Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How PCI DSS 3.0 Can Help Stop Data Breaches
Newest First  |  Oldest First  |  Threaded View
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/15/2015 | 1:14:12 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
1. It's my experience that organizations try to attain the absolute minimum it takes to become compliant. I think the brands should be helping out more by clarifying a lot of the murk that the DSS has, and coming out with a security framework, or at least rewriting the DSS so it becomes more clear as to what the Council actually wants. Right now it's a mishmash of 200+ checks, that are usually attacked piecemeal.

Second, I'd like to see the brands get more aggressive on punishing companies that scoff the DSS and get breached. Home Depot has been breached how many times now? The breach at Target was rather offensive itself, they missed all the warning signs. Of course, the Council will do nothing to these companies as they would be missing all the revenue that thise companies make for them. I would guarantee that if one major retailer was to lose its merchant status, there would be a newfound vigor and zeal from the rest of the retail industry to get secured.


2. IT management is generally not ready for a revolutionary approach. They must be dragged, kicking and screaming into compliance because they will whine, complain, drag their feet and stall all they can until they have to get compliant. The cost of noncompliance needs to be greater than it takes to get compliant, otherwise it simply won't happen.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/12/2015 | 10:17:54 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
@Cthulhucalling -- You raise some interesting points which prompts me to ask for your thoughts on 1.What do you think is needed to give PCI DSS 3.0 more bite? And 2. Do you think the enterprise IT could handle a more revolutionary approach?
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:28:57 PM
DSSv3. Meh
I'm a QSA and have been working PCI issues for clients for a few years now. What I'm seeing in v3 of the DSS is hardly revolutionary, merely evolutionary. Really, there is little changed from v2, some lip service to memory scraping, some improvements in some other requirements. But overall... meh. Without coming out and actually providing a security framework, all of this piecemeal "defense in depth" is difficult for organizations to comprehend, even when they have good engineers and security staff. Why? Because there is not overarching vision or framework that is included in the DSS, it's just 240+ requirements that are typically addressed piecemeal. An included framework would provide some context, to show management that Requirement 1 reinforces Requirement 5- when AV fails, the firewall or airgapped network will keep cardholder data from being leaked (barring extrordinary effort by the attacker)

Requirement 5 was a joke in my QSA training, the instructor called it the "microsoft rule", as the requirement states "for systems that are commonly infected by malware". Hey, AV software is nice tool for the toolbox, but I there seems to be some overeliance that it will catch malware. Any security professional will know this, but management at some of my clients have asked the question "If we have (antivirus software vendor) installed, why do we need to put our point of sale behind firewalls?". This usually goes into the defense in depth lecture, but by that point, everyone is looking at their phones, or arguing that all of this is going to cost money, and this is just security being negative and trying to scare people.

Until there is a breach.
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:07:10 PM
Re: PCI DSS is still badly lacking!
I just spent the last 2 years working on PCI remediation for a client. Despite being brought in specifically to work the client's PCI issues, the business focused on other things until almost literally the last hour. We did get them compliant despite a huge amount of work done the last few weeks of the year, but it was only because this was the last opportunity that the company could be audited against DSSv2.0 did we get management backing to get the work actually done.

I've given numerous presentations and discussions with the client's management, and despite assurances that PCI was the #1 priority, they typically got sidetracked with other shiny objects, or balked at the amount of time/money/effort it would take to attain compliance, until it in itself became a problem. Good on them for eventually addressing the problem, but this couuld have been done much eariler without the rush to the finishline.
closcer
50%
50%
closcer,
 User Rank: Apprentice
1/8/2015 | 3:57:13 PM
Re: PCI DSS is still badly lacking!
In my case, I lead a security team for a fortune 500 financial company and for me its been very easy.  You just have to provide the right data points and stay away from annecdotal data.  Justifying everything with worst case and potential financial monetary loss has always worked with our leadership team.  Thus far we've adequately protected the business (and our FI's) with the right controls in place and teh right level of auditing.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/8/2015 | 3:20:02 PM
Re: PCI DSS is still badly lacking!
@n0md3plum, how do you make the case for PCI-DSS to your management? Or do you?
n0md3plum
50%
50%
n0md3plum,
 User Rank: Apprentice
1/8/2015 | 2:42:14 PM
Re: PCI DSS is still badly lacking!
@Closcer,  Try explaining that to management. That hey PCI is just the bare minimum of what needs to be done. We need to spend more $ on additional controls, policies, standards etc.  Unless you have other regulatory guidelines that you have to follow, PCI by itself might not be enough.
closcer
50%
50%
closcer,
 User Rank: Apprentice
1/8/2015 | 11:56:59 AM
Re: PCI DSS is still badly lacking!
Some of your statements are valid, but the majority show youre badly misinformed.  As with any other guidelines or standards it should be something to build on not a soup to nuts approach.  Whoever doesn't treat PCI DSS as the bare minimum barometer has some work to do to secure their enterprise.  The ideals and principles set forth on PCI DSS are sound and should give the experienced security engineer something to work off of - that's the true intent of the standards.
DCDawg
0%
100%
DCDawg,
 User Rank: Apprentice
12/24/2014 | 1:00:21 AM
PCI DSS is still badly lacking!
PCI DSS is a like the TSA: security theater! PCI DSS does NOT require a proper risk assessment such as the one required in the ISO 27001 framework. PCI DSS does NOT require recertification of changes like FISMA. PCI DSS does NOT require configuration management standards and certification for expanding new systems like DIACAP.

Under PCI DSS a cash register in New York can talk to a cash register in San Deigo. Why? Why are all the networks logically flat? For that matter, why is any data stored as close to the entry ways into the network as they are today? You wouldn't store the keys to your building in the lobby, why are you storing your password in what is essentially the lobby to the Internet?

The entire model is broken. Software vendors who create the whiz-bang tools do so in a way where they have to be the center of your universe. When they are not, they implement standards in such a way that dangerous decisions have to be made if a company is trying to build a system.

And speaking of building a system, what is wrong with custom code? Does you house have all the cookie-cutter pre-built options? Did you add on to it? Change the wallpaper? What about redoing the electricty to support networking and the upgraded air conditioner? Then why are you still insisting that you open the COTS box and it work without doing the same? You are building systems like they built houses in the post-World War II era. Pre-fabricated and thrown together as quickly as possible without regard for what would happen with the first really big storm, flood, or other disaster. Like the ol' saltbox built in 1950, you either have to spend tons of money to repair and maintain it while it is being attacked or you have to spend money to tear it down and rebuild it.

Why do it right when you can do it wrong for twice the price?!

You think I'm kidding? Ask Target and Home Depot how much damage would have been done if they isolated their point-of-sale networks from each other. What about Sony? How much damage was done because they left their open mail by the front door for the first person to walk in to take it from them?

Saying that PCI DSS can help stop breaches is like saying the TSA will stop terrorism on an airplane. Just like Haniford Foods was PCI DSS certified, the TSA did not stop the gun-running scheme between Atlanta and New York. It only came to light when the Brooklyn DA was investigating something else... sort of like how Neiman-Marcus found its problems. 

Security is NOT a checklist or a product. It is the result of a risk assessment to determine the risks and their mitigations. Security is a process, just like the physical security that every business maintains. Until these rank amatures understand this, there is no reason to think that PCI DSS in any of its forms will be nothing more than a band aid on a gushing wound!

 


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
CVE-2020-25598
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
CVE-2020-25599
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
CVE-2020-25600
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...