Archive for April 28th, 2009


Security is a journey, not a means to an end

I do not know who said this, but they are right.  Threats are always changing; therefore, the tactics necessary to protect your organization’s assets are also always changing.  As a result, security is never a project that is completed; it is one of those never-ending projects.

As I stated in an earlier post about complaints that the PCI DSS always seems to be changing, the PCI DSS changes in response to the threat landscape changing.  And just when you think you have things under control, out comes a new threat that puts a hole in your ‘perfect’ security.  And so the process starts over as you come up with a plan to close the latest hole.

When threats first appeared, they were aimed at the network level.  Denial of service attacks were all the rage, and they turned a network's own services against it.  Any network was a potential target.  Remember that last statement.

When those services were hardened or disabled, the attacks moved up to the operating system.  However, unlike network attacks, operating system attacks were specific to an operating system.  This is why Windows captured the market on attacks: when you own 90%+ of the market, you become the biggest target.  However, as Linux and other systems gain wider adoption, a Windows-only attack no longer reaches enough targets to be worth writing.

But now the situation is getting worse.  Why?  Because, in our desire to have every computer operate like every other, we have created an ideal attack environment, one in which threats are cross-platform by default.  How?  We are migrating our applications to SQL-based databases and browser-based front ends, and an attacker who targets that common layer no longer cares which operating system sits underneath it.  This is why attacks have moved away from the network and the operating system and on to the application, with cross-site scripting and SQL injection.  And future attacks will continue to leverage this common environment because, in our infinite wisdom, we keep migrating all of our applications (external AND internal) to it.  Remember my statement about any network being a target.  What goes around comes around, and now every application is a potential target.
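To make the point concrete, here is an added example (not code from the original post) of the kind of application-layer attack the paragraph describes.  The table, accounts and payload are constructed for illustration; SQLite stands in for whatever database the application uses, since the tautology payload is plain SQL and works the same way against any engine once input is concatenated into the query.  The parameterized version beside it is the fix that PCI-style code review is meant to find.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def lookup_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL syntax.

    With password = "' OR '1'='1" the WHERE clause becomes
        username = 'nobody' AND password = '' OR '1'='1'
    and, because AND binds tighter than OR, every row matches.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, username, password):
    """Binds input as parameters, so the database treats it strictly as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Runs the same tautology payload through both lookups.

    Returns (row from the vulnerable query, row from the parameterized query).
    The attacker supplies no valid credentials at all.
    """
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input; no real password known
    vulnerable_result = lookup_vulnerable(conn, "nobody", payload)
    parameterized_result = lookup_parameterized(conn, "nobody", payload)
    return vulnerable_result, parameterized_result


if __name__ == "__main__":
    vuln, safe = demo()
    print("concatenated query returned:", vuln)   # first row, i.e. the admin
    print("parameterized query returned:", safe)  # None: no such user
```

The concatenated query hands back the first row in the table, which here happens to be the administrator, for a username that does not exist; the parameterized query returns nothing.  Nothing about the attack depended on the operating system, the web server or the database vendor, which is exactly why this class of attack travels so well.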

What was the PCI DSS response?  Requirement 6.6 was added in v1.1 to require application code reviews or the use of an application-layer firewall.  Requirement 11.3 was changed in v1.2 to require penetration testing of all external AND internal applications.

And given how aggressive insider attacks have become, it is likely that even more changes are coming.  After the Hannaford, RBS WorldPay and Heartland breaches, there is a call for end-to-end encryption.  While this may stymie insider attacks for a while, I am certain the attackers will find a new vector and we will start the process all over again.

So, if you do not like constant change, you had better get out of the security business, and get out NOW.  And do not let the door hit you in the posterior on your way out.
