GSI Blog: The Nest

Join GSI at the Kansas City Interface 2010 Conference... Because the Threat Never Sleeps

ckephart — Mon, 10 May 2010 13:04:00 -0500

We hope you can join GSI at Interface 2010, the industry's leading security and disaster recovery conference offered today. Interface is a single-day IT conference addressing the advances in information security, disaster recovery, business continuity, data storage and regulatory compliance. The conference is put on by Face-to-Face Events, and will truly hold up to that name. Interface prides itself on educating, as opposed to selling, and provides the optimal setting for “B2B matchmaking” and quality face-to-face time.

GSI will be exhibiting at the conference, so please stop by our booth to learn how we can help with your security and business needs. GSI's security and disaster recovery expertise is second to none. We were the first hosting company in the world to meet the stringent security criteria imposed by the payment card industry (PCI) in 2004, by becoming 100% PCI DSS compliant for managed services. Since then, we have helped numerous clients achieve and maintain their own security compliance, and we continue to perfect our processes and ability to address the critical security needs of our clients.

Interface will be held Thursday, May 13, at the Kansas City Downtown Marriott from 9:00 a.m. to 4:30 p.m. The event is by invitation only, so please contact Kristine Hansen, our business development manager, to RSVP. She can be reached at khansen@gsihosting.com or (816) 222-1210. Also, you can check out the events page on our website to RSVP: http://www.gsihosting.com/events

For more information about Interface 2010, you can visit http://www.f2fevents.com/. We look forward to seeing you there and hope everyone has a safe and secure day!

GSI Hosting Gets Fit

ckephart — Tue, 30 Mar 2010 18:28:00 -0500

Congratulations to GSI's own Candace Sheldon, who was honored with being the "Most improved woman 50 or older" in Ingram's 2009-2010 Fittest Executives and Fittest Companies Challenge.

Candace joined up with three other GSI folks – Mark Hotalling, Jerad Riggin and Adam Ward – to compete in Ingram's challenge, which ran from October 1 through the end of 2009. The competition was based on the belief that a "top-down corporate emphasis on employee fitness could help achieve bottom-line results with a fitter work force." During the three-month challenge, participants were armed with detailed measurements of their own health metrics, and focused on their primary areas of concern, such as losing weight, or improving blood pressure and cholesterol levels, aerobic capacities, strength and flexibility measurements.

Candace earned the "most improved" stature due to her improvement in all categories. She attributes her success in the program to both eating healthier and exercising regularly. She and her teammates committed themselves to working out in GSI's exercise facility 4-5 days a week – specifically following the P90X workout regimen. Candace also eliminated sugar, flour products, and alcohol from her diet – instead snacking on fruits, vegetables and more protein-rich foods. She followed the guidance of a nutritionist and also hit the tread mill every evening after work. And the results were great – she lost 9 pounds during the competition (even including the holidays) and another 6 since then. Not only that, but Candace is now seriously motivated to continue her fitness routine.

Candace signed up for the Ingram's challenge as part of GSI's corporate team, motivated by the thought of getting in better shape and losing a little weight, as well as the desire to set a good example for her GSI co-workers in promoting wellness. The support of her teammates, she says, made it easier to achieve positive results. Just like the premise GSI stands on as a company – that the support our GSI ServerHeroes lend one another enables us to collectively achieve great things for our clients.

"If you really decide you want to do something and are diligent in your approach, you can achieve anything," says Candace. Simply enough said, but a lesson for all of us in our personal and professional lives. Candace's success brings home the reason why I'm proud to work for a company like GSI with dedicated co-workers like her – true to GSI's tagline, "Let's get it done right," we have the desire to achieve, and we take the extra measures to do so.

Comparing managed service providers: SERVICES vs services

ewelsh — Mon, 22 Feb 2010 10:50:00 -0500

Part of selling GSI's managed services is dealing with the competitive comparison issue, as prospective clients attempt to determine which managed service provider is the best fit for their IT management needs. The need to compare GSI versus our competition is understandable, but what do you do when there is little to compare us against?

The old and overused idiom, "Apples to Oranges" comes to mind, but does not accurately describe the situation. GSI is most often compared to "hosting" companies because we have hosting capabilities, but to say we are just a hosting company is grossly inaccurate. GSI is a managed services company with hosting capabilities. We provide the entire service – soup to nuts. Most competitors, while they claim to offer a total solution, barely get to the soup.

