Endpoint | Commentary
9/6/2017 02:00 PM
Jeff Hussey

Is Your Organization Merely PCI-Compliant or Is It Actually Secure?

The Host Identity Protocol might be the answer to inadequate check-the-box security standards.

Can you hear the clock ticking? It's the countdown to June 30, 2018, the deadline for all merchants to migrate their payment card-related operations to comply with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS v 3.2). But what does that really mean?

Does it mean consumers will be able to hand out their credit cards to every food truck, t-shirt vendor, and street musician across the world and expect complete security?

Does it mean that hackers, bad actors, and all other cybercriminals will be rendered useless and forced to change from a life of cybercrime into a new life of altruistic intent?

Does it mean that the news broadcasts won't be inundated with stories of massive data breaches from retailers and government organizations?

The answer to all those questions is no, not really … actually, not at all. The most recent data security standard for credit card payment systems merely ensures compliance but not necessarily security. In fact, industry compliance and actual security are very different things. This isn't acceptable — the world must strive for compliance and security.

Compliant but Still Vulnerable
Although ensuring that all payment card systems are up to standard is a step in the right direction, it's not foolproof. Consider these recent incidents of PCI-compliant entities that were still breached:

Entity   | Year of Attack | Method of Attack
---------|----------------|-----------------------------------
Verifone | 2017           | Malware
AT&T     | 2017           | Phishing
Google   | 2016           | Phishing
Yahoo    | 2016           | XSS cookie stealing and hijacking
Oracle   | 2016           | Malware
Experian | 2015           | Broken encryption

As you can see, attacks are still effective at striking PCI-compliant entities. Better security is still needed to prevent intrusions into your organization's credit card information. Compliance standards usually mean just checking off the right boxes on a self-assessment checklist and periodically sending in screenshots of random encrypted values to "validate" those responses.

If only security were that easy. People with malicious intent want to expose any loophole within your system, regardless of PCI compliance. Realistically, compliance means only that your systems are updated to a level deemed as acceptable by the given standard. But cybercriminals are operating far past the level of acceptable or standard. They only have to find one weak link in a chain of otherwise acceptable practices. Your payment card systems may look good to the "standard" observer, but the advanced hacker may see numerous opportunities for access, and it takes only one.

The Problem with Address-Defined Networking
The problem stems from the way we've been networking our devices ever since the 1970s. Unfortunately, traditional, address-defined networking can achieve total compliance while continuing to be irresponsibly susceptible to many critical security issues. The weak link lies within its architecture, where an IP address serves as both a machine's location and its identity.

IP addresses are vulnerable to attack because they are "spoofable." That is, a hacker can gain access to your PCI systems by pretending to come from a valid IP address. It's akin to the virtual version of identity theft. Once they gain this unauthorized access, they're free to roam around your networked system, where they can steal credit card information from your customers. IT security stakeholders must think about how to overcome the vulnerability of the IP address with something "unspoofable." It’s also no secret that IP change management is an ongoing headache and prone to error.

HIP Technology Offers Compliance and Security
So, how do you increase your network's security to truly safeguard valuable credit card information, personally identifiable information, and other critical data? This is where the Host Identity Protocol (HIP) technology, recently ratified by the IETF, comes into play. HIP gives you the ability to supply a trusted cryptographic identity (CryptoID) to every endpoint, which provides unprecedented capabilities in the world of networking. Not only can you make trusted endpoints invisible to the plethora of people with bad intentions, but you can also easily segment an individual device to create a perimeter of one. Centralized orchestration of CryptoIDs is what makes it all possible and simple.
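To make the "location vs. identity" point concrete, here is an added example (not code from the article or from any HIP implementation) that derives an IPv6-shaped Host Identity Tag from a public key and then checks a peer's claim to that identity with a signed challenge, so a packet's source address never enters the decision. The ORCHID bit layout follows RFC 7343 and the context ID is the HIP one from RFC 7401; using raw Ed25519 key bytes as the hash input and OGA ID 1 are simplifying assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net"
)

// HIP context identifier (RFC 7401), mixed into every HIT hash so a key
// cannot collide with ORCHIDs generated for other protocols.
var hipContextID = []byte{0xF0, 0xEF, 0xF0, 0x2F, 0xBF, 0xF4, 0x3D, 0x0F,
	0xE7, 0x93, 0x0C, 0x3C, 0x6E, 0x61, 0x74, 0xEA}

// Hash-algorithm (OGA) ID in the 4 bits after the prefix; value assumed here.
const hipOGAID = 1

// HostIdentityTag builds the 128-bit HIT: 28-bit ORCHID prefix 2001:20::/28,
// 4-bit OGA ID, then the first 96 bits of SHA-256(contextID || key).
// Hashing raw Ed25519 key bytes is a simplification assumed for this example.
func HostIdentityTag(pub ed25519.PublicKey) net.IP {
	sum := sha256.Sum256(append(append([]byte{}, hipContextID...), pub...))
	hit := make(net.IP, 16)
	hit[0], hit[1], hit[2], hit[3] = 0x20, 0x01, 0x00, 0x20|hipOGAID
	copy(hit[4:], sum[:12])
	return hit
}

// ProveIdentity signs the responder's nonce bound to the claimed HIT; only the
// holder of the private key behind that HIT can produce this.
func ProveIdentity(priv ed25519.PrivateKey, hit net.IP, nonce []byte) []byte {
	return ed25519.Sign(priv, append(append([]byte{}, hit...), nonce...))
}

// VerifyIdentity accepts a claimed HIT only if the presented key hashes to it
// AND the signature over HIT||nonce verifies. No source IP is consulted.
func VerifyIdentity(claimed net.IP, pub ed25519.PublicKey, nonce, sig []byte) bool {
	if !bytes.Equal(HostIdentityTag(pub), claimed) {
		return false // key does not belong to the identity being claimed
	}
	return ed25519.Verify(pub, append(append([]byte{}, claimed...), nonce...), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	hit, nonce := HostIdentityTag(pub), make([]byte, 16) // fresh nonce per handshake
	rand.Read(nonce)
	fmt.Println(hit, "genuine key accepted:", VerifyIdentity(hit, pub, nonce, ProveIdentity(priv, hit, nonce)))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader) // another host claiming the same HIT
	fmt.Println("other key accepted:", VerifyIdentity(hit, pub2, nonce, ProveIdentity(priv2, hit, nonce)))
}
```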

If you consider that address-defined networking has served as the foundation of communication for numerous decades now, that’s a big achievement. Not many technologies last that long and remain effective. The time has come for HIP-based communications to provide a more secure and compliant solution as we move to a world where connectivity and online commerce have no boundaries.

E-commerce lets us conduct credit card transactions from New Zealand to New England, but freely floating those transactions into cyberspace with recognition of mere compliance — not actual security — is like sending hard cash as a Christmas gift via snail mail. Is it within the compliant boundaries of federal law? Yes. Is it wise or secure to do so? Absolutely not.

HIP-based technology can be implemented across any network — legacy or state-of-the-art — as part of an identity-based solution to provide instant cloaking, local and wide area micro-segmentation, machine authentication and authorization, and end-to-end encryption.

A Cost Comparison
One of the biggest headaches we face regarding PCI compliance is the cost involved. Internal personnel usually need to be dedicated for a period of three to four months to address the requirements. Outside consultants also need to be hired for that timeframe, adding significant costs. Lastly, penetration testing must be performed to ensure total compliance. The cost of such a task for a typical medium-sized company amounts to an average of around $441,000, according to Marcum LLP, an independent public accounting and advisory services firm. By switching to an identity-based solution with HIP-based technology, the average cost of PCI compliance for a medium-sized company is reduced to $337,500, which is a conservative estimate, yet translates to significant cost savings.

Three Reasons to Adopt HIP-based Technology
Compliance, security, and cost-effectiveness are all valid reasons to adopt HIP-based technology going forward as a way to achieve both PCI compliance and security. Consider the following three advantages:

  1. Easy compliance by the PCI DSS v 3.2 deadline
  2. State-of-the-art security and control across all endpoints of your network
  3. Cost-effectiveness will be achieved in a number of ways:
    • Costly, brand-tarnishing data breaches and successful hacks of your payment card systems will be virtually eliminated.
    • The number of skilled IT staff required to achieve and maintain PCI compliance will be significantly reduced.

Yes, you can do something about the bad actors in cyberspace. Compliance and security don't need to be separated. Security-conscious organizations should and can have both.


Jeff Hussey is president and CEO of Tempered Networks. Hussey, the founder of F5 Networks, is an accomplished entrepreneur with a proven track record in the networking and security markets. He maintains several board positions across a variety of technology, non-profit and ...