Monday, November 16, 2015
Friday, November 6, 2015
Day one of the 2015 International Cryptographic Module Conference (ICMC) was host to more than twenty speakers on a variety of topics concerning cryptographic modules.
|The atsec Table in the Exhibits Area|
The speakers included Yi Mao, Ph.D., CST Lab Manager and Stephan Mueller, Principal Consultant and Evaluator, both of atsec information security corporation.
|Stephan Mueller Presenting||Yi Mao Presenting|
Stephan Mueller's talk presented an analysis of the Linux /dev/random. Yi Mao's presentation was titled "Enough Entropy? Justify It!" and concluded with a parody song and animation called "Let It Go (RNG Version)." The animation can be viewed on atsec's animations page.
Thursday, November 5, 2015
The 2015 International Cryptographic Module Conference (ICMC) started yesterday with a day of pre-conference workshops on FIPS 140 Projects, Breaking into Embedded Devices, and Addressing Unique Security Challenges through Standardization.
The main conference was opened today by Yi Mao, Ph.D., CST Lab Manager of atsec, followed by keynote speakers Phil Zimmermann (Creator of PGP, Co-founder, Silent Circle), Paul Kocher (President, Chief Scientist, Cryptography Research), and Marianne Bailey (Principal Director, Deputy CIO for Cybersecurity, DOD).
The next two days will see presentations from more than thirty speakers on a wide variety of topics concerning cryptographic modules. atsec information security is represented by Yi Mao, Stephan Mueller, Swapneela Unkule, and Di Li. For more information on the conference, please visit the ICMC website.
ICMC 2016 was announced with changes in season and location! The conference will be held May 18-20, 2016, at the Shaw Centre in Ottawa, Ontario. ICMC grows into an expanded international venue, with a new late-Spring timeframe that avoids conflicts with other industry events. The call for presentations is now open at Speaking at ICMC 2016, with a deadline of December 15, 2015.
Wednesday, May 27, 2015
Wednesday, May 20, 2015
|Ron Ross, NIST Fellow, delivers his keynote presentation|
The ISO/IEC 27001 standard is a globally accepted standard for information security management systems (ISMS). It is widely used in Europe and Asia, but to date it has not been as widely adopted in the United States, so this first conference of its kind in the U.S. was held last week in Austin, Texas.
atsec initiated the organization of the conference due to the history of atsec and the ISO/IEC 27001 standard. Sal La Pietra, atsec CEO, in his closing remarks at the conference said, "We organized this conference because we believe in the 27K standard and atsec owes the foundation and growth of the company to the standard." Much of atsec's early business in Europe was related to the ISO 27001 standard. atsec was assisted in the development of the conference by Cyberdefenses and BSI.
A day of pre-conference workshops was followed by the conference opening with keynote presentations by
- David Cannon, President & CEO, CertTest Training Center,
- Ron Ross, Fellow, National Institute of Standards and Technology (NIST),
- Scott Bullock, CCSK, CISSP, CISM, Information Security Manager, Websense Cloud Services.
The conference was capped with a summary panel discussion on the subject of Integrating ISO/IEC 27001 with Existing Management Systems. The panel was moderated by Vern Williams, Chief Security Officer of CyberDefenses, and consisted of Fiona Pattinson, VP of atsec information security; John DiMaria, ISO Product Manager of BSI Group America; Timothy Woodcome, Director of NQA USA; and David Ochel, Senior Information Security Manager of Rêv Worldwide. It was clear from the enthusiastic participation and discussion of the attendees that a conference on the subject of ISO/IEC 27001 has been needed and was valued highly by the community.
|Vern Williams moderates the summary panel|
Thank you to everyone for attending! We are truly sorry that the typically beautiful Austin Spring weather chose not to cooperate on the week of the conference.
The conference organizers would like to thank Vern Williams and Willibert Fabritius for their invaluable contribution to the organization of the conference. We would also like to thank all of the conference sponsors: BSI, CyberDefenses, Inc., SGS, UL DQS Inc., DEKRA Certification, Inc., National Quality Assurance, The Open Group, SecuraStar, and Developing Telecoms. We are also grateful for the able assistance of Bill Rutledge of Cnxtd (“Connected”) Event Media Services.
Wednesday, May 13, 2015
The 27K: Security Summit for the Americas started off with keynote speeches from David Cannon, Ron Ross and Scott Bullock. The next two days will see presentations from thirty speakers on a wide variety of topics concerning ISO/IEC 27001. atsec information security is represented by Fiona Pattinson, Yi Mao and Helmut Kurth. For more information on the conference, please visit http://iso27001.com.