Maybe a metaphor using the auto repair industry can help clarify our situation as it relates to comparison shopping.

Space. Every auto repair shop must have a garage in which to put the equipment and vehicles involved. Much like IT hosting companies must have data centers. It is a given that one garage looks much like another. Picking an auto repair shop solely on the presence of a garage would not be prudent. The need for them to have a workable and available garage is a requirement, but you need more criteria to narrow down your comparison. The same goes for hosting companies and their data centers.
Range of services. Another area of comparison is the type of auto repair services and the expertise with which they are provided. A lot of shops provide standard services and have qualified technicians to provide those standard services on the most common vehicles. These services work fine for a standard high-production vehicle. What happens if your vehicle is a specialized, custom-built unit? The number of auto repair shops that can provide you services drastically decreases. Your selection now depends on the unique traits of the specialized services you require. This applies to IT services, as well. IT systems requiring advanced security and regulatory compliance necessitate specialized services, and narrow your service provider options.
Who performs the actual work? Let's muddy the waters a bit and carry the metaphor further. Say you have narrowed your auto repair provider selection down to three shops. They all three advertise knowledge of your specialized vehicle. Each shop defines their services using similar terms. Even so, as you dig into one shop's methods, you find that they provide work space and tools, but do not actually do the work. You and your brother-in-law will need to be available to actually perform any work. This kind of discrepancy can be very difficult to discover when picking an IT services provider, and it is painful to realize it after contracts have been signed with an auditor breathing down your neck.
Do they need direction from you? So, now you are down to two shops that may be able to perform work on your specialized vehicle. As you question the two, you again find a deficiency in one of them. They have the capabilities, the tools and the space, but they can only do exactly what you tell them to. They cannot or will not assist with designing your solution, and cannot point out issues you will encounter, much less account for them. This, again, puts you in a hot seat. Your services contract has turned into space and tools for you to implement.
Finally ... the needle in the haystack. The last shop you review meets all the requirements and represents the complete solution. Almost like having a dedicated race crew to work on your specialized vehicle. Clearly this is the best choice for the services you need, but it was not easy to identify them. There were not many clues to lead you to them. All the same terminology was used to describe the services, and all three shops were giving assurances that you would get the services you expect.

There are only a small handful of managed security service providers that actually take on the specialized tasks for regulatory compliance, yet you will find many claiming to do so. They all use the same language to describe what they provide, but many simply provide the tools. Since most regulatory requirements include an analysis component, any service provider that is not doing analysis along with data collection will not meet the requirements. Yet they will advertise a fully compliant service offering by assuming the client will spend the time necessary to cover the analysis needs.

When GSI states that a service we provide can meet a requirement, we mean that the service fully meets the requirement. Just as if a full IT team were hired on. The challenge is educating prospective clients on the difference when being compared to providers with less-developed ideas about services.

The Rising Costs of Data Breaches

ewelsh — Fri, 12 Feb 2010 10:58:00 -0500

When a company fails to show even basic security capabilities, causing a breach, a knowledgeable public takes their business elsewhere.

An interesting site to read through is the Ponemon Institute, which includes independent research on privacy and IT security issues.

One of studies that caught my eye involved the cost of data breach.

The study I reviewed dealt with data from 2008, and compared the data to 2007. It also reviewed the impact of both direct and indirect costs. Direct costs are the efforts taken to remediate the direct causes and cleanup of a breach. Examples would be: hiring consultants, implementing technologies, or providing credit protection. Indirect costs tend to be costs to business that are not directly attributable to a breach, yet still feel the impact of a breach. Examples would be: customer churn, lost prospects, reputational impacts, or additional support costs.

The overall result of the study shows that direct and indirect costs are rising. This reflects the vast amount of attention that has been given to breaches -- even as far as state governments legislating how the breach victims must be notified. As companies involved in data breaches learn the proper ways to handle the event, the costs will rise due to their increased engagement. In the past, a breach could be handled internally with little external involvement. No longer is this the case. A company with a breach had better be able to show due diligence by engaging professionals to remediate.

Additionally, the general public, which is increasingly plugged in and online, has become savvier regarding how their data should be handled and protected. When a company fails to show even basic security capabilities, causing a breach, a knowledgeable public takes their business elsewhere.

Something to note is that customer churn rates due to a breach event were highest in the healthcare industry. It seems folks care more about their doctors/hospitals losing their information than they do their financial institutions.

