A Wet Fish Called Reality

- or - Security by PCI

More and more customers are being swept up by this PCI broom, a set of regulations to supposedly secure credit card data. It’s caused me to run a critical eye over it and surprisingly, I have some disturbing doubts.

I found this nice piece in Network World, “What’s wrong with the PCI Security Standard”, which sums up well why PCI won’t cut the mustard.

1. Patching isn’t what PCI claims it to be.
He said some of the principles that buttress the standards don’t stand up to analysis. For example, regular, prompt patching of operating systems and applications is touted as a key to data protection. But of 90 breaches that warranted incident responses in 2009, just six could have been prevented by more timely patching, according to a Verizon Business data breach report, he said.

2. Insiders are not the problem PCI claims them to be.
Similarly, the common thinking is that most breaches are caused by insiders, but only 20% of those incidents reported by Verizon were linked to insiders. Of those, half were due to user error, not malicious intent by an insider. “That’s an urban legend. We have really bad data,” he said.

3. Anti-virus is not the nirvana PCI claims it to be.
Anti-virus, mandated by PCI, demands the largest chunk of security spending, but 85% of breaches were the result of custom malware that virus software can’t catch, Corman said.

4. The PCI council are definitely smoking their own P.R.
The PCI Council’s position is that no data breach was ever successful against a network that was fully compliant with PCI, and that had victims paid better attention to their log data, they would have detected the breaches. “It implies the infallibility of their compliance,” Corman said. But he said a third of the logs in breach cases held no evidence of breaches, according to the Verizon report.

The Verizon report he references is here.
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

In short, a wet fish I call REALITY is raining all over the romantic twaddle PCI is smoking. Just so long as everybody remembers PCI is mostly regulatory compliance and NOT security.

Carlton

Posted by Carlton Duston on 4 May 2010 | 0 comments
Tagged with News
