Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How PCI DSS 3.0 Can Help Stop Data Breaches
Newest First  |  Oldest First  |  Threaded View
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/15/2015 | 1:14:12 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
1. It's my experience that organizations try to attain the absolute minimum it takes to become compliant. I think the brands should be helping out more by clarifying a lot of the murk that the DSS has, and coming out with a security framework, or at least rewriting the DSS so it becomes more clear as to what the Council actually wants. Right now it's a mishmash of 200+ checks, that are usually attacked piecemeal.

Second, I'd like to see the brands get more aggressive on punishing companies that scoff the DSS and get breached. Home Depot has been breached how many times now? The breach at Target was rather offensive itself, they missed all the warning signs. Of course, the Council will do nothing to these companies as they would be missing all the revenue that thise companies make for them. I would guarantee that if one major retailer was to lose its merchant status, there would be a newfound vigor and zeal from the rest of the retail industry to get secured.


2. IT management is generally not ready for a revolutionary approach. They must be dragged, kicking and screaming into compliance because they will whine, complain, drag their feet and stall all they can until they have to get compliant. The cost of noncompliance needs to be greater than it takes to get compliant, otherwise it simply won't happen.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/12/2015 | 10:17:54 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
@Cthulhucalling -- You raise some interesting points which prompts me to ask for your thoughts on 1.What do you think is needed to give PCI DSS 3.0 more bite? And 2. Do you think the enterprise IT could handle a more revolutionary approach?
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:28:57 PM
DSSv3. Meh
I'm a QSA and have been working PCI issues for clients for a few years now. What I'm seeing in v3 of the DSS is hardly revolutionary, merely evolutionary. Really, there is little changed from v2, some lip service to memory scraping, some improvements in some other requirements. But overall... meh. Without coming out and actually providing a security framework, all of this piecemeal "defense in depth" is difficult for organizations to comprehend, even when they have good engineers and security staff. Why? Because there is not overarching vision or framework that is included in the DSS, it's just 240+ requirements that are typically addressed piecemeal. An included framework would provide some context, to show management that Requirement 1 reinforces Requirement 5- when AV fails, the firewall or airgapped network will keep cardholder data from being leaked (barring extrordinary effort by the attacker)

Requirement 5 was a joke in my QSA training, the instructor called it the "microsoft rule", as the requirement states "for systems that are commonly infected by malware". Hey, AV software is nice tool for the toolbox, but I there seems to be some overeliance that it will catch malware. Any security professional will know this, but management at some of my clients have asked the question "If we have (antivirus software vendor) installed, why do we need to put our point of sale behind firewalls?". This usually goes into the defense in depth lecture, but by that point, everyone is looking at their phones, or arguing that all of this is going to cost money, and this is just security being negative and trying to scare people.

Until there is a breach.
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:07:10 PM
Re: PCI DSS is still badly lacking!
I just spent the last 2 years working on PCI remediation for a client. Despite being brought in specifically to work the client's PCI issues, the business focused on other things until almost literally the last hour. We did get them compliant despite a huge amount of work done the last few weeks of the year, but it was only because this was the last opportunity that the company could be audited against DSSv2.0 did we get management backing to get the work actually done.

I've given numerous presentations and discussions with the client's management, and despite assurances that PCI was the #1 priority, they typically got sidetracked with other shiny objects, or balked at the amount of time/money/effort it would take to attain compliance, until it in itself became a problem. Good on them for eventually addressing the problem, but this couuld have been done much eariler without the rush to the finishline.
closcer
50%
50%
closcer,
 User Rank: Apprentice
1/8/2015 | 3:57:13 PM
Re: PCI DSS is still badly lacking!
In my case, I lead a security team for a fortune 500 financial company and for me its been very easy.  You just have to provide the right data points and stay away from annecdotal data.  Justifying everything with worst case and potential financial monetary loss has always worked with our leadership team.  Thus far we've adequately protected the business (and our FI's) with the right controls in place and teh right level of auditing.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/8/2015 | 3:20:02 PM
Re: PCI DSS is still badly lacking!
@n0md3plum, how do you make the case for PCI-DSS to your management? Or do you?
n0md3plum
50%
50%
n0md3plum,
 User Rank: Apprentice
1/8/2015 | 2:42:14 PM
Re: PCI DSS is still badly lacking!
@Closcer,  Try explaining that to management. That hey PCI is just the bare minimum of what needs to be done. We need to spend more $ on additional controls, policies, standards etc.  Unless you have other regulatory guidelines that you have to follow, PCI by itself might not be enough.
closcer
50%
50%
closcer,
 User Rank: Apprentice
1/8/2015 | 11:56:59 AM
Re: PCI DSS is still badly lacking!
Some of your statements are valid, but the majority show youre badly misinformed.  As with any other guidelines or standards it should be something to build on not a soup to nuts approach.  Whoever doesn't treat PCI DSS as the bare minimum barometer has some work to do to secure their enterprise.  The ideals and principles set forth on PCI DSS are sound and should give the experienced security engineer something to work off of - that's the true intent of the standards.
DCDawg
0%
100%
DCDawg,
 User Rank: Apprentice
12/24/2014 | 1:00:21 AM
PCI DSS is still badly lacking!
PCI DSS is a like the TSA: security theater! PCI DSS does NOT require a proper risk assessment such as the one required in the ISO 27001 framework. PCI DSS does NOT require recertification of changes like FISMA. PCI DSS does NOT require configuration management standards and certification for expanding new systems like DIACAP.

Under PCI DSS a cash register in New York can talk to a cash register in San Deigo. Why? Why are all the networks logically flat? For that matter, why is any data stored as close to the entry ways into the network as they are today? You wouldn't store the keys to your building in the lobby, why are you storing your password in what is essentially the lobby to the Internet?

The entire model is broken. Software vendors who create the whiz-bang tools do so in a way where they have to be the center of your universe. When they are not, they implement standards in such a way that dangerous decisions have to be made if a company is trying to build a system.

And speaking of building a system, what is wrong with custom code? Does you house have all the cookie-cutter pre-built options? Did you add on to it? Change the wallpaper? What about redoing the electricty to support networking and the upgraded air conditioner? Then why are you still insisting that you open the COTS box and it work without doing the same? You are building systems like they built houses in the post-World War II era. Pre-fabricated and thrown together as quickly as possible without regard for what would happen with the first really big storm, flood, or other disaster. Like the ol' saltbox built in 1950, you either have to spend tons of money to repair and maintain it while it is being attacked or you have to spend money to tear it down and rebuild it.

Why do it right when you can do it wrong for twice the price?!

You think I'm kidding? Ask Target and Home Depot how much damage would have been done if they isolated their point-of-sale networks from each other. What about Sony? How much damage was done because they left their open mail by the front door for the first person to walk in to take it from them?

Saying that PCI DSS can help stop breaches is like saying the TSA will stop terrorism on an airplane. Just like Haniford Foods was PCI DSS certified, the TSA did not stop the gun-running scheme between Atlanta and New York. It only came to light when the Brooklyn DA was investigating something else... sort of like how Neiman-Marcus found its problems. 

Security is NOT a checklist or a product. It is the result of a risk assessment to determine the risks and their mitigations. Security is a process, just like the physical security that every business maintains. Until these rank amatures understand this, there is no reason to think that PCI DSS in any of its forms will be nothing more than a band aid on a gushing wound!

 


Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.