Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
How PCI DSS 3.0 Can Help Stop Data Breaches
Newest First  |  Oldest First  |  Threaded View
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/15/2015 | 1:14:12 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
1. It's my experience that organizations try to attain the absolute minimum it takes to become compliant. I think the brands should be helping out more by clarifying a lot of the murk that the DSS has, and coming out with a security framework, or at least rewriting the DSS so it becomes more clear as to what the Council actually wants. Right now it's a mishmash of 200+ checks, that are usually attacked piecemeal.

Second, I'd like to see the brands get more aggressive on punishing companies that scoff the DSS and get breached. Home Depot has been breached how many times now? The breach at Target was rather offensive itself, they missed all the warning signs. Of course, the Council will do nothing to these companies as they would be missing all the revenue that thise companies make for them. I would guarantee that if one major retailer was to lose its merchant status, there would be a newfound vigor and zeal from the rest of the retail industry to get secured.


2. IT management is generally not ready for a revolutionary approach. They must be dragged, kicking and screaming into compliance because they will whine, complain, drag their feet and stall all they can until they have to get compliant. The cost of noncompliance needs to be greater than it takes to get compliant, otherwise it simply won't happen.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/12/2015 | 10:17:54 AM
Re: DSSv3. Meh> evolutionary versus revolutionary
@Cthulhucalling -- You raise some interesting points which prompts me to ask for your thoughts on 1.What do you think is needed to give PCI DSS 3.0 more bite? And 2. Do you think the enterprise IT could handle a more revolutionary approach?
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:28:57 PM
DSSv3. Meh
I'm a QSA and have been working PCI issues for clients for a few years now. What I'm seeing in v3 of the DSS is hardly revolutionary, merely evolutionary. Really, there is little changed from v2, some lip service to memory scraping, some improvements in some other requirements. But overall... meh. Without coming out and actually providing a security framework, all of this piecemeal "defense in depth" is difficult for organizations to comprehend, even when they have good engineers and security staff. Why? Because there is not overarching vision or framework that is included in the DSS, it's just 240+ requirements that are typically addressed piecemeal. An included framework would provide some context, to show management that Requirement 1 reinforces Requirement 5- when AV fails, the firewall or airgapped network will keep cardholder data from being leaked (barring extrordinary effort by the attacker)

Requirement 5 was a joke in my QSA training, the instructor called it the "microsoft rule", as the requirement states "for systems that are commonly infected by malware". Hey, AV software is nice tool for the toolbox, but I there seems to be some overeliance that it will catch malware. Any security professional will know this, but management at some of my clients have asked the question "If we have (antivirus software vendor) installed, why do we need to put our point of sale behind firewalls?". This usually goes into the defense in depth lecture, but by that point, everyone is looking at their phones, or arguing that all of this is going to cost money, and this is just security being negative and trying to scare people.

Until there is a breach.
Cthulhucalling
50%
50%
Cthulhucalling,
 User Rank: Apprentice
1/9/2015 | 8:07:10 PM
Re: PCI DSS is still badly lacking!
I just spent the last 2 years working on PCI remediation for a client. Despite being brought in specifically to work the client's PCI issues, the business focused on other things until almost literally the last hour. We did get them compliant despite a huge amount of work done the last few weeks of the year, but it was only because this was the last opportunity that the company could be audited against DSSv2.0 did we get management backing to get the work actually done.

