If you process card payments, coming up to the required standards can be tough. But does compliance still leave you vulnerable, or have you doing things you really don’t need to? IT security specialist Jay Abbott investigates
Best-practice guidelines, standards and legislation will hand you a set of requirements that is almost impossible to achieve in full and would make even the deepest pockets shrink. Welcome to the world of security, where too many people use Fear, Uncertainty and Doubt (FUD) as a legislative lever to open your wallet.
Let’s take an old favourite of mine as an example, the Payment Card Industry Data Security Standard (PCI-DSS). If you store, process or transmit credit card information in your business, the card industry requires you to comply with a demanding security standard. Complying mandates significant spend on security; failing to comply brings penalties ranging from fines through to the loss of your ability to process credit cards at all.
The standard mandates a strong, effective approach to security, covering 6 core goals with 12 key requirements, which break down into a large number of specific tasks ranging from segregating your network through to defining and operating a full information security policy set.
PCI Data Security Standard for Merchants & Processors
The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards. It presents common-sense steps that mirror best security practice.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Having this standard is, in theory, a good idea. It mandates a level that everyone needs to achieve in order to protect against a significant threat to the data, one that could have a large-scale impact on consumers. Take the TJX breach of 2007 (TK Maxx, to you and me), where a single retail company with a typically lax approach to security suffered a breach lasting over 18 months and the loss of over 90 million credit card numbers from its global customer base. That cost the company around $1.7 billion in fines, consultants and legal fees.
The problem with a standard, though, is that one size does not fit all. I have worked with many big-name brands from the high street to Canary Wharf, and I can tell you now that even though some of them achieved the onerous task of compliance with the standard, breaches still occurred, and continue to do so. In short, this is because what works in one organisation cannot simply be picked up, dropped into every other organisation and expected to achieve the same results.
Let’s look at an example. Requirement 11 of the PCI DSS mandates a strong testing programme: quarterly internal and external vulnerability scans, quarterly wireless scans and an annual penetration test. This is good practice, and for a large organisation it gives a much stronger view of its security issues. If you are a bit smaller, though, with a small technology footprint that doesn’t change very often and is pretty much on “auto-patch” from Microsoft, you probably don’t need such a heavy programme. Bear in mind that if you are in scope for the standard the quarterly scans remain a requirement whatever their marginal value; the question here is what is proportionate, not what the card schemes will waive.
You’re not totally off the hook, though: an annual penetration test would still be valuable, as it confirms that the patches really did apply and that nothing new has crept into the estate. But you can drop the other 12 scans a year from the programme and save some money without significantly increasing your overall exposure.
Security is bespoke. It is a specific response to a specific problem, shaped by a set of variables unique to the business: its operating model, structure, market focus and so on, right down to the people involved in every part of the business from the receptionist through to the CEO. Standards and guidelines applied wholesale only serve to muddy the effectiveness of security in organisations, and empty the budgets on unnecessary tick-boxes which do not actually improve the organisation’s defensive stance.
So, given that security is bespoke and legislation is static, we are at something of a stalemate. If you have a legislative requirement to achieve a specific level of security because of your business type or sector, there will always be a minimum amount of work you have to do. That said, some intelligent design decisions and a rethink of the way you work can often produce significant savings in that budget. Equally, a combined-standards approach, in which you map several standards against each other to find the gaps, can let you achieve the standard you were required to meet (which brings you no commercial advantage in itself) largely as a by-product of meeting another one that gives your organisation an edge over the competition.
Achieving this is not as difficult as you might think. Many of the standards in the market overlap considerably, and the gaps are small. One example is the gap between PCI-DSS and ISO 27001: meet the DSS from a controls perspective, implement the ISO 27001 management system over the top (the ISMS: risk assessment, statement of applicability, internal audit and management review), and certification follows quite easily. That can be the difference, in a competitive tender, between a bank or major supermarket awarding you the contract or not.
At the other end of the spectrum, if you don’t have to comply with onerous legislation and you just want to sleep well at night knowing that when you wake up you will still have a business and a commercial advantage, and won’t be reading in the local paper about how all your customers are about to sue you, then often all you need are a few basic procedures, some common sense, a couple of strange-sounding technologies, and some basic training and awareness for your staff. It doesn’t have to cost the earth and it doesn’t have to rewrite the way you do business, but it does require that you think, and engage the right advisors to get you to the right outcome.
Jay Abbott is the Founder and Director of Advanced Security Consulting Limited (JustASC), a specialist business offering consulting and managed services, focused on improving the SME and mid-tier sectors’ ability to understand, and ultimately withstand, inevitable cyber-attack.
Contact: 08456 437 406