Thursday, May 7, 2015
NIAP recently approved a new protection profile for network devices called the "collaborative Protection Profile for Network Devices" (NDcpp) version 1.0. This protection profile supersedes the older NDPP v1.1 protection profile. NIAP plans to sunset NDPP v1.1 on August 27, 2015.
The NDcpp contains most of the same requirements as NDPP plus several new requirements, several enhanced requirements, and a few optional requirements. The linked PDF presentation contains a comparison of the new NDcpp v1.0 to NDPP v1.1 Errata #3. It also contains a slide of a few SFR inconsistencies found in the new NDcpp.
cPP for Network Devices v1.0
Monday, December 8, 2014
During the PCI Community meeting in Sydney, Australia on the 18th and 19th of November 2014, atsec (Beijing) Information Technology Co., Ltd (hereafter “atsec China”)* invited payment security experts from China to give a presentation on the topic of “payment security in China.”
The study focused on policies, regulations and standards related to payment security and risks in China. The presentation also included the experience and methodology for how atsec China performs PCI assessment in China, and a case study regarding Air China’s experience with PCI compliance.
This document includes an abstract of the study paper to share with the industry.
* atsec China is a Joint Venture between Mr. Yan Liu, Managing Director of atsec China and atsec information security GmbH, the atsec holding in Munich Germany. atsec GmbH is the majority shareholder of atsec China.
Disclaimer
atsec China is an independent lab specializing in IT security evaluations.
The presentation was given by Yan Liu, Managing Director of atsec China Operations and Senior Consultant (atsec China), Gary Gu, Vice President (99Bill), and Tao Chen, PCI Project Manager (Air China).
The authors do not represent any Chinese government agency or Chinese government-controlled lab. All information used for this presentation is publicly available on the Internet, though most of the material is in Chinese.
The presentation consists of background, challenges, approach and summary.
Background
China’s electronic payment space is currently growing rapidly. According to a recent investigation, there are about 270 non-financial payment organizations in China, and this number continues to grow. The e-payment penetration rate keeps rising, Internet retail volume is growing rapidly, and the e-payment sector remains highly concentrated. There are different payment innovation patterns with underlying risk factors (e.g. Mobile POS, biometric technology, etc.). The payment risk profile trends include, but are not limited to: security risk around mobile payment becoming increasingly critical, a surge of CNP risk hitting domestic and cross-border e-commerce, data leakage protection continuing as a challenge to the industry, and cybercrime becoming more organized and sophisticated. The security risk management focus areas include product security, data security, transaction security, and fund security.
Starting in 2008, some of the payment service providers in China considered becoming PCI compliant because of the requirements of global payment business and branding. Currently about 80% of service providers in China who are supporting payment from global card brands are already PCI compliant. In 2012, the first bank’s credit card center passed PCI compliance for their acquiring business. ICBC (Industrial and Commercial Bank of China Limited) attained PCI compliance in 2013. ICBC has one of the largest and most complex cardholder data environments (CDE).
99Bill is one of the service providers that attained PCI compliance early, in 2009. The assessment was performed by the atsec China QSA lab, and PCI DSS is the first data security standard 99Bill followed. In addition, 99Bill is currently compliant with some other national and global programs, including ISO/IEC 27001, the classified security protection level-3 certification issued by the Ministry of Public Security, the ADSS (Account Data Security Standard) issued by China UnionPay, and the license for a non-financial organization’s payment system issued by the People’s Bank of China.
The key national security standards in China include GB 17859-1999, “Classified Criteria for Security Protection of Computer Information System” and GB/T 20271-2006, “Information Security Technology - Common Security Technology Requirements for Information Systems”. Both standards are used for classified security protection certification. The standards classify the security protection capability of Computer Information Systems into five levels: Level 1 - Discretionary Protection, Level 2 - System Audit Protection, Level 3 - Security Flag Protection, Level 4 - Structure Protection, and Level 5 - Access Verification Protection. They outline the incremental requirements for each security protection level in ten aspects of security functionality, including Discretionary Access Control, Mandatory Access Control, Labels, Identification, Object Reuse, Audit, Data Integrity, Covert Channel, Trusted Path, and Trusted Recovery. In addition, GB/T 18336.1-2008, GB/T 18336.2-2008, and GB/T 18336.3-2008 are the Chinese translations of Common Criteria Parts 1, 2 and 3.
There are quite a few surveillance and authority organizations in China, and some of them are briefly introduced in this paper.