I've given numerous presentations and discussions with the client's management, and despite assurances that PCI was the #1 priority, they typically got sidetracked with other shiny objects, or balked at the amount of time/money/effort it would take to attain compliance, until it in itself became a problem. Good on them for eventually addressing the problem, but this couuld have been done much eariler without the rush to the finishline.
closcer
50%
50%
closcer,
 User Rank: Apprentice
1/8/2015 | 3:57:13 PM
Re: PCI DSS is still badly lacking!
In my case, I lead a security team for a fortune 500 financial company and for me its been very easy.  You just have to provide the right data points and stay away from annecdotal data.  Justifying everything with worst case and potential financial monetary loss has always worked with our leadership team.  Thus far we've adequately protected the business (and our FI's) with the right controls in place and teh right level of auditing.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
1/8/2015 | 3:20:02 PM
Re: PCI DSS is still badly lacking!
@n0md3plum, how do you make the case for PCI-DSS to your management? Or do you?
n0md3plum
50%
50%
n0md3plum,
 User Rank: Apprentice
1/8/2015 | 2:42:14 PM
Re: PCI DSS is still badly lacking!
@Closcer,  Try explaining that to management. That hey PCI is just the bare minimum of what needs to be done. We need to spend more $ on additional controls, policies, standards etc.  Unless you have other regulatory guidelines that you have to follow, PCI by itself might not be enough.
closcer
50%
50%
closcer,
 User Rank: Apprentice
1/8/2015 | 11:56:59 AM
Re: PCI DSS is still badly lacking!
Some of your statements are valid, but the majority show youre badly misinformed.  As with any other guidelines or standards it should be something to build on not a soup to nuts approach.  Whoever doesn't treat PCI DSS as the bare minimum barometer has some work to do to secure their enterprise.  The ideals and principles set forth on PCI DSS are sound and should give the experienced security engineer something to work off of - that's the true intent of the standards.
DCDawg
0%
100%
DCDawg,
 User Rank: Apprentice
12/24/2014 | 1:00:21 AM
PCI DSS is still badly lacking!
PCI DSS is a like the TSA: security theater! PCI DSS does NOT require a proper risk assessment such as the one required in the ISO 27001 framework. PCI DSS does NOT require recertification of changes like FISMA. PCI DSS does NOT require configuration management standards and certification for expanding new systems like DIACAP.

Under PCI DSS a cash register in New York can talk to a cash register in San Deigo. Why? Why are all the networks logically flat? For that matter, why is any data stored as close to the entry ways into the network as they are today? You wouldn't store the keys to your building in the lobby, why are you storing your password in what is essentially the lobby to the Internet?

The entire model is broken. Software vendors who create the whiz-bang tools do so in a way where they have to be the center of your universe. When they are not, they implement standards in such a way that dangerous decisions have to be made if a company is trying to build a system.

And speaking of building a system, what is wrong with custom code? Does you house have all the cookie-cutter pre-built options? Did you add on to it? Change the wallpaper? What about redoing the electricty to support networking and the upgraded air conditioner? Then why are you still insisting that you open the COTS box and it work without doing the same? You are building systems like they built houses in the post-World War II era. Pre-fabricated and thrown together as quickly as possible without regard for what would happen with the first really big storm, flood, or other disaster. Like the ol' saltbox built in 1950, you either have to spend tons of money to repair and maintain it while it is being attacked or you have to spend money to tear it down and rebuild it.

Why do it right when you can do it wrong for twice the price?!

You think I'm kidding? Ask Target and Home Depot how much damage would have been done if they isolated their point-of-sale networks from each other. What about Sony? How much damage was done because they left their open mail by the front door for the first person to walk in to take it from them?

Saying that PCI DSS can help stop breaches is like saying the TSA will stop terrorism on an airplane. Just like Haniford Foods was PCI DSS certified, the TSA did not stop the gun-running scheme between Atlanta and New York. It only came to light when the Brooklyn DA was investigating something else... sort of like how Neiman-Marcus found its problems. 

Security is NOT a checklist or a product. It is the result of a risk assessment to determine the risks and their mitigations. Security is a process, just like the physical security that every business maintains. Until these rank amatures understand this, there is no reason to think that PCI DSS in any of its forms will be nothing more than a band aid on a gushing wound!

 


COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10548
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated devices.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10549
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated snippets.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10546
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicies.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-10547
PUBLISHED: 2020-06-04
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because, by default, nodes' passwords are stored in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices.
CVE-2020-11094
PUBLISHED: 2020-06-04
The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as ...