said progenitor didn’t. And rightly so. Although, technically speaking, not much has changed and VoIP still runs over UDP, these days we are witnessing a new, tighter integration of these systems with everything else. Including but not limited to CRMs, billing, mailing, customer reward schemes, customer behavior tracking systems, etc.

WHY DOES IT MATTER?

It matters because these systems may have some sort of access to card data. Or, simply because when PCI DSS says your VoIP is in scope, you need to look at all these other systems that are connected to the network or can impact the security of the CDE, scratch your head, and think of magic words, such as “segmentation”.

HOW IS VoIP A CHANNEL FOR ATTACK VECTORS?

Well, it is an unlikely channel, or rather, not overtly popular yet, but a channel nevertheless. UDP provides a nice stateless connection that can be (and is) used to disguise malicious code in streaming sessions. The reason we don’t hear much about these types of attacks is they probably just haven’t gained speed yet, or even worse, businesses are simply not aware they are happening.

Telephone systems touching card data have always been required to be in the scope of PCI DSS. Up until now, they have largely been neglected or avoided altogether.  In light of all we said so far, it is evident this needs to change. There are a number of pointers in the guide that are prone to raise an eyebrow, seemingly because they would ask the business to bear the brunt of some more stringent and resource-consuming alterations to technology, people, and process in their organizations.

Yet, with telephony systems in scope of PCI DSS, now more than ever, and the new detail provided in the November 2018 release of Supplement, owners and QSAs alike are faced with the need to come up with clever and doable ways to segment their VoIP systems, where possible, so they comply with PCI DSS without it costing them an arm and a leg.

What is Penetration Testing?

In the world of information security, Penetration Testing is the practice of checking and testing the organization’s network, servers, and services for possible loopholes and vulnerabilities that an attacker may exploit.

Penetration testers are called white hats. They perform hacking in ethical ways, without causing any damage to the computer system, thereby increasing the security perimeter of your organization.

WHY IS PENETRATION TESTING NECESSARY?

Penetration Testing is required because it helps you highlight the flaws related to hardware and software system design and operation, and quite importantly, personnel readiness. Early identification helps protect the network. If the vulnerabilities aren’t identified early, then they become an easy intrusion point for the attacker.

HACKING VS PENETRATION TESTING (ETHICAL HACKING)

Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to the system resources. It involves modifying a system’s or an application’s features to achieve a goal outside of the creator’s original purpose.

Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities so as to ensure system security. It focuses on simulating techniques used by attackers to verify the existence of exploitable vulnerabilities in system security.

THE BUSINESS CASE

Penetration testing will make sense if you want to achieve the following goals:

  • identify the threats facing an organization’s information assets;
  • reduce the organization’s IT security costs and provide a better Return On Security Investment (ROI);
  • provide the organization with assurance: a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation;
  • gain and maintain certification to an industry regulation;
  • adopt best practices by conforming to legal and industry regulations;
  • test and validate the efficiency of security protections and controls. May lead to changing or upgrading the existing infrastructure of software, hardware, or network design;
  • evaluate the efficiency of network security devices such as firewalls, routers, and web servers;
  • focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management;
  • provide a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.

PENETRATION TEST TYPES

Network Services Test: One of the most common types of penetration tests. Involves finding target systems on the corporate network, searching for openings in their base operating systems and available network services, and exploiting them. Some of these tests take place remotely across the Internet, targeting the organization’s perimeter networks. Others are launched locally, from the target’s own business facilities, to assess the security of their internal network or the DMZ from within, seeking the kinds of vulnerabilities an internal user could find.

Web Application Test: Looks for security vulnerabilities in web-based applications and/or programs deployed and installed, operational, and running on target environment and resources.

Wireless Security Test: Involves discovering a target’s physical environment, searching for unauthorized wireless access points, or authorized wireless access points that have security weaknesses or other issues.

Social Engineering Test: Attempts to get a user to reveal sensitive information, such as a password or any other sensitive data. These tests are quite often conducted over the phone, targeting selected help desks, users or employees, evaluating processes, procedures, and user awareness and reaction readiness.

HOW IS IT DONE?

During penetration testing, a pentester analyzes all security measures currently employed by the organization, searching for any design weaknesses, technical flaws, and other critical or predefined by the organization’s decision-makers vulnerabilities. There are three classic ways penetration testing is performed:

  • Black Box testing – simulates an attack from someone who is unfamiliar with the system, establishing externally “available” backdoors or other perimeter-breach opportunities.
  • Grey Box testing – simulates an attacker that has partial knowledge about the system.
  • White Box testing – simulates an attacker that has knowledge about the system.

Once all the tests are conducted, the pen tester prepares a comprehensive report that includes:

  • tests conducted;
  • test results;
  • testing methodology;
  • all vulnerabilities found;
  • respective countermeasures.

Finally, the pentester delivers the report to the executive, management, technical, and all other authorized audiences.

Besides standard scenarios based on the type of Pentesting (white box, gray box, black box) and territory (network, application, wi-fi, etc.), it is good to engage in developing and implementing scenarios that are most relevant to your environment and in accordance with your specific information risks. For example, the concept can be changed to reflect the possible behavior of a particular type of perpetrator that is important to you, taking into account various starting points:

  • Externally located person: has no initial knowledge of your infrastructure. They start by going to the coffee shop next to your office, and commence hacking…
  • Your own employee: usually receives standard pre-configured IT tools (laptop, tablet, phone, etc.) and human access – email, corporate portal, etc. Testing can show you how far such person can go with these tools and what possible damage they can inflict.
  • Your business partner: has access to your ERP system, service provisioning team, etc. Again, testing will evaluate how much this person can roam around and beyond their authorized access, and what they can inflict.
  • Any other starting point that is important to you in relation to your business operations.

For each starting point, your testing vendor should be able to, on your command, apply all types and variations of pentesting.

PROCESS OF PENETRATION TESTING

The course of Penetration testing involves defining the Scope, signing an Agreement, and working on Recommendations.

ESTABLISH SCOPE

Determine which critical systems are to be tested and prepared for mitigation under an attack scenario. The scope can be determined by an external certification or compliance requirement (PCI DSS, for example), or simply by what management has chosen in order to achieve adequate security assessment.

 

SIGN AGREEMENT

A formal expression of will and agreement to proceed with testing under the determined scope, timing, and method. This is followed by a comprehensive report on the risks facing information systems that provides the necessary insight and guidance to secure operations.

 

RECEIVE REPORT

 

In order to proceed to the next step, you should review the report that contains test results and proposed recommendations, filter through risk management mechanisms and follow up with appropriate governance or integration endeavors.