Chronicles of Cybersecurity Consulting - 3rd in series - Assessment Slips to Discovery

[Securing Things by M. Yousuf Faisal]


Disclaimer: All views presented here, in this newsletter, are my own.

Author or the newsletter are not liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and or situation.

M. Yousuf Faisal


Hi Securing Things Community,

In this newsletter edition, I am continuing my Chronicles of Cybersecurity Consulting - 3rd in the series from the field (more to come in future, so stay tuned). In addition, a few interesting reference links, my most viewed social media posts from June/July 2024 and my asks.

In case you missed the earlier chronicles in the series, here are the links below:

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

Chronicles of Cybersecurity Consulting

Note: To ensure anonymity of the projects / end user businesses, I’ve kept industry anonymous & merged a couple of directly related experiences together.

Chronicle # 3 - Assessment Slips to Discovery

As you gain experience, you sometimes reflect on past experiences, the mistakes you made and the lessons you’ve learned. Today was such a day, when I reflected on the unintentional slips I made in the first decade of my career while performing security assessments / reviews, slips that led to some crucial discoveries / findings.

While performing a cybersecurity review / gap analysis for a global business, with a specific emphasis on PCI DSS, I made a few silly mistakes at a sizeable facility during an onsite exercise. What I originally believed to be quite embarrassing, thought was damaging my image in front of the client, and blamed / mentally beat myself over, turned out to be some important finds.

(Note: Apart from these important discoveries, a long list of findings / gaps were already identified, as the client’s environment was approximately only <40% compliant against PCI DSS standard).

1st slip - “Triggering a physical intrusion alarm system”

While going through Part 10 of PCI DSS - the physical security monitoring and access controls part of the gap analysis and interview process - I noticed that some back doors / emergency entrances and exits of a few critical office areas, where confidential information was handled and/or stored, were only protected by key-locked doors and an intrusion alarm system, without CCTV monitoring.

During the site walkthrough, while asking the client whether these intrusion alarm systems are checked regularly, and how they ensure that a proper response process is established for a physical intrusion scenario, unfortunately or fortunately, at the same time, I accidentally touched the door, tripping the intrusion alarm system of a crowded office area. Some immediate recommendations for the people in the room were necessary…


My point of contact tried to reach the physical security team to disable the alarm. The physical security guy kept going back and forth between different floors to figure out the right keys. Feeling embarrassed, I offered to test some of the keys while he brought others down. In those horrifying 30 mins of bells from hell, I felt my hearing was impacted; in fact I was sure I would have almost lost it had I stayed 15 mins or more. Finally, we were able to find the right key by trial and error and save some of my hearing ability.

1st discovery - “Physical security gaps identified”

This triggered a series of questions and provided evidence that the physical security team had never tested incident response for the physical intrusion scenario, as keys were not marked appropriately and were never checked. The physical access control and monitoring processes lacked maturity.

2nd slip - “Claimed that certain CCTV recordings were missing”

As part of PCI DSS requirement # 10 for physical security monitoring, while reviewing CCTV controls and recordings, I noticed the default settings. Being new to the interface, I thought that recordings were missing for certain time periods. I informed the client, and the client, in their wisdom, showed me a few sample videos of the subject time slots. While observing some of these sample videos, I had a shocking discovery.


I realized that the physical security team, monitoring these recordings and/or the live camera feed, could actually see and record the entire credit card number being entered on operators’ keyboards, as the majority of the cameras were placed at an angle that focused on the agents’ keyboards rather than on the agents themselves.

2nd discovery - “Potential Credit Card Fraud?” - triggered an investigation

As with past credit card related incidents, there were signs of potential credit card fraud. This eventually triggered an internal investigation into whether this was by design or by accident (I do not know the conclusion).

A remediation plan was suggested to address this issue and alternate controls were suggested as well. At the time of this assessment I wasn’t aware of any solution that could have automatically found and removed those video segments (other than doing it manually) while operators entered the credit card information.

3rd slip - “Wireshark analysis of database instead of webserver”

As part of ensuring that no card holder data (CHD) to and from the card holder data environment (CDE) is sent in clear text, I selected the webserver as one of the sample machines for capturing web traffic for Wireshark analysis. From the asset inventory, I accidentally picked the wrong hostname, and requested the network admin to provide at least an hour’s worth of traffic data. So I received the traffic of hostname1 (which was the database) instead of hostname2 (which was the webserver, originally scoped).

3rd discovery - “Database credentials & Secret keys in clear”

Turns out that the actual credit card number was stored in the database with table level encryption enabled. A corresponding token was issued for each entry to track and process repeat transactions. Another database server was used to offload processing power for the encryption/decryption process.

Fun bit - the traffic captured included the database credentials exchanged between the 2 database servers and the decryption key (which was loaded into the RAM of the main database server every time the database was initialized and remained there for as long as the database was running).

I presented this finding to the Database (DB) admin and he asked…


Upon showing him the details, the DB admin was confident that no one from outside the company would be able to get their hands on these. And that …


I asked - what about the network admin who just provided you with this evidence? How about anyone getting full control of the machines via malware-less / malware-based attacks? And my recommendations were …

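The third discovery above is that database credentials crossed the wire in clear between the two database servers, and only a chance capture made it visible. The page does not name the database product, so the following added example (not code from the original newsletter) assumes the PostgreSQL wire protocol purely as an illustration: it builds a small constructed session (hostnames, user and password are made-up values), then reports whether the client ever asked for TLS (an SSLRequest packet) and whether the server asked for the password in cleartext, which is the same check a reviewer would run over a real capture's TCP payloads.

```python
import struct

# Assumed protocol for this illustration: PostgreSQL v3 wire protocol (the
# newsletter does not say which database was in use). Constants below are the
# protocol's own: protocol version 3.0 and the SSLRequest magic number.
PROTOCOL_V3 = 196608      # 0x00030000
SSL_REQUEST_CODE = 80877103  # 1234 << 16 | 5679


def build_startup(user: str, database: str) -> bytes:
    """Frontend StartupMessage: Int32 length, Int32 protocol, NUL-separated key/value pairs, final NUL."""
    body = struct.pack("!I", PROTOCOL_V3)
    for key, value in (("user", user), ("database", database)):
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!I", len(body) + 4) + body


def build_ssl_request() -> bytes:
    """Frontend SSLRequest: what a client sends first when it wants TLS on the link."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def build_password_message(password: str) -> bytes:
    """Frontend PasswordMessage: 'p', Int32 length (including itself), NUL-terminated password."""
    payload = password.encode() + b"\x00"
    return b"p" + struct.pack("!I", len(payload) + 4) + payload


def build_auth_request(code: int, extra: bytes = b"") -> bytes:
    """Backend Authentication* message: 'R', Int32 length, Int32 auth code, optional data."""
    payload = struct.pack("!I", code) + extra
    return b"R" + struct.pack("!I", len(payload) + 4) + payload


# Constructed sample capture: a replication-style login between two database
# hosts with no SSLRequest and the server asking for a cleartext password
# (auth code 3), followed by AuthenticationOk (code 0). All values are made up.
CLIENT_TO_SERVER = build_startup("replicator", "cards") + build_password_message("Winter2024!")
SERVER_TO_CLIENT = build_auth_request(3) + build_auth_request(0)


def parse_startup(data: bytes):
    """Parse the unframed first packet; returns (params, remaining_bytes) or (None, data)."""
    if len(data) < 8:
        return None, data
    length, code = struct.unpack("!II", data[:8])
    if code == SSL_REQUEST_CODE:
        return {"ssl_request": True}, data[length:]
    if code != PROTOCOL_V3:
        return None, data
    fields = data[8:length].split(b"\x00")
    params = {}
    for i in range(0, len(fields) - 1, 2):
        if fields[i]:
            params[fields[i].decode(errors="replace")] = fields[i + 1].decode(errors="replace")
    return params, data[length:]


def iter_messages(data: bytes):
    """Yield (type_byte, payload) for framed messages: 1-byte type + Int32 length including itself."""
    pos = 0
    while pos + 5 <= len(data):
        mtype = data[pos:pos + 1]
        (length,) = struct.unpack("!I", data[pos + 1:pos + 5])
        yield mtype, data[pos + 5:pos + 1 + length]
        pos += 1 + length


def scan_session(client_to_server: bytes, server_to_client: bytes) -> dict:
    """Report whether a captured login exposed credentials on the wire."""
    report = {"user": None, "ssl_requested": False, "auth_method": None, "findings": []}
    params, rest = parse_startup(client_to_server)
    if params and params.get("ssl_request"):
        # Client asked for TLS; whatever follows is (or should be) encrypted, so stop here.
        report["ssl_requested"] = True
        return report
    report["findings"].append("no SSLRequest: session negotiated in clear")
    if params:
        report["user"] = params.get("user")
    for mtype, payload in iter_messages(server_to_client):
        if mtype == b"R" and len(payload) >= 4:
            (code,) = struct.unpack("!I", payload[:4])
            if code == 3:
                report["auth_method"] = "cleartext"
                report["findings"].append("server requested cleartext password (AuthenticationCleartextPassword)")
            elif code == 5:
                report["auth_method"] = "md5"
                report["findings"].append("server requested MD5 password hash (replayable on an unencrypted link)")
            elif code == 10:
                report["auth_method"] = "sasl"
    for mtype, payload in iter_messages(rest):
        if mtype == b"p" and report["auth_method"] == "cleartext":
            password = payload.rstrip(b"\x00").decode(errors="replace")
            # Never echo the secret itself into a report; length is enough to prove the exposure.
            report["findings"].append(f"password for user {report['user']!r} readable on the wire ({len(password)} chars)")
    return report


if __name__ == "__main__":
    for line in scan_session(CLIENT_TO_SERVER, SERVER_TO_CLIENT)["findings"]:
        print("FINDING:", line)
```

On a real capture you would feed the two directions of a reassembled TCP stream into `scan_session` (for instance the payloads exported from Wireshark's "Follow TCP Stream"); the `build_*` helpers exist only to construct the sample inline. The hardened path is the one the scanner treats as clean: a client that opens with an SSLRequest and a server that answers it, so the password message never appears in plaintext on the link.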

I was excited by these extra accidental finds / observations and quickly went back to start typing my observations into the report …


Outcomes:

> 60% non-compliance with PCI DSS. The list of PCI DSS gaps identified included:

  • Weak physical security controls, processes and practices (E.g. drills).

  • Credentials & secret keys exchanged in clear, for crown jewel assets.

  • Potential credit card / CHD fraud or leakage.

Provided a list of prioritized remediation recommendations per PCI DSS requirements.

I was told to be cooperative, was threatened with removal, reminded that we might not get additional PCI business, that I was not being reasonable, too tough on the findings, etc. One person from my side even asked if I understood the meaning of empathy. To date I am still not sure what that meant 😁 given the scenario above.

Lessons Learnt:

Whether you are a consultant or an internal stakeholder tasked with identifying gaps and helping secure your organisation, remember the following:

  • Keep an open mind, do not ignore even trivial details that may lead to great discovery.

  • Do yourself a favour: everyone makes mistakes and learns from them. Sometimes they are blessings in disguise. Do not beat yourself up over them. No one cares, and it’s damaging to self-confidence.

  • Do not (and never) compromise. It’s unethical; your own reputation is at stake. If there’s a compromise, or a later investigation reveals that you didn’t do a good job, that hurts more than some angry faces and words from those who want to cut corners, do not take assessments like PCI DSS seriously, or do not actually understand them.

After a bit of back and forth, the findings were accepted, remediation recommendations were considered, alternatives were given, and a few were parked as progressive future improvements.


How would you help the end user? What best practices in terms of people, process and technology controls were missing? What would you recommend to them in addition, as short, medium-to-long term remediations? And why? Comment below.

Do subscribe to ensure that you don’t miss the 4th in series on Chronicles of Cybersecurity Consulting - Titled “My Shortest Consulting Gig Ever”.

My Recent Most Viewed Posts:

In case you’ve missed - here are some of my recent most viewed social posts.


Ways in which I can help?

Whenever you are ready - I can help you, your organization’s or your customers’ secure digital transformation journey through:

B - IT & OT Cybersecurity Trainings & Education

Reach out at info[at]securingthings[dot].com or DM via LinkedIn.

My Asks

I invite #SecuringThings community to share their feedback.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.

Do register, validate your email, and request login link to submit poll to be able to enter a chance to win a future course giveaway.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.