One of the most relevant discoveries in this report is that breaches involving third-party or partner mistakes are the most expensive to remediate, and that 44% of the breaches reviewed involved third-parties. There is not really a good reason as to why third-party involvement causes a breach to be more expensive, but we can guess that inefficiencies are introduced when a third-party must be taken into account. The lesson is to only share data with third-parties you are sure have a good security program that includes event handling capabilities.

Below are some statements directly from the report that I found relevant. These do not represent the full report, and an interested person should read directly from the links provided below.

Over the past four years, lost business cost component grew by more than $64 on a per-victim basis, or a 38% overall percentage increase. Our research finds organizations in highly trusted industries, such as banking, pharmaceuticals and healthcare, are more likely to experience a data breach with high abnormal churn rates. In contrast, retailers and companies with less direct consumer contact seem to experience a lower overall data breach cost.

The most significant cost decrease concerns ex-post response, which implies organizations are becoming more cost-efficient in their management of the data breach. Despite efficiency gains, consulting, legal defense and, as mentioned previously, lost customer business have increased in this year’s study.

The range of total cost among the 43 data breach incidents contained in this year’s study is a minimum of $613k to more than $32 million. The magnitude of the breach event ranged from 4,200 to 113,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.

In this year’s study, average abnormal churn rates across all 43 incidents is 3.6%, which was measured by the loss of customers who were directly affected by the data breach event (i.e., typically those receiving notification). The abnormal churn or turnover rate in 2007 for customers receiving notification was 2.7%.

Healthcare and financial service companies have the highest average rate of churn at 6.5% and 5.5%, respectively. High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data. Thus, consumers may have a higher expectation for the protection and privacy of their financial and healthcare records.

Over 44% of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties are the most costly. This could be due to additional investigation and consulting fees. As shown in Bar Chart 5, per victim cost for data breaches involving third parties is $231 versus $179, more than a $52 difference.

Internal Penetration Testing: Server Only Environments

ewelsh — Mon, 01 Feb 2010 14:14:00 -0500

PCI DSS requirement 11.3.1 indicates the need for annual network penetration testing, which includes an "internal" penetration test by an experienced security tester. GSI has always supported this activity by working with whomever our clients ask to perform the testing. This requirement can be met by using experienced internal staff or third-party professionals (see 11.3 Supplement), and we have seen both. Even though the selection of who does the testing is easy to make, the location in the network from which to perform the internal testing is another matter.

The environments GSI manages at PCI levels of security are particularly isolated with strong two-factor controls required for all administrative entry points. These environments are characterized by strict firewall change-control procedures and system hardening with accompanying audits. Another feature of these secure environments is the complete lack of desktop-level systems. Environments meant to house highly secure single-function payment processing systems do not require the abundance of services seen in systems that support desktop access for users. There are not any personal directory shares, email clients, productivity packages, or Internet user communication technologies present on these systems.

All of this culminates into a distinct lack of what the PCI DSS would determine to be an "internal" network.

So where does that leave us regarding internal penetration testing for requirement 11.3?

There are two scenarios that can play out:

One is for the client tester to be placed directly into the cardholder environment. This type of test assumes the attacker has compromised at least one system in the environment. The result of this test reflects how much information could be accessed post-compromise. Many QSAs will accept this as a proper internal test of the environment even though it is not strictly adhering to the intent of 11.3. In my opinion, it is not a valid test of risk exposure for the environment, because it completely disregards the security protections it is meant to test.

The second scenario is for the client's QSA to give them a "pass" on the internal penetration test requirement with the knowledge that, by definition, an internal penetration test is not possible. There is not an internal network to test from. We are starting to see more of this as QSAs better understand how the environments are managed at GSI. This decision is not arrived at lightly and even when the QSA gives a pass for an internal penetration test, it is only after the environment meets specific criteria. We must prove that administrative access is strictly protected by two-factor authentication and VPN connectivity. We also must show that there are not any desktop networks directly connected to access shares or services. At GSI, this is easily done with configuration diagrams and firewall configurations.

I have stated in a previous article that the PCI standards will inevitably lead to risk-based implementations. The ability for highly protected environments to forgo an internal penetration test is an excellent example of how a QSA can take the risk approach into their own hands and utilize the PCI standard in a flexible way to meet the intent, save clients money, and concentrate security where needed -- all at the same time.

