There is so much useless chatter on the Internet about Heartland that it is nice to see a well-researched and well-written article by Bank Info Security. They report on a security road-show by Visa:
In tackling facts and myths about data compromises, as presented in the news media, Visa says:
- No compromised entity has been found to be PCI compliant at the time of the breach;
- Visa does support encryption for both online and batch files.
The presentation goes on to cover common compromise vulnerabilities, including:
- Failure to secure and monitor connected non-payment environment;
- Unprotected systems vulnerable to SQL injection attacks;
- Corporate websites targeted to gain access to network;
- Malware installed to capture passwords and cardholder data.
Perhaps most interesting is that Visa is estimating that each check card with track and PIN has a $1000 market value.
The first bullet in the second list should not be missed. Although many people are banging the drum on SQL vulnerabilities and web application vulnerabilities, as well as malware, the “it’s all connected” message is a tough one. I know this well because it was the basis of a campaign I ran a few years ago at a financial institution. Fortunately there is some help in publications like FIPS 200 from 2006 (Minimum Security Requirements for Federal Information and Information Systems). It suggests that everything connected to a critical system should have the same or higher levels of security.
This message is not an easy one to deliver because it comes down to two options: either raise the enterprise-wide security baseline, or build up security on the critical systems to the point where they are truly isolated. Either way, it’s a security project with costs determined by how the business wants to operate around risk.
Thus, the difference from the other three bullet points is that it is a question for management rather than a strictly technical gap. You can patch and monitor to fix SQL, web applications, and malware, but making a decision about information flow and minimum security requirements across the enterprise is a complex business decision. Incidentally, no pun intended, the utilities are currently dealing with this very same issue as corporate systems and control centers appear to be increasingly connected to critical assets and critical cyber assets throughout their infrastructure.
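To make the "it's all connected" rule concrete, here is an added example (my own illustration, not code from the post, Visa, or FIPS 200) that models the principle as a connectivity check: every system reachable from a critical system must meet at least that system's security level. It then reports the two management options discussed above: which systems would need their baseline raised, and which connections would have to be cut to isolate the critical zone instead. The system names, levels, and connections are a constructed inventory, not real data.

```python
from collections import defaultdict, deque

# Constructed sample inventory (hypothetical names and levels, not from the post).
# "level" is an ordinal security baseline; "critical" marks systems in scope
# for the FIPS 200-style rule that connected systems need the same or higher level.
SYSTEMS = {
    "card-processing":  {"level": 3, "critical": True},
    "db-cardholder":    {"level": 3, "critical": True},
    "jump-host":        {"level": 2, "critical": False},
    "corp-web":         {"level": 1, "critical": False},
    "marketing-laptop": {"level": 0, "critical": False},
    "hr-portal":        {"level": 1, "critical": False},  # not connected to anything critical
}

# Constructed network connections, treated as bidirectional: if A can talk to B,
# a compromise of either side is a path to the other.
CONNECTIONS = [
    ("card-processing", "db-cardholder"),
    ("card-processing", "jump-host"),
    ("jump-host", "corp-web"),
    ("corp-web", "marketing-laptop"),
]


def build_graph(connections):
    """Undirected adjacency map from a list of (a, b) connection pairs."""
    adj = defaultdict(set)
    for a, b in connections:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def reachable(adj, start):
    """All systems transitively connected to `start` (excluding `start` itself)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def required_levels(systems, connections):
    """Minimum level each system must meet: the highest level of any critical
    system it is connected to, directly or through other systems. Systems with
    no path to a critical system carry no requirement (0)."""
    adj = build_graph(connections)
    required = {name: 0 for name in systems}
    for name, attrs in systems.items():
        if not attrs["critical"]:
            continue
        required[name] = max(required[name], attrs["level"])
        for other in reachable(adj, name):
            required[other] = max(required[other], attrs["level"])
    return required


def find_gaps(systems, connections):
    """Option 1 (raise the baseline): systems whose current level is below what
    their connectivity to critical systems demands, as {name: (current, required)}."""
    required = required_levels(systems, connections)
    return {
        name: (systems[name]["level"], req)
        for name, req in required.items()
        if systems[name]["level"] < req
    }


def isolation_candidates(systems, connections):
    """Option 2 (isolate the critical zone): connections where one side meets its
    requirement and the other does not. Cutting these severs the path from the
    under-secured systems into the critical zone."""
    required = required_levels(systems, connections)
    meets = {name: systems[name]["level"] >= required[name] for name in systems}
    return [(a, b) for a, b in connections if meets[a] != meets[b]]


if __name__ == "__main__":
    for name, (cur, req) in sorted(find_gaps(SYSTEMS, CONNECTIONS).items()):
        print(f"raise {name}: level {cur} -> {req}")
    for a, b in isolation_candidates(SYSTEMS, CONNECTIONS):
        print(f"or cut connection: {a} <-> {b}")
```

On the sample inventory, the one link from `card-processing` to `jump-host` drags `jump-host`, `corp-web`, and `marketing-laptop` into scope at level 3, while `hr-portal`, which touches nothing critical, picks up no requirement. That is the business decision in miniature: upgrade three systems, or cut one connection and verify it stays cut.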