
Risk

9/19/2014
06:15 PM

5 Ways To Think Outside The PCI Checkbox

New PCI Council GM plans to help organizations move their practices beyond compliance mentality into risk-based security.

This month the PCI Security Standards Council entered a new era with the installation of a new general manager, as Bob Russo, its founding GM, prepares for retirement at year's end. Russo's successor is Stephen Orfei, a tech industry veteran with experience in telecommunications, emerging payment technology, and cyber security.

Orfei was introduced to PCI ecosystem partners at the North American PCI Community Meeting this month. He is coming to his new role with a fresh approach, and he hopes to build on Russo's work in a number of key areas. First on his list of priorities is evangelizing a mind shift away from, of all things, compliance.

Though the PCI SSC was originally created as a standards-setting body that existed primarily to maintain standards to which merchants, acquirers, and other payment entities need to adhere, Orfei says the time has come for a change. PCI standards will always exist as a baseline for compliance, but Orfei hopes to use the council to break out the soapbox and tout the importance of prioritizing risk-based security over simple compliance.

"I don't think we can go forward with the attitude of either you're compliant or you're not," he says. "I think a risk-based approach is one that makes sense and will allow us to take significant risks off the table." As he explains, he wants to avoid the situation where a business takes 10 of 12 risks off the table but, because it cannot immediately comply with the last two risks, it gives up being vigilant about risk reduction by saying, "I'm just going to throw the dice, because I can't bring the organization into compliance, and this effort is for nothing if I can't comply."

A center of excellence
Instead, he wants to urge organizations to still prioritize and take big threats off the table but continue to develop and execute plans for better risk reduction over time. He believes the council is in a good position to help them do that by shifting its position in the industry. Rather than simply being a global security standards organization, Orfei would like to build the council into what he calls a "center of excellence."

The idea is not only to tweak the baseline standards with which the payment ecosystem must comply, but also to develop and disseminate best practices for a higher level of security.

"I want the market to look to us for the subject matter expertise, for the best practices, for the standards, for the vetting of solutions, for our laboratories to do the testing," he says. "The continuum is one of going to the market with best practices to get to a baseline standard, and then as a center of excellence, we also need to describe what a gold standard looks like for those who have the appetite and desire to take it to the next level."

In the meantime, Orfei believes that organizations can start down the path of risk-based security in five key areas:

  1. Monitoring and surveillance: Organizations must improve how they monitor their network and data resources in order to stay on top of incoming threats.
  2. Patching: Patch management remains one of the most effective ways organizations can drastically reduce risk to their systems and PCI-relevant data.
  3. Using technology to devalue data: With EMV coming down the pike, and technologies like point-to-point encryption and tokenization more affordable and usable than ever, organizations need to leverage technology to make data worthless to attackers.
  4. Making security a KPI: Organizations that find ways to make security a key performance indicator, not just in IT but across the business, are more likely to develop a culture of security.
  5. Remaining vigilant beyond the compliance point in time: Organizations need to remember that compliance is just a point-in-time metric. They have to remain vigilant about risk reduction even when the assessors are gone.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas,
User Rank: Strategist
9/23/2014 | 10:13:32 AM
Re: Checkbox mentality > Roadmap v Best Practices
Thanks for the example, @gabehernandez9. I'd love to hear more from the Dark Reading community about their advice and tactics for navigating DSS.
gabehernandez9,
User Rank: Apprentice
9/23/2014 | 9:19:34 AM
Re: Checkbox mentality > Roadmap v Best Practices
A roadmap need not be overly detailed with specific turn-by-turn steps. It could be composed of a series of successive milestones to help you on your way. For example, a key tenet of PCI environments is the concept of "isolation". Why not have a tactical and practical guide to explain typical steps to achieve isolation at the network layer...something like this.

1. Create an inventory of all IP-enabled devices that are part of a PCI environment

2. Create a separate environment (ideally physical with separate routers, switches, firewalls etc, but must be logically separate) to host and enable the functionality of those PCI assets isolated from the corporate LAN

3. Apply the following hardening and access restrictions to the edge of the new PCI network in accordance with DSS section blahblahblah

4. Migrate the previously defined PCI assets to the new network.

5. Train network personnel how to access and support the new environment with strong emphasis on maintaining isolation from corporate LAN systems and services.

And so on....


This is admittedly a very simplistic example but not far from what I've had to do multiple times with assorted teams to help them navigate the DSS.
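The isolation roadmap in the comment above lends itself to an automated check. The following is an added example, not code from the article or from the commenter: it takes a constructed PCI asset inventory (step 1) and a constructed edge firewall policy (step 3) and reports assets not yet moved into the PCI segment, allow rules that reach the segment from unapproved sources, and whether a default deny closes the policy. All addresses, hostnames and rules are hypothetical.

```python
import ipaddress

# Constructed sample data (hypothetical addresses, not from the page): the new PCI
# segment, the step-1 asset inventory, and the policy on the edge of that segment.
PCI_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
PCI_INVENTORY = {
    "pos-terminal-01": "10.50.0.11",
    "payment-gw-01": "10.50.0.20",
    "legacy-pos-07": "10.0.3.45",  # still on the corporate LAN: step 4 not finished
}
# Edge firewall policy (constructed), evaluated top-down, first match wins:
# (action, source, destination, tcp_port or None for any port)
EDGE_RULES = [
    ("allow", "10.0.5.0/24", "10.50.0.0/24", 22),  # approved jump-host subnet, SSH only
    ("allow", "0.0.0.0/0", "10.50.0.0/24", 445),   # any source -> PCI SMB: breaks isolation
    ("deny", "0.0.0.0/0", "10.50.0.0/24", None),   # default deny into the segment
]

def unmigrated_assets(inventory, pci_segment):
    """Inventoried PCI assets whose address is not inside the PCI segment."""
    return sorted(name for name, addr in inventory.items()
                  if ipaddress.ip_address(addr) not in pci_segment)

def overly_permissive_rules(rules, pci_segment, approved_sources):
    """Allow rules reaching the PCI segment from a source outside the approved networks."""
    approved = [ipaddress.ip_network(s) for s in approved_sources]
    findings = []
    for action, src, dst, port in rules:
        if action != "allow" or not ipaddress.ip_network(dst).overlaps(pci_segment):
            continue
        src_net = ipaddress.ip_network(src)
        if not any(src_net.subnet_of(net) for net in approved):
            findings.append((src, dst, port))
    return findings

def has_default_deny(rules, pci_segment):
    """True if the last rule touching the PCI segment denies all remaining traffic into it."""
    matches = [r for r in rules if ipaddress.ip_network(r[2]).overlaps(pci_segment)]
    if not matches:
        return False
    action, src, _dst, port = matches[-1]
    return action == "deny" and ipaddress.ip_network(src).prefixlen == 0 and port is None

def isolation_report(inventory, rules, pci_segment, approved_sources):
    """Run the three checks; empty findings plus a default deny mean the segment is isolated."""
    return {
        "unmigrated": unmigrated_assets(inventory, pci_segment),
        "permissive_rules": overly_permissive_rules(rules, pci_segment, approved_sources),
        "default_deny": has_default_deny(rules, pci_segment),
    }
```

Feed it the real inventory export and firewall ruleset and it becomes a repeatable gate for the roadmap's steps 3 and 4, rather than a one-off assessor check.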
Marilyn Cohodas,
User Rank: Strategist
9/22/2014 | 12:17:21 PM
Re: Checkbox mentality > Roadmap v Best Practices
Are we splitting hairs about the difference between a road map and best practices? Yes, best practices may be overly generic to be particularly useful. But on the other hand, a roadmap view with turn-by-turn directions might be too specific to be of value to various industry segments, or companies of different sizes.
Stratustician,
User Rank: Moderator
9/22/2014 | 11:03:12 AM
Re: Checkbox mentality
I agree, in some ways, perhaps having a recommendations guide where organizations can benchmark against what other industry folks are doing would help.  In many cases, PCI seems overly daunting, especially for small and mid sized organizations, so having better guidance on "here's some examples of what companies are doing to check off those boxes" would help, or at least help prioritize the technologies/policies that would help reduce the overall threat gap and give folks a better idea where to start.
gabehernandez9,
User Rank: Apprentice
9/22/2014 | 9:09:09 AM
Re: Checkbox mentality
Education is always valuable, but for my money the Council would increase its value by providing a roadmap to help companies achieve compliance when starting from square one. I've encountered a lot of frustration with the DSS, not because it sets some aggressive security standards, but because those standards don't provide enough guidance on getting there. Admittedly, standards are meant to only stipulate the "What" as far as security control objectives to meet, but we could all use a lot more help with the "How" of getting there. Not necessarily with a list of products or tools, but a cohesive tactical roadmap template that any business can use and modify (within reason) to get to the compliance finish line.
Marilyn Cohodas,
User Rank: Strategist
9/22/2014 | 8:16:09 AM
Checkbox mentality
It's hard to argue with any effort that will up the card industry's game when it comes to data security. But I don't think education alone will turn the tables. The problems run deeper than an attitude shift and a new set of best practices. Thoughts anyone?