Expand your business network at the upcoming Accelerent breakfast!

khansen — Wed, 13 Jan 2010 15:25:00 -0500

If you aren’t already familiar with Accelerent, but you are interested in a fantastic avenue for getting to know the KC business community, I’d like to share some information with you. GSI is a member of Accelerent, which is essentially a corporate business development organization made up of C-level execs in the Kansas City area. Currently, the organization has about 35 members, consisting of a wide variety of companies in the KC area. While they continue to recruit new member companies, they are also diligent about making sure that no two member companies are from the same industry. This is a great practice as it means that the group represents a broad spectrum of industries -- and also creates a tighter relationship among member companies without the presence of a competitive factor.

The organization hosts about 9 or 10 breakfasts throughout the year for its members and guests. We get together, listen to a featured speaker (always someone truly inspirational with their amazing achievements) and spend time meeting corporate executives from our area – an excellent opportunity to learn more about their businesses, as well as educate others about our own. At the last breakfast, we had more than 300 attendees – a prime opportunity for corporate networking and opening up doors for new business!

The next Accelerent breakfast is Friday, January 22, at 7:00 a.m. in Overland Park, KS. Peter Vidmar, the former Olympic gymnast, will be the featured speaker – and I’ve been told he is wonderful. You have to be either an Accelerant member or an invited guest to attend. So if you have even the slightest interest in coming, please do so, as my guest. (Please email me to RSVP.)

Now for the particulars. Prior to the actual breakfast, there is an Expo from 7 a.m. to 8 a.m. This is where introductions take place. If you’d like to see a list of attendees, let me know and I can send you a list of those who have RSVP’d so far. The next step would be for you to let me know if there is anyone on the list that you would like to meet (yes, I’ll make sure that happens!). Obviously, you are welcome to roam the room and make your own introductions, which I also suggest.

If this is of any interest to you, email me at khansen@gsihosting.com and I can do the registration for you. In addition, you are welcome to invite up to three clients of your own.

I sincerely hope that you – or any of your coworkers or clients you invite – decide to join us. I promise you won’t be disappointed!

Clients, Not Customers

kkephart — Tue, 12 Jan 2010 11:48:00 -0500

I insist that our GSI associates refer to the people and companies who favor us with their business as clients. I admit...it's an obsession with me. I am so passionate about the client reference that when someone utters "customer" within earshot of me, the offending speaker generally knows that a well-placed rebuke will shortly follow. I've never sentenced anyone to spend an hour in time-out or put their nose in a circle on the wall; however, most everyone understands that employing "customer" in a conversation at GSI will generate a correction.

My devotion to client is all about respect – respect for the people who have trusted us with their mission-critical processes, respect for the close relationships that we have developed in supporting those processes, and respect for caliber of service delivery our ServerHeroes teams provide 24/7. We are not selling hamburgers or tanks of gas where one source is just about as good as the other. Nor are our associates manning the drive-thru lane or considering "have a nice day" as the ultimate measure of service at check-out. We are important components of our clients' businesses, and in order for GSI to exceed expectations, our associates need to understand and respect the confidence that our clients have placed in us.

Customers produce revenue – clients produce relationships. GSI is so devoted to getting the relationship right that we diligently work to know our clients' businesses, and the business processes that we are supporting. We employ our Service Quality Framework to not just define monitoring, management and escalation requirements, but to summarize the business functions and underlying dependencies that will allow our ServerHeroes to support those critical processes as if we were the clients' employees. We assign dedicated teams to specific clients in order to develop a deep knowledge of the clients' businesses, as well as their IT environments. We respond to requests and issues with haste, knowing that our clients depend upon us to do so around-the-clock. We do all of this because we desire to have long-term relationships built upon mutual respect and trust – it's about more than just the revenue.

So if you don't have a satisfactory relationship with your current service provider, go to their web site and see if you find "customer service" or "customer portal." That might indicate they are more interested in your revenue than your relationship. And then contact GSI and explore what a real service provider relationship can be.

Managed Hosting Compensating Controls

ewelsh — Mon, 28 Dec 2009 10:27:00 -0500

Briefly: What is a Compensating Control?

The Payment Card Industry Data Security Standard (PCI DSS) roughly defines compensating controls as a method to meet the intent of a DSS requirement, while not implementing the control as written by the PCI Security Standards Council. This was a smart move on the part of the Council. They are saying that the prescriptive requirements may not be the best way for all situations and allow implementers to work outside the box, as long as the intent of the standard is being met.

