PCI Data Security Standard 1.2 not much better than version 1.0
September 24, 2008
According to various news reports, the PCI Data Security Standard 1.2 isn't much better than its previous version, and commentary is expected from security analysts and from the many others trying to promote the benefits that the extended compliance guidance in 1.2 holds for the Internet community as a whole.
Overall, PCI has not kept pace with current threats or technological advances, allowing dangerous security gaps in the protection of consumer and corporate data, and this is unacceptable in the view of many.
Even with the increased guidance found in 1.2, which is really an explanatory measure for earlier versions of the standard, PCI still sells the security industry way short...
What's holding back the standard are a number of issues common to all security standards that try to instill common safety measures across a disparate landscape.
As is almost always the case, the lowest common denominator dominates...
In particular, at least two serious weaknesses stand out that PCI does not address: internal threats to data and targeted attacks on a database.
Overall, correctly understanding how each security threat operates is essential in providing an effective defense. The model that PCI uses for a data breach is one that most people would give as the de facto means by which data is lost: A potential hacker attacks a database through a weak spot in the firewall and steals data.
In that specific model, the key to protection is securing the perimeter of the network. That usually starts right at the firewall. If you can keep the threat on the outside of the firewall, your data is secure.
The insider threat may be surprising to some. However, it makes a lot of sense when you delve deeper. If you think about the amount of personal data that is collected for, say, a mortgage application, then you have an idea of what these databases are holding...
In the real world, insider threats are emerging as the greatest threat to stored data. Meanwhile, the world of direct attacks has become a lot more insidious as well, with attacks being made directly on the database level.
Careful analysis of each threat in minute detail shows why PCI falls short in its focus on external threats that use the network firewall as the primary point of access.
Ecommerce retailers sometimes don't have the controls necessary to accurately monitor who is accessing customer data internally. When you combine this oversight with an environment in which a large premium is paid for financial and other information, you have a tipping point for large-scale data theft from internal sources.
A few months ago, an employee of a financial institution was eventually caught downloading consumer application data, including names, personal addresses and even social security numbers, for later resale to various third parties.
The employee in question didn't have the authority to access the documents but had managed to gain access through an unsecured computer. Over the three months the theft went on, up to 2 million consumer records were stolen and misappropriated.
PCI doesn't offer any provisions for database protection, but clearly this is where it is vital. The database contains the most valuable asset any retailer has: customer information. As the standard itself acknowledges, the compromise of this data will result in the loss of consumer confidence and a very negative effect on a brand.
But the standard has been very weak in extending its recommendations to ensure that the database has a holistic level of protection -- not just against outside threats.
The PCI Standard is largely silent on protecting data from internal threats. From a technological standpoint, controls can be put in place that would monitor for unusual activity patterns in addition to placing restrictions on individual users. These controls would alert database administrators when abnormal amounts or types of data are being moved or if data is being accessed in questionable circumstances.
In the case mentioned above, the employee frequently downloaded a large number of records on a Sunday. If the company had instituted internal access controls on the database level, then the activity would have resulted in alerts, and probably could have been prevented, or at least the resulting damage could have been lessened considerably.
The second threat to consumer data is the emerging direct attack at the database level. Hackers and others are well-versed in the defenses created by the firewall. They know the weak points in firewall security and can bypass these points to launch an attack on the database.
Such attacks are quick and almost impossible to track. By the time the breach has been discovered, the data has been stolen and in many cases used on a large scale.
The case in point for the database attack is TJX. Hackers found weak spots in the organization's wireless networks and grabbed consumer data. Months passed before customers were alerted to the fact that their credit card information had been stolen.
In some cases, the way that TJX customers found out that their card numbers had been stolen was by seeing fraudulent charges on their bills. And there have been other similar cases lately, such as the data theft that happened at Forever 21 just a week ago.
A company that is serious about data protection will treat PCI only as a starting point, though it is a good checkpoint for the very basics. Companies that are more serious about protection will put more efficient controls in place that will greatly limit who can access data and when.
These controls would include alerts for specific behaviors and patterns that are beyond the norm, such as bulk transfers of data or the large-scale deletion of records.
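The database-level controls described above (alerts on abnormal volumes, off-hours access such as the Sunday downloads, and mass deletes) can be sketched as a small rule-based activity monitor. This is an added example, not code from the original article or from the PCI standard; the audit-log format, the sample records and the thresholds are all constructed assumptions.

```python
# Added example: rule-based database activity monitoring over constructed
# audit log lines. Flags the patterns the article describes: bulk reads far
# above a user's normal volume, access outside business hours (a Sunday, say)
# and large-scale deletes. Log format and thresholds are assumptions.
from datetime import datetime
from statistics import median

# Constructed sample audit records (not real data): "timestamp user action table rows"
AUDIT_LOG = """\
2008-06-02T10:15:00 alice SELECT applications 120
2008-06-03T11:40:00 alice SELECT applications 95
2008-06-04T09:05:00 alice SELECT applications 140
2008-06-08T02:30:00 alice SELECT applications 250000
2008-06-05T16:20:00 bob UPDATE applications 3
2008-06-06T14:00:00 bob DELETE applications 40000
"""

BULK_MULTIPLIER = 20           # rows more than 20x the user's median weekday read
MASS_DELETE_ROWS = 1000        # any single delete touching this many rows is flagged
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, Monday to Friday

def parse(log):
    records = []
    for line in log.strip().splitlines():
        ts, user, action, table, rows = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "table": table, "rows": int(rows)})
    return records

def off_hours(ts):
    """True on Saturday/Sunday or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def baselines(records):
    """Median rows per SELECT for each user, built from in-hours activity only,
    so an off-hours bulk download does not inflate its own baseline."""
    per_user = {}
    for r in records:
        if r["action"] == "SELECT" and not off_hours(r["ts"]):
            per_user.setdefault(r["user"], []).append(r["rows"])
    return {u: median(v) for u, v in per_user.items()}

def detect(records):
    """Return (user, timestamp, reason) alerts for anomalous activity.
    A user with no in-hours history gets a baseline of 0, so any read is flagged."""
    base, alerts = baselines(records), []
    for r in records:
        if off_hours(r["ts"]):
            alerts.append((r["user"], r["ts"].isoformat(), "off-hours access"))
        if r["action"] == "SELECT" and r["rows"] > BULK_MULTIPLIER * base.get(r["user"], 0):
            alerts.append((r["user"], r["ts"].isoformat(), "bulk read above baseline"))
        if r["action"] == "DELETE" and r["rows"] >= MASS_DELETE_ROWS:
            alerts.append((r["user"], r["ts"].isoformat(), "mass delete"))
    return alerts
```

Running `detect(parse(AUDIT_LOG))` flags alice's 250,000-row Sunday read twice (off-hours and bulk) and bob's 40,000-row delete, while the routine weekday activity passes silently.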
Source: IT Direction.