June 14, 2014
In this presentation on June 14th, 2014 The Rubicon Advisory Group founder, Edward McCabe, speaks at Circle City Con in Indianapolis, Indiana on the topic of 3 is a Magic Number (or Your Reality Check is About to Bounce) and its importance of following and understanding PCI standards to an organization.
From this presentation, one takeaway includes understanding the need to transition from compliance based penetration testing and leverage a business driven approach to provide value. Another point to gather from Ed’s talk is how to move away from checking the box and start protecting the business and your customers.
A brief history on PCI starts with five (5) card brands and anytime there was a fraudulent activity, they would pay the fee. However, these card brands don’t control the ingress and outgress those are merchants, payment processors etc. Therefore, the five card brands formed the Security Standards Council, which applies to merchants/retailers, payment processors, financial institutions and service providers. Other entities that abide by PCI are as follows: hospitals/clinics, insurance, hospitality & service, law firms, churches/mosques/synagogues and academia.
The situation is that there is an improper focus on Compliance & Audit, incorrectly focusing on “Toxic Data” and breaches are still taking place. Through PCI 3.0, there is a stronger focus on the threat environment to assess what’s actually going on and clarify requirements as well as understand intent and help manage evolving risks/threats.
The times we’re living in state that organizations, with PCI compliance, are required to perform external and internal penetration testing at least once a year and after a significant infrastructure or application upgrade or modification. In PCI DSS v3.0 Requirement 11.3 , it is defined what it means to have a penetration test on an organization’s systems with the intent to simulate a real-world attack with the goal of identifying how far an attacker will be able to penetrate into their environment. A penetration test allows an organization to better understand their potential exposure and develop a strategy to defend against attacks.
The importance in understanding and applying PCI standards/requirements includes coverage of the entire CDE perimeter and critical systems, testing to validate any segmentation and scope-reduction controls, review and consideration of threats and vulnerabilities experienced in the last 12 months.
The problem is compliance gives organizations a false sense of security if all they are after to check a box. The top ten (10) causes for breaches are rarely technology and include: budgets for protecting information is underfunded, improperly implemented/missing controls, overly complex solutions, lacking proper resources, absence of management oversight, disconnection between IT & business strategy, documented current and enforced policies, immature risk management program, too much focus on Compliance & Audit and no executive support.
The Solution is to bring value to the business by not relying on your tools, claiming the sky is falling, educate the business and focus on the business. How do organizations create value around compliance and penetration testing? By performing Business Driven Penetration Tests that simulated attacks that acquired the business’s customer databases, board minutes, IP & trade secrets and merger and acquisition information. Keep in mind, the business understand money. Ways to solve the problem is to communicate and educate – personalize the message for the staff and it’s associates, form a plan for “that” incident – don’t stop at table top exercises, testing – there isn’t enough real-world testing and demonstrate business courage – get in front of the business and explain why these considerations for securing business data is important. Ask, can the business (and is the Board okay with) absorbing the costs associated with investigating, remediating, associated regulatory fines and civil claims?