First, the People’s Bank of China (PBC) was established on December 1, 1948. In September 1983, the State Council decided to have the PBC function as a central bank. Starting from September 2010, the PBC has issued licenses for payment organizations in China after an assessment (including requirements regarding information security, but also business, performance, etc.) according to the “non-financial institutions payment service management measures” (the Chinese name is 非金融机构支付服务管理办法). The list of licensed organizations can be found at: http://www.pbc.gov.cn/publish/zhengwugongkai/3580/index.html. Under these schemes, there are a few laboratories performing the testing and two major certification bodies for certification.
The Payment & Clearing Association of China (PCAC) was founded on May 23, 2011, upon the approval of the State Council and the Ministry of Civil Affairs of China. Registered at the Ministry of Civil Affairs as a national non-profit organization, PCAC serves as a self-regulatory body of the payment and clearing service industry of China, and operates under the business guidance and oversight of the People’s Bank of China. On February 28, 2014, PCAC, VISA China and atsec China held a payment security conference in Beijing. The conference materials can be found at (some of the information is in Chinese): http://www.atsec.cn/cn/news--361.html
The global card brands in China facilitate collaboration with industry and build a more secure and trusted payment network in China. For example, Visa’s qualified service provider (QSP) program was started on April 1, 2013. A list of organizations that have passed the QSP certification by VISA can be found at: http://www.visa.com.cn/merchants/riskmanagement/accountsecurity.shtml. PCI QSA validation is one of the requirements for QSP. In addition to that, VISA performs audits with respect to the requirements related to business operation, risk management, GBPP, etc. VISA acts as an additional oversight layer to acquirer due diligence. China UnionPay issued the Account Data Security Standard (full Chinese name of the standard: 银联卡收单机构账户信息安全管理标准) initially in 2008.
Currently more and more merchants are pursuing PCI compliance, including airlines, e-commerce companies, etc. Let’s take a look at Air China’s PCI compliance as a case study. Air China is the only airline with the National Flag marking on her planes. The business handles not only the transport of international and domestic passengers and goods, but also the task of state leaders’ official visits. As of October 2014, Air China has 512 aircraft, 323 air routes, and is open to 32 countries and regions in the world. In 2014, passenger volume is up to 77.974 million. The amount of e-ticket transactions was 874 billion Chinese Yuan last year.
There are six factors driving the need to achieve PCI DSS compliance.
- The transformation of commercialized e-business. With the development of e-business in China, Air China quickly completed the transformation in ticket booking from agent selling to e-tickets.
- The sensitive payment data or information that needs to be collected during payment.
- The importance of reliability and data. With the ongoing growth of e-tickets, management began paying more attention to payment reliability and data security.
- Air China conducts e-business through multiple channels.
- With the high level of attention to information security, government regulations and industrial requirements are becoming increasingly strict.
- Our business partners, who have already achieved PCI compliance, are requesting it. Meanwhile, Air China is required to ensure the security of payment information during transmission.
Challenges
Looking forward, there are different challenges faced by the China payment sector: new rivals (domestic and abroad), product innovation, talent, compliance, the legal system, risk management, technology, and operational efficiency.
The PCI standards family has been developed and adopted globally. Nevertheless, due to quite a few differences between regions, it is not easy for some Chinese organizations to understand and apply the standards' requirements efficiently. On the other hand, it is also a challenge for the world outside of China to understand the payment industry in China, with its surveillance requirements, regulations, etc. As a global brand focusing on independent security assessment and evaluation, atsec China aims to be the bridge between China and the rest of the world for the information security industry. atsec China helps Chinese organizations understand, apply and promote international standards (such as PCI, Common Criteria (CC), and FIPS 140) while assisting experts across the world in understanding China. In addition to the PCI QSA, ASV, PFI and PA QSA services of atsec China, atsec globally offers evaluation and testing services leading to formal certification of information security technology, including evaluations under Common Criteria schemes in the U.S., Germany, and Sweden. The atsec U.S. organization also operates a Cryptographic and Security Testing Laboratory accredited under the Cryptographic Module Validation and Cryptographic Algorithm Validation Programs of the National Institute of Standards and Technology (NIST) in the U.S. and Communications Security Establishment Canada (CSEC) in Canada for validating cryptographic modules under the FIPS 140-2 standard. atsec China achieved the China National Accreditation Service for Conformity Assessment (CNAS) and the China Metrology Accreditation (CMA) laboratory accreditations in order to ensure that the laboratory is competent to perform testing and produce reliable data.
