Tom Olzak

Archive for the ‘PCI DSS’ Category

Blame the auditors: What a concept!

In Business Continuity, Data Security, Network Security, PCI DSS, Risk Management, Security Management on August 13, 2009 at 08:02

I have never thought of this.  After a breach, just blame the auditors.  Wait.  The reason I hadn’t thought of it is because passing a compliance audit IS NOT ASSURANCE OF SECURITY.  But some still don’t get it.

In an interview with CSO’s Bill Brenner, Heartland Payment Systems’ CEO, Robert Carr, blamed his QSA auditors for a recent (huge) breach.  Because they said his organization was PCI compliant, he felt secure.  Wow.  Security by checklist once again.

Rich Mogull, in an open letter to Carr, makes several excellent points about reliance on compliance instead of solid security practices.  He concludes his letter with,

But, based on your prior public statements and this interview, you appear to be shifting the blame to the card companies, your QSA, and the PCI Council. From what’s been released, your organization was breached using known attack techniques that were preventable using well-understood security controls.

As the senior corporate officer for Heartland, that responsibility was yours.

Source: An Open Letter to Robert Carr, CEO of Heartland Payment Systems, Rich Mogull, 12 August 2009

Rich’s letter is a good read, and it should be circulated widely among security professionals and senior executives.

Among other things, this is another case where an organization is falling back on a completed checklist representing compliance with the PCI standard, a bare minimum set of security requirements.  But whether you are HIPAA, GLBA, or PCI compliant, checking off on recommended practices doesn’t equal security.

Each of us is responsible for placing compliance activities within the proper context: guidelines within a broader security program.  No regulatory or industry standards can protect our critical infrastructure or sensitive data.  Only an aware, thinking human who actually cares about security—and understands how standards apply within his or her unique environment—can do that.

Fear, Trust, and Desire: Fertile ground for social engineers

In Business Continuity, Content Filtering, Cybercrime, Data Security, HIPAA, Network Security, PCI DSS, Risk Management on April 10, 2009 at 09:42

According to the recently released Microsoft Security Intelligence Report (2H2008), social engineering is taking the lead as the preferred method of network and end-user device malware infection.  Since operating system vulnerabilities are slowly disappearing and more organizations are implementing basic network controls, the easiest way to a target system is via the end-user.

Fear, Trust, and Desire (FTD)

According to the Microsoft SIR, users fall prey to social engineering attacks because of three common modes of human behavior: fear, trust, and desire.  As depicted in Figure 1, each of these behaviors is targeted by specially crafted attacks.

Figure 1 (Microsoft SIR): social engineering attacks targeting fear, trust, and desire


PCI DSS is a get out of jail free card

In Business Continuity, Cybercrime, Data Security, PCI DSS, Piracy Legislation, Risk Management on April 2, 2009 at 08:21

The problem with security standards is they often are a get out of jail free card for organizations which believe in doing only the bare minimum necessary to stay out of trouble.  Some standards, like the PCI DSS, add some value when protecting sensitive information, but they don’t go far enough.  They become something management can point to and say, “See.  We’re secure.”

Apparently it takes a congressional hearing to sort this out.

The PCI standard, long touted as one of the private sector’s best attempts to regulate itself on data security, is increasingly showing signs of coming apart at the seams.

At a hearing in the U.S. House of Representatives Wednesday, federal lawmakers and representatives of the retail industry challenged the effectiveness of the PCI rules, which are formally known as the Payment Card Industry Data Security Standard (PCI DSS). They claimed that the standard, which was created by the major credit card companies for use by all organizations that accept credit and debit card transactions, is overly complex and has done little thus far to stop payment-card data thefts and fraud.

Source: PCI security standard gets flayed at House hearing, Jaikumar Vijayan, Computerworld, 1 April 2009

No, Congress is certainly not the right body to control cybersecurity.  However, in this case I think they got it right by simply stating the obvious.

PCI DSS Compliance Made Easier, but Upside Down

In Data Security, PCI DSS, Risk Management on March 16, 2009 at 17:18

Most companies required to comply with PCI DSS are SMBs, so implementing security controls to protect cardholder information is not an easy task.  The difficulties begin when business owners and managers realize they don’t even know where to start.

The PCI Security Standards Council, using information from security breaches, security assessors, and forensics investigators, recently released a set of tools to help jumpstart the process.  Although the council’s tools are useful, I disagree with how some of the compliance tasks are prioritized.

