PCI DSS is a binding collection of rules that promote IT security processes in organizations that handle payment card information. PCI DSS aims to reduce financial fraud by raising the network security capabilities of any entity that processes payment card information, and was designed in response to 3 distinct factors that fuel financial fraud:
1. E-commerce, which helps overcome geographical boundaries and, often, any protection offered by local laws and regulations.
2. The high availability of "plastic money" for consumer purchases in all industrialized nations.
3. An indifference to security best practices by all businesses that store and/or process unprotected payment card details.
To counter credit/debit card fraud, the 5 major card companies (Visa International, MasterCard Worldwide, American Express, JCB and Discover Financial Services) designed a strong security framework to reinforce payment card transaction security. The result of their efforts was the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS compliance is the irrefutable responsibility of all businesses handling cardholder data including retail, mail orders, telephone orders and e-commerce - irrespective of business size.
What is network vulnerability management?
Security weaknesses lead to a continuous stream of security updates being issued by software vendors on a regular basis. Because of the frequency and the number of security updates released, systems administrators find it an arduous task to stay on top of this demanding process. This neglect enables hackers to exploit unpatched systems and launch network attacks, most commonly through worms and viruses. One notorious case is the Mytob worm and its derivatives. Although Mytob spreads using known vulnerabilities for which a fix has existed since August 2004, this worm is still active to date and firmly holds the seventh position in the April 2007 top twenty virus list (Viruslist.com, Virus Top 20 for April 2007).
Targeted attacks are also an ever-increasing threat to business continuity which systems administrators must factor into their defense strategy. Malicious individuals who know of missing security updates within an organization's infrastructure can exploit such weaknesses through malicious software that gives them access to the network. Such targeted attacks are often not noticed until long after they have happened, by which time their repercussions are already being felt.
The term 'network security' is often misinterpreted as pertaining exclusively to missing patches and security updates. Network security goes far beyond that, however, for there are a multitude of attack vectors and weaknesses that must be taken into account. Lack of due diligence and human error are security weaknesses in themselves and can be the direct cause of severe security breaches. This raises questions like: Why, despite all the breaches and threats that afflict networks, do systems administrators leave services running on default vendor passwords? Why, despite the fact that updated anti-malware solutions are key to network-wide protection, don't IT professionals update anti-virus and anti-malware solutions with the latest signatures? Why do companies allow the uncontrolled use of portable devices on their networks? Don't they know that these can be used maliciously to take out sensitive corporate data, or to bring in and install peer-to-peer (P2P) applications that smuggle pirated music, unlicensed software and other unacceptable files onto the network? All this leads to disruptions in day-to-day business activities and exposes companies to extensive legal liabilities.
Vulnerability management is the process that identifies all of these issues: a self-assessment exercise that identifies, categorizes and provides ways and means to resolve these weaknesses, while tackling security from various angles and attack vectors. It is clear that this is an essential part of any network security due diligence process, and it therefore comes as no surprise that the Payment Card Industry Security Standards Council made vulnerability management an integral part of the PCI DSS compliance requirements.
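As an added illustration of the identify, categorize and remediate cycle described above (example code written for this page, not taken from the white paper or from any vendor's product), the following script runs a small self-assessment over an asset inventory. It applies the four weaknesses the text names (missing patches, services left on vendor default credentials, stale anti-malware signatures and unapproved portable devices), assigns each finding a severity and returns a prioritized remediation list. Every host name, product, version, advisory entry and date below is constructed sample data.

```python
"""Minimal vulnerability-management self-assessment (added example).

Constructed sample data throughout; the checks mirror the weaknesses the
text describes and are not tied to any real product or advisory feed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed advisory feed: product -> (first fixed version, severity)
ADVISORIES = {
    "mailserver": ("2.4.1", "critical"),
    "webapp": ("5.0.3", "high"),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
MAX_SIGNATURE_AGE_DAYS = 7          # policy: signatures older than a week are stale
APPROVED_MEDIA = {"corp-encrypted-usb-1"}   # constructed allow-list of devices


@dataclass
class Host:
    name: str
    software: dict          # product -> installed version string
    default_creds: list     # services still running on vendor default credentials
    signature_date: date    # date of the installed anti-malware signature set
    removable_media: list   # portable devices observed on the host


@dataclass
class Finding:
    host: str
    category: str
    severity: str
    detail: str
    remediation: str


def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def assess_host(host: Host, today: date) -> list:
    """Identify and categorize the weaknesses present on one host."""
    findings = []
    # 1. Missing patches: installed version older than the advisory's fixed version
    for product, installed in host.software.items():
        if product in ADVISORIES:
            fixed, severity = ADVISORIES[product]
            if parse_version(installed) < parse_version(fixed):
                findings.append(Finding(host.name, "missing-patch", severity,
                                        f"{product} {installed} is older than fixed {fixed}",
                                        f"upgrade {product} to {fixed} or later"))
    # 2. Services left on vendor default credentials are always critical
    for service in host.default_creds:
        findings.append(Finding(host.name, "default-credentials", "critical",
                                f"{service} runs with vendor default credentials",
                                f"set unique credentials for {service}"))
    # 3. Stale anti-malware signatures
    age = (today - host.signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        findings.append(Finding(host.name, "stale-signatures", "high",
                                f"anti-malware signatures are {age} days old",
                                "restore the signature update schedule"))
    # 4. Portable devices not on the approved list
    for device in host.removable_media:
        if device not in APPROVED_MEDIA:
            findings.append(Finding(host.name, "unapproved-device", "medium",
                                    f"portable device {device} is not approved",
                                    "block the device or add it to the approved list"))
    return findings


def assess(hosts: list, today: date) -> list:
    """Assess every host and return findings ordered by severity, then host."""
    findings = [f for h in hosts for f in assess_host(h, today)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host))
    return findings


# Constructed inventory and assessment date
TODAY = date(2007, 5, 1)
SAMPLE_HOSTS = [
    Host("pos-01", {"webapp": "5.0.1", "mailserver": "2.4.1"}, [],
         date(2007, 4, 29), ["usb-stick-7"]),
    Host("db-01", {"mailserver": "2.3.9"}, ["dbadmin"],
         date(2007, 4, 10), []),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_HOSTS, TODAY):
        print(f"[{f.severity:8}] {f.host:7} {f.category:20} {f.detail} -> {f.remediation}")
```

The ordering step is the point of the exercise: a flat list of weaknesses is of little use to an administrator, whereas a list sorted by severity turns the self-assessment into a work queue, with default credentials and critical missing patches at the top. Numeric version parsing matters too, since a string comparison would wrongly rank "10.0.0" below "9.9.9".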
What is the connection between PCI DSS and vulnerability management?
PCI DSS treats security as being only as strong as its weakest link. The general idea governing PCI DSS aims to:
- Build and maintain a secure network
- Protect cardholder data in transit or at rest
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test your IT infrastructure
- Maintain an information security policy