darkreading.com
NOVEMBER 2012
DARK DOMINION
The High Stakes Of Data Hoarding
By Tim Wilson

I admit it: I'm a pack rat. I save everything. I still have notes from stories I wrote in the 1990s. I have clothes I wore in junior high. I have my toy soldiers. Why do people save this stuff? Because you never know when you're going to need it. If I ever need 10 boxes of 9-by-12 envelopes, I've got 'em. If I ever need a directory of security vendors from 2009, I'll just pull it out. If floppy disks come back, you know who to call.

Unfortunately, a lot of businesses behave this way, and that's bad news. Businesses are loath to throw away data, particularly customer data. They hang on to old and moldy data, thinking someday they'll mine it for sales leads, buyer analysis, or other business intelligence. Paying customers are hard to find, so when you have their data, you don't let it go easily.

However, old customer data also is a risk. Such records can contain credit card, banking, and other personal data. Some old data contains personally identifiable information, such as Social Security or credit card numbers, that previously was used as customer identifiers. If any of this data is compromised, it would mean a major breach for your company. Old customer data is sometimes stored in applications or on servers that aren't getting the patches and other security updates that current systems get. And some old data may be stored on servers or in applications that your company has forgotten about and isn't protecting.

Security people talk constantly about ways to store and use live data safely, but they hardly ever talk about disposing of old data that's no longer in use. There have been many instances of hackers or researchers exposing sensitive data on old hard drives, even those sent to a recycler. In other instances, cybercriminals have dug through old customer lists or databases and harvested enough data to penetrate a company's more current information systems. In many ways, end-of-life data security issues can be as serious as those surrounding newly created data. In my neighborhood, being a pack rat makes me quirky and colorful. But in yours, it puts you at risk for a major breach and becoming the next headline. Take a look at those old servers, applications, and databases: You may find there's plenty of information there that you can do without.


The Real Risk
Such data is a treasure trove for hackers and political activists. Not only can it be used or resold for nefarious purposes, but compromised customer data will make your company look bad, forcing it to disclose the breach to the authorities. A breach also can mean loss of compliance with industry standards such as the Payment Card Industry Data Security Standard, incurring additional penalties and even the revocation of your credit card processing privileges. The lesson here is simple: If you've got old, sensitive data, store it in a secure, encrypted location or erase it entirely. And "erase" means render it unrecoverable, by wiping or physically destroying the media; merely deleting files leaves the data on a drive that may later be sent to a recycler, which is exactly where researchers keep finding it.

Tim Wilson is editor of DarkReading.com. Write to him at wilson@darkreading.com.


COVER STORY: Securing Web Data
Help for online retailers stuck in a maze of e-business security and PCI compliance requirements
By Robert Lemos

Whether they're brick-and-mortar or online, merchants find the Payment Card Industry's requirements for protecting credit card data challenging and confusing. But all retailers must understand how to protect the credit card and other customer data that comes from online transactions, because their businesses are in cybercriminals' crosshairs. Retailers are the second-leading source of leaked data (after the hospitality industry), accounting for 20% of total breaches, according to Verizon's 2012 Data Breach Investigations Report. And though the U.S. Census Bureau reports that e-commerce transactions account for only about 5% of the retail economy, they've grown steadily every year.

"It's an interesting world out there, and a very scary world for a merchant, because from day one, you're a target," says John South, chief security officer for payment processor Heartland Payment Systems.

Many of the retailers playing in this scary online world are small businesses, and they're the most vulnerable: Nearly 95% of breaches happen to merchants with 100 employees or fewer, according to the Verizon report. They don't have the dedicated security and risk management teams larger businesses have. "We aren't seeing a lot of large-scale breaches. We're seeing much smaller breaches," says Bob Russo, general manager of the PCI Security Standards Council, the governing body for PCI's Data Security Standard (PCI DSS). "These standards are right on target for the big guys with the big security departments ... but we have to find a way to make it easier for the smaller merchants."

Online retailers have one big security requirement that the 100% brick-and-mortar corner store doesn't have: card-not-present transactions. Because customers don't physically hand over their credit cards for online purchases, payment processors require online merchants to submit to a quarterly external network scan by an Approved Scanning Vendor. Such scanning is designed to detect vulnerabilities and misconfigurations in the Internet-facing systems. Many online retailers aren't aware of this and other PCI requirements and how to deal with them, but simple steps can make a big difference when it comes to protecting customer data. The Verizon study found that 96% of victims of successful attacks had failed to comply with the PCI rules they were subject to, and that 97% of breaches could have been prevented through simple or intermediate security controls. The following 10 steps will help your company institute the controls needed to secure cardholder data and meet PCI's requirements.

The Hard Part
Percentage of companies that passed the three most difficult PCI requirements last year:
    Protect stored cardholder data (requirement 3): 42%
    Maintain a policy that addresses information security (requirement 12): 39%
    Regularly test security systems and processes (requirement 11): 37%
Data: Verizon's 2011 Payment Card Industry Compliance Report

1. Know Your Infrastructure
Online merchants must worry about the degree to which their online retail systems integrate with their day-to-day business networks. Start by assessing your infrastructure to determine which systems handle transaction and cardholder data. Network scanning and log analysis can help identify which systems have access to card data, says Greg Rosenberg, a qualified security assessor with managed security provider Trustwave. These systems are the ones that you'll want to subject to PCI DSS. "There are a lot more attack vectors, a lot more systems, that we find and can identify vulnerabilities in than customers know about," Rosenberg says. Get a qualified security assessor involved, he says. "I'm not looking for who can get me through my audit really quickly, but who can help me understand my risk," Rosenberg says. "I would rather significantly reduce my risk posture than quickly pass PCI."

2. Find The Data
Companies save card data for three main reasons: to better handle customer service requests, to allow easy reuse of credit cards, and to handle chargebacks, according to the Ponemon Institute's 2011 PCI DSS Compliance Trends Study. "We still have way too many companies using credit card numbers as the primary identifier for their customers," says Martin McKeay, a security evangelist at Internet services company Akamai. Whatever the reasons for hanging on to customer data, companies should hunt down every instance on their systems, whether on Web servers, in a customer service application, or on a sales associate's laptop. Discover where the data resides, who has access to it, and whether they need the information at all. "Marketing types, for instance, want to save everything, because someday they might use the data to send someone a coupon," says PCI SSC's Russo. If you don't need the data, don't store it.
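Hunting down every instance of card data, as step 2 advises, is easiest to act on with a small discovery script. The following Python is an added example written for this page, not code from the article or from any vendor quoted in it. It scans text sources (CRM exports, logs, a laptop's notes) for 13- to 19-digit sequences, keeps only those that pass the Luhn check (which is how a real discovery tool separates card numbers from order IDs and phone numbers), and reports each hit showing only the first six and last four digits, the most PCI DSS allows to be displayed. The same masking routine doubles as a log scrubber that also blanks CVV-style parameters, which is the "log transactions without logging the card numbers" point made in step 3 below. The file names and contents are constructed sample data; the card numbers are the public test numbers issuers publish for integration testing.

```python
import re
from typing import Dict, List, NamedTuple

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification codes passed as request parameters: never allowed in storage, logs included.
CVV_PARAM = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)=\d{3,4}")


class Finding(NamedTuple):
    source: str      # file or stream the PAN was found in
    line_no: int
    masked: str      # first six and last four digits only, never the full number


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: separates real card numbers from other long digit strings."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2  # and 10..18 folds back to a single digit
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six plus last four is the most PCI DSS lets you display; the rest is starred out."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str = "<text>") -> List[Finding]:
    """Report every Luhn-valid PAN in text, one Finding per occurrence."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of source name -> contents (in real use, read from disk)."""
    results = []
    for name, contents in sources.items():
        results.extend(find_pans(contents, name))
    return results


def scrub_sensitive(line: str) -> str:
    """Log filter: mask any Luhn-valid PAN and blank any CVV-style parameter before writing."""
    def mask_match(match):
        digits = re.sub(r"[ -]", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    line = PAN_CANDIDATE.sub(mask_match, line)
    return CVV_PARAM.sub(lambda m: m.group(1) + "=***", line)


# Constructed sample sources. The card numbers are the public test numbers issuers publish
# for integration testing; "ORDER-1234567890123456" is a 16-digit value that fails Luhn.
SAMPLE_SOURCES = {
    "crm/export.csv": "cust_id,card\n1001,4111 1111 1111 1111\n1002,ORDER-1234567890123456\n",
    "web/access.log": '10.0.0.5 - - [05/Nov/2012:10:31:07] "POST /checkout pan=5500000000000004&cvv=123"\n',
    "laptop/notes.txt": "Chargeback for J. Doe, amex 3782-822463-10005, call back Monday\n",
}

if __name__ == "__main__":
    for hit in scan_sources(SAMPLE_SOURCES):
        print(f"{hit.source}:{hit.line_no}: {hit.masked}")
    print(scrub_sensitive(SAMPLE_SOURCES["web/access.log"].strip()))
```

Run it over real exports, database dumps and log directories, not just the sample. A hit in a log file means the application is writing PANs to its logs and needs fixing at the source; scrubbing on the way out only limits the damage. Treat any host with a hit as inside PCI scope until the data is gone.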

3. Have Fewer Data-Handling Systems
All systems that have access to the transaction data or card data at rest fall under the PCI DSS, and they're an expensive part of any assessment. So it makes sense to segment off parts of the network, and the employees involved with those parts of the network, from access to card data. This approach reduces the number of systems that fall within the scope of PCI requirements, increases security, and cuts compliance costs. "Being able to chop off big chunks of your infrastructure and saying it has nothing to do with processing transactions, that's a big help," says Chris Eng, VP of Veracode, an application security company.

A key part of this approach is to log transactions without logging the credit card numbers. "Logging is absolutely essential, and people don't do enough of it," says Jerry Hoff, VP of static-code analysis at WhiteHat Security, a Web application security provider. But make sure that the sensitive data itself isn't logged.

Where Stolen Data Comes From
    In transit: 63%
    Stored data: 28%
    Hybrid: 5%
    Data redirection: 4%
Data: Trustwave's 2012 Global Security Report, based on 300 breaches

4. Get Rid Of The Data
Online merchants can outsource their processing infrastructure, letting a third party handle all payment processing details and take on much of the responsibility, if not the liability, for the data. "If your store sells snowboards online, then securing credit card data isn't something that you should have to focus on," Hoff says. Companies that don't hold onto card data tend to take security more seriously and suffer fewer breaches, says the Ponemon Institute. In a survey of 670 U.S. and multinational IT managers, it found that 85% of companies that didn't retain primary cardholder data didn't suffer a breach over a two-year period. Only 40% of companies that retained data suffered no breach in that same time period.

PCI Prevents Breaches
    PCI-compliant companies with no cardholder data breach in the last two years: 64%
    Noncompliant companies that were breach-free over the same period: 38%
Data: Ponemon Institute's 2011 PCI DSS Compliance Trends Study

One piece of data that the business should never retain, although many do: the card verification value, or CVV, code. "They see it as a way to increase the likelihood that the transaction will be approved," Trustwave's Rosenberg says, "but the problem is that you aren't supposed to have that data after the transaction has cleared." PCI DSS is explicit on this point: the CVV and the other sensitive authentication data may not be stored after authorization, even in encrypted form.

Getting rid of the data reduces the PCI burden tremendously. Rather than having to comply with all 12 requirements, you can narrow your focus to two: restricting physical access to cardholder data (requirement 9) and maintaining a policy that addresses information security (requirement 12). You still must check your store for compliance and fill out a self-assessment questionnaire (SAQ A is the one written for merchants that have fully outsourced their cardholder data functions), but the overall effort is less onerous, Heartland's South says.

Just segmenting the network and minimizing retention of card data won't make your company PCI compliant, says Evan Tegethoff, a PCI solutions architect with security services firm Accuvant. No merchant can ever eliminate the scope of PCI requirements, but it can reduce it. If a third party is handling your company's data, you're still responsible for confirming that the third party is protecting the information. The same goes for technology. Buying a PCI-compliant data protection product won't automatically make your company PCI compliant. Merchants frequently think, "Let me go buy something that's PCI compliant, and then I'm done," PCI SSC's Russo says. Data security technology must be adjusted to a company's needs and monitored to ensure that it's protecting all of the right data.

5. Check Out Partners
Merchants that outsource to a service provider but keep some way to look up or view transactions are less likely to reduce the scope of their PCI compliance, says Troy Leach, CTO at PCI SSC. "The challenge is that there is typically some sort of access to that cardholder data," Leach says. "If there is, that brings their entire environment back into scope." You'll also want to gather information on your partners' PCI compliance. Managed service providers handle a lot of card data, making them attractive to attackers. Third parties administered 76% of the systems that were breached last year. And when a breach happens, the liability generally rests with the merchant. Ask for documentation of a third party's PCI compliance status, including its self-assessment questionnaire or attestation of compliance. Key areas to be aware of:

>> Hosting services must comply with PCI and, in particular, have a vulnerability remediation process in place, including timely patching and updating of their server software.

>> Any payment application used as the transaction engine for a store should comply with a separate set of standards: the PCI Payment Application Data Security Standard (PA-DSS). A compliant program needs to, among other security measures, log transactions, not store full mag-stripe data, provide secure authentication, and encrypt all communications over public networks.

>> Vulnerability scanning vendors must be qualified by PCI SSC to be listed as Approved Scanning Vendors on the pcisecuritystandards.org site; check that list before hiring one for your quarterly scans.

6. Use Secure Software
Credit card data is handled most often by software, not people, so make sure you're using secure software. A few years ago, companies that had to comply with PCI's requirement for the development and maintenance of secure applications (requirement 6) only had to make sure their software eliminated the Open Web Application Security Project's top 10 vulnerabilities. Those requirements became more stringent last year, when PCI SSC changed the language to include other collections of vulnerabilities, such as the SANS top 25 most dangerous software errors. No wonder companies have trouble keeping up, says Veracode's Eng. Online companies have problems securing their sites against SQL injection and cross-site scripting, the top two threats on the SANS list, never mind the other 23 issues.

7. Protect The Web Server
The critical part of an online retailer's operation is the care and maintenance of its Web server and online store. The quarterly scan that e-commerce vendors must submit to can find security vulnerabilities. In addition, under PCI, software must be kept up to date and critical security patches installed within a month of their release (requirement 6.1). That may be too long. Merchants can use one of three strategies to protect their online stores and comply with PCI: scan code for vulnerabilities and fix any problems as part of development; dynamically scan the website to identify and patch vulnerabilities; or use a Web application firewall to block attacks. But just having a WAF isn't enough. It must be configured correctly. "They tend to be configured very, very lenient," Eng says. Many companies run them in a detect-only mode that never blocks a request, which protects nothing; verify that blocking is on and that the rules actually fire against a test request.

Companies also must think like attackers. A cross-site scripting attack, for instance, lets an attacker inject content into a vulnerable website so that it appears to come from that site. A cross-site scripting attack may not directly compromise a merchant's website, but attackers can use the technique to redirect customers to a lookalike site from which they can collect card data. "If I'm a hacker and I can redirect you to a website, what prevents me from redirecting you to my bad site?" says Trustwave's Rosenberg. E-commerce vendors must find these vulnerabilities during development or a security scan and fix them. Alternatively, use a WAF to block these attacks, he says.

8. Authorized Users Only
Three PCI requirements deal with access control: restricting access to cardholder data by business need to know (requirement 7), assigning a unique ID to each person with computer access (requirement 8), and restricting physical access to cardholder data (requirement 9). Restricting physical access may be the easiest one to comply with. While a brick-and-mortar store has to educate and monitor cashiers who handle credit cards every day, e-commerce employees never see an actual card. Yet an online retailer may have a harder time restricting logical access to card data, because so many employees have legitimate access to the systems that handle the data. Employees and partners may also inadvertently weaken your company's data access policies by choosing poor passwords. A whopping 80% of breaches are caused by the use of weak or default administrator credentials, Trustwave said in its 2012 Global Security Report. In many cases, a third-party provider used the same password or a simple variant across many of its clients; a breach of one business led to the breach of all.

9. Encrypt, And Don't Lose The Keys
For companies that keep cardholder data, that data must be encrypted when stored and transmitted. "It's all about turning cardholder data from gold data that attackers want into worthless straw that they can't access," says Mark Bower, VP of data security firm Voltage. Tokenization, in which the provider encrypts or vaults the card number and hands the merchant back a token that looks like a card number but can't be turned back into one without the provider's key or vault, is popular with merchants. "By using end-to-end encryption, you cut down the number of PCI requirements and reduce the impact of breaches, because with tokenized data, even if attackers get the information, it doesn't constitute a breach," Bower says. But encryption doesn't solve all of your problems. Many large breaches have happened because thieves were able to get the decryption key. Keys belong in as few places as possible, separate from the data they protect, with access limited to the fewest custodians necessary; that is what the key-management rules under PCI DSS requirement 3 call for, and it is the part that encryption products don't do for you.

10. Don't Become A Check-Box Culture
"PCI isn't the be-all and end-all of information security. It's an absolute bare-bones requirement," Hoff says. "It's like the sign that says 'No Running' by the pool. It doesn't mean you aren't going to have an accident." Businesses should worry about threats beyond those covered by the PCI DSS. Attackers could use HTML injection, for example, to make Google's page-ranking bots see links on a merchant's site that aren't normally there. The result: An online retailer's site could be used to raise the page rankings of malicious websites. "You need to ask in this environment: How could I be attacked?" says Trustwave's Rosenberg. Most important, online merchants must understand that to keep their customers, they must protect their customers' data, says Heartland's South. "Their basic obligation is that they have to protect their clients' transaction. And that really has nothing to do with PCI. PCI is just a tool to get there." More help is on the way: PCI SSC has a special interest group developing guidelines for e-commerce security. Its initial report, due by December, should go a long way toward assisting all retailers in securing their customers' data.

Write to us at editors@darkreading.com.
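Step 9 describes tokenization only in passing, and steps 2 and 4 explain why merchants keep card data at all (repeat purchases, chargebacks, customer service). The Python below is an added example written for this page, not code from the article and not any vendor's product, that models how tokenization serves those needs without leaving a PAN in the merchant's store: a provider-side vault exchanges a PAN for a random, format-preserving token, and the merchant's order store keeps only the token. The token keeps the last four digits so receipts and support lookups still work, the same PAN always maps to the same token so repeat orders and chargebacks still line up, and nothing in the merchant's data can be turned back into a card number without the vault. The vault is modelled with in-memory dictionaries and a constructed HMAC index key; a real vault keeps its PAN store encrypted under keys held in an HSM, which this model assumes rather than implements.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """Provider-side vault: the only component that can map a token back to a PAN.

    Assumption for this example: PANs sit in plain dicts. A production vault encrypts
    this store with keys held outside it (an HSM), and the merchant never runs this class.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key                  # keyed lookup: a stolen index alone reveals no PANs
        self._token_by_index: Dict[str, str] = {}    # HMAC(PAN) -> token
        self._pan_by_token: Dict[str, str] = {}      # token -> PAN

    def _index(self, pan: str) -> str:
        # HMAC rather than a plain hash: card numbers have little entropy, and a plain
        # hash could be reversed by enumerating an issuer's number range.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        idx = self._index(pan)
        existing = self._token_by_index.get(idx)
        if existing is not None:
            return existing                          # same card -> same token, so repeat orders match
        while True:
            # Format-preserving: same length, last four kept, the rest random. The token is
            # not derived from the PAN, so no key and no arithmetic recovers the PAN from it.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the payment path (a refund, for instance) should be allowed to call this."""
        return self._pan_by_token.get(token)


class MerchantOrders:
    """Merchant side: stores tokens only, so a dump of this store contains no PANs."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders: List[Dict[str, object]] = []

    def checkout(self, customer: str, pan: str, amount: float) -> str:
        # In a real deployment the PAN goes from the shopper's browser to the provider
        # directly and only the token comes back; passing it through here is a simplification.
        token = self._vault.tokenize(pan)
        self.orders.append({"customer": customer, "card_token": token, "amount": amount})
        return token

    def dump(self) -> str:
        """What an attacker who steals the order database actually gets."""
        return "\n".join(f"{o['customer']},{o['card_token']},{o['amount']:.2f}" for o in self.orders)


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    shop = MerchantOrders(vault)
    first = shop.checkout("alice", "4111111111111111", 49.99)   # public Visa test number
    shop.checkout("alice", "4111111111111111", 12.00)           # same card, same token
    print(shop.dump())
    print("refund path resolves token:", vault.detokenize(first))
```

Note what moves and what does not: the merchant's order store drops out of most of PCI scope because no PAN is ever written to it, but the vault, its index key and the key that encrypts its PAN store are fully in scope, which is the "don't lose the keys" half of step 9. Production schemes usually also choose tokens that fail the Luhn check so that a token can never be mistaken for a live card number.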
Copyright 2012 UBM LLC. All rights reserved.