9/19/2014
06:15 PM

5 Ways To Think Outside The PCI Checkbox

New PCI Council GM plans to help organizations move their practices beyond compliance mentality into risk-based security.

This month the PCI Security Standards Council entered a new era with the appointment of a new general manager as Bob Russo, its founding GM, prepares for retirement at year end. Russo's successor is Stephen Orfei, a tech industry veteran with experience in telecommunications, emerging payment technology, and cyber security.

Orfei was introduced to PCI ecosystem partners at the North American PCI Community Meeting this month. He is coming to his new role with a fresh approach, and he hopes to build on Russo's work in a number of key areas. First on his list of priorities is evangelizing a mind shift away from, of all things, compliance.

Though the PCI SSC was originally created as a standards-setting body that existed primarily to maintain standards to which merchants, acquirers, and other payment entities need to adhere, Orfei says the time has come for a change. PCI standards will always exist as a baseline for compliance, but Orfei hopes to use the council to break out the soapbox and tout the importance of prioritizing risk-based security over simple compliance.

"I don't think we can go forward with the attitude of either you're compliant or you're not," he says. "I think a risk-based approach is one that makes sense and will allow us to take significant risks off the table." As he explains, he wants to avoid the situation where a business takes 10 of 12 risks off the table but, because it cannot immediately comply with the last two risks, it gives up being vigilant about risk reduction by saying, "I'm just going to throw the dice, because I can't bring the organization into compliance, and this effort is for nothing if I can't comply."

A center of excellence
Instead, he wants to urge organizations to still prioritize and take big threats off the table but continue to develop and execute plans for better risk reduction over time. He believes the council is in a good position to help them do that by shifting its position in the industry. Rather than simply being a global security standards organization, Orfei would like to build the council into what he calls a "center of excellence."

The idea is not only to tweak the baseline standards with which the payment ecosystem must comply, but also to develop and disseminate best practices for a higher level of security.

"I want the market to look to us for the subject matter expertise, for the best practices, for the standards, for the vetting of solutions, for our laboratories to do the testing," he says. "The continuum is one of going to the market with best practices to get to a baseline standard, and then as a center of excellence, we also need to describe what a gold standard looks like for those who have the appetite and desire to take it to the next level."

In the meantime, Orfei believes that organizations can start down the path of risk-based security in five key areas:

  1. Monitoring and surveillance: Organizations must improve the way they monitor their network and data resources in order to stay on top of incoming threats.
  2. Patching: Patch management remains one of the most effective ways organizations can drastically reduce risk to their systems and PCI-relevant data.
  3. Using technology to devalue data: With EMV coming down the pike and technology like point-to-point encryption and tokenization more affordable and usable than ever, organizations need to leverage technology to make data worthless to attackers.
  4. Making security a KPI: Organizations that find ways to make security a key performance indicator, not just in IT but across the business, are more likely to develop a culture of security.
  5. Remaining vigilant beyond the point-in-time compliance check: Organizations need to remember that compliance is just a point-in-time metric. They have to remain vigilant with risk reduction even when the assessors are gone.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas, User Rank: Strategist
9/23/2014 | 10:13:32 AM
Re: Checkbox mentality > Roadmap v Best Practices
Thanks for the example, @gabehernandez9. I'd love to hear more from the Dark Reading community about their advice and tactics for navigating DSS.
gabehernandez9, User Rank: Apprentice
9/23/2014 | 9:19:34 AM
Re: Checkbox mentality > Roadmap v Best Practices
A roadmap need not be overly detailed with specific turn-by-turn steps. It could be composed of a series of successive milestones to help you on your way. For example, a key tenet of PCI environments is the concept of "isolation". Why not have a tactical and practical guide to explain typical steps to achieve isolation at the network layer...something like this.

1. Create an inventory of all IP-enabled devices that are part of a PCI environment

2. Create a separate environment (ideally physical with separate routers, switches, firewalls etc., but it must be logically separate) to host and enable the functionality of those PCI assets isolated from the corporate LAN

3. Apply the following hardening and access restrictions to the edge of the new PCI network in accordance with DSS section blahblahblah

4. Migrate the previously defined PCI assets to the new network.

5. Train network personnel how to access and support the new environment with strong emphasis on maintaining isolation from corporate LAN systems and services.

And so on....

This is admittedly a very simplistic example but not far from what I've had to do multiple times with assorted teams to help them navigate the DSS.
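One way to turn the inventory, edge-restriction and migration milestones of the roadmap above into a repeatable check, added here as an example and not part of the comment or of any PCI Council material: given a constructed asset inventory and a constructed set of edge firewall rules, it reports assets still addressed outside the PCI segment and allow rules that admit corporate LAN traffic into the segment on ports outside an allowlist. The segment ranges, asset names, rules and the allowlist are all assumed sample values.

```python
import ipaddress

# Constructed sample data for this example (not from the page or any real deployment).
PCI_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # the new isolated PCI network
CORP_LAN = ipaddress.ip_network("10.0.0.0/16")       # the corporate LAN it is separated from

# Milestone 1: inventory of IP-enabled PCI assets (hypothetical names and addresses).
INVENTORY = {
    "pos-terminal-01": "10.50.0.11",
    "payment-gw-01": "10.50.0.20",
    "legacy-pos-07": "10.0.3.44",   # still on the corporate LAN, i.e. not yet migrated
}

# Milestone 3: hypothetical edge rules as (action, source, destination, port);
# "any" stands for every address or every port.
EDGE_RULES = [
    ("allow", "10.0.0.0/16", "10.50.0.0/24", 443),
    ("allow", "10.0.0.0/16", "10.50.0.0/24", 22),
    ("allow", "10.0.5.0/24", "10.50.0.0/24", 3389),
    ("deny", "any", "any", "any"),
]
ALLOWED_INGRESS_PORTS = {443}   # the only service the corporate LAN should reach in the segment


def _net(spec):
    """Turn a rule address field into a network; 'any' covers all of IPv4."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def unmigrated_assets(inventory, pci_segment=PCI_SEGMENT):
    """Milestone 4 check: inventory entries whose address is not inside the PCI segment."""
    return sorted(name for name, addr in inventory.items()
                  if ipaddress.ip_address(addr) not in pci_segment)


def overly_permissive_rules(rules, corp_lan=CORP_LAN, pci_segment=PCI_SEGMENT,
                            allowed_ports=ALLOWED_INGRESS_PORTS):
    """Milestone 3 check: allow rules admitting corporate LAN traffic into the PCI
    segment on a port outside the allowlist (an 'any' port is never on it)."""
    findings = []
    for action, src, dst, port in rules:
        if action != "allow":
            continue
        if (_net(src).overlaps(corp_lan) and _net(dst).overlaps(pci_segment)
                and port not in allowed_ports):
            findings.append((src, dst, port))
    return findings


if __name__ == "__main__":
    print("not yet migrated:", unmigrated_assets(INVENTORY))
    print("edge rules to review:", overly_permissive_rules(EDGE_RULES))
```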
Marilyn Cohodas, User Rank: Strategist
9/22/2014 | 12:17:21 PM
Re: Checkbox mentality > Roadmap v Best Practices
Are we splitting hairs about the difference between a road map and best practices? Yes, best practices may be overly generic to be particularly useful. But on the other hand, a roadmap view with turn-by-turn directions might be too specific to be of value to various industry segments, or companies of different sizes.
Stratustician, User Rank: Moderator
9/22/2014 | 11:03:12 AM
Re: Checkbox mentality
I agree, in some ways, perhaps having a recommendations guide where organizations can benchmark against what other industry folks are doing would help. In many cases, PCI seems overly daunting, especially for small and mid-sized organizations, so having better guidance on "here's some examples of what companies are doing to check off those boxes" would help, or at least help prioritize the technologies/policies that would help reduce the overall threat gap and give folks a better idea where to start.
gabehernandez9, User Rank: Apprentice
9/22/2014 | 9:09:09 AM
Re: Checkbox mentality
Education is always valuable, but for my money the Council would increase its value by providing a roadmap to help companies achieve compliance when starting from square one. I've encountered a lot of frustration with the DSS, not because it sets some aggressive security standards, but because those standards don't provide enough guidance on getting there. Admittedly, standards are meant to only stipulate the "What" as far as security control objectives to meet, but we could all use a lot more help with the "How" of getting there. Not necessarily with a list of products or tools, but a cohesive tactical roadmap template that any business can use and modify (within reason) to get to the compliance finish line.
Marilyn Cohodas, User Rank: Strategist
9/22/2014 | 8:16:09 AM
Checkbox mentality
It's hard to argue with any effort that will up the card industry's game when it comes to data security. But I don't think education alone will turn the tables. The problems run deeper than an attitude shift and a new set of best practices. Thoughts anyone?