The Green Sheet Online Edition

November 08, 2010 • Issue 10:11:01

Going beyond PCI

By Tim Cranny
Panoptic Security Inc.

The Payment Card Industry (PCI) Data Security Standard (DSS) is expanding and maturing. That means ISOs, banks, merchant level salespeople and merchants must familiarize themselves with an increasing number of resources, documents, processes and procedures associated with PCI.

That's good in almost every way, but it introduces a very real danger, one that is already affecting people today: the possibility of becoming "captured" by PCI and its priorities and processes and forgetting that it is, and will always be, just a response to the underlying threats and real dangers out there.

As compliance becomes a more familiar process, organizations run the risk of forgetting about the differences between safety and risk, and getting hypnotized into thinking only in terms of PCI and its issues and formal measurements.

(This problem didn't emerge with PCI, of course; it is a common cause of failure for any long-term program with hard-to-define or shifting objectives. For example, there has been a problem for years in the U.S. education system, whereby the ultimate goals of producing educated, informed graduates is giving way to the more tangible metrics of raising exam scores and graduation rates. This is how we end up with dangerous and completely backward approaches such as "teach to the test.")

The formal PCI system does not, and cannot, track perfectly or even consistently the underlying dangers from hackers and thieves. In fact, there are strong reasons (which I'll address in a separate article) why PCI is particularly bad as a tracking mechanism.

The result is that we will see increasing numbers of cases in which people follow PCI guidelines judiciously but are still hacked or damaged.

If you're an ISO, bank, processor or merchant, do not smile when you hear the phrase, "The operation was a success, but the patient died"; you could be the patient we're talking about.

For that reason, I'm going to ignore PCI for the rest of this article and talk about the real threats and dangers you should keep in mind. This has to be a regular process, too, because these threats and dangers are changing so rapidly that the right approach today is likely going to be woefully inadequate in a year's time.

Facts about cybercrime

The recently released CA Technologies report, State of the Internet 2010, (available at www.ca.com or by searching online) offers an update on "what's happening out there" in the world of cybercrime and is a good place to start.

The bottom line is that cybercrime continues to grow more common and serious while cybercriminals are becoming more professional. Not that long ago the archetypal hacker was a teenager looking for adventure and recognition among peers, not necessarily a monetary payoff.

Now a hacker is much more likely to be a member of an organized criminal group using specialized training and tools for financial gain.

Some of the details in the CA report are surprising and show how the web and cybercrime are evolving. For example:

• Far more than viruses, Trojans are the most prevalent category of threat, accounting for 73 percent of the total threat infections reported to CA around the world. A Trojan is a program that claims to do something useful with offers like, "Try this free accounting software," but it actually attacks users.

  Many of the latest Trojans are specifically designed to steal data, and the single biggest focus of these attacks is online banking, accounting for 29 percent of the new "infostealer" Trojans.

• Because security is all about the "arms race" between the good guys and the bad guys, it is always true that anything that the good guys do will be circumvented, distorted or even actively exploited by the bad guys.

  For example, users are becoming more security conscious, so attackers are exploiting that by packaging their Trojans as fake security software (fake anti-viruses that actually attack your computer and issue fake security warnings to make you hand over personal data).

• Ninety-six percent of Trojans are components of a larger underground market-based mechanism that CA calls "Crimeware-as-a-Service." This emphasizes that cybercrime is an organized industry, not a loose collection of individuals.

  (On a side note, it's more than a little bizarre to see this sort of crime become almost boring nine-to-five work: The people doing this aren't living a life filled with speedboats, machine guns and exotic drugs. They're now occupied worrying about quality control, search engine rankings, affiliate programs, multiple language support and other mundane concerns.)

• The favorite target of attacks is gradually moving away from Microsoft Corp. Windows systems to Internet-based solutions. For example, there is steady growth in attacks aimed at sites such as Facebook and foundational technologies such as Adobe PDF and Flash.

  Having said that, various Microsoft technologies remain a huge and consistent source of security problems. An enormous number of attacks focus on ActiveX, Internet Explorer and Microsoft Office.

• Not too surprisingly, the Internet is not just the target of attacks; it is the highway that these attacks use to get to you, corresponding to 86 percent of the attacks, up 8 percent year over year.

Recommendations

So what should we do about all this? Here are some general ideas that should influence both how you think about security, and what specific actions you take.

• Do not use the PCI DSS as your only guide. Security threats are evolving and shifting much faster than the PCI Security Standards Council can respond. If you use the PCI as your sole guide, you'll just be getting ready for yesterday's threats by the time tomorrow ends.

  Instead, be PCI compliant, but keep looking for guidelines like the CA report and alerts from governments and software vendors.

• Use the PCI as a good place to start your thinking about security, particularly if you haven't done much about this to date. Think of it more as a first draft of what your minimum set of standards should be, not as the sole definition, and certainly don't think of it as the maximum you should be doing.

• Recognize that the threats are constantly ramping up, so you have to ramp up, too. If you don't, the price you pay will be far higher than the cost of diligence. One comment that security professionals hear all the time from companies that have been hacked is, if only we had (fill in the blank).

• Implement and maintain a comprehensive security program; don't just rely on a single product or solution. Security is too complicated and broad an issue for you to be able to "make it go away" with one purchase, even an expensive one. Also, be aware that the cost of doing business in the modern world has to be paid with time and attention, as well as money.

Thinking about security in this way means you will be safer. It also means PCI compliance will easily follow. That's how it's supposed to work: PCI is essentially a health check, and the best way to pass a health check is to stop thinking about the test so much and concentrate on getting healthy.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.