Archive for the ‘Security Technologies’ Category


PCI Compliance – Basic Security Hygiene
Wednesday, March 3rd, 2010

Your company was certified as PCI compliant by a bona fide PCI compliance company, and security was breached anyway. You paid the big bucks to go with a highly recommended company with a price tag to prove it. How could this happen? It’s simple really.

There’s no such thing as total security. I don’t care what you pay for it or who you hire to assess the security of your infrastructure; security is not a sure thing.

As a security professional and practitioner, I can tell you that all it takes is one mistake by one person to open a gaping hole in your defense structure. However, there are things you can do to be proactive and aid your existing staff in becoming compliant and maintaining compliance.

Automate the security assessment and compliance process with sophisticated tools. If you don’t, you will have to beef up your security staff to keep a watchful eye on every part of your infrastructure. While you can’t replace the human brain and security experience, you can help yourself by employing the right toolset.

Consider the issues:

· Email and messaging encryption

· Encryption for data at rest

· Knowledge of where all the data resides

· Segregation of duties

· Access controls

· Network segregation (isolation of PCI networks)

· Myriad firewall rules with no business justification

· Undocumented policies and procedures

· Un-patched systems

· Storing sensitive data on tape

These issues are not just an IT problem. They are a people and process problem to boot. Where to begin?

The Payment Card Industry Data Security Standard (PCI DSS) requirements, “the digital dozen”, must be met annually to maintain PCI compliance.

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data sent across open, public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

You understand the issues and you understand the requirements. You have capable staff, or maybe you are under-staffed. In either case, the security environment is complex and you simply cannot hire enough people to cover all the bases. You must automate what you can.

You may be thinking, “That’s going to cost the big bucks!” Yes, it is. But consider that for every tool you employ, you will hire fewer people to ensure the security and safety of your network and data. That is, if you want to have the absolute best security possible. What’s it worth to your business?

There’s no going back. We live in a highly mobile, networked world. It is what it is.

So, you must do something to get things under control, and that something is about finding the right technologies and processes to put in place. Too bad there’s not a one-stop shop to go to. There hasn’t been until now. IBM is now the leader in security. And trust me, they don’t pay me to say that. Let me explain.

IBM has a five-phased approach to achieving PCI compliance:

1. Assessment

2. Design

3. Deployment

4. Management and Support

5. Education

IBM offers software, hardware, managed services and professional services to meet the requirements of the PCI DSS “digital dozen”. PROVISTA, as an IBM Premier Business Partner, can offer all that IBM has to offer at a reduced cost combined with the personal and dedicated attention you need.

What we have to offer to meet the “digital dozen” requirements:

1. Firewall

  • IBM Proventia Server Intrusion Prevention System (IPS)
  • IBM Proventia Network IPS

2. No default passwords or security parameters

  • Tivoli Access Manager
  • IBM Proventia Network Multi-Function Security (MFS)

3. Protect stored cardholder data

  • Tivoli Storage Manager
  • Proventia Server IPS
  • IBM PKI services
  • Guardium database activity monitoring

4. Encrypt transmission

  • IBM data encryption for IMS and DB2

5. Anti-virus software

  • IBM Proventia desktop endpoint security
  • IBM Proventia network enterprise scanner

6. Secure systems and applications

  • IBM software development platform
  • Tivoli CCMDB
  • IBM Rational AppScan

7. Restrict Access

  • IBM Tivoli Access Manager
  • Tivoli zSecure Admin
  • Tivoli Compliance Insight Manager

8. Unique IDs

  • Tivoli Identity Manager
  • Tivoli Federated Identity Manager

9. Restrict physical access

  • IBM digital video surveillance
  • IBM biometric access control

10. Monitor access

  • Tivoli Compliance Insight Manager
  • Tivoli Security Operations Manager
  • IBM Proventia Server IPS

11. Test security systems and processes

  • IBM ISS products and services
  • Tivoli Security Compliance Manager
  • IBM Proventia Network Anomaly Detection System (ADS)

12. Security policy

  • PROVISTA/IBM services
  • IBM software automated compliance reporting

Even if you deployed all of the above, how can you be assured that there will actually be a return on investment? Stay tuned and email me at cjkelly@provista.com.


Cyber attacks of little significance?
Wednesday, July 8th, 2009

Cyber attacks of the kind that have recently hit numerous public websites are more of a nuisance than a real threat. As first reported here, “a botnet comprised of about 50,000 infected computers has been waging a war against U.S. government Web sites and causing headaches for business in the U.S. and South Korea.”

What is a botnet? It is a network of zombie computers, all infected with malicious code designed to attack a target. In this case, the targets were high-profile government websites, including the U.S. Secret Service, the U.S. Department of Treasury, the U.S. Department of Homeland Security, the U.S. Department of State, the New York Stock Exchange, the Nasdaq, the Washington Post, the White House, the Federal Trade Commission, and the Transportation Department, as well as websites in South Korea.

The type of attack is categorized as a distributed denial of service (DDoS). The intent of the attack is to overwhelm resources in such a way as to make them unavailable to users of the system. In South Korea, the situation was even more widespread, as reported here.

“The so-called distributed denial-of-service (DDoS) attacks hit 25 Internet sites, including 11 domestic ones, shutting them down for hours, KISA said. Other government agencies attacked include the National Assembly and the Ministry of Defense, with the websites of major lenders Shinhan Bank and Korea Exchange Bank brought down by the attack as well… The cyber attacks also affected the country’s No. 1 portal Naver’s e-mail service and online auctioneer eBay’s South Korean site Auction.com, the agency said.”

If this was a nuisance and not a real threat, then what was or is the purpose? This is a political statement most likely. It is very difficult to track the source of these types of disruptions to any particular responsible party. Is this cyber warfare? No. It reminds me of North Korea’s current efforts to frighten the world by blasting off missiles and posturing about. Could the attacks have originated from North Korea? Maybe… but again, hard to prove.

The media is making a big deal out of this, but it’s the usual Internet chaos that occurs on a minute-by-minute basis. The embarrassing bit about all this is that United States government web sites were affected! We have technology available to prevent these kinds of disruptions, and it’s somewhat of a disgrace that the appropriate technology has not yet been implemented. And I leave you with that thought.