I was reading an article recently about what auditors really think about the security and compliance requirements that they test for when doing a PCI DSS compliance audit. I was more than a little surprised to read that over 60% of the 505 auditors in the study referenced said the organizations they audit don’t believe compliance improves their data security effectiveness. I’m a bit perplexed by that. After all, there are only 12 requirements in the PCI DSS specification, and they seem pretty straightforward and simple to me.
Recently, our country was up in arms over the new airport security requirements imposed by the Transportation and Security Agency. Travelers complained that new full-body scanners and pat-downs at airport security checkpoints were inconvenient and invasive, and major concern ensued that objectors to the new regulations would cause significant delays over the Thanksgiving holiday — the busiest travel time of the year. Grassroots groups were encouraging travelers to either refrain from flying or opt out of full-body scans and choose the more time-consuming pat-downs as a protest. Despite all the hoopla, the Thanksgiving travel rush was not impacted by the new laws. In fact, a recent CBS poll revealed that 4 out of 5 people support the new security measures.
We as individuals like to whine about laws and regulations that keep us safe, and the same can be said for organizations. As Cisco security team members, we have heard our share of customers grumble about regulatory compliance requirements such as HIPAA, SOX, and most recently the Payment Card Industry (PCI) Data Security Standards (DSS). These regulations can be, at times, cumbersome to deal with. Yet, when asked in a recent Cisco-commissioned survey about their sentiments on PCI compliance, organizations were largely positive and on board with PCI.
One of the phrases sometimes heard in certain circles I have traveled in was “Don’t be a victim,” or its near cousin “Don’t allow yourself to be victimized.” While these words of wisdom were passed around in some of the rough, hard biker hangouts up in the Santa Cruz mountains, they are relevant to the world of Borderless Networks as well.
In terms of mitigating risk, one of the very best things you can do is actually one of the simplest. When it comes to passwords, pick a good one and use it. Mix in numbers, special characters, uppercase and lowercase, and avoid names and dictionary words, and you are going to be in a far better place. Oh, and as 4chan illustrated when they hacked a Christian dating site, never assume that your password will not be stolen – you may want to use different passwords. For mobile devices, which are prone to being left in various places, it is critical to have a password-protected locking home screen.
I have been preparing for the PCI DSS 2.0 draft released on October 28th, 2010, which is to be ratified in January of 2011. PCI DSS 2.0 clarifies requirements in many areas.
The draft 2.0 released yesterday has shown that there is little change in wireless recommendations around detecting the presence of rogue wireless access points. Actually the draft adds a little more room for interpretation.
In PCI DSS Draft v2.0, requirement 11.1 states that, to be compliant, organizations are required to “Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.” A note adds, “Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.”
As we examine this statement, it seems to lend itself to more than one option: perform a quarterly scan with a handheld scanner, rely on physically inspecting connections, or implement an always-on wireless IDS/IPS solution. I vote for the latter. Why?
PCI DSS, the Payment Card Industry Data Security Standard, is a set of standards that, more than many regulatory and compliance efforts, has real-world relevance. PCI compliance can earn merchants tiered interchange rates and protection from fraud losses, while a lack of compliance can result in fines of thousands or tens of thousands of dollars per month. Unlike some compliance efforts with relatively small penalties that are unlikely to be applied, PCI compliance has significant financial implications with a high probability of impact.
PCI DSS 2.0 is being released today. Earlier, we took a look ahead at some issues around PCI in a piece that you can read here.
So, now that we are on the cusp of a new set of standards, what’s new?