Today was Day Three of the 2018 North American PCI Community Meeting. You can read my recaps of Day One and Day Two.
Day Three was off to another exciting start. The keynote talk for the day was Jeff Skiles, the copilot from the “Miracle on the Hudson” flight. His talk was very engaging and included a few noteworthy takeaways. Things like Standard Operating Procedures and training “end-users” were critical factors in his success. These are things we security folks are constantly harping on for incident response.
Skiles also brought up a new process in the airline industry for self-reporting errors. Pilots have a process to report on errors in an anonymous way, which also protects them from legal action. This has led to many more reports and subsequent process changes. Pilots are able to catch small mistakes and work to find a fix before a bigger issue develops.
There was a panel discussion on small merchants and how we, as the security industry, can support their security and compliance needs. There was not a whole lot of new information, but it is disheartening to see the same issues brought up year after year. Folks are not changing default credentials, they’re not applying security patches, and they are not securing remote access methods into their networks.
These merchants are busy enough trying to run a business, and we can’t expect them to also be security and compliance experts. We can be better by partnering year-round with these clients to provide more support, more training, and be a real business partner with them.
The talk on the impact of “Dark Web” data sales had some interesting insights, specifically around the innovative ways criminals are looking to monetize stolen credentials. In addition to the classical approach of going right for e-commerce credentials, attackers are going after online gaming credentials to abuse the in-game purchase functions. Loyalty rewards accounts were also mentioned as an area of attack on the rise. As more brands have loyalty programs that can be redeemed for gift cards, in addition to redemption with the brand, we can expect attackers to go after this softer target. After all, who thinks of their hotel reservation account as a high value target?
Of course phishing is still a major tool for attackers, and this was further reflected in the research behind social media credential compromise. These may not be directly monetized, but if an account has a significant following, the attacker has a better chance of getting a hit on their campaign when it is sent from a “trusted source”.
Unfortunately, my hopes for the week were not met. Conversations with other Assessors carried the same sentiment – we live this stuff for work, and are looking for more technical insight at these conferences. Hopefully the feedback surveys will influence the SSC to add more advanced topics for the 2019 Community Meeting.