Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How PCI DSS 3.0 Can Help Stop Data Breaches
Oldest First  |  Newest First  |  Threaded View
DCDawg
DCDawg,
 User Rank: Apprentice
12/24/2014 | 1:00:21 AM
PCI DSS is still badly lacking!
PCI DSS is a like the TSA: security theater! PCI DSS does NOT require a proper risk assessment such as the one required in the ISO 27001 framework. PCI DSS does NOT require recertification of changes like FISMA. PCI DSS does NOT require configuration management standards and certification for expanding new systems like DIACAP.

Under PCI DSS a cash register in New York can talk to a cash register in San Deigo. Why? Why are all the networks logically flat? For that matter, why is any data stored as close to the entry ways into the network as they are today? You wouldn't store the keys to your building in the lobby, why are you storing your password in what is essentially the lobby to the Internet?

The entire model is broken. Software vendors who create the whiz-bang tools do so in a way where they have to be the center of your universe. When they are not, they implement standards in such a way that dangerous decisions have to be made if a company is trying to build a system.

And speaking of building a system, what is wrong with custom code? Does you house have all the cookie-cutter pre-built options? Did you add on to it? Change the wallpaper? What about redoing the electricty to support networking and the upgraded air conditioner? Then why are you still insisting that you open the COTS box and it work without doing the same? You are building systems like they built houses in the post-World War II era. Pre-fabricated and thrown together as quickly as possible without regard for what would happen with the first really big storm, flood, or other disaster. Like the ol' saltbox built in 1950, you either have to spend tons of money to repair and maintain it while it is being attacked or you have to spend money to tear it down and rebuild it.

Why do it right when you can do it wrong for twice the price?!

You think I'm kidding? Ask Target and Home Depot how much damage would have been done if they isolated their point-of-sale networks from each other. What about Sony? How much damage was done because they left their open mail by the front door for the first person to walk in to take it from them?

Saying that PCI DSS can help stop breaches is like saying the TSA will stop terrorism on an airplane. Just like Haniford Foods was PCI DSS certified, the TSA did not stop the gun-running scheme between Atlanta and New York. It only came to light when the Brooklyn DA was investigating something else... sort of like how Neiman-Marcus found its problems. 

Security is NOT a checklist or a product. It is the result of a risk assessment to determine the risks and their mitigations. Security is a process, just like the physical security that every business maintains. Until these rank amatures understand this, there is no reason to think that PCI DSS in any of its forms will be nothing more than a band aid on a gushing wound!

 
closcer
closcer,
 User Rank: Apprentice
1/8/2015 | 11:56:59 AM
Re: PCI DSS is still badly lacking!
Some of your statements are valid, but the majority show youre badly misinformed.  As with any other guidelines or standards it should be something to build on not a soup to nuts approach.  Whoever doesn't treat PCI DSS as the bare minimum barometer has some work to do to secure their enterprise.  The ideals and principles set forth on PCI DSS are sound and should give the experienced security engineer something to work off of - that's the true intent of the standards.
n0md3plum
n0md3plum,
 User Rank: Apprentice
1/8/2015 | 2:42:14 PM
Re: PCI DSS is still badly lacking!
@Closcer,  Try explaining that to management. That hey PCI is just the bare minimum of what needs to be done. We need to spend more $ on additional controls, policies, standards etc.  Unless you have other regulatory guidelines that you have to follow, PCI by itself might not be enough.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/8/2015 | 3:20:02 PM
Re: PCI DSS is still badly lacking!
@n0md3plum, how do you make the case for PCI-DSS to your management? Or do you?
closcer
closcer,
 User Rank: Apprentice
1/8/2015 | 3:57:13 PM
Re: PCI DSS is still badly lacking!
In my case, I lead a security team for a fortune 500 financial company and for me its been very easy.  You just have to provide the right data points and stay away from annecdotal data.  Justifying everything with worst case and potential financial monetary loss has always worked with our leadership team.  Thus far we've adequately protected the business (and our FI's) with the right controls in place and teh right level of auditing.
Cthulhucalling
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:07:10 PM
Re: PCI DSS is still badly lacking!
I just spent the last 2 years working on PCI remediation for a client. Despite being brought in specifically to work the client's PCI issues, the business focused on other things until almost literally the last hour. We did get them compliant despite a huge amount of work done the last few weeks of the year, but it was only because this was the last opportunity that the company could be audited against DSSv2.0 did we get management backing to get the work actually done.

