Filed under Digital Evidence, GPS by Todd Glassey on July 16, 2010 at 5:53 pm
For those following this matter, the filing of the petition for the amendment of the California Utility Code to reflect the digital evidence requirements is in. The docket number is P1007015 and we invite any and all responses.
The vision behind this effort is to bring evidence-competence to the California Utility Grid as a part of Critical Infrastructure Protection efforts in the State of California.
Orange County
While this ruling is initially specific to the County of Orange and its Appellate Court District, it also impacts any electronic messaging or energy controls which flow through this area as electronic media of any form.
Khaled, as a standard for the collection of surveillance data of any form, now creates a level of competence required of any and all data used in surveillance or control systems which would come to be used as part of a Court process, whether Civil or Criminal in nature. Khaled therefore has wide-sweeping impact: all systems and processes, including contract disputes and other civil matters which the Superior Court would come to resolve, or matters tried in Superior Courts as part of a State-led or locally led prosecution, must also meet this new “trustworthiness” standard.
The “I Said So” Evidence Model
The days when it was just blindly accepted that the systems worked as the man in the White Coat said they do are over. Proof, and reliable proof, is now needed for all digital capture systems or data control models which the courts will accept as factual, or at least as reviewable and authenticated to one level or another. Without it, the data is just that: unsupported and unprovable data.
It is Certichron’s intention to foster a better understanding of the need for forensic controls in all systems which are intended to create what we call “Intentional Evidence”, that which is pre-approved court-admissible content. The California Power Grid is the most granular place to enforce that and is the basis of a model which touches us all, and as such it is a very important part of upgrading the US and California Utility Grid infrastructure.
The Certichron CPUC filing can be seen at
Filed under Certichron, Hotel Surveillance by Todd Glassey on July 9, 2010 at 7:08 pm
Certichron and Relify Security announce the availability of Certichron’s SecureNTP services to Relify Security customers.
Certichron announces its partnership with Relify Security. Relify is a well established provider of commercial consulting and security review services for banking, credit union and other PCI-DSS type clients as well as other Financial Providers.
To quote Relify Security’s managing partner:
“Relify Security has recently launched a partnership to deliver what Relify believes is a pretty unique and needed service. It addresses a problem that we often don’t think about… Where do you get your time?”…
“Today the global evidence requirements create new levels of provable integrity that must be demonstrated continuously to meet today’s compliance requirements. For example, one of the primary goals of PCI DSS 10.4 is to ensure a strong and reliable evidence model that can be used to prove the timing of transactions. In most instances log management or SIEM vendors will not tell you if the time on your critical devices is out of sync. Even though every record they process has a time stamp, they do not analyze this data to identify anomalies, because most of the detailed time stamps are unreliable or inconsistent.”
“However, accuracy is not the only attribute you should be concerned with when it comes to time, especially in the commercial context. Time needs to be reliable and always available. Your time source is like any other third party that provides critical services to your organization. Time distributed over NTP without other controls is not provable and is subject to any number of attacks that make it impossible to rely on NTP as a control resource.”
Relify Security has partnered with Certichron to deliver SecureNTP time cloud services. SecureNTP is a NIST (UTC) service provided from Certichron and Relify Security operations centers acting as a Trusted Digital Intermediary. The SecureNTP delivery service is based on a fully integrated suite of NTP, logging, packet filtration and log-event validation services, and the related system and network integrity tools needed to create a complete evidence model in the sourcing, transfer and tracking of time.
“SecureNTP provides one time source for all uses: What this means is that there is one time source for everything finally — from Building, Power, Security, IT Operations and at last uniform evidence across the entire entity. In most cases SecureNTP requires no installation of hardware or software, since your business is likely already running the NTP protocol. Once you have registered with Certichron, it only takes a few minor configuration changes and installation of the digital key, along with setting up audit logging and key management practices.”
Mike Pearson, CISSP
Managing Partner
For more information contact Relify Security, LLC
O/F: 866.897.6900
M: 813.523.0151
www.relifysecurity.com
Reliable and Verifiable Advanced Security Solutions
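The point in the quote above that log management tools rarely flag a device whose clock is out of sync is easy to check yourself. The following is an added example, not Relify’s or Certichron’s code: it assumes a collector that prefixes each record with its own receive time (a constructed layout) and reports devices whose own timestamps disagree with the collector beyond a tolerance.

```python
from datetime import datetime, timezone

# Constructed sample, not real device output. Assumed layout (one record per line):
#   <collector receive time> <host> <timestamp written by the device> <message>
SAMPLE_LOG = """\
2010-01-03T12:00:00Z fw-edge 2010-01-03T12:00:00Z accept tcp 10.0.0.5:443
2010-01-03T12:00:01Z fw-edge 2010-01-03T12:00:01Z accept tcp 10.0.0.6:443
2010-01-03T12:00:02Z pos-term-7 2010-01-03T11:57:41Z txn approved ref=constructed-1
2010-01-03T12:00:03Z db-cde 2010-01-03T12:00:03Z login ok user=app
2010-01-03T12:00:04Z pos-term-7 2010-01-03T11:57:43Z txn approved ref=constructed-2
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def skew_per_host(log_text):
    """Largest absolute difference, in seconds, between each device's own clock
    and the collector's clock, keyed by host name."""
    skews = {}
    for line in log_text.splitlines():
        received, host, device_ts, _message = line.split(" ", 3)
        delta = abs((parse_ts(device_ts) - parse_ts(received)).total_seconds())
        skews[host] = max(skews.get(host, 0.0), delta)
    return skews

def drifted_hosts(log_text, tolerance_s=1.0):
    """Hosts whose clock disagrees with the collector by more than the tolerance.
    The tolerance must exceed normal transit delay; records from these hosts
    cannot be placed reliably in a transaction timeline until the clock is fixed,
    and the drift itself is an event worth logging for the 10.4 audit trail."""
    return sorted(host for host, skew in skew_per_host(log_text).items()
                  if skew > tolerance_s)
```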
Filed under CTO's Blog, PCI DSS by Todd Glassey on February 10, 2010 at 10:46 am
PCI DSS 1.2 is revised to 1.2.1
Last Summer the PCI DSS 1.2.1 was released, and it specified that each key service in an infrastructure must have its own server, which for Microsoft Operating Environments means they need to dedicate an AD PDCe (a “Primary Domain Controller Emulator”, which used to be called Secondary Domain Controllers).
Notice also that the 1.2.1 version actually requires each key server providing Trust Services to the CDE (Card Data Environment) to be run from its own system, meaning that each system has a provable set of controls and operating constraints within the larger merchant or processing/banking service operations.
Time Services are a part of trust services
Time Services are part of this, and we think this is a great step forward for the PCI SSC in its recognition that time, as a component of the transaction chain, is as important as privacy-controlled information, from the aspect of being able to prove the event properly.
Our business is evidence
Certichron’s focus is this evidence, and the ability to build reliable evidence of ephemeral acts in a cost-effective manner is the basis of our time-evidence service. Contact Sales@Certichron.COM or call us at 800-511-2301 for more information on building your own evidence-centric time management practice to offset or mitigate risks in your IT operations today!
Filed under PCI DSS by Todd Glassey on January 28, 2010 at 1:07 pm
PCI DSS 10.4 Compliance Services
The PCI DSS 10.4 compliance mandates the use of NTP, the Network Time Protocol, for synchronizing all of the systems used in commerce by those whom the PCI DSS standards affect. Certichron’s regionally deployed time-service centers address this and enable the use of the same source of time uniformly across the US.
Meeting the DSS 10.4.a Requirements
The PCI DSS 10.4.a requires the merchant or processor to use a reliable source of time. The definition of ‘reliable source of time’ is quite simply ‘one that is audited to the same standards’ as the party relying on it. That means the only online sources of time which are qualified are those which can meet the NIST calibration standards, from parties who are fully secured and audited.
Certichron’s operations are audited to the same standards as Merchants are, meaning that time data from Certichron meets the operational requirement for a commercial provider to rely on.
Merchants use commercial DNS services because of their need for security and auditability. Time from anything less than an equally qualified source would violate that same rule. As such, time must come from an accountable source, of which Certichron is certainly one of the best today!
Meeting the DSS 10.4.b Requirements
The PCI DSS 10.4.b requires the merchant to use a competent NTP operations model, meaning the definition of the time-service practice, its reliability processes and the logging models for it.
Certichron’s services directly meet this by allowing for any deployment model, whether a single hierarchical service or flattened services where any number of key systems have their time management outsourced. The service model provides a dialable security profile which can be tuned to the exact needs of the client and the compliance effort.
Meeting the DSS 10.4.c Requirements
The PCI DSS 10.4.c compliance requires the merchant or processor to have a reliable security model for the time-setting process. The security model must also fit into any other security models regularly used by that entity or being remediated into the entity’s operations. This model would be created by a QSA auditor and attested to by the QSA as an independent credentialed Industry Professional.
Certichron’s solutions meet these security requirements by continuously auditing the operations of the Time Service Centers so that they meet the requirements of the PCI and other operations standards.
To address any further security concerns about using open-Internet-based time services, Certichron also offers a DirectConnect service for larger clients which provides premium access over WAN and broadband networking. Additionally, for regional access Certichron provides a dial-up service which can be used through the Central Office as a shared public resource, or as an embedded service inside the client’s PBX.
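As an added illustration (not Certichron’s code and not any product’s shipped configuration), the following Python compares a weak ntp.conf fragment with a hardened one and audits the points that 10.4.a and 10.4.c above call for: a configured source, authenticated (keyed) sources, and a default-deny restrict line. Hostnames and the key file path are placeholders, and the parser assumes ntpd’s directive syntax with single key numbers rather than `trustedkey` ranges.

```python
# Constructed ntp.conf fragments; hostnames are placeholders, not real servers.
WEAK_CONF = """\
server time.example-placeholder.net
server 0.pool.example-placeholder.net
"""

HARDENED_CONF = """\
# Authenticated sources only; symmetric keys live in a root-owned key file
keys /etc/ntp/keys
trustedkey 10
server ntp1.example-placeholder.net key 10 iburst
server ntp2.example-placeholder.net key 10 iburst
# Default-deny: no runtime modification, no mode 6/7 queries, no unsolicited peering
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means every check here passed."""
    findings, servers, restricts, keys_file, trusted = [], [], [], None, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        if tok[0] in ("server", "peer"):
            servers.append(tok)
        elif tok[0] == "restrict":
            restricts.append(tok)
        elif tok[0] == "keys":
            keys_file = tok[1]
        elif tok[0] == "trustedkey":                  # single ids only (no ranges)
            trusted.update(tok[1:])
    if not servers:
        findings.append("no time source configured (10.4.a)")
    for tok in servers:                               # 10.4.c: authenticate every source
        if "key" not in tok:
            findings.append(f"unauthenticated source {tok[1]} (10.4.c)")
        elif tok[tok.index("key") + 1] not in trusted:
            findings.append(f"key {tok[tok.index('key') + 1]} for {tok[1]} not in trustedkey (10.4.c)")
    if any("key" in t for t in servers) and keys_file is None:
        findings.append("keys directive missing (10.4.c)")
    default = [t for t in restricts if len(t) > 1 and t[1] == "default"]
    if not default:
        findings.append("no 'restrict default' line (10.4.c)")
    else:
        for flag in ("nomodify", "noquery", "nopeer"):
            if flag not in default[0]:
                findings.append(f"restrict default lacks {flag} (10.4.c)")
    return findings
```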
Filed under Frequently Asked Questions, Gaming by Todd Glassey on January 24, 2010 at 9:38 am
Q: The staged or delayed deployment practice model enumerated in the PCI DSS Prioritized Approach implies I can put 10.4 compliance off until later in the compliance practice — is that true?
A: This is a really good question. From my perspective I understand the intent of the Prioritized Approach’s language in making it easier for smaller Merchants and lower-volume entities to comply, but I think there are other underlying issues which make it imperative to address time management in the security model, and control/default service/password changes in the configuration report process of Requirements 1 and 2. Let me explain this logic… the Payment Industry Council (www.pcissc.org) only controls the use of the PCI DSS standard within the Payment Industry. That use of the PCI DSS is contractually controlled by the CARD Brands themselves as partners and founding members of the PCI SSC. Any use of the PCI DSS standard outside of that narrow contractual use would then be constrained by whatever other constraints control that other model.
PCI DSS is a standard — The Prioritized Deployment Approach is a Consortium Opinion, and the two are separate
The same technical standard is now referenced under Law in several States in the US, most prominently Nevada, which functionally means the Payment Council’s ability to allow parties to meet only parts of the Data Security Standard (now a part of Law and Practice therein) is moot, since those same parties must meet all of the DSS, and that is based in Privacy Law and not in the contractual controls of the Payment Council’s member credit/payment card brands.
It’s not true!
Before arguing this isn’t true, let’s walk the walk. Take the perspective that the PCI SSC is an industry consortium and not a Legislative Body, so the first thing to do is to perfect the question so we can come to a real answer.
Perfecting the right question
The real question here to answer is “are there any legislative or regulatory requirements, codified in Law or practice, which would make me implement the Time Management Solution portion of the PCI DSS (section 10.4) immediately rather than in the second or third year as the Prioritized Approach guide implies?” and in my opinion there is an answer and it’s YES.
Operating in a manner which ensures (and insures) Court Admissibility of Digital Data.
My assertion is that compliance with the PCI DSS is not the core compliance issue here, because you have to operate legally. Because of this you cannot wait until the third year to implement a practice which insures court admissibility of your data records, because you have a legal obligation which extends beyond the PCI DSS requirements to insure your records are court admissible.
Follow the logic: because this is above and beyond what the PCI DSS requirements may put in place, while the PCI compliance process may defer proper time management, you cannot, because you must always operate your business or digital transaction systems in a manner which makes them provably controlled under the local or specific Jurisdiction’s requirements. No contract with any other party (including the CARD Brand Provider you do business with) can eliminate that need, nor can the PCI DSS requirements.
Nevada Compliance tops it all
Likewise, if those records have Nevada State Resident Personally Identifiable Information in them, then they would also need to comply with the controls of the PCI DSS, and that also cannot be delayed. Nevada State Privacy requirements mandate the use of the PCI DSS process control technology, and more importantly not its recommended low-effort roll-out timeline for easy merchant acceptance; it is important to understand the immediate implication of this. I am not a lawyer, and you should get real good legal advice on this, but I am betting that the Payment Council cannot absolve you of any legal responsibilities to implement controls to address keeping privacy-impacted information as well as your financial controls. The PCI SSC lost control of how the DSS controls are rolled out when they allowed the State of Nevada to write them into law, meaning that the State of Nevada pushed the roll-out as a national standard therein.
Now everyone with online services or national operations which may include Nevada State protected information must immediately meet those Nevada State Legal requirements to insure their data is both secure and Court Admissible. Those issues are now defined before higher tribunals than an Industry Consortium like the PCI SSC. The real question is how you comply. I suggest you send us email at EvidenceNow@certichron.com and Certichron will send you back a package on making your infrastructure evidence ready in today’s newly emerged digital integrity world.
Filed under Alert Service, PCI DSS by Todd Glassey on January 3, 2010 at 12:34 pm
Overview
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
Impact
CVSS Severity (version 2.0):
Impact Subscore: 4.9
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification; Allows disruption of service
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3563
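The exchange this advisory describes is visible on the wire as mode 7 (MODE_PRIVATE) error responses flowing in both directions between two daemons. The following is an added detection example, not part of the NVD entry or of the ntpd code: it decodes the mode bits of constructed NTP payloads, flags host pairs that are bouncing mode 7 error responses at each other, and counts mode 6/7 queries from hosts outside an allow list, which a `restrict ... noquery` line on the daemon or a perimeter filter should be rejecting.

```python
# Constructed packets, not captured traffic: (src, dst, raw UDP payload).
# NTP byte 0 is LI|VN|Mode for normal packets; in mode 7 (MODE_PRIVATE) the top two
# bits are instead the Response and More flags, with the mode still in the low 3 bits.
MODE_CONTROL = 6
MODE_PRIVATE = 7

def ntp_mode(payload):
    return payload[0] & 0x07

def mode7_error_code(payload):
    """Error code (top 4 bits of err_nitems, bytes 4-5) of a mode 7 *response*;
    None for requests and for anything that is not mode 7."""
    if len(payload) < 8 or ntp_mode(payload) != MODE_PRIVATE:
        return None
    if not payload[0] & 0x80:          # R bit clear: this is a request, not a response
        return None
    return payload[4] >> 4

def find_error_loops(packets):
    """Host pairs that send each other mode 7 error responses, the pattern behind
    CVE-2009-3563. Returns sorted (host, host) tuples."""
    directions = set()
    for src, dst, payload in packets:
        code = mode7_error_code(payload)
        if code is not None and code != 0:
            directions.add((src, dst))
    return sorted({tuple(sorted(d)) for d in directions if (d[1], d[0]) in directions})

def untrusted_query_count(packets, trusted_hosts):
    """Mode 6/7 packets from hosts outside the allow list."""
    return sum(1 for src, _dst, p in packets
               if ntp_mode(p) in (MODE_CONTROL, MODE_PRIVATE) and src not in trusted_hosts)

def _client_packet():
    return bytes([0x23]) + bytes(47)   # LI=0, VN=4, mode 3 (ordinary client request)

def _mode7_error_response():
    # R=1, M=0, VN=2, mode 7; implementation=3; err_nitems high nibble = 1 (error)
    return bytes([0x97, 0x00, 0x03, 0x00, 0x10, 0x00, 0x00, 0x00])

SAMPLE_PACKETS = [
    ("pos-term-7", "ntp-a", _client_packet()),
    ("ntp-a", "ntp-b", _mode7_error_response()),
    ("ntp-b", "ntp-a", _mode7_error_response()),
    ("ntp-c", "ntp-a", _mode7_error_response()),   # one direction only: not a loop
]
```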
Filed under Alert Service, PCI DSS by Todd Glassey on January 3, 2010 at 12:23 pm
CERT Alert for NTP Versions before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled. This directly impacts PCI DSS compliance practices using NTP with OpenSSL and autokey to identify end-nodes in NTP service topologies.
CERT 2009-1252