Endpoint | Commentary
9/6/2017 02:00 PM
Jeff Hussey
Is Your Organization Merely PCI-Compliant or Is It Actually Secure?

The Host Identity Protocol might be the answer to inadequate check-the-box security standards.

Can you hear the clock ticking? It's the countdown to June 30, 2018, the date by which PCI DSS v3.2 requires merchants and service providers to have finished migrating off SSL and early TLS, the last of the standard's phased-in requirements. But what does meeting that deadline really mean?

Does it mean consumers will be able to hand out their credit cards to every food truck, t-shirt vendor, and street musician across the world and expect complete security?

Does it mean that hackers, bad actors, and all other cybercriminals will be rendered useless and forced to change from a life of cybercrime into a new life of altruistic intent?

Does it mean that the news broadcasts won't be inundated with stories of massive data breaches from retailers and government organizations?

The answer to all those questions is no: not really, and in truth not at all. The latest version of the standard ensures compliance, not security. Compliance and security are different things, and a fully compliant program can still be an insecure one. That isn't acceptable; organizations must strive for both.

Compliant but Still Vulnerable
Although bringing every payment card system up to the standard is a step in the right direction, it is not foolproof. Consider these recent incidents in which PCI-compliant entities were still breached:

Entity      Year of attack   Method of attack
Verifone    2017             Malware
AT&T        2017             Phishing
Google      2016             Phishing
Yahoo       2016             XSS cookie theft and session hijacking
Oracle      2016             Malware
Experian    2015             Broken encryption
Compliance did not stop any of these attacks, and better security is still needed to keep intruders away from your organization's cardholder data. In practice, compliance often means checking the right boxes on a self-assessment questionnaire and periodically sending in screenshots of encrypted values to "validate" those answers.

If only security were that easy. Attackers look for any loophole in your systems regardless of your compliance status. Realistically, compliance means only that your systems meet the level the standard deems acceptable, and cybercriminals operate well past that level. They need to find only one weak link in an otherwise acceptable chain of practices: your payment card systems may look good to a standard assessor while a capable attacker sees numerous openings, and one is enough.

The Problem with Address-Defined Networking
The problem stems from the way we have networked devices since the 1970s. Traditional, address-defined networking can achieve total compliance while remaining susceptible to critical security issues, because in its architecture an IP address serves as both a machine's location (where packets are routed) and its identity (who is on the other end), and nothing authenticates that second role.

IP addresses make weak identifiers because they can be spoofed or simply acquired. An attacker can write any source address into a packet; a blind, off-path spoof will not complete a TCP handshake, but a compromised host or a rogue device on an allow-listed subnet presents the trusted address just as convincingly. Any control that grants access by address therefore grants it to whoever can present that address, the network equivalent of identity theft. Once inside a PCI environment on that basis, the attacker is free to move among networked systems and collect customers' cardholder data. IT security stakeholders must think about replacing the spoofable IP address with something that cannot be forged. It is also no secret that IP change management is an ongoing headache and prone to error.

HIP Technology Offers Compliance and Security
So, how do you increase your network's security to truly safeguard credit card data, personally identifiable information, and other critical data? This is where the Host Identity Protocol (HIP), standardized by the IETF as HIPv2 in RFC 7401, comes into play. HIP gives every endpoint a trusted cryptographic identity (CryptoID), which the protocol calls the Host Identity: a public key. Peers prove possession of the matching private key in a signed base exchange, and the Host Identity Tag, a hash of that key in IPv6 address form, lets applications use the identity wherever they would have used an address. Because the tag is bound to the key, it cannot be claimed without the private key. That provides capabilities address-based networking cannot: trusted endpoints can be made unreachable to anyone who cannot prove an authorized identity, and a single device can be segmented into a perimeter of one. Centralized orchestration of CryptoIDs is what makes this manageable.
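As an added illustration (not code from this column or from Tempered Networks), the Go program below contrasts the two controls discussed above: an address-based allow list admits whoever writes the right source address into a packet, while an identity-based check derives a Host Identity Tag from a public key and admits only a peer that can sign with the matching private key. The HIT construction follows the ORCHID layout (2001:20::/28 prefix, 4-bit OGA ID, 96 hash bits) and uses the HIPv2 Context ID from RFC 7401, but several details are simplifying assumptions: Ed25519 stands in for the RSA/DSA HIT suite, the raw public key bytes stand in for the RFC 7401 HOST_ID encoding, the middle-96-bit truncation is taken from RFC 7343's Encode_96, and a signed responder nonce stands in for the signature over the I2 packet. The keys and the 10.1.2.3 address are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/netip"
)

// Context ID that HIPv2 prepends to the Host Identity before hashing
// (RFC 7401, section 3.2), keeping HITs distinct from other ORCHID uses.
var hipv2ContextID = []byte{0xF0, 0xEF, 0xF0, 0x2F, 0xBF, 0xF4, 0x3D, 0x0F,
	0xE7, 0x93, 0x0C, 0x3C, 0x6E, 0x61, 0x74, 0xEA}

// HIT derives a Host Identity Tag, an IPv6 address in the ORCHID prefix
// 2001:20::/28, from a public key; the hash binds the tag to the key.
// Assumptions: Ed25519 stands in for RFC 7401's RSA/DSA HIT Suite 1, raw
// key bytes stand in for the HOST_ID encoding, and the 96 hash bits are
// the middle 96 bits of the digest (RFC 7343 Encode_96).
func HIT(pub ed25519.PublicKey) netip.Addr {
	const ogaID = 1 // HIT Suite ID, the 4 bits after the 28-bit prefix
	sum := sha256.Sum256(append(append([]byte{}, hipv2ContextID...), pub...))
	var a [16]byte
	a[0], a[1], a[2], a[3] = 0x20, 0x01, 0x00, 0x20|ogaID // 2001:2 + OGA ID
	copy(a[4:], sum[10:22])                                // middle 96 bits
	return netip.AddrFrom16(a)
}

// Peer is what a responder sees from an initiator: the HIT it claims, the
// Host Identity (public key) it presents, and a signature over a nonce the
// responder chose (in real HIP the signature covers the I2 packet itself).
type Peer struct {
	ClaimedHIT netip.Addr
	HostID     ed25519.PublicKey
	Sig        []byte
}

// AuthorizeByIdentity admits a peer only if its HIT is allow-listed, the HIT
// derives from the presented key, and the signature proves possession of
// the matching private key. A victim's HIT or public key alone gets nowhere.
func AuthorizeByIdentity(allow map[netip.Addr]bool, nonce []byte, p Peer) (bool, string) {
	switch {
	case !allow[p.ClaimedHIT]:
		return false, "HIT not on allow list"
	case HIT(p.HostID) != p.ClaimedHIT:
		return false, "HIT does not derive from the presented Host Identity"
	case !ed25519.Verify(p.HostID, nonce, p.Sig):
		return false, "signature invalid: no proof of private-key possession"
	}
	return true, "ok"
}

// AuthorizeByAddress is the address-defined control: whoever writes an
// allow-listed source address into a packet is admitted; nothing
// authenticates that field.
func AuthorizeByAddress(allow map[netip.Addr]bool, src netip.Addr) bool {
	return allow[src]
}

// Outcome records how each control treated a legitimate host and an
// attacker who knows the victim's IP, HIT and public key, not its private key.
type Outcome struct {
	SpoofedIPAdmitted    bool // attacker wrote the victim's IP as source
	LegitimateAdmitted   bool // victim, signing with its own key
	StolenHITAdmitted    bool // victim's HIT presented with the attacker's key
	StolenPubKeyAdmitted bool // victim's HIT and key, attacker's signature
}

// Demo generates fresh keys (constructed for the demo, not real hosts) and
// runs all four attempts through the two controls.
func Demo() Outcome {
	victimPub, victimPriv, err1 := ed25519.GenerateKey(nil) // nil = crypto/rand
	attackerPub, attackerPriv, err2 := ed25519.GenerateKey(nil)
	nonce := make([]byte, 32)
	_, err3 := rand.Read(nonce)
	if err1 != nil || err2 != nil || err3 != nil {
		panic("crypto/rand failure")
	}
	victimHIT := HIT(victimPub)
	allowHITs := map[netip.Addr]bool{victimHIT: true}
	victimIP := netip.MustParseAddr("10.1.2.3") // constructed sample address
	allowIPs := map[netip.Addr]bool{victimIP: true}
	var o Outcome
	o.SpoofedIPAdmitted = AuthorizeByAddress(allowIPs, victimIP)
	o.LegitimateAdmitted, _ = AuthorizeByIdentity(allowHITs, nonce,
		Peer{victimHIT, victimPub, ed25519.Sign(victimPriv, nonce)})
	o.StolenHITAdmitted, _ = AuthorizeByIdentity(allowHITs, nonce,
		Peer{victimHIT, attackerPub, ed25519.Sign(attackerPriv, nonce)})
	o.StolenPubKeyAdmitted, _ = AuthorizeByIdentity(allowHITs, nonce,
		Peer{victimHIT, victimPub, ed25519.Sign(attackerPriv, nonce)})
	return o
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Run it and the address check admits the spoofed packet while all three identity checks reject the attacker; only the host holding the private key gets through. The design point is that the allow list is keyed on something derived from a key the peer must prove it holds, so the list entry is useless to anyone who merely observed it on the wire.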

Address-defined networking has served as the foundation of communication for decades, and few technologies last that long while remaining effective; that longevity is an achievement in itself. But the time has come for HIP-based communications to provide a more secure, and still compliant, solution as we move to a world where connectivity and online commerce have no boundaries.

E-commerce lets us conduct credit card transactions from New Zealand to New England, but floating those transactions across cyberspace on the strength of mere compliance, rather than actual security, is like mailing cash as a Christmas gift. Is it within the bounds of federal law? Yes. Is it wise or secure? Absolutely not.

HIP-based technology can be deployed across any network, legacy or state-of-the-art, as part of an identity-based solution that provides cloaking of endpoints, local and wide-area micro-segmentation, machine authentication and authorization, and end-to-end encryption (HIP carries data traffic over IPsec ESP, as specified in RFC 7402).

A Cost Comparison
One of the biggest headaches of PCI compliance is cost. Internal personnel usually have to be dedicated for three to four months to address the requirements, outside consultants are typically hired for the same period, and penetration testing must be performed to demonstrate compliance. For a typical medium-sized company that adds up to an average of around $441,000, according to Marcum LLP, an independent public accounting and advisory services firm. By switching to an identity-based solution built on HIP, the average cost of PCI compliance for a medium-sized company falls to $337,500 by the author's conservative estimate, which still translates to significant savings.

Three Reasons to Adopt HIP-based Technology
Compliance, security, and cost-effectiveness are all valid reasons to adopt HIP-based technology as a way to achieve both PCI compliance and security. Consider the following three advantages:

  1. Easy compliance by the PCI DSS v3.2 deadline
  2. State-of-the-art security and control across all endpoints of your network
  3. Cost-effectiveness, achieved in several ways:
    • Far fewer costly, brand-tarnishing breaches of your payment card systems, because an attacker who cannot prove an authorized identity never reaches them
    • A significant reduction in the skilled IT staff required to achieve and then maintain PCI compliance

Yes, you can do something about the bad actors in cyberspace. Compliance and security don't need to be separated. Security-conscious organizations should and can have both.

Jeff Hussey is president and CEO of Tempered Networks. Hussey, the founder of F5 Networks, is an accomplished entrepreneur with a proven track record in the networking and security markets. He maintains several board positions across a variety of technology, non-profit and ...