Archive for February 12th, 2009


The Weakest Link

Most organizations have implemented a plethora of technological security solutions in the form of firewalls, network monitoring, anti-virus, real-time log monitoring and all the other requisite technologies. The PCI Data Security Standard is predominantly focused on these technological solutions and their appropriate care and management.

Regardless of all of the technology solutions for securing sensitive information, people still interact with this information for the purpose of getting their jobs done. The PCI Data Security Standard recognizes this and directs organizations to minimize the number of employees with access to sensitive information. In addition, Section 12.6 ensures that a security awareness program exists, that employees are periodically reminded of their responsibilities to protect cardholder data and that employees attend at least annual awareness training.

Organizations have not done themselves any favors in this area. For more than 20 years, organizations have based their customer service training on the premise that it is cheaper to retain an existing customer than to court a new one. This training neglects the fact that some customer requests are made with ill intent, and it therefore does not encourage employee skepticism of customer requests.

Traditional customers aren’t the only people employees are trained to provide exceptional service for. Those who serve internal clients, such as help desk staff or even the receptionist, are encouraged to bend over backwards for other employees as well. In our customer-focused society, everyone is tripping over themselves to be the most helpful. To make matters worse, most organizations reward customer-focused activities through employee incentive programs. What is missing from our customer service training is that employees must learn to consider what their assistance may put at risk.

This gap explains the recent rise in social engineering attacks. Organizations have most of the technological security solutions in place, but they have not focused on the threat their own employees present. Social engineers use this to their advantage and obtain user identifiers and passwords, account numbers, encryption keys and other sensitive information simply by leveraging an organization’s customer-centric service philosophy.

Disgruntled employees also threaten the practicality of the customer-centric philosophy. Not all of these people are necessarily on the firing line; in the worst case, they are everyday, reliable employees who hold a grudge. But when they decide to act, a disgruntled employee cares only about exacting revenge, and will do whatever it takes to exact it, such as destroying records, releasing sensitive information or even murdering other employees.

This is why section 12.6 is a vital section of the PCI Security Assessment Procedures. Security awareness programs are one of the most important aspects of minimizing social engineering activities. However, the tests suggested in the current PCI Security Assessment Procedures are just a start. In order for organizations to truly have an effective security awareness program, reminding employees of their responsibilities is just not good enough. Social engineering testing must be conducted periodically against random groups of employees to ensure that all of the awareness training is put into practice. Without testing, it’s anyone’s guess how well an organization’s awareness training is working. That is why, in future releases of the PCI Security Assessment Procedures, I expect to see section 12.6 expanded as attacks move from the technological back to social engineering and, eventually, hybrids of both.

Is social engineering testing a silver bullet? No. Regardless of how much training and testing an organization does, people are fallible. It’s human nature. But a good awareness program with social engineering testing minimizes the risk to the organization from social engineering attacks. That’s more than customer service training alone can do.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.