October is the expected release date for the next version of the PCI Data Security Standard, 1.2. Since the PCI Standard’s creation — to serve as a guideline to help organizations that process card payments, prevent credit card fraud, hacking and various other security vulnerabilities and threats — much hype has surrounded each PCI update. Version 1.2 is no different, and we can expect commentary from analysts, journalists and a host of others touting the benefits that the extended guidance for compliance in 1.2 holds for the industry.
The problem is that even with the increased guidance found in 1.2 (which is an explanatory measure for earlier versions of the standard), PCI still sells consumers short. What holds the standard back are issues that are common with all standards that try to instill common security measures across a disparate landscape: Eventually the lowest common denominator dominates. Specifically, PCI has not kept pace with current threats or technological advances, allowing dangerous gaps in the protection of consumer data.
Two Main Weaknesses
Two threats, in particular, stick out as weaknesses that PCI does not address: internal threats to data and targeted attacks on the database. Understanding how each threat operates is essential to providing an effective defense.
The model that PCI uses for a data breach is one that most people would give as the de facto means by which data is lost: A hacker attacks a database through a weak spot in the firewall and grabs data. In this model, the key to protection is securing the perimeter of the network. If you can keep the threat on the outside of the firewall, your data is secure.
In the real world, insider threats are emerging as the greatest threat to stored data. At the same time, the world of direct attacks has become more insidious, with attacks being made directly on the database level. An examination of each threat in detail shows why PCI falls short in its focus on external threats that use the network firewall as the primary point of access.
The insider threat is surprising to some, but it makes a lot of sense when you delve deeper. A wealth of consumer data is available to employees and contractors at retailers. If you think about the amount of personal data that is collected for, say, a mortgage application, then you have an idea of what these databases are holding. Very valuable information indeed.
Who’s Minding the Store?
Retailers and others oftentimes do not have controls in place to monitor who is accessing customer data internally. When you couple this oversight with an environment in which a premium is paid for financial and other information, you have a tipping point for large scale data theft from internal sources. For those still in doubt, look at the case of Countrywide. This summer an employee at the institution was eventually caught downloading consumer application data — including names, addresses, social security numbers — for sale to a third party. The employee did not have permission to access the documents but had managed to gain access through an unsecured computer. Over the course of the theft, which occurred over a period of time, up to 2 million consumer records had been compromised.
The PCI Standard is largely silent on protecting data from internal threats. From a technological standpoint, controls can be put in place that would monitor for unusual activity patterns in addition to placing restrictions on individual users. These controls would alert database administrators when abnormal amounts or types of data are being moved or if data is being accessed in questionable circumstances. In the case of Countrywide, the employee frequently downloaded a large number of records on a Sunday. If the company had instituted internal access controls on the database level, then the activity would have resulted in alerts.
Smash and Grab
The second threat that is emerging to consumer data is an attack on the database level. Hackers and others are well-versed in the defenses created by the firewall. They know the weak points in firewall security and can bypass these points to launch an attack on the database. These attacks are quick and almost impossible to track. By the time the breach has been discovered, the data has been stolen and in many cases used.
The case in point for the database attack is TJX. Hackers found weak spots in the organization’s wireless networks and grabbed consumer data. Months passed before customers were alerted to the fact that their credit card information had been stolen. In some cases, the way that TJX customers found out that their card numbers had been stolen was by seeing fraudulent charges on their bills.
PCI does not provide provisions for database protection, but clearly this is where it is vital. The database contains the most valuable asset any retailer has: customer information. As the standard realizes, the compromise of this data will result in the loss of consumer confidence and a negative effect on a brand. However, the standard has been lax in extending its recommendations to ensure that the database has a holistic level of protection — not just against outside threats.
A company that is serious about data protection will use PCI as a starting point. It is a good checkpoint for the very basics. Companies that are serious about protection will put controls in place that will limit who can access data and when. These controls will include alerts for behaviors that are beyond the norm, such as transfer of data or the large-scale deleting of records.
These same companies will look at the database as a goldmine and will protect it accordingly. They will look to put extra protection on the database level, to enhance and strengthen what is available at the firewall level. These protective measures will prohibit the devastating “grab and use” attacks that have made headlines this year. And the return for these companies? An invaluable resource to support new business-generating applications — securely.
Paul Davie is founder and chief operating officer of Secerno Ltd., a database security provider based in Oxford, England.