PCI DSS 6.1: Not All Things Being Equal
In light of recent cyber-attacks, effective, risk-based vulnerability management has never been so important. Cyber criminals have been seen to exploit known Medium-rated vulnerabilities, of the kind associated with Man-In-The-Middle (MITM) attacks, in order to illegally harvest customers' personal or financial data.
There is an important lesson, from the PCI DSS 6.1 control, that should be applied by any business wishing to effectively reduce the risk to its customers' sensitive data.
“Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected. Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization’s environment and risk assessment strategy.
Risk rankings should, at a minimum, identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed.
Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.”
Today's cyber-criminals are opportunists, looking for ways to exploit poor practices. Unfortunately, this problem is heightened by the industry's use of a 'Traffic Light' system for colour coding vulnerability ratings, e.g.
RED - High
'Stop'. Wait behind the stop line on the carriageway
AMBER - Medium
'Stop' at the stop line. You may go on only if the AMBER appears after you have crossed the stop line or are so close to it that to pull up might cause an accident
Let’s take a look at an example:
Periodic scanning reveals a website that is missing security headers. Based on industry best practices this is rated as only a Medium vulnerability and, thus, is not seen as a high priority.
However, what if the affected website is part of the customer's payment journey, so that criminals can use this Medium vulnerability to redirect the customer (during the course of making an online payment), or to lend sufficient credibility to a fraudulent/malicious website that customers will happily enter their sensitive personal and financial data into it (allowing the criminals to harvest this data)?
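To make the "same finding, different rank" point concrete, here is an added example (not code from the original article) that takes the response headers of a checkout page and reports which missing or weak headers would give injected script a redirect or skimming opportunity, then ranks the finding by whether the page sits in the payment journey rather than by its generic scanner rating. The header sets and the merchant/PSP host names are constructed placeholders, not captured from any real site.

```python
"""Added example: rank a 'missing security headers' finding by what it
enables on a payment page, not by its generic Medium rating.
All headers and host names below are constructed sample data."""
from __future__ import annotations

# Hypothetical origins: the merchant's own site and its outsourced PSP.
MERCHANT_ORIGIN = "https://shop.example"
PSP_ORIGIN = "https://pay.psp.example"

# Constructed sample responses: one with no hardening, one hardened.
WEAK_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' https://pay.psp.example; "
        "connect-src 'self'; "
        "form-action 'self' https://pay.psp.example; "
        "frame-ancestors 'none'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _sources(policy: dict[str, list[str]], directive: str):
    """Sources for a directive. Fetch directives such as script-src and
    connect-src fall back to default-src; form-action does not."""
    if directive in policy:
        return policy[directive]
    if directive in ("script-src", "connect-src"):
        return policy.get("default-src")
    return None


def assess_checkout_headers(headers: dict[str, str]) -> list[str]:
    """Return the weaknesses that would let injected script redirect the
    customer or exfiltrate what they type into the payment form."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []

    script = _sources(csp, "script-src")
    if script is None or "*" in script or "'unsafe-inline'" in script:
        findings.append("script-src absent or permissive: an injected skimmer can run")

    connect = _sources(csp, "connect-src")
    if connect is None or "*" in connect:
        findings.append("connect-src absent or wildcard: harvested data can be sent anywhere")

    form = csp.get("form-action")
    if form is None or not set(form) <= {"'self'", MERCHANT_ORIGIN, PSP_ORIGIN}:
        findings.append("form-action does not pin the PSP: the card form can be re-pointed")

    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no framing protection: the page can be framed by a look-alike site")

    if "strict-transport-security" not in h:
        findings.append("no HSTS: a first plaintext request can be intercepted and redirected")

    return findings


def rank_finding(findings: list[str], in_payment_journey: bool) -> str:
    """PCI DSS 6.1 style ranking: the type of system affected, not just the
    scanner's generic rating, decides whether the finding is critical."""
    if not findings:
        return "Pass"
    if in_payment_journey:
        return "Critical"  # public-facing and on the cardholder's path
    return "Medium"        # the usual traffic-light rating


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        f = assess_checkout_headers(hdrs)
        print(name, rank_finding(f, in_payment_journey=True), f)
```

Run against a real checkout page, the same five checks would be fed from the headers returned by the merchant's own origin, i.e. the page that hosts or redirects to the PSP's iFrame, because that is the page the Magecart-style attacks described below modify.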
Increasingly, webpages have multiple interconnections which, as seen in the Magecart Group cyber-attacks, are being used to redirect the customer's journey in order to commit fraud or identity theft.
Despite the fact that the Magecart Group have been active since 2010 (having compromised thousands of eCommerce websites), it is also important to remember that in PCI DSS v3.2.1 this important control requirement is omitted from SAQ A (Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced). Therefore, any eCommerce process that redirects to, or embeds an iFrame from, a third-party PSP could meet its PCI DSS compliance requirements yet still have a vulnerable customer web interface and be subject to a MITM attack, where the customer journey is redirected/diverted before the customer safely enters their sensitive data into the third-party, PCI DSS compliant, Payment Service Provider (PSP) website.
During these cyber-attacks, the hackers exploited underlying vulnerabilities that resided in the 'Out of Scope' (no interaction with cardholder data) websites, without needing to attack the security-hardened third-party PSP website at all.
"This still proves to be an extremely successful and profitable tactic for attackers"
Much like the traffic light system, the risk ranking of a Medium vulnerability should consider its potential impact in your environment as well as industry best practices. When investigating the impact of any identified vulnerability, consider the potential threat it presents and carry out step 1 of the Cognitive Attack Loop:
What does my digital footprint look like?
What are the connecting assets?
What does the customer journey look like?
Think like your attacker.
What are the opportunities created by this vulnerability?
Do I have an opportunity to redirect the customers’ journey?
If you are a business involved in eCommerce, or interacting with customer personal data through a web interface, please apply the lessons learned from the British Airways attack, where the customer journey was redirected through the criminals' infrastructure (baways.com) hosted in Romania. Under the PCI DSS rules, a business is permitted 90 days to remediate a Medium vulnerability. However, in the British Airways case the criminals managed to harvest around 380,000 customer records within just 60 days.
I hope that the upcoming release of PCI DSS v4.0 will make this part of a control requirement (rather than just a note of guidance), to ensure that eCommerce operations understand the need to prioritise vulnerability remediation based upon a comprehensive risk assessment and not just upon industry best practices.
Additionally, a risk-based vulnerability management process will help to ensure that remediation efforts are prioritised according to the criticality of the business systems and the sensitivity of the data they receive, rather than only the generic severity rating of the finding.