Curing the Credit Card Cancer (and a holographic model of security)

This article is about re-engineering networks to comply with industry standards for the secure handling of credit card data… but it applies just as well to any other sensitive information. Pick a level of security you need, and now secure everything (down to the wiring in the walls) that the data touches to that level.

In the process, you learn to appreciate the art of minimizing secrets. Depending on the kind of data you’re trying to protect, you also start to understand the oddly holographic nature of security. Sure, your sales numbers are secure… but an astute adversary can tell you’re making money hand over fist when you shell out for a pricey logo redesign — or tell you’re struggling and ripe for a takeover when you start scrimping on office supplies.

The holographic model gives us one way to defend against these attacks. It’s a common misconception that a hologram contains the entire image in every point. Actually, every point on a hologram contains the entire image — as far as that point can see.

Therefore, if a given insecure point can itself not “see” anything sensitive, it can’t be used to derive sensitive information. In practice this largely underscores “need to know.” Even if the purchasing manager is completely trustworthy, if you can hold off telling them about the latest sales numbers until after the threat is gone it may be worthwhile to do so.

http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

“I often explained credit card data as an infectious disease. Whatever your credit card data touches is pulled into scope, requiring the full set of Payment Card Industry (PCI) Data Security Standards (DSS) to be applied to those systems to the same degree that the systems processing the transactions are. […]

the switch that stands between your firewall and your processing server is in scope for PCI as are all the systems attached to that switch, unless you take specific steps to control the traffic between the two systems. Thinking about the credit card data as an infectious agent makes sense, since the data infects everything it touches with the need for compliance and assessment, even though the system may have nothing at all to do with card processing and only made the error of being on the wrong network segment at the wrong time.

Lately though, I’ve begun thinking of credit card data as a cancer instead of simply a disease. Consider the fact that many security departments spend hundreds of man hours each and every year trying to segment their cardholder data environment from the rest of the network[…]

The real, long term cure to the credit card cancer is to change the rules of the game so that businesses never have access to the credit card information to begin with. Face it, as long as a single record remains on your enterprise, someone will find a way to get access to it and spread the contagion from system to system. […]

First, on-site tokenization allows businesses to create a “toxic waste dump” in their environment with strong controls around it and only people who have demonstrable business reason are allowed to detokenize the data. Since there is a more limited number of people who have access in this environment, training on how to treat the data with the caution and respect it deserves is much easier to deliver and enforce. Plus definitive consequences for treating the cancer causing data unsafely can be enforced when only a limited, educated group of people are allowed to have it. […]

When it’s all said and done though, it’s the credit card processing system that has to change, not just how businesses treat credit card information. We need to modify and re-engineer how we take credit cards and remove the monetary motivation for the attack (and defense) on credit card data. If credit card information has no value for an attacker then attention will shift elsewhere and the security department will once again be able to concentrate on securing the entire enterprise rather than just a small portion that has a compliance measure behind it mandating minimum security standards. Of course, then we’ll have to worry about what we can use to get funding from management to secure the rest of the business.”
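The two mechanics in the quoted article, scope "contagion" across an unsegmented network and an on-site tokenization vault that only a limited group can detokenize, can be modelled in a few dozen lines. The following Python is an added illustration, not code from McKeay's article or from any PCI tooling; the hostnames, links, segmentation rules and roles are constructed sample data.

```python
"""Added illustration: PCI DSS scope contagion and a minimal tokenization vault.

Systems are graph nodes; links are network adjacency. A system is in scope
if it holds cardholder data (a PAN) or is reachable from an in-scope system
over a link that no segmentation control (firewall/ACL) restricts.
"""
import secrets
from collections import deque

# Constructed sample network: a store switch with the card terminal, the
# payment server and an unrelated HR desktop, uplinked to the core switch.
LINKS = [
    ("pos", "store-switch"),
    ("store-switch", "payment-server"),
    ("store-switch", "hr-desktop"),
    ("store-switch", "core-switch"),
    ("core-switch", "erp"),
    ("core-switch", "mail"),
]
CARDHOLDER_SYSTEMS = {"pos", "payment-server"}
# Links where traffic is explicitly controlled, so adjacency alone does not
# pull the far side into scope (hypothetical firewall rules).
SEGMENTED_LINKS = {("store-switch", "core-switch"), ("store-switch", "hr-desktop")}


def in_scope_systems(links, cardholder_systems, segmented_links=frozenset()):
    """Breadth-first spread of PCI scope from PAN-holding systems.

    Propagation follows every link except those in segmented_links, which
    is exactly the 'infectious disease' behaviour the article describes.
    """
    blocked = {frozenset(pair) for pair in segmented_links}
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    scope = set(cardholder_systems)
    queue = deque(cardholder_systems)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if frozenset((node, neighbour)) in blocked:
                continue  # controlled traffic: the contagion stops here
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def flat_network_scope():
    """Scope when nothing is segmented: everything on the network."""
    return in_scope_systems(LINKS, CARDHOLDER_SYSTEMS)


def segmented_scope():
    """Scope once the store segment is firewalled off from HR and the core."""
    return in_scope_systems(LINKS, CARDHOLDER_SYSTEMS, SEGMENTED_LINKS)


class TokenVault:
    """Minimal on-site tokenization vault: the only place PANs are stored.

    Everything downstream handles opaque tokens; detokenization is limited
    to the roles with a demonstrable business need (constructed role names).
    """

    def __init__(self, detokenize_roles):
        self._pan_by_token = {}
        self._detokenize_roles = set(detokenize_roles)

    def tokenize(self, pan):
        """Replace a PAN with a random, non-reversible token."""
        token = "tok_" + secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def may_detokenize(self, caller_role):
        return caller_role in self._detokenize_roles

    def detokenize(self, token, caller_role):
        """Return the PAN only for an authorised role; otherwise refuse."""
        if not self.may_detokenize(caller_role):
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]


if __name__ == "__main__":
    print("flat network in scope:", sorted(flat_network_scope()))
    print("segmented in scope:   ", sorted(segmented_scope()))
    vault = TokenVault(detokenize_roles={"finance-refunds"})
    tok = vault.tokenize("4111111111111111")  # constructed test PAN
    print("payment server stores:", tok)
    print("refunds can read PAN: ", vault.may_detokenize("finance-refunds"))
    print("marketing can read PAN:", vault.may_detokenize("marketing"))
```

Run as-is, the flat network pulls all seven systems into scope, including the ERP and mail servers that never see a card; adding the two controlled links shrinks scope to the terminal, the store switch and the payment server. Swapping the payment server's stored PANs for vault tokens then leaves the vault as the single "toxic waste dump" whose detokenize path is the one place access control and training have to be enforced.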
