In partnership with

Table of Contents

• Chronicles of Cybersecurity Consulting

  • Chronicle # 3 - Assessment Slips to Discovery

  • Outcomes:

  • Lessons Learnt:

• My Recent Most Viewed Posts:

• Ways in which I can help?

• My Asks

Hi Securing Things Community,

In this newsletter edition, I am continuing my Chronicles of Cybersecurity Consulting - 3rd in series from the field (more to come in future, so stay tuned). In addition, few interesting reference links, my recent most viewed social media posts from June/July 2024 and my asks.

In case you missed the earlier chronicles in the series, here are the links below:

• Chronicles of Cybersecurity Consulting - 1st in series - The Bleeding Password.

• Chronicles of Cybersecurity Consulting - 2nd in series - Shortest Consulting Engagement Ever.

Chronicles of Cybersecurity Consulting

Note: To ensure anonymity of the projects / end user businesses, I’ve kept industry anonymous & merged a couple of directly related experiences together.

Chronicle # 3 - Assessment Slips to Discovery

As you gain experience, sometimes you reflect on past experiences and mistakes you made and lessons you’ve learned. Today was such a day when I reflected the unintentional slips I made in the first decade of my career, performing some security assessment / reviews that lead to some crucial discovery / findings.

While performing a cybersecurity review / gap analysis for a global business, which had a specific emphasis towards PCI DSS, made few silly mistakes, at a sizeable facility during an onsite exercise. What I originally believed to be quite embarrassing, thought was damaging my image in front of client, and blamed / mentally beat myself over them; turns out to be some important finds.

(Note: Apart from these important discoveries, a long list of findings / gaps were already identified, as the client’s environment was approximately only <40% compliant against PCI DSS standard).

1st slip - “Triggering a physical intrusion alarm system”

While going through Part 10 of PCI DSS - physical security monitoring and access controls part of the gap analysis and interview process, I noticed that some back doors / emergency entrance and exits of few critical office areas, where confidential information was handled and or was stored; were only protected by key locked doors and intrusion alarm system, without CCTV monitoring.

During the site walkthrough, while asking a question to the client’s whether these intrusion alarm systems are checked regularly or not, and how do they ensure that there’s a proper response process established in case of a physical intrusion scenario? unfortunately or fortunately, at the same time, I accidently touched the door, tripping the intrusion alarm system of a crowded office area. Some immediate recommendations for people in the room where necessary…

My point of contact tried to reach out to physical security team to disable the alarm. The physical security guy kept going back and forth between different floors to figure out the right keys. Feeling embarrassed, I offered testing some of the keys while he can bring others down. In those horrifying 30 mins of bells from hell; I felted my hearing was impacted / in fact was sure to have almost lost it, if I would have stayed 15 mins or more. Finally, we were able to find right key with hit and trial and save some of my hearing ability.

1st discovery - “Physical security gaps identified”

This triggered a series of questions and provided evidence that physical security team never tested incident response for physical intrusion scenario, as keys were not marked appropriately and nor were ever checked. The physical access control and monitoring processes lacked maturity.

2nd slip - “Claimed that certain CCTV recordings were missing”

As part of PCI DSS requirement # 10 for physical security monitoring - while reviewing CCTV controls and recordings, noticed the default settings. New to the interface, thought that recordings were missing for certain time periods. Informed the client, and the client, in their wisdom, showed me a few sample videos of the subject time slots. While observing some of these sample videos, I had a shocking discovery.

I realized that the physical security team, monitoring these recordings and/or live on camera, can actually see and record the entire credit card number being entered on operators keyboard, as majority of the cameras were put in an angle to focus on agents’ keyboards rather than agents themselves.

2nd discovery - “Potential Credit Card Fraud? - triggered an investigation”

As with past credit card related incidents, there were signs of potential credit card fraud elements. This eventually triggered an internal investigation to see whether this was by design or by accident (do not know the conclusion).

A remediation plan was suggested to address this issue and alternate controls were suggested as well. At the time of this assessment I wasn’t aware of any solutions that could have automatically searched and removed those video segments (except doing it manually) while operators entered the credit card info.

3rd slip - “Wireshark analysis of database instead of webserver”

As part of ensuring that no card holder data (CHD) to and from card holder data environment (CDE) is sent in clear text; I selected the webserver as one of the sample machines for capturing web traffic for Wireshark analysis. From the asset inventory, I accidently picked up a wrong hostname, and requested network admin to provide at-least an hours worth of traffic data. So received traffic of hostname1 (which was the database) instead of hostname2 (which was the webserver - originally scoped).

3rd discovery - “Database credentials & Secret keys in clear”

Turns out that the actual credit card # was stored in the database with the table level encryption enabled. A corresponding token was issued for each entry to track and process repeat transactions. Another database server is used to offload processing power to handle encryption/decryption process.

Fun bit - the traffic captured included the database credentials exchanged between the 2 database servers and the decryption key (which was loaded in the RAM of main database server every time the database was initialized and remained there forever until the database was running).

Presented this finding to Database (DB) admin and he asked…

Upon showing him the details, the DB admin was confident that no one from outside the company will be able to get their hands on these. And that …

I asked - what about network admin that just provided you with this evidence? How about anyone getting full control of the machines via malware-less / malware-based attacks? And my recommendations were …

and that..

