« IRS Should Audit Itself - or at least its cybersecurity logs | Main | Top 3 mistakes of PCI requirement 10 (part 2) »
Top three PCI compliance mistakes of Requirement 10
As an SE for LogLogic, I talk PCI (the payment card industry’s PCI-DSS) several days a week. I talk about requirement 10, I talk about retention requirements, I talk about evidencing log management. Out of all the common industry mandates and government compliance requirements, PCI exists as the one with the sharpest teeth. PCI can affect the purse by issuing fines, or raising the card swipe rate percentage.
With that, I’d like to talk quickly about the three most common PCI compliance mistakes of Requirement 10. This will hopefully aid in alleviating your headache from auditors, the headache of upper management and the headache of the Payment Card Industry.
Number 3: PCI Compliance isn’t about check boxes, it’s about security and accountability:
PCI Compliance isn’t about pleasing auditors and going through the list to mark yourself compliant. Sure, that's part of it, but the reason PCI exists is to secure your business from threat, secure your business from breach, secure your business from outside intruders. I’ve seen pre-sale customers run through a proof of concept of a log-management tool just to get through an audit. They then return the tool, immediately dropping Requirement 10, and dropping out of compliance. I found this to be absolutely insane. Here’s why.
We had a customer who was a high profile target. They had all the toys: the SIEM, segregated networks, tons of security, IDS/IPS, etc. Well, they were breached. Somehow, some way the attacker got in, got to their DB, and pulled a ton of account records: name, address, social, credit cards, etc. Now, in a situation like this, the customer had NO idea what was affected. Were his routers/switches/firewalls compromised? Their policies? Were their IOS’s re-written with a backdoor? The security officer had no idea. How about the servers on that network? Rooted? Compromised? Who knows? The scope of the breach was completely unknown. To identify a scope, most businesses would need to bring in a forensics team, go through a mountain of log-data, and identify the scope. However, as a LogLogic customer, they were able to go back and scope the breach based on the attacker's IP address(es) immediately. In a couple hours they knew where, when and how the attacker gained access. They knew what machines were affected, they knew what database was breached, they knew what user data was stolen. Log data to the rescue.
This is what PCI is about. It’s about security, it’s about doing to the best of your ability what you can to secure your network and, if you are breached, it’s about having the evidence to track down the hacker and, if able, prosecute them. Not just about check boxes, or passing audits.
Posted January 11, 2009 in Compliance | Permalink
August 2010
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 8 | 9 | 10 | 11 | 12 | 13 | 14 |
| 15 | 16 | 17 | 18 | 19 | 20 | 21 |
| 22 | 23 | 24 | 25 | 26 | 27 | 28 |
| 29 | 30 | 31 |
Categories
Archives
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005
Blogroll
Blogroll
Compliance
Good Reading
- Internet and Web Security Review
- Log Management ROI
- Log Management Best Practices
- SANS Institute Log Management White Paper