Cisco Releases PCI Survey Findings

Cisco has unveiled the results of a survey of 500 IT decision-makers regarding the PCI Data Security Standard (PCI DSS) 5 years after its introduction. The findings are surprisingly positive; to me they demonstrate the value that increased awareness and applying the foundational basics of information security can have.

The survey included IT decision-makers involved in PCI-compliance programs from several industries, aiming to gauge adoption, uncover the costs and challenges associated with compliance, and measure adoption of certain technologies to better understand the approaches that organizations are taking to meet the requirements.

Key survey findings

  • 70% of respondents feel their organization is more secure than if PCI compliance were not required.
  • 87% believe PCI requirements are necessary for protecting cardholder data.
  • Retail and financial services respondents both felt comfortable in their likelihood to pass an assessment of their PCI compliance.
  • 67% of respondents anticipate spending on PCI compliance will increase in the next year, indicating positive executive and board buy-in.
  • 60% of respondents suggested that PCI-compliance projects can drive other IT or network security projects.

Top challenges

  • When asked to define specific challenges for implementing the PCI DSS requirements, educating employees on the proper handling of cardholder data was the single most highly recognized problem identified, at 43%.
  • Updating antiquated systems was named by 32% of respondents.
  • Of the 12 PCI requirements, the top 3 issues for achieving or maintaining compliance were:
    • Tracking and monitoring access to network resources and cardholder data (37%),
    • Developing and maintaining secure systems and applications (32%),
    • Protecting stored cardholder data (30%).

Adherence to PCI

Government fared better than other sectors on PCI assessments, but the vast majority of respondents are making strides in protecting their sensitive cardholder data.

  • 78% passed their previous initial assessment.
  • 85% believe they would currently pass an assessment.
  • 85% of governmental organizations passed their initial assessment.
  • 72% of health care organizations passed.
  • More than 85% of respondents were aware of the clarifications and recommendations in the newly announced PCI DSS 2.0 standards.

Microsoft Patch Bundle Fixes DLL-Load-Hijacking

Microsoft’s January patches fixed 3 vulnerabilities in Windows, including one that could be exploited by a malicious website. The company also implemented a new defensive measure to help defend against ongoing attacks exploiting a known bug in Internet Explorer. Microsoft took the unusual step of using the Windows Application Compatibility Toolkit to modify IE so it’s immune to attacks leveraging a bug in how the browser processes a Cascading Style Sheets (CSS) file. This is the first time that I am aware of that they’ve used the Application Compatibility Toolkit to mitigate a zero-day vulnerability. The toolkit has been part of Windows since XP and was designed to allow older apps to run on newer versions of Windows.

The workaround modifies the core dynamic-link library, “Mshtml.dll”, which contains the rendering engine, each time IE runs. The modification prevents recursive loading of a CSS file, which effectively stops the attacks in their tracks.

When Is A Malware Event A “Security Breach”?

Recent data breaches at 2 banks underscore what has always been a thorny issue for companies that collect and manage sensitive information: when does a compromised PC constitute a data breach?

According to ComputerWorld’s Robert McMillan, one bank recently detected traffic destined to an unusual IP address and discovered a keylogger installed on a company laptop. It notified 50 customers that their data may have been exposed. Another bank found that a compromised laptop had been used as a jump-off point for an attacker to access a customer database containing credit card, SSN and other sensitive information. 514 credit cards are being re-issued in that case.

The actions taken by these banks are admirable and err on the side of caution. It is not uncommon for companies large and small to detect a malware infection and simply wipe the system, eliminating the symptoms while not addressing the potential exposure of their customers’ information or uncovering how and why the attack was successful. Forensic examinations are hard work and time consuming. But so is rebuilding your reputation. There is also the spectre of liability to deal with. The few incidents that are reported are generally a small percentage of what is actually taking place.

These 2 examples are BANKS. Banks have large IT and security budgets, and their employees are generally more security aware than those of most businesses. So, how are these systems getting compromised? Pure speculation from this point on, but:

  • Both systems noted appear to be transient laptops. They often leave the comfortable security controls present within the company perimeter.
  • Were they patched against all known operating system and application vulnerabilities? Laptops are the hardest systems to keep patched due to their mobility.
  • Anti-virus is pretty common, but so is the practice of providing laptop users with admin privileges. Those privileges can interfere with updates and scans, and can also be used to the attackers’ advantage when installing malware.
  • Web content filtering is one of the controls that is usually in place at a large financial institution, but it is probably not present on the home-user LAN or while on the commuter train. Drive-by web attacks are very, very common these days.
  • While in transit, it is also possible that the laptop owner used a “free wireless” connection to maintain connectivity. This is a common and extremely dangerous practice, as you are trusting a middle-man that is providing something for no obvious gain to handle, and potentially capture, all of your communications.
  • Unapproved software downloads and installations, or even allowing family members to use the equipment, could have resulted in a Trojan.
  • There is also the potential that the users themselves were involved or complicit in the installation of the malware. Unsavory, but not unheard of.

The possibilities are virtually endless. Be aware of the risks and take reasonable precautions to counter the likely threats in your organization. In this day and age, any time malware makes any kind of outbound communication attempt, an investigation should be made as to where, why and what was communicated, as well as how the malware got onto the system. In my humble opinion, if data was moved outside of the company, it should be considered a breach. These guys made the right call.
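The first bank in the article noticed the infection because of traffic to an unusual IP address. The following script, added here as an example and not code from the original post or from either bank, shows the minimum a responder needs to turn that kind of observation into a breach decision: it reads egress flow records, drops anything bound for destinations the business expects, and summarises the remaining outbound traffic per internal host (first seen, destinations, bytes sent) so the "where, what and how much" questions can be answered before the system is wiped. The log lines, the IP addresses, the allowlist and the volume threshold are all constructed for the example.

```python
"""Triage of unexpected outbound connections from a constructed egress log.

Added example, not from the original post. The allowlist, log lines and
threshold below are constructed values for illustration only.
"""
from ipaddress import ip_address, ip_network

# Constructed allowlist: destination ranges the business expects its laptops
# to talk to (documentation/test ranges standing in for real infrastructure).
KNOWN_GOOD = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed egress log: timestamp, source, destination, dst port, bytes out.
SAMPLE_LOG = """\
2011-01-12T08:01:05 10.1.20.15 203.0.113.10 443 1200
2011-01-12T08:03:41 10.1.20.15 192.0.2.77 8080 5120
2011-01-12T08:05:09 10.1.20.15 192.0.2.77 8080 84310
2011-01-12T08:06:30 10.1.20.22 198.51.100.5 443 900
2011-01-12T08:07:12 10.1.20.22 192.0.2.130 443 300
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return (ts, src, dst, port, bytes_out), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        return ts, ip_address(src), ip_address(dst), int(port), int(nbytes)
    except ValueError:
        return None


def is_known_good(dst):
    """True when the destination falls inside an expected range."""
    return any(dst in net for net in KNOWN_GOOD)


def triage(log_text, min_bytes=0):
    """Group unexpected egress flows by internal source host.

    Returns {src: {"destinations": {"dst:port": bytes}, "first_seen": ts,
    "bytes_out": total}}, keeping only hosts that sent at least min_bytes.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip rather than abort the triage
        ts, src, dst, port, nbytes = rec
        if is_known_good(dst):
            continue
        host = report.setdefault(
            str(src), {"destinations": {}, "first_seen": ts, "bytes_out": 0}
        )
        key = f"{dst}:{port}"
        host["destinations"][key] = host["destinations"].get(key, 0) + nbytes
        host["bytes_out"] += nbytes
        if ts < host["first_seen"]:  # ISO-8601 timestamps sort lexically
            host["first_seen"] = ts
    return {h: v for h, v in report.items() if v["bytes_out"] >= min_bytes}


def needs_breach_review(report, threshold=10_000):
    """Hosts whose unexpected egress volume is large enough that data may have left."""
    return sorted(h for h, v in report.items() if v["bytes_out"] >= threshold)


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for host, info in rep.items():
        print(host, info["first_seen"], info["bytes_out"], info["destinations"])
    print("review as potential breach:", needs_breach_review(rep))
```

The output should feed the forensic examination the post calls for, not replace it: a host that sent tens of kilobytes to an unexpected address is a candidate breach, while one that sent a few hundred bytes still needs the "how did it get here" question answered before it is rebuilt.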

There is much more information contained in this interesting article. Read it and start making incident response plans that go beyond the standard “Got malware? Nuke it!!”: discover what data might have been compromised, and act accordingly.

BlackBerry Vulnerabilities

RIM has issued 2 security advisories warning BlackBerry users and corporate BlackBerry Enterprise Server (BES) administrators of newly discovered security flaws in many versions of its BlackBerry handheld software and in BES.

The first advisory applies to BlackBerry smartphone users, and it warns of what RIM is calling a “partial Denial of Service (DoS)” attack, where websites with malicious code could freeze the BlackBerry browser until the browser restarts or the device is rebooted.

The second BlackBerry security advisory relates to yet another flaw in the PDF Distiller component of BlackBerry Enterprise Server. Issues with the troublesome PDF Distiller component have been identified as “severe” risks in at least 5 different advisories since 2008.

For more information on these 2 vulnerabilities and patches, visit RIM’s advisory pages here and here.

WikiLeaks – Twitter Link

The US government has served subpoenas seeking personal details of some Twitter users who are believed to have close ties to WikiLeaks. The US District Court in Virginia is seeking names, addresses, connection records, phone numbers and payment information.

The court order was issued on December 14, 2010, and WikiLeaks was ordered not to reveal that it had been served or was being investigated, but the court last week removed those restrictions. Among those named are Julian Assange, US Army Pfc. Bradley Manning and Birgitta Jonsdottir, a member of Iceland’s Parliament who has allegedly worked with Assange. Assange has called the court order harassment.

Source: BBC US/Canadian News