I was excited with these extra accidental finds / observations and quickly went back to start typing my observations in the report …

Outcomes:

> 60% non-compliance with PCI DSS. List of PCI DSS gaps identified including:

• Weak physical security controls, processes and practices (E.g. drills).

• Identified credentials & secret keys exchanged in clear, for crown jewels assets.

• Potential credit card / CHD fraud or leakage.

Provided a list of prioritized remediation recommendations per PCI DSS requirements.

I was told to be cooperative, was threatened to be removed, reminded that may not get additional PCI business, that am not being reasonable, too tough on the findings etc.. One person from my side even asked if I understand the meaning of empathy. Till date I am still not sure what that meant😁given the scenario above.

Lessons Learnt:

Whether you are a consultant and or internal stakeholder, tasked to identify gaps and help secure your organisation, remember the following:

• Keep an open mind, do not ignore even trivial details that may lead to great discovery.

• Do yourself a favour, everyone makes mistakes and learns from them. Sometime they are blessings in disguise. Do not beat yourself over them. No one cares and its damaging to self-confidence.

• Do not (/ & never) compromise. Its unethical; your own reputation is at stake. If there’s compromise and or later investigations that reveals that you didn’t do a good job, is more hurting, compared to some angry faces and words that you get from those that wants to cut corners, or do not take assessments like PCI DSS seriously and or do not actually understand.

After a bit of back and forth, findings were accepted, remediation recommendations were considered, alternatives were given, and few parked as progressive future improvements.

How would you help the end user ? what best practices in terms of people, process and technology controls were missing? what you’ll recommend them in addition, as short, medium-to-long term remediations? and why? Comment below.

Do subscribe to ensure that you don’t miss the 4th in series on Chronicles of Cybersecurity Consulting - Titled “My Shortest Consulting Gig Ever”.

My Recent Most Viewed Posts:

In case you’ve missed - here are some of my recent most viewed social posts.

• Use of AI in Cybersecurity - insights, guidance, news, certain cybersecurity tools and all. To be updated further in future.

• 2 years of Independent Cybersecurity Consulting - Progress, Challenges and lessons learned.

• Poll on Crowdstrike / Microsoft BSOD incident causing widespread disruption to businesses worldwide on 19th July 2024.

• Chronicles of Cybersecurity Consulting - Shortest Consulting Engagement Ever - 2nd in series.

• Getting started in IT & OT Cybersecurity - a blueprint / framework to 2x / 5x / 10x your cybersecurity career. Links in comments of the above post.

• Internal Audit and IT & OT Cybersecurity Program - suggested approach for an internal audit team towards building their knowledge / skill base and be able to ask relevant questions towards an IT & OT Cybersecurity / transformation programs activities.

(Sponsored)

If you are looking for a development, data science and design studio that works to create custom software, machine learning and BCI solutions. Hire AEStudio’s team that works closely with founders and executives.

Your Brilliant Business Idea Just Got a New Best Friend

Got a business idea? Any idea? We're not picky. Big, small, "I thought of this in the shower" type stuff–we want it all. Whether you're dreaming of building an empire or just figuring out how to stop shuffling spreadsheets, we're here for it.

Our AI Ideas Generator asks you 3 questions and emails you a custom-built report of AI-powered solutions unique to your business.

Imagine having a hyper-intelligent, never-sleeps, doesn't-need-coffee AI solutions machine at your beck and call. That's our AI Ideas Generator. It takes your business conundrum, shakes it up with some LLM magic and–voila!--emails you a bespoke report of AI-powered solutions.

Outsmart, Outpace, Outdo: Whether you're aiming to leapfrog the competition or just be best-in-class in your industry, our custom AI solutions have you covered.

Ready to turn your business into the talk of the town (or at least the water cooler)? Let's get cracking! (And yes, it’s free!)

Ways in which I can help?

Whenever you are ready - I can help you / your organizations’ or your customers’ secure digital transformation journey through:

A - IT & OT Cybersecurity Advisory / Consulting services 

• vCISO / fractional CISO or CISO security advisor services, GRC, Assessments / Reviews / Gap Analysis, Advisory, Strategy, Security / AI Policy or standards development, ISO 27001, PCI DSS and other frameworks, architectural reviews, configuration hardening for IT & OT cybersecurity engagements. (few examples - IT & OT Cybersecurity - Strategy, Program, Execution and Management, for SME manufacturers - OT Cybersecurity Best Practices Requirements Specification OTCBPRS Toolkit, 3 step process for evaluating & implementing OT IDS / Anomaly detection / network security monitoring solutions → here; OT Cybersecurity Management System → OT CSMS and Cybersecurity SMB toolkits includes ISO 27001, etc.).

B - IT & OT Cybersecurity Trainings & Education

• General Security Awareness Training & Phishing Awareness Portal for SMBs. Start your cybersecurity journey with a free cyber heath check / questionnaire based review that would help in building a cybersecurity roadmap and security awareness program.

• Securing Things Academy (STA) - Training, Coaching and digital downloads for IT & OT Practitioners - pre-launch coming soon.

• Securing Things Newsletter - providing insights and educational content on IT / OT / IOT / IIOT cyber-physical and AI security.

Reach out at info[at]securingthings[dot].com or DM via LinkedIn.

My Asks

I invite #SecuringThings community to share their feedback.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.

Do register, validate your email, and request login link to submit poll to be able to enter a chance to win a future course giveaway.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.