
The cost of credit card security

Talking on a cell phone while riding a bike in traffic without a helmet - that is really ignoring risk management.
I just read an article on how Synovus (a bank in the Southwest US) uses ER mapping techniques to map their customer-facing business processes and estimate risk to customer data. I thought the approach was intriguing until I saw the Excel spreadsheet they use and realized that they are not even trying to identify asset vulnerabilities and mitigate them. The Excel appears to be a way of toting up plug numbers to estimate the business process risk. No threats or countermeasures, no measurement of cost or effectiveness of risk mitigation.

I don't get it.

How can you map a business process, record some plug numbers in an Excel and call it operational risk management?

A few years ago, I visited the Motorola factory in Israel that manufactures cell phones. They are Six Sigma certified: when a workstation on the line discovers a defect in a sub-assembly, they raise a black flag on a pole and the entire line stops until the root cause of the defect is discovered and fixed.

Data security should work like that - but you need to monitor traffic and transactions first before you start buying some expensive security technology countermeasures from Symantec or McAfee.


1. Countermeasure cost and effectiveness in dollar values must come first

Both extrusion prevention and database firewalls can be expensive propositions. A product like Vontu starts at 300k (Fidelis XPS starts at 85k), and implementation cost can add another bundle. A client of mine installed Imperva last year and they're still struggling with implementation after spending 100k on the product. Imperva is being used to monitor access to a production Oracle db with the DBA user/password - they would have been better off creating and segregating separate dev, test, stage and prod environments using a Linux box with iptables. The quantity of false positives that Imperva sets off is close to 100%. I would say that it is not a very cost-effective countermeasure.

2. Extrusion prevention for mitigating data theft:

Extrusion prevention is best used in a monitoring role in my experience. I don't buy the story about how ILP/EPS/DLP technology can prevent credit cards from leaking out - the data classification and learning problem is too steep. We're using Fidelis Security Systems XPS in a monitoring role at a number of telecoms here and in Eastern Europe, in a pragmatic operational approach that is part of the security officer's work day.

You monitor, you see a problem and you fix it. You see a false positive, you turn it off.

That's a far more effective strategy than trying to fingerprint all the files with all the credit card numbers and then put them into a workflow process. Geez - don't any of these vendors work in the real world?
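As an added illustration (not from the original post), here is the kind of calculation the Synovus spreadsheet is missing and that points 1 and 2 above call for: each countermeasure's cost and effectiveness expressed in dollars against a threat's annualized loss expectancy, with false-positive triage counted as an operating cost. The product prices are the ones quoted above; the loss figures, implementation costs, effectiveness fractions and false-positive volumes are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    single_loss_expectancy: float  # dollars lost per incident (constructed)
    annual_rate: float             # expected incidents per year (constructed)

    def ale(self) -> float:
        """Annualized loss expectancy before any countermeasure."""
        return self.single_loss_expectancy * self.annual_rate

@dataclass
class Countermeasure:
    name: str
    purchase_cost: float           # product price
    implementation_cost: float     # one-off rollout effort (constructed)
    effectiveness: float           # fraction of the threat's ALE it removes, 0..1
    false_positives_per_year: int  # alerts an analyst must triage and dismiss
    minutes_per_false_positive: float

    def annual_cost(self, years: int, analyst_rate: float) -> float:
        """Capital cost spread over its useful life plus yearly triage labour."""
        capital = (self.purchase_cost + self.implementation_cost) / years
        triage_hours = self.false_positives_per_year * self.minutes_per_false_positive / 60
        return capital + triage_hours * analyst_rate

def net_annual_benefit(threat, cm, years=3, analyst_rate=60.0):
    """Loss avoided per year minus what the countermeasure costs per year."""
    return threat.ale() * cm.effectiveness - cm.annual_cost(years, analyst_rate)

def rank_countermeasures(threat, cms, years=3, analyst_rate=60.0):
    """Most cost-effective first; a negative value costs more than it saves."""
    scored = [(cm.name, round(net_annual_benefit(threat, cm, years, analyst_rate))) for cm in cms]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed scenario: a leak of customer card data. Product prices are the ones
# quoted in the post; every other figure is an illustrative assumption.
CARD_LEAK = Threat("credit card data leak", single_loss_expectancy=2_000_000, annual_rate=0.1)
OPTIONS = [
    Countermeasure("Vontu DLP", 300_000, 150_000, 0.50, 2_000, 10),
    Countermeasure("Fidelis XPS (monitoring only)", 85_000, 40_000, 0.40, 500, 10),
    Countermeasure("Imperva DB firewall (~100% false positives)", 100_000, 100_000, 0.05, 20_000, 5),
    Countermeasure("Segregated environments + iptables", 0, 15_000, 0.30, 0, 0),
]

if __name__ == "__main__":
    for name, net in rank_countermeasures(CARD_LEAK, OPTIONS):
        print(f"{net:>10,}  {name}")
```

Swap in your own loss and false-positive figures; the point is that the ranking flips as soon as triage labour is priced, which a plug-number spreadsheet never shows.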

By the way, Mike Rothman wrote a good article on the pragmatic use of PCI DSS compensating controls a few months ago over here:
PCI DSS compensating controls

About

This page contains a single entry from the blog posted on December 28, 2007 1:58 PM.


This weblog is licensed under a Creative Commons License.