Compensating controls have become necessary for situations where the combination of technical and business constraints prevent a control from being implemented. The typical reason for implementing compensating controls is the inherent expense involved with implementing the original DSS controls. This is not surprising considering the requirements for such things as automatic access control management, centralized logging, integrity monitoring, and all the vulnerability management technologies.

QSA's Perspective on Compensating Controls

QSAs (Qualified Security Assessors) really dislike compensating controls. It has been my experience that the dislike is due to the additional effort required to report compensating controls. For a QSA, the DSS is a list of requirements for which they test the controls. A compensating control does not have a clean pass/fail and must be fully documented in the Report on Compliance (RoC) in such a way to fully explain how it meets the intent of the requirement it replaces. Further, the QSA cannot simply use documentation provided by the merchant/service provider. The QSA must fully understand the new control so that they can make a judgment call as to whether it meets the original intent, as well as document it for the RoC. An assessment that involves multiple compensating controls will drag out much longer than one without them. Many assessment engagements use a fixed project pricing method, which means the longer an assessment takes, the thinner the profit margin for the assessment company.

Managed Hosting Impact on Compensating Controls

Compensating controls all by themselves are a wrench in the PCI DSS assessment process. Add in a third-party managed hosting provider and things get real sticky. Especially if the hosting provider does not fully support the PCI requirements, leaving the client to dig details out of a set of offsite tools that only partially describe an environment. A managed hosting provider utilized for systems requiring PCI DSS compliance will need a capability to deal with compensating controls. It means providing reasonable customization with the expertise to understand how that customization will affect a PCI DSS assessment.

Being a managed services provider, GSI must deal with the engineering, documenting, and implementation of compensating controls for client PCI DSS environments. It is not easy and there are many challenges. Any customization that pushes the boundaries of our standard operating procedures risks failure, and we must be vigilant with our audits and reporting to catch any discrepancies. Still, without doubt, it is worth having the capability to do it. Having that flexibility really tells the story when our clients continually pass PCI DSS assessments year after year.

False Positives and Data Security

crickel — Thu, 12 Nov 2009 12:09:00 -0500

This came up as a rather entertaining political science question the other day. "It is better for N many criminals to go free than for 1 innocent person to be punished." This concept goes way back to the 18th century, originated by English judge William Blackstone. It is now known as Blackstone's Ratio in criminal law.

A few years ago, the National Center for State Courts ran an experiment where they compared cases when both the judge and the jury could submit guilty/not-guilty verdicts. Through signal analysis, they could predict not only what percentage of the time they disagreed, but predict who was wrong. The results pointed to approximately 17% of the jury verdicts being incorrect and "N" equaling roughly 1.43 guilty parties let go per innocent punished. On the other hand, about 12% of the judge's verdicts were incorrect leading to an N of 0.1 (1 guilty person let go for every 10 punished innocent people).¹

Blackstone's pick for N was 10. My assumption for the reason behind the change in this ratio is that in the last 200 years, with tools such as modern forensic evidence, DNA sampling, fiber testing and omnipresent video cameras, we have made significant strides in being able to exonerate innocent people before the fact, and only bring guilty parties before the court.

In data security, we're continually bombarded with "false positives." We get false positives when our tools are set to be too sensitive – but most admins prefer this to the alternative of having them not be sensitive enough and miss an event entirely! This is not a new problem – what is new is that our tools are evolving in a way to reduce the amount of alerts we receiving, letting us take more time to analyze the ones that really need our attention.

As technology advances, we'll continue to lower the number of false positives we get, improving our organization's Blackstone Ratio – and this ratio is something that you can measure and prove to others that your security is improving over time. In the last year at GSI, we've dropped our false positives by 73.6% through reconfiguring and tuning our current monitoring systems. Additionally, we recently installed more security appliances that are even more accurate, so I expect this trend to continue. All of this adds up to data center security that's more accurate, more effective – and more measurable.

Footnotes
1. Spencer, Bruce, On Measuring the Balance between Wrongful Convictions and Wrongful Acquittals in Criminal Trials (November 7, 2007). 2nd Annual Conference on Empirical Legal Studies Paper. Available at SSRN: http://ssrn.com/abstract=997188

Hosting Biz Apps Online

rgreenhagen — Thu, 05 Nov 2009 14:01:00 -0500

GSI founder Robin Greenhagen discusses cloud computing for small businesses in the November 2009 issue of KC Small Business magazine. The online version is available here: http://bit.ly/5nGcBP