Friday, November 18, 2016

Becoming a Payment Card Industry Professional (PCIP)


I am very proud to say that I now hold the Payment Card Industry Professional (PCIP) certification. The journey took me about six months to complete, and I'll share some tips and experience I picked up on the way to becoming certified.

The registration process starts by submitting your application, together with supporting documentation, to the PCI Council via their website. Approval typically takes about two weeks, and the Council may ask you for proof of work experience and of additional security certifications. In my case I have been fortunate to have about a decade of experience in the InfoSec field in general, and three years working for clients who need to be PCI-DSS compliant.

What do you need to do?

Once your application is approved you need to attend the PCIP course, which is offered either on-line or classroom based. If you are new to the PCI-DSS field I would strongly suggest attending the classroom training, as access to the instructor and conversations with peers in the industry can be invaluable. If you already have PCI-DSS experience, the on-line course will suffice.

Once you have completed the course, the PCI Council registers a user ID for you on the Pearson Vue website and provides you with a voucher for the exam. Booking the exam on the Vue website is up to you. It is important to note that the voucher must be used within 30 days of your training. If you fail the exam you can book to take it again at your own cost. If, heavens forbid, you fail it a second time you will have to attend the PCIP course again.

Preparing for the exam

First and foremost, know the PCI-DSS 3.2 standard inside out. You do not have to memorise which number belongs to which requirement (what 3.2.1 states, etc.), but you do need to know how to successfully meet every requirement. In my case there was also a strong focus on the various Self-Assessment Questionnaires (SAQs) and on the cases in which each one applies. I was not tested on Reports on Compliance (ROC) or Attestations of Compliance (AOC) at all.

You should also know when encryption, strong cryptography, hashing, tokenization and masking should be used, as well as the difference between them. Make sure you know exactly when Compensating Controls are allowed and what the requirements for accepting them are. I got maybe one or two questions from the supplemental guidance documents (specifically the Virtualization and TLS ones). You don't have to study them in depth, but do read through them and understand their intent.

Next Steps

I find assisting our clients on their path towards PCI-DSS compliance to be an extremely challenging and rewarding endeavour. As such, the next step on my journey is to become a PCI Internal Security Assessor. I believe this will add tremendous value over and above that which we already provide to our clients in the financial services sector.

Thursday, November 17, 2016

Mitigating the BlackNurse attack on Cisco and Fortigate equipment


"Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls.  Most ICMP attacks that we see are based on ICMP Type 8 Code 0 also called a ping flood attack. 

BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. 

Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1 Gbit/s Internet connection." – as per 

Securing Fortigate

Andras the Techie created a Fortigate IPS signature to detect and drop this traffic. It matches ICMP Type 3 Code 3 only, and the --rate 250,1 option makes it a rate-based signature: it triggers once more than 250 matching packets are seen within one second, so ordinary, low-volume unreachables are left alone. Note that the custom signature needs to be closed with next and end for the configuration to be committed:

config ips custom
    edit ICMP.Blacknurse
        set signature "F-SBID( --name \"ICMP.Blacknurse\"; --protocol icmp; --icmp_type 3; --icmp_code 3; --rate 250,1;)"
        set severity medium
        set location server
        set application Other
        set action block
        set status enable
    next
end

His blog post also contains instructions on how to apply it to your policies.
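As an added example (not code from the original post, from Andras the Techie, or from Fortinet), the following Python reproduces the logic behind that signature's --rate 250,1 clause in software: it counts ICMP Type 3 Code 3 packets per source in a sliding one-second window and alerts once a source crosses the threshold, while a Type 8 ping flood of the same size is ignored by design, just as the signature ignores it. The packet records, the addresses (taken from the documentation ranges) and the firewall address are constructed for the example.

```python
"""Sliding-window detector for the BlackNurse pattern (ICMP Type 3 Code 3 floods).

Added example, not part of the original post. It mirrors the IPS signature's
match fields (protocol icmp, type 3, code 3) and its "--rate 250,1" clause.
All packet records below are constructed, not captured.
"""
from collections import defaultdict, deque

ICMP_DEST_UNREACH = 3   # ICMP type 3: destination unreachable
ICMP_PORT_UNREACH = 3   # code 3 under type 3: port unreachable
ICMP_ECHO_REQUEST = 8   # type 8: classic ping flood, deliberately not matched


def is_blacknurse_packet(pkt):
    """Same match as the Fortigate signature: icmp, type 3, code 3."""
    return (pkt["proto"] == "icmp"
            and pkt["type"] == ICMP_DEST_UNREACH
            and pkt["code"] == ICMP_PORT_UNREACH)


class RateDetector:
    """Software equivalent of '--rate <threshold>,<seconds>'.

    Keeps, per source address, the timestamps of matching packets that fall
    inside the last `window` seconds and alerts once per source when the
    count reaches `threshold`.
    """

    def __init__(self, threshold=250, window=1.0):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)   # src -> timestamps of matching packets
        self._alerted = set()

    def feed(self, pkt):
        """Return an alert dict if this packet pushes its source over threshold."""
        if not is_blacknurse_packet(pkt):
            return None
        src = pkt["src"]
        q = self._seen[src]
        q.append(pkt["ts"])
        # Expire timestamps that fell out of the sliding window.
        while pkt["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return {"src": src, "dst": pkt["dst"], "count": len(q),
                    "window": self.window, "ts": pkt["ts"]}
        return None


def scan(packets, threshold=250, window=1.0):
    """Run the detector over a packet list (any order) and return all alerts."""
    det = RateDetector(threshold, window)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        alert = det.feed(pkt)
        if alert:
            alerts.append(alert)
    return alerts


def _mk(ts, src, dst, icmp_type, icmp_code):
    return {"ts": ts, "src": src, "dst": dst, "proto": "icmp",
            "type": icmp_type, "code": icmp_code}


FIREWALL = "192.0.2.1"   # constructed: the firewall's outside interface


def constructed_sample():
    """Constructed traffic: one BlackNurse source, one ping flood, one benign source."""
    pkts = []
    # BlackNurse: 300 type 3 / code 3 packets from one source within 0.9 s.
    pkts += [_mk(10.0 + i * 0.003, "198.51.100.7", FIREWALL, 3, 3) for i in range(300)]
    # Ping flood of the same size: type 8, so the signature (and this code) ignores it.
    pkts += [_mk(10.0 + i * 0.003, "198.51.100.8", FIREWALL, 8, 0) for i in range(300)]
    # Legitimate unreachables: 100 packets spread over 5 s, never 250 in one second.
    pkts += [_mk(10.0 + i * 0.05, "203.0.113.5", FIREWALL, 3, 3) for i in range(100)]
    return pkts


if __name__ == "__main__":
    for a in scan(constructed_sample()):
        print("BlackNurse suspected: %s -> %s, %d pkts in %.0fs"
              % (a["src"], a["dst"], a["count"], a["window"]))
```

Only the 198.51.100.7 source is reported: the ping flood fails the type/code match, and the benign source never accumulates 250 packets in any one-second window. The threshold and window are parameters of scan(), so the same code can be tuned the way the --rate values in the signature would be.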

Securing Cisco

The best option is of course to filter this traffic upstream, before it reaches your firewall. On a Cisco IOS router the rate of ICMP unreachable messages can be limited as follows. Note that ip icmp rate-limit unreachable throttles the unreachables the router itself generates; to drop a flood of inbound Type 3 Code 3 packets destined for the firewall you additionally need an access list, or a policer, on the inbound upstream interface:

config t
ip icmp rate-limit unreachable 100 1000
do copy run start

The equivalent command on Cisco IOS-XR (again limiting the router's own generation of unreachables) is:

icmp ipv4 rate-limit unreachable 2000