Let’s zoom in on the challenges Air China encountered at the beginning of PCI compliance. According to the initial analysis, there are several payment channels, and these businesses are run in different systems. In addition, the cardholder data is also located in different systems, which made it necessary to segment the network. All of these factors made PCI compliance rather complicated. Therefore, the first principle is simplicity.
We noted that the key payment process is the integrated e-payment platform. It is the core of all the payment information transmission and storage. After consideration, discussion and decision, a project implementation plan was created.
Initial compliance will focus on the core platform, and then extend to other payment channels. The goal of Air China is to achieve PCI compliance on all the payment systems, and enhance overall security. Last August, Air China completed initial compliance for the core platform, and will continue the work with atsec China to complete PCI compliance for the e-business website and call center system soon.
Approach
An initial readiness assessment is always important for any security assessment or evaluation project. The scope definition and detailed gap analysis for the cardholder data environment were completed at the beginning of the project. The general project process is diagrammed in the following image.
It is also very important for the assessed entity to assign a Project Manager who understands the standard itself, and who will also push forward the implementation within the organization. Especially within large-scale organizations, communication and coordination between different internal departments (e.g. security team, system administrators, developers, and operators) are always key for success of the compliance implementation.
The PCI implementation of Air China started with data optimization. The business departments were guided to identify the confidential payment data, and at the same time were helped to review their business procedures regarding when sensitive data should be deleted. Practical solutions were provided, so as to achieve business sustainability and reduce conflict with the business departments to the greatest extent.
During the establishment of new technical measures and business, Air China combined the existing ISO/IEC 27001, the information security protection procedure and the technical requirements, and took advantage of current regulation and technical measures to integrate the multi-security system. PCI requirements are the foundation for improving secure data protection in Air China as a whole. In this way, an established and stable payment environment is available for compliance with various standards.
That is also atsec China’s methodology for establishing an integrated and unified management system. Payment organizations could consider using the PCI standards as the baseline for data protection. In addition, national or local standards and regulations should be met. ISO/IEC 27001 could be established for the high-level information security management system, Common Criteria could be used for secure development and risk management, FIPS 140-2 could be referenced as a best practice on cryptography, and O-TTPS could be considered as the supply chain security practice to mitigate maliciously tainted and counterfeit products, and so on. Overall, the management system serves the organization’s own operation, business and culture; compliance with the different standards and regulations can then be demonstrated individually.
Remarks and Summary
In addition to the protection of the cardholder data environment, Air China plans to use the standard's requirements as a best practice for all data control and management within Air China’s IT system, not just for a certificate. According to the three-year plan for data security construction made by Air China, it will continue and extend PCI compliance, and apply the experience to wider data security construction in Air China. Combined with the PCI standard, Air China will take two steps and carry it out in five phases in order to achieve whole data lifecycle management. As a result, its business can benefit from reliable data security. A diagram explaining the plan for after Air China’s initial compliance is shown below.
In general, the values of security compliance are summarized below.
- Meet the mandatory requirements defined by external cooperating organizations like card brands and related customers.
- Increase confidence during business cooperation with:
  - Surveillance organizations or authority organizations;
  - Customers, partners, suppliers; and
  - Internal organizations or departments.
- Further improve internal management and control by:
  - Improving security management, and integrating high-level policy into the business process efficiently;
  - Establishing measurable methods for management and technology;
  - Enhancing the assurance of security controls within the organization;
  - Enhancing security awareness, and benefiting corporate culture; and
  - Enhancing investment confidence.
- Reduce costs by:
  - Reducing the cost and investment for security incidents and risks; improving processes on risk management, business continuity, and incident response;
  - Reducing the cost of audits or assessments in other areas, like due diligence;
  - Reducing insurance costs;
  - Clarifying security roles and responsibilities;
  - Improving competitiveness; and
  - Establishing trust and recognition globally.
- Harmonization with national standards and global standards;
- Further industry collaboration including governments, authority agencies, standards organizations, certification bodies, and especially the card brands, banks, service providers, and merchants in the payment industry.
- CDE Scope and implementation plans are important for the initial implementation of PCI DSS compliance.
- A risk-based approach is suggested for security technology implementation and management.
- PCI SSC: https://www.pcisecuritystandards.org/
- atsec: www.atsec.cn
- VISA: http://www.visa.com.cn/index.shtml
- The People’s bank of China: http://www.pbc.gov.cn/
- MPS information classified security protection: http://www.cspec.gov.cn/web/
- UnionPay: http://cn.unionpay.com/
Thursday, November 20, 2014
|The Second International Cryptographic Module Conference (ICMC)|
|Yi Mao presenting "Making Diamonds Out of Coal: CST Labs Are Under Pressure"|