topic Re: $724 for two beers in Industry News

$724 for two beers

denbesten — Tue, 01 Oct 2019 17:13:49 GMT

Interesting story of a control saving the day (or at least $724). A customer had his credit card pre-configured to send alerts to his phone. He orders two beers. An employee skims his card. The customer is alerted to a $724 charge, complains to the supervisor, and the employee is arrested.

From a CISSP perspective, is the control:

A) an audit control,

B) a detective control,

C) a preventative control,

D) a remediation control, or

E) a mitigation control?

---- stop ----- think ---- answer ---- proceed

A) Audit control is not really a thing, although it does bring to mind the concept of "Internal Controls", of which there are two types - preventative and detective.

B) The control in this case is the charge-alert, which is a detective control because it was designed to find the problem after it occurred.

C) A preventative control keeps the problem from happening in the first place. Although the control was set up in advance, that does not inherently make it a preventative control. An example of a preventative control would be the use of customer-facing terminals because the employee would no longer have the opportunity to skim.

D) In and of itself, remediation is not a "control". Remediation is repairing damage identified by a control. In this case, remediation was reversing the charge and comping the beers.

E) Again, mitigation is not a control. Mitigation is minimizing risk. In this case, mitigation was the customer signing up for charge alerts. Although mitigation often involves implementing either a detective or preventative control, mitigation refers to the implementation, not to the control being triggered.

Best Answer: B

Back to the story, the one annoying thing is that the employer gave kudos to the supervisor for calling the cops and highlighted their own security measures, whereas the credit truly goes to the customer for his/her diligence and perhaps to the credit card company for implementing mobile alerts.

I have long had charge-alerts enabled on my cards. You might consider enabling them too.

Re: $724 for two beers

dcontesti — Tue, 01 Oct 2019 17:28:33 GMT

Employer is probably concerned they will lose huge contract and need to make themselves look good.

As to the customer, glad to see they are at least aware of some of the measures available to protect themselves....too bad more folks aren't/

Re: $724 for two beers

JoePete — Tue, 01 Oct 2019 19:13:47 GMT

@denbesten wrote:
Interesting story of a control saving the day (or at least $724).

In truth, the consumer at the Dolphins game who discovered the fraud was on tap (pun intended) for likely $0. Fair credit reporting act limits someone's liability to $50 if their physical card is stolen, but if it is your number that is stolen (e.g. skimming), your liability is $0. The underlying premise is that you should be aware when a physical thing is stolen and thus have some responsibility to report it.

In a nutshell, all the garbage that banks and credit card issuers throw at consumers about ensuring "their security" is just that - garbage. They are really covering their own behinds because they are on the hook for the fraudulent charges.

And if the concern is identity fraud, the consumer should have called Federal Trade Commission and complained that the Miami Dolphins are impersonating a football team ...

Re: $724 for two beers

rslade — Tue, 01 Oct 2019 19:15:39 GMT

> denbesten (Community Champion) posted a new topic in Industry News on 10-01-2019

> Interesting story of a control saving the day (or at least $724).

OK, I don't trigger on beers, but, as the inventor of the controls matrix, you had
me at "control."

> A customer
> had his credit card pre-configured to send alerts to his phone. He orders two
> beers. An employee skims his card. The customer is alerted to a $724
> charge, complains to the supervisor, and the employee is arrested. From a
> CISSP perspective, is this: A) an audit control, B) a detective control, C) a
> preventative control, D) a remediation control, or E) a mitigation control?
> ---- stop ----- think ---- answer ---- proceed

And, in terms of posing this as a question, I am definitely looking at how well it
works as an actual exam question. (First point: questions have four options, not
five.)

> A) Audit control is not really
> a thing, although it does bring to mind the concept of "Internal Controls", of
> which there are two types - preventative and detective.

OK, you are hung up on vocabulary, here. While the jargon is, often, important,
there are many questions that deliberately do *not* use specific terms, in order to
determine whether you have the concepts down. True, audit does not appear on
either the mil/gov or the business list of controls. But audit is a specialized case of
detective control (from the mil/gov list) and also comes under administrative
(from the business list).

Audit is *not* preventive (not preventative) unless coupled with a specifically
preventive reaction in real time.

> B) The control in this
> case is the charge-alert, which is a detective control because it was designed
> to find the problem after it occurred.

Correct.

> C) A preventative control keeps the
> problem from happening in the first place. Although the control was set up in
> advance, that does not inherently make it a preventative control. An example of
> a preventative control would be the use of customer-facing terminals because the
> employee would no longer have the opportunity to skim.

Again, customer-facing terminals are not preventive: not unless you can guarantee
that the customer (read "user") would actually pay attention, undertand what was
being displayed, and react appropriately to an overcharge. Customer-facing
terminals would simply be another detective control.

> D) In and of itself,
> remediation is not a "control". Remediation is repairing damage identified by a
> control. In this case, remediation was reversing the charge and comping the
> beers.

"Remediation" is another word for "corrective" which *is* on the mil/gov list.

> E) Again, mitigation is not a control. Mitigation is minimizing risk.
> In this case, mitigation was the customer signing up for charge alerts.
> Although mitigation often involves implementing either a detective or
> preventative control, mitigation refers to the implementation, not to the
> control being triggered.

True, I'd have a bit of trouble with mitigation as a specific contol, but it comes
close to "compensating" or "preventive" on the mil/gov list.

> Best Answer: B

Overall, I'd agree, but I think you need to work on the question a bit before you
submit it to the exam committee.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
There is only one thing more painful than learning from
experience, and that is not learning from experience.
- Archibald McLeish
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: $724 for two beers

JoePete — Tue, 01 Oct 2019 19:33:12 GMT

@denbesten wrote:
From a CISSP perspective, is the control:

A) an audit control,
B) a detective control,
C) a preventative control,
D) a remediation control, or
E) a mitigation control?

I've been working in this industry since the '90s, and the only time I have ever thought in this kind of a framework was when taking the CISSP exam. Let the debate over the value of vocabulary begin. In the meantime I will ponder that a Mac never used MAC but obviously had a MAC address, that could be incorporated into a MAC, but I have no idea if it ever had a MAC unit.