I've given numerous presentations and discussions with the client's management, and despite assurances that PCI was the #1 priority, they typically got sidetracked with other shiny objects, or balked at the amount of time/money/effort it would take to attain compliance, until it in itself became a problem. Good on them for eventually addressing the problem, but this couuld have been done much eariler without the rush to the finishline.
Cthulhucalling
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:28:57 PM
DSSv3. Meh
I'm a QSA and have been working PCI issues for clients for a few years now. What I'm seeing in v3 of the DSS is hardly revolutionary, merely evolutionary. Really, there is little changed from v2, some lip service to memory scraping, some improvements in some other requirements. But overall... meh. Without coming out and actually providing a security framework, all of this piecemeal "defense in depth" is difficult for organizations to comprehend, even when they have good engineers and security staff. Why? Because there is not overarching vision or framework that is included in the DSS, it's just 240+ requirements that are typically addressed piecemeal. An included framework would provide some context, to show management that Requirement 1 reinforces Requirement 5- when AV fails, the firewall or airgapped network will keep cardholder data from being leaked (barring extrordinary effort by the attacker)

Requirement 5 was a joke in my QSA training, the instructor called it the "microsoft rule", as the requirement states "for systems that are commonly infected by malware". Hey, AV software is nice tool for the toolbox, but I there seems to be some overeliance that it will catch malware. Any security professional will know this, but management at some of my clients have asked the question "If we have (antivirus software vendor) installed, why do we need to put our point of sale behind firewalls?". This usually goes into the defense in depth lecture, but by that point, everyone is looking at their phones, or arguing that all of this is going to cost money, and this is just security being negative and trying to scare people.

Until there is a breach.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/12/2015 | 10:17:54 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
@Cthulhucalling -- You raise some interesting points which prompts me to ask for your thoughts on 1.What do you think is needed to give PCI DSS 3.0 more bite? And 2. Do you think the enterprise IT could handle a more revolutionary approach?
Cthulhucalling
Cthulhucalling,
 User Rank: Apprentice
1/15/2015 | 1:14:12 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
1. It's my experience that organizations try to attain the absolute minimum it takes to become compliant. I think the brands should be helping out more by clarifying a lot of the murk that the DSS has, and coming out with a security framework, or at least rewriting the DSS so it becomes more clear as to what the Council actually wants. Right now it's a mishmash of 200+ checks, that are usually attacked piecemeal.

Second, I'd like to see the brands get more aggressive on punishing companies that scoff the DSS and get breached. Home Depot has been breached how many times now? The breach at Target was rather offensive itself, they missed all the warning signs. Of course, the Council will do nothing to these companies as they would be missing all the revenue that thise companies make for them. I would guarantee that if one major retailer was to lose its merchant status, there would be a newfound vigor and zeal from the rest of the retail industry to get secured.


2. IT management is generally not ready for a revolutionary approach. They must be dragged, kicking and screaming into compliance because they will whine, complain, drag their feet and stall all they can until they have to get compliant. The cost of noncompliance needs to be greater than it takes to get compliant, otherwise it simply won't happen.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-45939
PUBLISHED: 2022-11-28
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in t...
CVE-2022-43705
PUBLISHED: 2022-11-27
In Botan before 2.19.3, it is possible to forge OCSP responses due to a certificate verification error. This issue was introduced in Botan 1.11.34 (November 2016).
CVE-2022-45934
PUBLISHED: 2022-11-27
An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.
CVE-2022-45931
PUBLISHED: 2022-11-27
A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/UserStore.java deleteUser function is affected when the API interface /auth/v1/users/ is used.
CVE-2022-45932
PUBLISHED: 2022-11-27
A SQL injection issue was discovered in AAA in OpenDaylight (ODL) before 0.16.5. The aaa-idm-store-h2/src/main/java/org/opendaylight/aaa/datastore/h2/RoleStore.java deleteRole function is affected when the API interface /auth/v1/roles/ is used.