By Tim Cranny
Panoptic Security Inc.
The Payment Card Industry (PCI) Data Security Standard (DSS) is expanding and maturing. That means ISOs, banks, merchant level salespeople and merchants must familiarize themselves with an increasing number of resources, documents, processes and procedures associated with PCI.
That's good in almost every way, but it introduces a very real danger, one that is already affecting people today: the possibility of becoming "captured" by PCI and its priorities and processes and forgetting that it is, and will always be, just a response to the underlying threats and real dangers out there.
As compliance becomes a more familiar process, organizations run the risk of forgetting about the differences between safety and risk, and getting hypnotized into thinking only in terms of PCI and its issues and formal measurements.
(This problem didn't emerge with PCI, of course; it is a common cause of failure for any long-term program with hard-to-define or shifting objectives. For example, there has been a problem for years in the U.S. education system, whereby the ultimate goals of producing educated, informed graduates is giving way to the more tangible metrics of raising exam scores and graduation rates. This is how we end up with dangerous and completely backward approaches such as "teach to the test.")
The formal PCI system does not, and cannot, track perfectly or even consistently the underlying dangers from hackers and thieves. In fact, there are strong reasons (which I'll address in a separate article) why PCI is particularly bad as a tracking mechanism.
The result is that we will see increasing numbers of cases in which people follow PCI guidelines judiciously but are still hacked or damaged.
If you're an ISO, bank, processor or merchant, do not smile when you hear the phrase, "The operation was a success, but the patient died"; you could be the patient we're talking about.
For that reason, I'm going to ignore PCI for the rest of this article and talk about the real threats and dangers you should keep in mind. This has to be a regular process, too, because these threats and dangers are changing so rapidly that the right approach today is likely going to be woefully inadequate in a year's time.
The recently released CA Technologies report, State of the Internet 2010, (available at www.ca.com or by searching online) offers an update on "what's happening out there" in the world of cybercrime and is a good place to start.
The bottom line is that cybercrime continues to grow more common and serious while cybercriminals are becoming more professional. Not that long ago the archetypal hacker was a teenager looking for adventure and recognition among peers, not necessarily a monetary payoff.
Now a hacker is much more likely to be a member of an organized criminal group using specialized training and tools for financial gain.
Some of the details in the CA report are surprising and show how the web and cybercrime are evolving. For example:
Many of the latest Trojans are specifically designed to steal data, and the single biggest focus of these attacks is online banking, accounting for 29 percent of the new "infostealer" Trojans.
For example, users are becoming more security conscious, so attackers are exploiting that by packaging their Trojans as fake security software (fake anti-viruses that actually attack your computer and issue fake security warnings to make you hand over personal data).
(On a side note, it's more than a little bizarre to see this sort of crime become almost boring nine-to-five work: The people doing this aren't living a life filled with speedboats, machine guns and exotic drugs. They're now occupied worrying about quality control, search engine rankings, affiliate programs, multiple language support and other mundane concerns.)
Having said that, various Microsoft technologies remain a huge and consistent source of security problems. An enormous number of attacks focus on ActiveX, Internet Explorer and Microsoft Office.
So what should we do about all this? Here are some general ideas that should influence both how you think about security, and what specific actions you take.
Instead, be PCI compliant, but keep looking for guidelines like the CA report and alerts from governments and software vendors.
Thinking about security in this way means you will be safer. It also means PCI compliance will easily follow. That's how it's supposed to work: PCI is essentially a health check, and the best way to pass a health check is to stop thinking about the test so much and concentrate on getting healthy.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next