PCI DSS: Lessons Applied
PCI DSS is an extremely robust and comprehensive data security standard, developed by the Card Brands (Visa, Mastercard, American Express, JCB & Discover) over many years for the explicit protection of customer cardholder. The standard consists of circa 360 individual controls and is only applicable to businesses involved in the processing of cardholder data (including organisations that have fully outsourced the responsibilities to 3rd parties). The differences being:
Merchants need to maintain annual compliance through submission to their Acquiring Bank (Report on Compliance or Self Assessment Questionnaire (depending on the volume of card transactions).
Service Providers (3rd Parties involved in (or who might impact) cardholder data processing) need to provide their clients with annual compliance submissions (depending on the volume of card transactions). Their clients' PCI DSS compliance status is dependent on this.
Merchant/Issuer/Acquirer Banks need to maintain their own compliance and be prepared to provide comprehensive evidence of maintenance of PCI DSS compliance status (in the event of a breach), to the Card Brands or Regulators
However, given the criminals change of focus into stealing company sensitive data, for monetary gain, are there similar lessons that can be applied for the protection of such data?
Rather than regurgitating the 360 controls, it might be better to understand the intent of the overlaying Objectives and Requirements:
Think of your supporting network topology, like walking into a branch of your local bank. Anyone coming in off the street are prevented from walking straight into the bank vault, whilst access is also restricted for employees (e.g. cleaners are prevented from accessing the vault). No longer do today's criminals need to look at ways to circumvent physical controls, when it is easier and cheaper to benefit from poor network configurations. Consequently, effective defense of company sensitive data should apply at least 3 network layers, with controlled gateways between the layers to help filter authorized from unauthorized access. This concept has been extremely successful, being successfully introduced centuries ago.
Objective 1 - Build & Maintain a Secure Network
Each access point has a gate control, with access control, to ensure that protection is applied to filter the data flows between trusted and untrusted areas of the supporting network topology. Much like the image of Los Millares, understanding the architecture that support the network and data flows is essential, to ensure that the full extent of the topology has been visualized, so that you are able to recognize how the data moves from the perimeter to the core. The principle being to make it progressively more difficult to gain unauthorised access to the 'Crown Jewels' (you will see from Los Millares, that as the segment becomes more important, the area decreases and even having a smaller fort within the fort at the core of the prehistoric town). Each component, will be securely configured to ensure that all default (out of the box) settings have been changed and all supporting system assets inventoried, and maintained. The gate is as only as secure as the locks, keys, hinges and gate frames that support it.
Do you understand where your gateways are (Web applications, Firewalls (internal/external), etc. and where your 'Crown Jewels' are located?
How easy is it to show your key stakeholders where the 'Crown Jewels' are stored, how it is protected and the common threat vectors for your business?
Does your network apply defensive layers, that get progressively more concentrated, closer to the 'Crown Jewels'.
Objective 2 - Protect Sensitive Data
Now having created a robust supporting network infrastructure, the next layer is the reducing your 'Crown Jewels' footprint, by ensuring that unnecessary data storage is avoided and that you only store data for legitimate use. Effective data life-cycle management, significantly reduces the associated risks in the event of a compromised network.
Avoid data hoarding...!
Data has become the 'Life-Blood' of business and, as such, needs to be kept healthy and be stored and moved through healthy infrastructures. Where data has been reduced to its absolute minimum, the risks can be further reduced through the use of tokenisation, dual tone multi-frequency (DTMF), obfuscation or encryption (remembering to ensure that the key storage/management is robust).
Undoubtedly, for the data to remain useful you will be needing to move it between sites. Although the data in transit is likely to be smaller volumes, than the data storage at rest, it increases the opportunities for this data to be ambushed/hijacked and needs to be under lock and key (encrypted), when moved between secure sites (like 'Cash in Transit').
Objective 3 - Maintain a Vulnerability Management Program
The very nature of the term processing, is the requirement for dynamic environments. This in turn, requires ongoing maintenance, to ensure that new updates are applied, vulnerabilities are detected and timely remediation applied. Effective maintenance, requires supporting change management, secure software development/coding and web application security testing (to confirm secure).
Objective 4 - Implement Strong Access Control Measures
To make the use of the 'Crown Jewels', business needs to allow authorized user access. However, this access is a privilege with the users presenting another attack vector for the criminals. Consequently, access needs to be strictly restricted based upon a business legitimate need to access this data, with robust access management. The greater the privileges the greater the risk. Users need to be educated as to the privileges they have been given and the responsibilities, and accountability, of their role.
Authorized users are granted the key to the corporate vault door......!
Objective 5 - Regular Monitor & Test Networks
This phase is the confirmatory stage, whereby a business provides ongoing reassurance that robust systems and access controls (Objectives 1 to 4) is being maintained. Without this, opportunities may present themselves. Today's criminals are opportunists and thrive on poorly managed networks, systems, software and users. No matter what their driving forces, without the presentation of an opportunity, they will find it difficult to gain unauthorised access to the 'Crown Jewels'.
Objective 6 - Maintain an Information Security Policy
To ensure the success of any cyber defensive program, it is essential that the business sets the 'Tone at the Top'. By clearly defining the acceptable policies and procedures (rules) to be applied for the protection of the 'Crown Jewels' However, effective rules require feedback from the various business stakeholders, along with the continual support and refresher training.
Even if you're a business that are not involved with taking payments, by payment cards, it is likely that you are a business with an interest in safeguarding your 'Crown Jewels'. Consequently, if you are looking at developing or enhancing your Cyber Security strategy, I would recommend that you take a look at the PCI DSS and evaluate whether your business can benefit from the application of the underlining principles.
It is reassuring to know that bank robbers need do lots of planning to get through the numerous and complex physical defensive layers. Consequently, it is likely that these defenses will be effective (fewer attacks), the robbers will get caught and the affected business will receive minimal negative press, as a result.
The same may not be the case, in regard to a large-scale hack of a business, where large volumes of customers are impacted, e.g: