As companies are making efforts to obtain Level 1 PCI compliance, they are required to provide overwhelming amounts of evidence to a third-party assessor, specifically qualified for the job. Other levels of PCI can be achieved by merely completing a self-assessment questionnaire, as well as passing quarterly security scans. Level 1 is not so easily obtained.
Achieving Level 1 PCI compliance is a long and arduous process that consists of more than 400 controls, a lot of which require evidence to be submitted. Stating that measures being taken is not enough, proof of encryption, and encryption at rest is required, as well as proof of encryption in transit.
Despite the extensive effort to meet compliance requirements, the truth is that compliance does not equal security. Even running in full compliance can leave you vulnerable. Discussed below are examples of how this is the case.
Companies are required to prove that certain activities are being logged and regularly reviewed. Companies spend incredible sums of money to deploy state of the art security incident event management infrastructure, as well as employing a team of security analysts to handle around the clock monitoring.
Other organizations may opt to hire a third-party to handle the 24/7 collection, correlation, and analysis of any and all events. This constant coverage is ideal for detecting any indication of a compromise because attacks can happen at any time, but not every company is able to meet such a high standard.
As an alternative, they may log all events and use scripts that search for certain suspicious log entries. If there is no script for a particular log entry that may be suspicious, then it will go unnoticed. Where flagged events are concerned, an email is sent to a distribution list, which generally is monitored on a daily basis, however, the coverage is not around the clock.
While the measures in place may not be adequate, and this is obvious, this form of patchwork monitoring still satisfied PCI requirements. This is a great illustration of how compliance does not equal security.
VPN deployment is another area where remaining compliant does not guarantee security. PCI requirements dictate that it is necessary to use strong encryption while in transit, with a multifactor authentication in order to access the corporate network. This is done easily enough, however, despite meeting these requirements it a knowledge of VPN configuration settings can easily obtain software, installing it on any computer in the world, ultimately putting that untrusted device on the corporate network.
This problem can be resolved by implementing Network Admissions Control, or a range of other controls that restrict VPN access to include only authorized corporate-owned devices. This particular scenario is another great example of how security isn’t guaranteed just by achieving PCI compliance.
Patch Management and Anti-Virus
In a third example of how compliance fails to equate to security, is the issue of patch management and anti-virus. The majority of compliance activities represent a point-in-time state, and in order to satisfy the compliance auditor that at the time of the audit all servers and PCs are up to date in regards to patches and endpoint protection.
It would be more effective if companies were required to prove through the use of metrics, that a certain standard of compliance is met on a year-round basis. Many organizations are in a hurry to get all of their devices in order for the auditor, then let things slip for months on end until the next audit looms near.
Although there is some substance to compliance, it is by no means a guarantee of security. It is critical organizations look at the shortcomings that may still be present in their systems even after meeting compliance requirements, taking seriously the need to become more secure.
Contact Aurora Technical Consulting at (208) 936-7616 or email us at email@example.com to find out more about what we can do to ensure security. We provide the managed IT services in Boise businesses trust.