Target Data Breach Outlines Need for Application Whitelisting, Flaws in PCI-DSS

As I find myself diving deeper down the rabbit hole of the recent Target data breach and the malware writers behind it, I can't help but keep asking "Why were no safeguards put in place to prevent this?"

For those who didn't hear, two Mexican citizens were arrested in Texas while using stolen credit card numbers to purchase goods, and the case possibly leads back to the Target data compromise.

Quite honestly, with today's computer security suites, there is almost no excuse for a statically configured system such as a Point of Sale terminal to ever be infected by malware. With properly implemented application whitelisting, a system can be protected even from unknown malware: only executables on the approved list are allowed to run, so a newly dropped binary that no anti-virus signature yet covers is still blocked.

However, the Payment Card Industry Data Security Standard (PCI-DSS) only requires basic anti-virus coverage to protect against "known" malware, as well as a (network-based) firewall.

Introduction to PCI-DSS Vulnerability Management Requirements

Introduction to PCI-DSS Network Security Requirements

While PCI-DSS requires file integrity monitoring (FIM), it does not require full-system FIM; what needs to be monitored is left to the discretion of the company.

PCI-DSS File Integrity Monitoring Requirements

Interestingly enough, PCI-DSS does not require host-based intrusion prevention or application whitelisting to be implemented. The absence of these components from point of sale terminals (which today are essentially full-blown computers) creates a large security gap, and it is this gap that was exploited to compromise Target and other retailers.
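To make the whitelisting and FIM points above concrete, here is an added example (not code from the original post, and not any vendor's product) that models a statically configured POS host. A baseline manifest of SHA-256 hashes is built once from the approved image; afterwards every execution request is checked against it (default deny for anything unknown or modified), and a full-system scan reports added, removed and modified files. The file names (`bin/pos.exe`, `bin/printer.dll`, `bin/scraper.exe`) and their contents are constructed for the demonstration in a temporary directory.

```python
"""Hash-based application allowlist plus full-system file integrity check.

Added example, not from the original post. Simulates a statically
configured POS host: a baseline manifest of approved binaries is built
once, then every execution request is checked against it. A binary not
in the manifest (e.g. dropped memory-scraping malware) or one whose hash
no longer matches is denied, without any anti-virus signature for the
malware being needed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Baseline: POSIX-style relative path -> sha256 of every file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_exec(root: Path, manifest: dict, rel: str) -> tuple:
    """Allowlist decision for a request to run `rel`. Returns (verdict, reason)."""
    if rel not in manifest:
        return ("DENY", "not in allowlist")          # unknown binary: default deny
    path = root / rel
    if not path.is_file():
        return ("DENY", "missing")
    if sha256_file(path) != manifest[rel]:
        return ("DENY", "hash mismatch (modified)")  # approved name, tampered content
    return ("ALLOW", "matches baseline")


def fim_scan(root: Path, manifest: dict) -> dict:
    """Full-system FIM: report files added, removed or modified since the baseline."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest.keys() & current.keys()
                           if manifest[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical file names and contents) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"approved POS application")
        (root / "bin" / "printer.dll").write_bytes(b"approved driver")
        manifest = build_manifest(root)  # taken from the known-good image

        # Attacker drops an unknown binary and patches an approved one.
        (root / "bin" / "scraper.exe").write_bytes(b"unknown memory scraper")
        (root / "bin" / "printer.dll").write_bytes(b"approved driver + hook")

        return {
            "pos": check_exec(root, manifest, "bin/pos.exe"),
            "scraper": check_exec(root, manifest, "bin/scraper.exe"),
            "printer": check_exec(root, manifest, "bin/printer.dll"),
            "fim": fim_scan(root, manifest),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the example is the decision rule, not the script: because a POS image changes only through controlled updates, a default-deny allowlist costs little operationally and stops malware the anti-virus vendor has never seen. In production the enforcement belongs in the operating system (for example Windows AppLocker or a Linux mandatory access control policy) rather than in a user-space checker, and the baseline manifest must itself be protected from modification, otherwise the attacker simply adds their binary to it.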

The fact of the matter is that a retailer could be 100% PCI-DSS compliant and unknown malware could still compromise its systems. The vulnerable state of point of sale terminals is not a retailer-specific problem; it is an industry-wide problem. Until PCI-DSS is revised to require much stronger security on point of sale terminals and the servers they communicate with, the risk of these attacks will persist.

It is time for the PCI-DSS standard to be revised so that retailers are held accountable for implementing high-security computing environments.
