In January 2009, Heartland Payment Systems announced that it had encountered a breach in its security system the previous year. The breach had compromised the data of more than 130 million credit and debit card transactions, as the transaction data was being transmitted in unencrypted form within its internal processing platform. The company was certified Payment Card Industry Data Security Standard (PCI DSS) compliant and had implemented all the required controls, but could not avert the breach. This paper examines whether compliance with standards is enough to ensure data security. The paper will suggest the approach to be taken to formulate security controls, as well as the types of controls and monitoring that can be used.
Does Compliance Ensure Security?
Compliance and security are two different entities. Being compliant can be a byproduct of being secure, but the converse is not true. Compliance is the minimum requirement towards security. A large organization undergoes many changes and a single system change can make the organization non-compliant. Edd Hardy, author of “Is Compliance Bad for Security?” argues that true security of the cardholder data can only be achieved by non-stop assessment and remediation.
Standards such as ISO (International Organization for Standardization) ISO 27001 and PCI DSS have a limited scope, and Mathias Thurman, author of “Compliance does not equal security,” insists that organizations further try to limit the scope as much as possible to ensure that they can be certified as compliant, a certificate that can then be showcased to third parties. Standards do not reward over-compliance and they are binary; one is either compliant or not. This is the reason why most organizations aim for the lowest possible standard. If compliance is the only goal, then security does not result automatically. It takes commitment to achieve security, and the standards themselves do not expect such a commitment from organizations.
Types of Controls to be Used
Standards such as FISMA (Federal Information Security Management Act) or PCI DSS provide a baseline for managing security, but complying with these guidelines is not enough to keep enterprises safe. Edd Hardy, author of “Is Compliance Bad for Security?” argues that organizations must go beyond these standards to create a stronger security posture. Due to the need for achieving regulatory compliance, actions are taken to meet the regulatory obligation rather than enhancing the security of the organization. Most regulations are aimed at the industry as a whole. Therefore, it is unlikely that compliance alone will address all the vulnerabilities an organization has to deal with, as vulnerabilities vary by the organization. This can result in a situation where one can be compliant and still be vulnerable.
When controls are formulated based on anti-cybercrime techniques, vulnerabilities specific to the organization can be addressed in such a way that both compliance and security are achieved. Edd Hardy, author of “Is Compliance Bad for Security?” illustrates the case where PCI DSS expects the controls to apply to the CDE (cardholder data environment) so that the card data is secure. If the other channels in the organization are not secure, they can be breached by hackers and used to reach the CDE later. An anti-cybercrime approach, however, takes the entire organization and its interactions with third parties into account. The resulting approach would consider end-to-end security and implement end-to-end encryption to achieve this goal.
Additional Controls for Mitigating Data Breaches
Many organizations aim for very high levels of security in critical areas but neglect other areas, whereas criminals will usually prefer the easier route. It is recommended that a set of essential controls be identified and implemented across the organization without exception. After the minimum security is achieved, the critical areas can then have more advanced controls.
Data at Rest and Transit
Julia S. Cheney, author of the report “Heartland payment systems: lessons learned from a data breach,” observes that data can be secured by using one of three options: end-to-end encryption, tokenization, or the use of chip technology in the cards. Of these, end-to-end encryption is the best option, as it secures the data both at rest and in transit. Tokenization does not store the customer’s card data at all and only stores a reference token generated by the third-party service provider. This puts the onus of protecting the card data on the third-party vendors rather than the merchants, but leakage is still possible. The third option, placing a chip on the card or key fob, enables encrypted storage, exchange, and transmittal of card data. It is a good solution but an expensive one, as the entire infrastructure has to be upgraded.
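The tokenization option can be made concrete with a small example. The following is added here and is not code from the paper or from Cheney's report: a constructed token vault stands in for the third-party provider, the merchant-side record keeps only the token and the last four digits, and a Luhn check rejects malformed card numbers at entry. The vault, token format, and sample card number (a well-known test number, not a real account) are assumptions.

```python
"""Added example: a minimal tokenization flow showing what a merchant keeps
versus what stays with the token provider. The vault, token format and the
sample card number are constructed assumptions, not a real provider's API."""
import secrets


def luhn_valid(pan):
    """Luhn check-digit validation, used to reject malformed card numbers
    before they are ever sent to the token provider."""
    digits = [int(d) for d in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Stands in for the third-party tokenization service (hypothetical).
    Only this side ever holds the PAN; a real service would additionally
    encrypt the stored PAN so that the vault itself is protected at rest."""

    def __init__(self):
        self._store = {}        # token -> PAN, held only by the provider

    def tokenize(self, pan):
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, so it cannot be reversed into the PAN
        # without access to the vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token):
        """Only the provider can map a token back to the card number."""
        return self._store[token]


def merchant_record(vault, pan, amount_cents):
    """What the merchant persists for a transaction: the token, a display
    mask for receipts, and the amount. The PAN is never written."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def record_leaks_pan(record, pan):
    """Simple data-at-rest check: does the full PAN appear in any stored value?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111", 1999)
    print(rec)                                   # token + last4, no PAN
    print(record_leaks_pan(rec, "4111111111111111"))  # False
```

The point Cheney makes about the onus shifting to the provider is visible in the shape of the code: a compromise of the merchant's records yields tokens that are worthless without the vault, while the vault (and the channel used to reach it) becomes the asset that must be protected.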
Access Controls
Current PCI DSS standards check for two-factor authentication for accessing networks remotely. Francesca Sales, author of “PCI DSS 3.2 multifactor requirement among the version's biggest changes,” states that enabling multi-factor authentication (MFA) for all administrator access to networks and card data at each individual system component is recommended. MFA should also be extended to remote network access.
Network Admission Control
Enabling network admission control (NAC) through the unification of endpoint technologies such as host intrusion prevention, antivirus, or vulnerability assessment is recommended. Mathias Thurman, author of “Compliance does not equal security,” suggests configuring solutions such as NAC for role-based access control so that VPN access can be restricted to authorized personnel and corporate-owned devices. Current PCI DSS standards do not require this for compliance.
Types of Monitoring Required
PCI DSS (Requirement 10) specifies that all access to network resources should be logged and monitored and that networks should be tested regularly for breaches. Logging, monitoring, and tracking user activities can be used to detect and prevent unauthorized access. This can be achieved by assigning each user a unique identification and logging all network access. All applications should be configured to generate audit trails and logs. The system time should be set correctly, and the logs must be examined at regular intervals. Mathias Thurman, author of “Compliance does not equal security,” suggests defining the anomalous behavior and employing scripts that detect such behavior to automate the process. Access to the network and to cardholder data should be tracked and monitored. PCI DSS compliance by third-party vendors has to be monitored. Anti-malware software must generate logs, which must be monitored. Security controls such as firewalls, intrusion detection systems, file integrity monitoring, and access controls have to be monitored to ensure that they are operating effectively and as intended.
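The kind of script Thurman recommends can be illustrated with a few explicit rules run over access-log lines. The example below is added here and is not from the paper or from any of the cited authors. The log lines, the corporate address range, the list of shared accounts, the set of sensitive actions, and the business-hours policy are all constructed assumptions; a real deployment would take them from its own standards and log formats. The rules reflect the paragraph's points: repeated failed logins, successful activity from outside the corporate network, sensitive actions outside business hours, and sensitive actions under a shared account that cannot be tied to a unique user ID.

```python
"""Added example: applying explicitly defined anomaly rules to access-log
lines. Log lines, network ranges and policy values are constructed."""
import ipaddress
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user id> <source ip> <action> <result>"
SAMPLE_LOG = """\
2009-01-12T09:15:02 alice 10.20.1.15 login success
2009-01-12T09:16:40 alice 10.20.1.15 query_cardholder_db success
2009-01-12T23:48:11 bob 10.20.3.7 query_cardholder_db success
2009-01-12T23:49:02 bob 10.20.3.7 export_cardholder_db success
2009-01-13T02:05:10 carol 198.51.100.23 login failure
2009-01-13T02:05:21 carol 198.51.100.23 login failure
2009-01-13T02:05:33 carol 198.51.100.23 login failure
2009-01-13T02:05:44 carol 198.51.100.23 login failure
2009-01-13T02:06:01 carol 198.51.100.23 login success
2009-01-13T10:30:00 admin 10.20.1.99 modify_firewall success
"""

# Assumed policy values (hypothetical; a real deployment supplies its own).
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SHARED_ACCOUNTS = {"admin", "root", "service"}      # generic IDs defeat accountability
SENSITIVE_ACTIONS = {"query_cardholder_db", "export_cardholder_db", "modify_firewall"}
BUSINESS_HOURS = range(8, 19)                        # 08:00 to 18:59
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line):
    """Split one log line into a dict with a typed timestamp and address."""
    ts, user, ip, action, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "action": action, "result": result}


def is_corporate(ip):
    return any(ip in net for net in CORPORATE_NETS)


def make_alert(rule, event):
    return {"rule": rule, "user": event["user"], "ip": str(event["ip"]),
            "ts": event["ts"].isoformat()}


def detect_anomalies(log_text):
    """Return one alert dict per rule hit, in log order."""
    alerts = []
    failures = {}                                    # (user, ip) -> failed login count
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        key = (e["user"], str(e["ip"]))

        # Rule 1: repeated failed logins from one user/source pair; fires once
        # when the threshold is reached rather than on every later failure.
        if e["action"] == "login" and e["result"] == "failure":
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:
                alerts.append(make_alert("brute_force_login", e))
            continue

        # Rule 2: successful activity from outside the corporate address space.
        if e["result"] == "success" and not is_corporate(e["ip"]):
            alerts.append(make_alert("non_corporate_source", e))

        # Rule 3: sensitive actions outside business hours.
        if e["action"] in SENSITIVE_ACTIONS and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(make_alert("off_hours_sensitive_access", e))

        # Rule 4: sensitive actions under a shared account, which no unique
        # user ID can be held accountable for.
        if e["action"] in SENSITIVE_ACTIONS and e["user"] in SHARED_ACCOUNTS:
            alerts.append(make_alert("shared_account_use", e))
    return alerts


def count_by_rule(alerts):
    """Summarise alerts per rule, the view a reviewer would check at each interval."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_anomalies(SAMPLE_LOG)
    for a in found:
        print(a)
    print(count_by_rule(found))
```

Two design points matter for the paragraph's argument. The rules only work because each log line carries a unique user ID and a correctly set timestamp; the shared-account rule exists precisely to flag the entries where that accountability is missing. And the script is a supplement to, not a replacement for, regular human review of the logs: it surfaces candidates, and the review interval determines how quickly they are acted on.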
Conclusion
Organizations have to be compliant with regulatory standards; this is mandatory. However, they must focus more on the security of data, and steps have to be taken accordingly to ensure that data is secure. Compliance should be a byproduct of the security posture rather than the goal, since mere compliance will not ensure security. Therefore, standards should be used as guidelines and minimum requirements, but anti-cybercrime techniques must be used when selecting controls so that the security of the data is ensured. Since the organization, as well as the threat landscape, changes constantly, it is recommended that the organization focus on constant monitoring and remediation of the controls to stay secure.
References
Cheney, J. S. (2010). Heartland payment systems: lessons learned from a data breach. Philadelphia, PA: Payment Cards Center, Federal Reserve Bank of Philadelphia. Retrieved from http://www.paymentsnews.com/2010/01/heartland-payment-systems-lessons-learned-from-a-data-breach.html
Hardy, E. (2015, February 26). Is compliance bad for security? Retrieved from tripwire.com: http://www.tripwire.com/state-of-security/regulatory-compliance/is-compliance-bad-for-security/
Sales, F. (2016, May 5). PCI DSS 3.2 multifactor requirement among the version's biggest changes. Retrieved from searchcompliance.techtarget.com: http://searchcompliance.techtarget.com/blog/IT-Compliance-Advisor/PCI-DSS-32-multifactor-requirement-among-the-versions-biggest-changes
Thurman, M. (2016, January 12). Compliance does not equal security. Retrieved from computerworld.com: http://www.computerworld.com/article/3021787/security/compliance-does-not-equal-security.html