The Green Sheet Online Edition
November 08, 2010 • Issue 10:11:01
Going beyond PCI
The Payment Card Industry (PCI) Data Security Standard (DSS) is expanding and maturing. That means ISOs, banks, merchant level salespeople and merchants must familiarize themselves with an increasing number of resources, documents, processes and procedures associated with PCI.
That's good in almost every way, but it introduces a very real danger, one that is already affecting people today: the possibility of becoming "captured" by PCI and its priorities and processes and forgetting that it is, and will always be, just a response to the underlying threats and real dangers out there.
As compliance becomes a more familiar process, organizations run the risk of forgetting about the differences between safety and risk, and getting hypnotized into thinking only in terms of PCI and its issues and formal measurements.
(This problem didn't emerge with PCI, of course; it is a common cause of failure for any long-term program with hard-to-define or shifting objectives. For example, there has been a problem for years in the U.S. education system, where the ultimate goal of producing educated, informed graduates is giving way to the more tangible metrics of raising exam scores and graduation rates. This is how we end up with dangerous and completely backward approaches such as "teach to the test.")
The formal PCI system does not, and cannot, track perfectly or even consistently the underlying dangers from hackers and thieves. In fact, there are strong reasons (which I'll address in a separate article) why PCI is particularly bad as a tracking mechanism.
The result is that we will see increasing numbers of cases in which people follow PCI guidelines judiciously but are still hacked or damaged.
If you're an ISO, bank, processor or merchant, do not smile when you hear the phrase, "The operation was a success, but the patient died"; you could be the patient we're talking about.
For that reason, I'm going to ignore PCI for the rest of this article and talk about the real threats and dangers you should keep in mind. This has to be a regular process, too, because these threats and dangers are changing so rapidly that the right approach today is likely going to be woefully inadequate in a year's time.
Facts about cybercrime
The recently released CA Technologies report, State of the Internet 2010 (available at www.ca.com or by searching online), offers an update on "what's happening out there" in the world of cybercrime and is a good place to start.
The bottom line is that cybercrime continues to grow more common and serious while cybercriminals are becoming more professional. Not that long ago, the archetypal hacker was a teenager looking for adventure and recognition among peers, not necessarily a monetary payoff.
Now a hacker is much more likely to be a member of an organized criminal group using specialized training and tools for financial gain.
Some of the details in the CA report are surprising and show how the web and cybercrime are evolving.
- Far more than viruses, Trojans are the most prevalent category of threat, accounting for 73 percent of the total threat infections reported to CA around the world. A Trojan is a program that claims to do something useful (with an offer like "Try this free accounting software") but actually attacks the user who runs it.
Many of the latest Trojans are specifically designed to steal data, and the single biggest focus of these attacks is online banking, accounting for 29 percent of the new "infostealer" Trojans.
- Because security is all about the "arms race" between the good guys and the bad guys, it is always true that anything that the good guys do will be circumvented, distorted or even actively exploited by the bad guys.
For example, users are becoming more security conscious, so attackers are exploiting that by packaging their Trojans as fake security software: bogus antivirus programs that actually infect your computer and issue fake security warnings to make you hand over personal data.
- Ninety-six percent of Trojans are components of a larger underground market-based mechanism that CA calls "Crimeware-as-a-Service." This emphasizes that cybercrime is an organized industry, not a loose collection of individuals.
(On a side note, it's more than a little bizarre to see this sort of crime become almost boring nine-to-five work: The people doing this aren't living a life filled with speedboats, machine guns and exotic drugs. They're now occupied worrying about quality control, search engine rankings, affiliate programs, multiple language support and other mundane concerns.)
- The favorite target of attacks is gradually moving away from Microsoft Corp. Windows systems to Internet-based solutions. For example, there is steady growth in attacks aimed at sites such as Facebook and foundational technologies such as Adobe PDF and Flash.
Having said that, various Microsoft technologies remain a huge and consistent source of security problems. An enormous number of attacks focus on ActiveX, Internet Explorer and Microsoft Office.
- Not too surprisingly, the Internet is not just the target of attacks; it is the highway that these attacks use to get to you, corresponding to 86 percent of the attacks, up 8 percent year over year.
So what should we do about all this? Here are some general ideas that should influence both how you think about security, and what specific actions you take.
Thinking about security in this way means you will be safer. It also means PCI compliance will easily follow. That's how it's supposed to work: PCI is essentially a health check, and the best way to pass a health check is to stop thinking about the test so much and concentrate on getting healthy.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.