
Above and Beyond PCI Standards


By Paul Henry, VP Technology Evangelism, Secure Computing

PCI requirements don’t pass muster, and professional input that would have improved the specification in an important area – the requirement for an application firewall – simply seems to have been overlooked.

PCI is short for Payment Card Industry. An organization known as the PCI Security Standards Council strives to develop, enhance, disseminate and implement security standards for account data protection. That’s a worthy cause, but sometimes the council’s work doesn’t quite hit the mark.

One prime example: The PCI Security Standards Council is responsible for publishing and enforcing the PCI Data Security Standard (PCI DSS). But the latest version of that standard, known as version 1.1, has at least one glaring shortcoming. The standard is currently considered a “best practice recommendation” but becomes an actual, set-in-stone requirement on July 30, 2008.

Now, for the problem: The standard calls for an “application firewall,” yet it does not define what an application firewall is. This is a problem for the following reason: A packet filter that uses Layer 7 signatures and claims to be an application firewall can be used to meet the PCI requirement. Such a filter, however, fails to protect against any threat other than those for which signatures have already been written.

A “real” or traditional application firewall would break the Client/Server model, thereby preventing a direct connection between hackers and databases. Further, it affords strong zero-day threat mitigation by leveraging application awareness to dramatically reduce the threat envelope. This should clearly be specified in the requirement but, alas, it’s not.

Today, organizations are allowed to use the former (packet filter) approach, which is purely reactionary and should have no place in protecting credit card databases against today’s professional hackers.
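The contrast the author draws above, as an added example that is not part of the original article and is not Secure Computing code: a signature-based filter that passes anything it has no pattern for, beside a proxy-style application firewall that terminates the client connection, parses the request, checks it against a known-good application profile, and forwards a freshly built request to the server. The application profile, the sample requests and the internal host name are constructed for the illustration; for brevity the POST rule reads its parameters from the query string rather than a form body.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# --- Signature-based "application firewall" (a Layer 7 packet filter) ---
# It can only reject traffic that matches a pattern someone has already written;
# everything else is relayed to the server byte-for-byte (default allow).
SIGNATURES = [
    re.compile(r"\.\./"),        # directory traversal sequence
    re.compile(r"(?i)<script"),  # script injection marker
]


def signature_filter(raw_request: str) -> bool:
    """Return True when the request is passed through unchanged."""
    return not any(sig.search(raw_request) for sig in SIGNATURES)


# --- Proxy-style application firewall (positive security model) ---
# Constructed profile of the protected application: which method/path pairs
# exist and the exact shape every parameter must have. Anything outside the
# profile is dropped, whether or not a signature for it exists (default deny).
PROFILE = {
    ("GET", "/catalog"): {"item": re.compile(r"\d{1,6}")},
    ("POST", "/checkout"): {
        "order": re.compile(r"\d{1,8}"),
        "amount": re.compile(r"\d{1,5}(\.\d{2})?"),
    },
}
UPSTREAM_HOST = "app.internal"  # constructed name of the real server


def parse_request(raw_request: str):
    """Parse 'METHOD /path?query HTTP/1.x' into (method, path, params).

    Returns None when the request line is not well formed, so malformed
    traffic never reaches the server at all.
    """
    request_line = raw_request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    method, target, _ = parts
    url = urlsplit(target)
    params = parse_qsl(url.query, keep_blank_values=True)
    return method, url.path, params


def proxy_filter(raw_request: str):
    """Validate the client request and return a new request for the server.

    The client's bytes are never relayed: the proxy rebuilds the request from
    the parsed, validated fields, which is what "breaking the client/server
    model" means in practice. Returns None when the request is rejected.
    """
    parsed = parse_request(raw_request)
    if parsed is None:
        return None
    method, path, params = parsed
    rules = PROFILE.get((method, path))
    if rules is None:          # unknown endpoint or method
        return None
    seen = set()
    for name, value in params:
        if name in seen:       # duplicated parameter is outside the profile
            return None
        pattern = rules.get(name)
        if pattern is None or not pattern.fullmatch(value):
            return None        # unknown parameter or wrong shape
        seen.add(name)
    query = "&".join(f"{n}={v}" for n, v in params)
    target = f"{path}?{query}" if query else path
    return f"{method} {target} HTTP/1.1\r\nHost: {UPSTREAM_HOST}\r\n\r\n"


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "normal lookup": "GET /catalog?item=12 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "known pattern": "GET /catalog?item=../admin HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "unknown parameter": "GET /catalog?item=12&debug=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "wrong value shape": "GET /catalog?item=12abc HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label:18} signature filter: {'pass' if signature_filter(req) else 'drop':4} "
              f"proxy firewall: {'pass' if proxy_filter(req) else 'drop'}")
```

Only the "known pattern" request is stopped by the signature filter; the other two malformed requests sail through it because nobody has written a signature for them, while the proxy drops everything that does not match the application's declared shape.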

Consider this: According to IBM, over 5,000 new vulnerabilities are discovered and reported annually; and over the same period of time, over 100,000 newly discovered vulnerabilities are never reported publicly.

A packet filter with Layer 7 signatures simply cannot provide protection against the 100,000 new vulnerabilities that are not being publicly reported.

Further, we know that the average zero-day vulnerability is in the wild for nearly a year (approximately 348 days) before it is discovered or patched.

To conclude, this means that – for firms using the packet filter approach to a so-called “application firewall” – databases are seriously exposed. Such firms will have absolutely no protection whatsoever from even the average zero-day vulnerability, which gives the bad guys nearly a year’s window of opportunity to exploit in hacking credit card databases.

Bottom line: Today, we have an inadequate standard for the protection of credit card data. To make matters worse, audits typically cost $30,000 or more in the US, creating a barrier to entry and excluding small firms that handle credit cards.

What should businesses do? The answer is simple: While standards work is important and commendable, it’s critical for organizations to sometimes go above and beyond the recommendations of a standards group. In this case, deploying a traditional application firewall, or relying on a managed service provider that offers one, resolves a key issue not covered by PCI’s work.

Paul Henry, Secure Computing’s vice president of technology evangelism, is one of the world’s foremost global information security experts, with more than 20 years’ experience managing security initiatives for Global 2000 enterprises and government organizations worldwide.

At Secure Computing, Mr. Henry plays a key role in launching new products and re-tooling existing product lines. He is frequently cited by major and trade print publications as an expert on both technical security topics and general security trends, and serves as an expert commentator for network broadcast outlets such as NBC and CNBC.

Paul serves as a featured and keynote speaker at network security seminars and conferences worldwide, delivering presentations on diverse topics including network access control, Cyber crime, DDoS attack risk mitigation, firewall architectures, computer and network forensics, Enterprise security architectures and managed security services.