Posts Tagged ‘PCI DSS compliance’

What companies should know about complying with data security rules

Thursday, August 26th, 2010

Tim Harvey
Reposted from The Last Watchdog (http://lastwatchdog.com)

The need to comply with industry and federal regulations for keeping data secure drives a good part of what many big organizations spend on security. In a recent Last Watchdog blog post, Tim Harvey, CEO of Perimeter E-Security, outlines the basic considerations. Perimeter supplies compliance, security and messaging services.



Identifying security vulnerabilities is only the first step

Tuesday, June 29th, 2010

Most information security experts talk about vulnerability management quite a bit.  In practice this usually means external vulnerability assessments and penetration testing to determine your level of exposure to outside attackers.  Unfortunately, that is where vulnerability management ends for many organizations, and by itself it offers little threat mitigation.  Identifying the vulnerabilities is step 1, but there are several more steps if you want this information to improve your security posture.  Determining whether each identified vulnerability is legitimate and actually applies to your environment is another (scanners routinely report findings based on version banners alone, and some of those turn out to be false positives or already mitigated).  Prioritizing patching and other mitigation strategies is another.  And finally, implementing the fixes where needed is the last step.  Most organizations skip these additional steps, which at a minimum means the assessment does nothing to improve their security, and could in fact increase their liability if a data breach occurs (they knew the vulnerability existed and did nothing about it).

This issue gets more complicated for organizations that need to comply with various regulations or requirements.  For example, those that must adhere to the PCI DSS are required to run quarterly vulnerability scans.  All too often the emphasis is placed on doing whatever it takes to pass an audit as opposed to what it takes to be secure.  I thought this article from Dark Reading was good at highlighting the issues.
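As an added example (not from the original post), here is a small triage pipeline in Python that carries scanner findings through the steps that usually get skipped: it validates each finding against an asset inventory, ranks what survives by exposure rather than by the raw CVSS number alone, assigns a remediation deadline, and flags anything that has sat past that deadline. The hosts, software versions, check names, scoring weights and SLA tiers are all constructed for illustration; PCI DSS does not specify these particular deadlines or weights.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class Finding:
    """One row from a vulnerability scanner report."""
    host: str
    check: str                          # scanner check / plugin name
    cvss: float                         # CVSS base score reported by the scanner
    component: str                      # software the check fingerprinted
    affected_versions: Tuple[str, ...]  # versions the check claims are vulnerable
    exploit_public: bool = False        # is a public exploit known for it
    first_seen: date = date(2010, 4, 1)


@dataclass
class Asset:
    """What is really deployed on a host, according to the asset inventory."""
    host: str
    installed: Dict[str, str]           # component -> version actually installed
    internet_facing: bool


@dataclass
class Ticket:
    finding: Finding
    priority: str
    due: date


# Constructed inventory and scan output (hypothetical hosts, versions and checks).
INVENTORY: Dict[str, Asset] = {
    "web01": Asset("web01", {"openssl": "0.9.8k", "apache": "2.2.14"}, internet_facing=True),
    "pos07": Asset("pos07", {"openssl": "0.9.8n", "java": "1.6.0_20"}, internet_facing=False),
    "db02": Asset("db02", {"mysql": "5.1.45"}, internet_facing=False),
}

SCAN: List[Finding] = [
    Finding("web01", "OpenSSL DoS", 5.0, "openssl", ("0.9.8k", "0.9.8l"), exploit_public=True),
    Finding("pos07", "OpenSSL DoS", 5.0, "openssl", ("0.9.8k", "0.9.8l")),  # banner match only
    Finding("web01", "Apache info leak", 4.3, "apache", ("2.2.14",), first_seen=date(2010, 6, 20)),
    Finding("db02", "MySQL privilege escalation", 7.5, "mysql", ("5.1.45",), exploit_public=True),
    Finding("pos07", "Java sandbox escape", 9.3, "java", ("1.6.0_20",), exploit_public=True),
]

# Assumed remediation deadlines in days per priority tier (illustration, not a PCI DSS figure).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def validate(f: Finding, inventory: Dict[str, Asset]) -> Tuple[bool, str]:
    """Step 2: is the finding real for this host?  Scanners often match on a version
    banner, so compare what the inventory says is installed with the versions the
    check claims are vulnerable."""
    asset = inventory.get(f.host)
    if asset is None:
        return False, "host not in inventory: investigate as a possible rogue device"
    installed = asset.installed.get(f.component)
    if installed is None:
        return False, f"{f.component} not installed on {f.host}: likely false positive"
    if installed not in f.affected_versions:
        return False, f"installed {installed} is not an affected version: false positive or backported fix"
    return True, "confirmed"


def priority(f: Finding, asset: Asset) -> str:
    """Step 3: rank by exposure and likelihood, not by the raw CVSS number alone."""
    score = f.cvss
    if asset.internet_facing:
        score += 2.0      # reachable by outside attackers
    if f.exploit_public:
        score += 1.5      # weaponized, so exploitation is more likely
    if score >= 9.0:
        return "P1"
    if score >= 6.0:
        return "P2"
    return "P3"


def triage(scan: List[Finding], inventory: Dict[str, Asset]) -> Tuple[List[Ticket], List[Tuple[Finding, str]]]:
    """Run steps 2 and 3 over a scan.  Returns (remediation queue, rejected findings with reasons)."""
    queue: List[Ticket] = []
    rejected: List[Tuple[Finding, str]] = []
    for f in scan:
        ok, reason = validate(f, inventory)
        if not ok:
            rejected.append((f, reason))
            continue
        p = priority(f, inventory[f.host])
        queue.append(Ticket(f, p, f.first_seen + timedelta(days=SLA_DAYS[p])))
    queue.sort(key=lambda t: (t.priority, t.due))   # P1 first, earliest deadline first
    return queue, rejected


def overdue(queue: List[Ticket], today: date) -> List[Ticket]:
    """Step 4 check: a ticket past its due date is a known, unmitigated exposure."""
    return [t for t in queue if today > t.due]


if __name__ == "__main__":
    queue, rejected = triage(SCAN, INVENTORY)
    for f, reason in rejected:
        print(f"REJECTED {f.host} {f.check}: {reason}")
    for t in queue:
        print(f"{t.priority} due {t.due} {t.finding.host} {t.finding.check}")
    print("overdue as of 2010-06-29:", len(overdue(queue, date(2010, 6, 29))))
```

Run against the constructed data, the second OpenSSL finding is rejected because the inventory shows a version the check does not cover, the MySQL and Java findings land in P1 even though one has a lower score than the other, and three of the four tickets are overdue by late June. The rejected list is worth keeping: it is the evidence that a finding was examined rather than ignored, which matters when liability is argued after a breach.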


Restaurants Suing Payment Terminal Vendor after Data Breach

Wednesday, December 23rd, 2009

Retailers and other organizations are getting tired of taking all the financial and reputational hits for data breaches. Seven restaurants in Louisiana and Mississippi are suing a vendor of point-of-sale systems that apparently stored credit card data in a manner that was not compliant with the PCI DSS. As a result, a data breach occurred. This is similar to the outrage many banks felt when Heartland had its data breach. We will see this type of behavior more often until all software and device vendors take these requirements seriously.


Heartland Data Breach Results in Major Losses

Monday, August 10th, 2009

While not enough information has been released to know the full measure of the Heartland data breach, bits and pieces have come out and we can begin to understand the impact on a company that has a serious data security breach. I touched on this subject in a series of data breach studies I have done over the past couple of years.  In those examples, sometimes there seemed to be a clear relationship between a company's stock price and the announcement or public awareness of a data security breach.  Other times the correlation could not be made.

Look for yourself in the case of Heartland in the attached graph of the Heartland stock ticker over the past year.

Not only did Heartland have approximately a 40% stock drop the day the breach was announced, the stock continued to drop for some time. Heartland recently announced its Q2 2009 financials, which include the costs and write-offs associated with the data security breach.

They specifically noted that $0.32/share was the write-off associated with resolving issues from their data security breach. They said this corresponded to the $19.4 million it cost them to settle these issues.  This resulted in a quarterly loss of $2.6 million ($0.07/share) for Q2.

This also does not include the money they are putting into deploying end-to-end encryption, which is their answer to the breach.

It should be noted that both Visa and MasterCard have said that Heartland was not PCI compliant at the time the breach occurred.


New State Law Requires PCI-DSS Compliance

Tuesday, July 21st, 2009

While the credit card companies have been pushing to get all companies that accept credit cards for payments compliant with the now well known Payment Card Industry Data Security Standard (PCI-DSS), there is still little enforcement, especially for smaller merchants. Merchants are broken down into four levels (often called tiers) based on annual transaction volume, with the exact thresholds set by each card brand. Tier 1 merchants are very large, performing more than 6 million transactions each year. Tier 2 perform between 1 and 6 million. Tier 3 perform between 20,000 and 1 million e-commerce transactions, and lastly Tier 4 perform fewer than 20,000 e-commerce transactions. Smaller organizations have been reluctant to implement everything they need to do in order to be PCI compliant due to the time, cost, and expertise required.

For those companies that do business in the state of Nevada, it will soon be required by law to be PCI-DSS compliant. Nevada passed a law that goes into effect January 1, 2010 that makes this mandatory. Of course it was already mandatory under the card brand agreements, but I believe this will add penalties for those that are not compliant. It should also be a strong reminder for those that keep putting this off that PCI compliance is not going away.

http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html

While PCI-DSS is not perfect and truly doesn’t go far enough in many aspects of data security, it is a good first step because it requires those that interact with sensitive consumer and customer data to reach a minimum level of compliance and at least be cognizant of data security. It should be noted, however, that for most companies this isn’t enough. I am somewhat encouraged by Heartland’s response over the past few months to their data security breach (likely the largest in history); they seem to be taking steps to reach an adequate level of security. For example, they are implementing end-to-end encryption, which is not specifically called out by the PCI DSS. While I was not at all impressed with the way in which Heartland announced their breach (“coincidentally” at the same time as Obama’s inauguration), I am glad to see they aren’t taking the same approach now.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=340371

Despite the good things that PCI-DSS does, there is a lot of negative feedback regarding the cost and effectiveness of PCI-DSS. As a result, the PCI Council is soliciting feedback to improve the standard. It is true that merchants will have to spend some money to be more secure, but frankly, this is overdue. Merchants do not like spending money on these types of things…especially when the economy is like it is. The bigger problem is that companies and people get it in their minds that if they are compliant…they are secure. These are very different things. Being PCI compliant does not mean you will not be hacked. Just ask all the companies that have had breaches in the last couple of years even though they had been assessed as PCI compliant, including Hannaford and Heartland.

http://www.scmagazineus.com/PCI-DSS-standards-to-face-open-comment/article/138998/


Analysis of the Retail Data Breach Study

Wednesday, May 20th, 2009

I read an interesting post with some commentary and analysis of the Retail Data Breach Study that I had written several months ago.  It is nice to see people catch the vision and seriousness of these things and discuss it.  In general I have to agree with the analysis and conclusions.


How Effective is PCI-DSS?

Wednesday, April 15th, 2009

Some (including Congress) have been asking how effective the Payment Card Industry (PCI) Data Security Standard (DSS) is in light of several high profile data breaches that occurred while the compromised company was PCI compliant.  This includes Heartland and Hannaford, which had both achieved PCI compliance within the year before their breaches.

Bob Russo, general manager of the PCI Security Standards Council, said “I have no doubt that compliance to PCI standards are the best line of defense.  We have never found a breached entity to be in full compliance at the time of breach.”

But does that mean that PCI is designed in a way to help organizations be more secure?

Commenting on the debate Rep. Ben Ray Lujan, D-N.M., compared the PCI DSS Council to the fire service declaring a home’s fire safety systems inadequate after a fire and stated “It seems to me that the system we have today, we can all agree, from different sides, it’s not working.”

What appears to be happening is that retailers are trying to hide behind their PCI certification status when a breach occurs.  The investigators then determine that maybe they were compliant at one time, but were not compliant at the time of the breach.

My experience with most retailers so far is that they feel PCI is a huge burden.  They seem to be trying to do the bare minimum and don’t have an attitude of protecting their customers’ data.

Personally, I think the PCI DSS is one of the better documents in that it is more specific than most regulations on what organizations must do.  But the problem is that if someone is simply trying to “check the boxes” and not actually improve their security, that attitude difference is going to cause problems in the end.  As I have said before, compliance does not equal “secure”.  Compliance is simply where the minimum standard is set, not where organizations should stop.  So as long as the attitude is that PCI is burdensome, difficult, costly, etc. a real security improvement will be lacking.

So if an organization is 100% perfectly PCI compliant, or compliant with any regulation out there, can it be breached?  Of course it can!  Regulations need to be less about scapegoats and shields and more about good principles and best practices followed for the safety and security of sensitive data.

http://news.cnet.com/8301-13578_3-10208827-38.html?part=rss&subj=news&tag=2547-1_3-0-20

http://www.forbes.com/2009/03/31/visa-mastercard-security-technology-security-visa.html


VISA removes Heartland and RBS Worldpay from compliant vendor list

Monday, March 16th, 2009

VISA has removed Heartland and RBS WorldPay from its list of PCI DSS compliant service providers.  This effectively puts these processors on probation while they recertify their PCI DSS compliance using a QSA (Qualified Security Assessor).  They are still able to process VISA transactions during this time.

Credit card issuers will also be able to get at least partial reimbursement for reissuing cards and for the fees associated with customer fraud and losses.  This is good news because over 600 banks have already reported losses associated with the Heartland breach.

This is one of the first signs of real “teeth” in the PCI DSS.  Card brands are taking these breaches seriously and placing the blame and responsibility at the feet of those at fault.  I think this is a good move for VISA.  Until now, PCI was beginning to look like a way to hide from responsibility and fend off lawsuits.  With this move, it just may move in the direction of compelling merchants and processors to take data security seriously for the purpose of eliminating consumer fraud.  Let’s hope so, anyway.