Every transaction system used by a North American business that accepts credit cards has to follow the Payment Card Industry (PCI) security standards. But against the background of continuing breaches at retailers, the PCI’s latest version of the standards, released last fall, was panned by experts at a Toronto security conference.

“I expected a lot more,” Gregory T. McLean, information security officer for North America and Asia at bulk packaging manufacturer Transcom International, told the SC Congress conference in Toronto on Tuesday. “When 3.0 (of the Data Security Standard and Payment Application Data Security Standard) came out I was extremely disappointed.” McLean noted that of almost 100 changes in the new version, only 17 could be called actual requirements. “I read PCI 3.0 as a guideline rather than a standard,” he said.

McLean used the example of authentication as one case where stronger language is needed – and the lesson could be applied to IT security anywhere. “There’s more of an encouragement here to use strong passwords – and people need to use good passwords – but PCI isn’t saying so definitively,” he said. McLean called the authentication elements in PCI “a step in the right direction,” but said they could have been made stronger.

Asked about the state of security collaboration after the session, McLean told IT World Canada that he’s frustrated by the lack of communication between security professionals. “The black hats share information with each other all the time, any time,” he said. “But the white hats – the good guys – we just don’t share data and help each other out the same way.”

Omkhar Arasaratnam, chief security architect for TD Bank Group, also viewed the new PCI 3.0 standard as falling short on specific and strict requirements. “What strikes me about PCI – anywhere from 1.0 through to 3.0 – isn’t that there are any egregiously difficult requirements. If you look at this as a technical security person, it’s all common sense. What continues to get me is the P.F. Chang’s, the Macy’s, the targeted breaches that are just simply poor security.”

Arasaratnam contrasted the lack of rigour in PCI 3.0 with the Sarbanes-Oxley legislation in the U.S., which does include strong penalties for non-compliance. “Getting hit with non-compliance with Sarbanes-Oxley comes with real penalties, ones that can directly hit the bottom line by scaring off investors. That has teeth in it,” Arasaratnam said. “People may point to the fact that the Target CEO left his position after the company was breached, but that was tangential at best.”

Later in the day a three-person panel discussed what the panelists felt were the top three current security threats. Panelist Phil Umrysh, who is director of information security and compliance for Loyalty Group, which offers the Air Miles reward program, told IT World Canada that in his view the top three security challenges are “shadow IT,” third-party access to data and the IT environment, and endpoint security – especially when it comes to mobile devices.

“‘Shadow IT’ refers to users using cloud services – SaaS stuff where people send data to a service like Dropbox and your DLP software shows that data being moved there,” Umrysh said. “There’s something like 15,000 different cloud service providers out there. How do you even stay in control of all that?”
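Umrysh’s point that DLP can show data moving to an unsanctioned service is a detection problem you can script. The Go program below is an added example for this article, not code from Umrysh, Loyalty Group or the conference: it reads constructed proxy log lines in an assumed five-field format (timestamp, user, method, host, bytes out), ignores hosts on an assumed sanctioned list, and reports users who have uploaded more than a threshold to anything else. The hostnames, user names and byte counts are made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Finding records bytes a user sent to a host that is not on the sanctioned list.
type Finding struct {
	User     string
	Host     string
	BytesOut int64
}

// Constructed proxy log lines for the example (not real traffic). Assumed format:
// <timestamp> <user> <method> <host> <bytes_out>
const sampleProxyLog = `2014-06-10T09:12:01Z alice POST www.dropbox.com 52428800
2014-06-10T09:13:44Z bob GET www.example-intranet.local 1024
2014-06-10T09:15:09Z carol PUT api.box.com 734003200
2014-06-10T09:16:30Z alice POST sharepoint.example.com 2097152
2014-06-10T09:18:02Z dave POST www.dropbox.com 1048576
2014-06-10T09:20:15Z erin GET www.dropbox.com 4096`

// Assumed sanctioned hosts: uploads anywhere else are treated as shadow IT.
var sanctioned = map[string]bool{
	"sharepoint.example.com":     true,
	"www.example-intranet.local": true,
}

// isUpload treats write methods as uploads; GET is a download and is not flagged.
func isUpload(method string) bool {
	switch strings.ToUpper(method) {
	case "POST", "PUT", "PATCH":
		return true
	}
	return false
}

// ShadowITUploads sums bytes sent per (user, host) to unsanctioned hosts and
// returns the pairs at or above minBytes, largest first. Malformed lines are
// skipped rather than aborting the run.
func ShadowITUploads(log string, minBytes int64) []Finding {
	totals := map[[2]string]int64{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			continue
		}
		user, method, host := f[1], f[2], strings.ToLower(f[3])
		n, err := strconv.ParseInt(f[4], 10, 64)
		if err != nil || !isUpload(method) || sanctioned[host] {
			continue
		}
		totals[[2]string{user, host}] += n
	}
	var out []Finding
	for k, v := range totals {
		if v >= minBytes {
			out = append(out, Finding{User: k[0], Host: k[1], BytesOut: v})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].BytesOut > out[j].BytesOut })
	return out
}

func main() {
	// 10 MiB threshold: a single document is usually below it, a bulk export above.
	for _, f := range ShadowITUploads(sampleProxyLog, 10<<20) {
		fmt.Printf("%-6s %-20s %d bytes\n", f.User, f.Host, f.BytesOut)
	}
}
```

The threshold is the knob that separates a single document from a bulk export, and a GET is never flagged because the question is what leaves the network, not what comes in. Against a real proxy log you would parse the product’s own format and feed the sanctioned list from your SaaS inventory rather than a hard-coded map.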

The problem is compounded by the reluctance of cloud service providers to disclose to their own customers what they’re doing about security, Umrysh said. “We have a vendor questionnaire that asks about what the vendor is doing about security. Amazon just won’t provide the information. To me that amounts to a security problem, and we just won’t entrust anything sensitive to a cloud provider that won’t tell us what their security is. We might do small pilot tests with unimportant data but that’s it.”

The problem is made worse, Umrysh said, by the refusal of many cloud service providers to let customers encrypt their own data. “That’s a real warning sign. You just can’t afford to trust a provider who not only won’t tell you about their security, but also won’t let you use your own encryption.”
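The caveat Umrysh raises, a provider that will not let you bring your own encryption, is worth making concrete. The Go program below is an added example, not code from any speaker or vendor on this page: the customer encrypts each object with AES-256-GCM under a key it alone holds, binds the object name in as associated data, and hands the provider only the nonce and ciphertext. The object name and the sample payload are made up; in practice the key would come from a key manager the customer controls, not the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob is what the provider stores. Without the customer key it is opaque.
type Blob struct {
	Nonce      []byte
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

// NewKey returns a fresh 256-bit key. Assumption for the example: the key is
// generated and kept on the customer side (an HSM or customer-run KMS in practice).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the customer key with a random nonce and binds
// the object name as associated data, so a blob copied to another object name
// will not open.
func Seal(key, plaintext []byte, objectName string) (Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Blob{}, err
	}
	return Blob{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(objectName))}, nil
}

// Open decrypts and authenticates; a wrong key, a modified ciphertext or a
// different object name all fail closed instead of returning garbage.
func Open(key []byte, b Blob, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(b.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, tampered blob or wrong object")
	}
	return pt, nil
}

// Demo runs the round trip and the three failure cases the customer cares
// about; it returns true only if every bad case is rejected.
func Demo() (bool, error) {
	const name = "exports/2014-06.csv" // made-up object name
	data := []byte("constructed sample: not real cardholder data")
	key, err := NewKey()
	if err != nil {
		return false, err
	}
	blob, err := Seal(key, data, name)
	if err != nil {
		return false, err
	}
	pt, err := Open(key, blob, name)
	if err != nil || string(pt) != string(data) {
		return false, errors.New("round trip failed")
	}
	// 1. The provider, holding no key, cannot open the blob.
	other, _ := NewKey()
	if _, err := Open(other, blob, name); err == nil {
		return false, errors.New("opened with wrong key")
	}
	// 2. A single flipped bit in storage is detected.
	tampered := Blob{Nonce: blob.Nonce, Ciphertext: append([]byte(nil), blob.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Open(key, tampered, name); err == nil {
		return false, errors.New("tampered blob opened")
	}
	// 3. Moving the blob to another object name breaks the binding.
	if _, err := Open(key, blob, "exports/2014-07.csv"); err == nil {
		return false, errors.New("blob opened under wrong object name")
	}
	return true, nil
}

func main() {
	ok, err := Demo()
	fmt.Println("client-side encryption checks passed:", ok, err)
}
```

The provider still sees object names, sizes and access patterns, so this protects confidentiality and integrity of the contents, not metadata. The design choice that matters is that the nonce is random per object and the object name is authenticated, which is what makes a swapped or bit-flipped blob fail loudly at Open rather than decrypt to silent garbage.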

Umrysh believes that the time is ripe for a change in attitude, but, as with so much in security, it may not come in a positive way. “I think the first major breach in a cloud environment will be monumental,” he said. “It’ll go prime time. But I don’t want to be that first guy. We need to do a better job together on security as cloud customers. Why are we allowing a cloud provider to say they won’t tell us about their security – and after that, that we can’t use our own encryption?”

In a session titled “InfoSec Impact on Enterprise Strategic Goals,” Jamie Rees, director of information assurance and CISO for the province of New Brunswick, described how his team ensures data security and privacy for the provincial government’s IT back-end, even during major transitions and upgrades.

As you might expect, the process is complex, with a host of variables and potential threats to the security of sensitive information. But Rees maintained that a big part of the job is a question of maintaining and building networks of mutually supporting relationships with other people in other departments within the bureaucracy. Sometimes that means overcoming the resistance of some colleagues who see the security function as essentially a matter of turning down their requests and making their lives harder – a perception echoed in other presentations.

“They have a whole lot more stuff going on than just IT security,” he said. “But I’ve taken a kind of ‘fake it until you make it’ theme – I decided I’m going to just keep showing up. Otherwise it’s just the security guys. I don’t ask – I tell them I’m coming and I work with them.”

The conference continues Wednesday.

  • Michael Heroux

    CANADIAN INTELLIGENCE CAN DO WHATEVER THEY WANT –

    PRIVACY COMMISSIONER OF CANADA – JUSTICE DEPARTMENT OF CANADA

    Michael Heroux said michaelheroux1967@gmail.com

    The Privacy Commissioner Of Canada finally got back to us after ignoring us for quite some time now. When we first contacted her office they wanted more specific information from us to prove to them that the 30-08 warrants Judge Richard Mosley issued were actually for us. We know they have the security clearance to find out and we know they know the warrants were for us but they keep saying prove it. We sent them the names of the first 2 agents they sent to investigate us in 2008 and they didn’t even acknowledge the agents in any way. They didn’t comment on the agents, they didn’t ask questions about the agents or anything. They are just ignoring anything we tell them even though they keep asking for more information. The first 2 agents they sent to investigate us in 2008 were our daughters. Our 2 daughters came back home to live with us in 2008 and told us they were working for Canadian Intelligence. They told us the agent that they were working for wanted them to set us up. It has got us worried. We don’t know whether Canadian Intelligence is playing some sort of sick game with us but a stranger approached us out of the blue last year and told us our daughters have been murdered. We have not heard from our 2 daughters since they were sent back home to investigate us for Canadian Intelligence. All The Privacy Commissioner Of Canada is saying to us is prove it. They want us to name names of the Intelligence agents we met in 2008-2009 but they won’t offer us any protection against further assassination attempts against my wife and kids and me even though they know about the previous attempts. We are still being monitored as I write this and we have reason to believe they are using foreign spies from their international coalition. The last thing The Privacy Commissioner Of Canada did was refer us to the recommendations that she made to Parliament on our behalf.
The same thing is going on with The Justice Department Of Canada, all they want from us is more information from us to prove the 30-08 warrants were for us but even though they know about our daughters working as agents for Canadian Intelligence and they know about the poisonings and assassination attempts against us and they know the 30-08 warrants were for us all they are saying now is they don’t have control over the 30-08 warrant information we are looking for against us and they are saying Canadian Intelligence has the information we are looking for. Both agencies have security clearance and they know everything but they are playing dumb but they still want us to name names about the agents we met between 2008-2009 and neither of them is willing to offer us protection against further assassination attempts against us.
    After our daughters left our home when they were done investigating us in 2008 many agents were contacting us in the beginning of 2009 offering us large sums of money if we left Canada for a while. We knew they were trying to get us to leave Canada but not until Judge Richard Mosley’s decision did we realize why. They were offering us luxury vacations in the sun and basically anything we wanted just to leave Canada for a while. Now we realize it was just a ploy to get their International Coalition involved, we probably would never have been heard from again. They also wanted us to bring our kids along. The good agents were warning us that our life was in danger and they were telling us to move back to British Columbia for our own safety. The local police force would escort us home late at night when we left the downtown area and we always wondered why we were so special. We decided to listen to the good agents and move back to British Columbia for our safety. Just as we were getting ready to move a few agents approached us and offered us $250,000 if we stay in Ontario. We couldn’t believe it. But we left anyways. Thanks for reading.

  • Michael Heroux

    CANADIAN INTELLIGENCE CAN DO WHATEVER THEY WANT –

    PRIVACY COMMISSIONER OF CANADA – JUSTICE DEPARTMENT OF CANADA

    Michael Heroux said michaelheroux1967@gmail.com

    The Justice Department Of Canada finally got back to us after ignoring us for over a month. They are now saying they won’t give us our information they have on us to look over, and they told us they will not answer any more of our requests and to get The Privacy Commissioner Of Canada to investigate why they won’t give us our information. We have contacted The Privacy Commissioner Of Canada numerous times since November 30 2013, the same day the former Privacy Commissioner Of Canada stepped down. We want them to investigate why The Justice Department Of Canada won’t give us our information, but The Privacy Commissioner Of Canada won’t help us get our information. They keep telling us they need concrete proof for them to investigate to get our information. It doesn’t make sense to us. Since we were told to move back to British Columbia in 2009 from Windsor, Ontario for our own safety, we have been kicked out of numerous apartments because of the agents’ harassment and we have been kicked out of Victoria B.C. and Kamloops B.C. by the police and they are now trying to kick us out of Vancouver, British Columbia. They now have 2 apartments around us. They have one beside us and they have one above us. They use both apartments and they are working in shifts. They monitor us from the above apartment and when the one agent is above us monitoring us the other agent is sleeping in the apartment beside us. Approximately every 12 hours they switch, the one upstairs will move to the lower apartment and rest and the one that is rested will take his place. It has been that way now for over 5 years. We know the agent above us is doing the monitoring because when we start talking about them they will start stomping on the ceiling until we stop talking about them. They will also stomp on the ceiling when we are posting online about them, they will try to block our postings by messing around with our internet and they will start stomping.
That is the only time they stomp on the ceiling. They don’t like us talking about them or posting about them. The first assassination attempt against us was in January 2013 when we went to find our one daughter that was working for them to investigate us in 2008. We went back to Windsor, Ontario to find her and we were there for a month looking for her but we couldn’t find her. Just before we came back to British Columbia they sent a gunman to murder my family and me. It was later that year in 2013 that a stranger approached us and told us our daughters had been murdered. We are not sure what to do now. We are on Government disability and we cannot afford a lawyer to represent us and the Government won’t give us our information for a lawsuit against them. They won’t let us post on certain forums anymore, not even Craigslist, they keep blocking our posts on there now. In 2008 an agent told us that the Canadian Craigslist servers were controlled by the Harper Government. We were told they made a deal with Craig and that Buckmaster guy otherwise they would block them from Canada. Sounds strange to me. They won’t let us post on The Globe And Mail website anymore either. Thanks for reading.

  • Michael Heroux

    CANADIAN INTELLIGENCE CAN DO WHATEVER THEY WANT –

    PRIVACY COMMISSIONER OF CANADA – JUSTICE DEPARTMENT OF CANADA

    Michael Heroux said michaelheroux1967@gmail.com

    I don’t know why people are not talking more about why the watchdog of CSIS stepped down. Everyone is saying he stepped down because of a conflict of interest over the pipeline even though he was cleared of any ethics violations. My wife and I have filed numerous privacy complaints with the Privacy Commissioner’s Office Of Canada to investigate the RCMP, CSIS and CSEC but they refuse to help us. They also refuse to help us get our information from The Justice Department Of Canada to look over to see if it is correct. We first contacted the Privacy Commissioner Of Canada Jennifer Stoddart on November 26 2013 about our case against the RCMP, CSIS and CSEC, then we contacted her again on November 28 2013 about our case and that day she changed her mind against BILL C-13, we submitted our case to her on November 30 2013 and that is the same day she stepped down. She was supposed to retire in 2 days after 10 years of service but she stepped down 2 days early because of our case. We read 5 different news articles on November 30 2013 saying she stepped down and when we went back to read those articles 5 news agencies deleted their story about her stepping down early. The Privacy Commissioner Of Canada sent us a letter and tried to tell us that we contacted her on November 19 2013 just before the bill was given to her but that was false, we never contacted her until November 26 2013 and then we contacted her again November 28 2013, and that day she decided against BILL C-13 because of the abuse and assassination attempts against my family and me. I find it strange the same day I revealed online my full complaint against the RCMP, CSIS and CSEC the CSIS watchdog stepped down.
Something that we also think is strange is when we contacted the Justice Department Of Canada looking for information they announced 2 days later they are appealing the decision from Judge Mosley and then they wanted to know why we wanted the information and where and what time we were going to use the information before they give it to us. Now they are refusing to give us our information and they said they will not answer any more of our requests. Something else we find funny is we don’t have to enable our browser history anymore. We can clear our cache and our browser history and cookies and all and it is being cached somewhere else downstream from our ISP or maybe upstream somewhere. We think it is probably being cached by the spy in the adjacent suite. Thanks for reading.

    My wife and I are the two people Justice Richard Mosley was referring to when he ruled CSIS was end-running the law. We have been following this decision very closely, we are being spied on right here in Canada. My wife and I and our 3 children have been abused by the RCMP, CSIS, CSEC and other police forces in Ontario and British Columbia for over 5 years now. I have a mental disability and the police started harassing my family and me when I started using Craigslist 5 years ago, what can I say, we’re swingers. My wife slept with a few of them while I watched. We are not terrorists. It sounds strange but I have been poisoned and my wife has been poisoned for speaking out publicly about the abuse. We have also been assaulted numerous times in the last 5 years. They are listening to us in our bedroom and living room because they let us know by telling us what we are talking about in the privacy of our home. We contacted the BC Human Rights and Civil Rights office last year because the police were trying to run me and my family over on the streets, but they never got back to us. We got a lawyer a couple years ago and the lawyer was able to get them to lay off for a bit. They sent a gunman to murder us last year, we managed to evade him. It also sounds strange but we have a spy monitoring us right now in the adjacent suite to us and they have been there for 15 months now. Since Judge Mosley’s decision they quit harassing us but they are still messing around with our internet and phone communications. Thank God for Judge Mosley, I think he saved our lives. We think the reason they are still watching over us is because of what Judge Mosley referred to as “invasive surveillance techniques” used against the people who had those warrants issued on them. They don’t want us to tell anyone about the techniques used against us for the last 5 years. Pretty sophisticated alien technology if I do say so myself. Pretty cool actually but we don’t plan on telling anyone.
We are patriotic Canadians and we hate terrorists like everyone else but we don’t want to see people abused. Caught up in the fish net so to speak. They have tried to set us up numerous times for arrest over the last 5 years to get their hands on us and make us look like the bad guys but we have managed to evade those attempts also.

    My wife and I are concerned because Canada Post is being scaled back and it has got us worried. We use open source software for our operating system. In the last 5 years our privacy has been majorly violated. We are most concerned about our communications being sanitized. We no longer have control over who we can make contact with through electronic means. We can only contact people in person for representation so most people not within our city are off limits to us. We realize we are being followed and are being listened to in the privacy of our own home and our home has been entered numerous times when we are not home by intelligence but our means of communications are being sanitized. 5 years ago we noticed rootkits being installed on our operating systems and I was able to set up honeypots and found they were being installed by the military. Since then, we switched to virtual machines from static medium verified with sha512sums (DEBIAN KNOPPIX) to get a malware-free system each boot. The only website we use is Craigslist and we have met RCMP agents through Craigslist who wanted us to work for them to help them entrap people from terrorists to gangsters. We believe they were just looking for patsies though. I used to work for the RCMP over 20 years ago to infiltrate criminals and make arrests but I quit working for them because they wanted me to set people up that weren’t even breaking the law. For the last 5 years we have used Gmail and we have had numerous internet suppliers and numerous Gmail accounts and we have noticed people we have been emailing and people emailing us have not been getting the emails even though Gmail says they have been sent. We use an SSL connection so our communications are encrypted. The same thing applies to our text messages, we have used Rogers for internet, text and phone for the last 5 years.
We have noticed our postings on certain forums are not showing up or they are being deleted as we are writing them right before our eyes or our browsers are being closed as we are writing stuff. Our computers are being shut down and our cell phones are being shut down as we are trying to correspond with people. We have realized that people have been contacting us through our email and our cell phones claiming to be people we know like family members for instance but we know they are imposters. We have tried contacting Human and Civil Rights advocates through electronic means but have had no replies. We have even tried to contact legal representation through electronic means but have never heard anything back over the years. It sounds strange but a gunman was sent to kill us early last year but we managed to evade him. Shortly after that someone tried hiring a hitman through the SILK ROAD website to kill us. At first when the website was taken down by the FBI the owner said the hit was for a father of 3 from Vancouver but later he admitted it was for the whole family of 5, a husband, wife and 3 children. We have been poisoned numerous times in the last 5 years and I have numerous painful swollen lumps throughout my body. Strangers have come up to us on the streets and have told us I have cancer. I went to the emergency room last year because my brain was swelling in my head and my eyes were bulging and I was having severe headaches and the doctor didn’t want to treat me and sent me home. Thanks for reading.