Enabling Secure Business Operations

How Effective is the PCI-DSS?

September 25th, 2009

The PCI-DSS (Payment Card Industry Data Security Standard) is a set of requirements for businesses and merchants that deal with credit card information. These standards are designed to protect the customer by requiring businesses to protect sensitive cardholder data. Complying with the PCI-DSS requirements can result in changes to a business data infrastructure, including securing networks, implementing access controls, and creating a robust information security policy.

However, despite the stringent requirements, there has still been doubt about the real-world effectiveness of the PCI-DSS. The idea that PCI-DSS doesn’t make consumer credit card data much safer has been discussed ad nauseam, and not without some compelling evidence. In 2008, 4.2 million credit card numbers were stolen from the PCI-DSS compliant grocery chain Hannaford Brothers.

But isolated instances of failed PCI-DSS policies provide nothing more than anecdotal evidence of the perceived weakness of the standard. To truly examine its impact, a formal study should be done. On September 24, 2009, the Ponemon Institute released the results of such a study. This study (pdf) included survey data collected from people representing a number of different companies and businesses.

Some of the important key findings:

  • Cost of PCI is, on average, 1/3 of the overall security budget
  • 79% have had a data breach
  • 55% of companies focus only on protecting the credit card data and not other sensitive information
  • There is uncertainty as to which personnel are the most accountable for PCI-DSS compliance
  • Smaller companies are less compliant than larger companies (75k+ employees)

From the study, one can deduce that the standards favor larger companies, who are usually better able to conform to the requirements, due in part to larger security budgets and more resources. It is also interesting that the majority of companies surveyed (55%) expressed interest in only protecting the cardholder data. This means that other consumer data (such as social security numbers, addresses, etc.) could be swinging in the wind with no protection at all. It almost seems as if companies want to adhere to the PCI-DSS just enough to be compliant.

But if companies don’t have a serious vested interest in protecting their customers’ sensitive data (ALL of it), then maybe they’ve missed the point. The PCI-DSS certainly gets merchants thinking about security, but the lengths that they go to achieve this security shouldn’t stop with PCI-DSS compliance. Naturally, no set of standards is capable of covering all fronts, especially not in a landscape that changes as frequently as information security. But if companies don’t take the hint and think seriously about protecting data and securing their systems against threats, then compliance is nothing more than a glorified checklist representing an ineffective baseline for security practices.

If we think of the PCI-DSS as a panacea for cardholder data breaches, then it is indisputably ineffective. However, if we think of it as a guideline and a foundation on top of which real security measures can be built, then it may prove to be quite valuable.

Security Metrics – the “new” topic?

September 16th, 2009

NIST recently released an overview report on the current state of research in security metrics (short story: there is almost none), and some areas where they feel more research is warranted. One of the problems with security as a business process is that managers are being taught that process improvement is the way to save money, but with security, there are no obvious metrics to measure in order to improve the process. Security is subjective, based on the person and the situation, while measurements tend toward the objective side of things.

I think that seeing new measurements is really going to improve the overall security landscape – once they’re accepted and used. NIST and the Feds already kind of lead the way with FIPS and Common Criteria (European based), and I think that if they start using a particular metric, the commercial world will follow. One of the detriments to security metrics is that until the last few years, it hasn’t been well studied in universities – the “hotbeds” of research. I think that now we may start to see more metrics coming out as more graduate students start to study it. And if you happen to be a current grad student interested in security metrics, the NIST paper has some great starting points for a thesis.

HP SWFScan Tool – Adobe Flash Application Security Scanner

September 10th, 2009

One of the fastest-growing targets lately in vulnerability research is Adobe’s Flash. It has become a common everyday occurrence on the web: everything from banners to games to file uploads. It’s almost hard to find a mainstream site that doesn’t have some sort of Flash application running somewhere within the domain. As a result, it has become a target for many attacks. But one thing that hasn’t increased is the amount of time and checking that goes into the Flash applications to ensure they are secure.


Sanitizing Input in Web Apps (Part 3)

September 9th, 2009

Last time in our web app input sanitization series, we looked at unsanitized input used as part of an HTML tag or attribute. This entry focuses on sanitizing data that ends up in SQL queries.

Case 3: Sanitizing SQL Query Data

The basic SQL injection attack takes advantage of improper sanitization to execute attacker-supplied queries against a database. This can lead to the database being compromised.
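To illustrate the point, here is an added example (not code from the original post): a lookup built by string concatenation beside the same lookup using a parameterized query, run against a constructed in-memory SQLite table. It also shows an allow-list check for a column name, since identifiers such as ORDER BY targets cannot be passed as parameters; the table, rows and function names are all assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not a real schema.
SAMPLE_ROWS = [("alice", "1234"), ("bob", "5678")]

# Allow-list of columns a caller may sort by (identifiers can't be parameterized).
SORTABLE_COLUMNS = {"username", "card_last4"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: untrusted input becomes part of the SQL text itself,
    # so a quote in the input changes the structure of the statement.
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: the statement is fixed; the driver binds the value as data,
    # so quotes or SQL keywords in the input are just characters to match.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def list_sorted(conn, column):
    # Identifiers can't be bound as parameters, so validate against an allow-list
    # before splicing the column name into the statement.
    if column not in SORTABLE_COLUMNS:
        raise ValueError("column not permitted for sorting: %r" % column)
    return conn.execute("SELECT username FROM users ORDER BY " + column).fetchall()


def demo():
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote and SQL
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # returns every row
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_crafted": lookup_safe(conn, crafted),      # matches nothing
    }
```

Run demo() to compare the four results: only the concatenated query returns rows for the crafted input.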


GFI LanGuard 9

September 3rd, 2009

GFI LanGuard 9 is a network and PC auditing tool. The tool does a pretty decent job of detecting machines on the network, devices, appliances, and other miscellaneous items. It can also do a fairly deep scan of each local machine for installed software, installed patches, missing patches, open ports, and vulnerabilities that are present. The “Quick Scan” option is fairly quick, taking no longer than a minute or two for each machine, and the “Full Scan” no longer than 5-6 minutes per machine.


Risk Management

September 1st, 2009

A lot of computer security deals with risk – what are the risks of doing or not doing something? However, risk is not exclusive to computer security, and there are many papers and treatises on how to determine and how to manage risk – you’ll generally find papers on risk in management literature, most often project management. Project managers have to deal with risk all of the time – what if the weather is bad, what if a key employee quits on the project? There has to be a plan in place for these eventualities. The same is true in computer security.
