Jan 16 2009
While I’ve only heard of one concrete example of PCI causing a company to become less secure than it was before, I’ve seen multiple examples of companies that were concentrating so hard on meeting compliance deadlines that they ignored any security measures around their network that weren’t directly related to PCI. This isn’t a huge problem in most cases, because PCI is generally based on ‘best practices’ (hate that term), but it still left parts of the network less secure than they needed to be.
Anton Chuvakin wrote an interesting post called Tales from the “Compliance First!” World that highlights some of the dangers of the compliance-first philosophy. PCI has a large number of requirements calling for specific technologies, such as AV and web application firewalls, and companies are putting them in place, turning them on and forgetting about them. The PCI-DSS requires those technologies to be both implemented and monitored, yet I’m sure there are QSAs all over who’ve turned up at a company to do an assessment only to hear “We have a [insert technology here], but it’ll take me a minute to remember how to log into it.” Great! You have it, but you haven’t looked at it in so long you can’t remember how to log in?? That makes it really useful, and it gives me a lot of confidence in how well you’re monitoring your other technologies.
Another point Anton makes is about the external scanning requirements of PCI. Your external scanning is only as good as the weaker of two things: how good the scanning vendor is, and how honest and complete you are in telling that vendor what to scan. Most companies have no control over the quality of their vendor’s scans, other than choosing a new vendor if the current one is just paying lip service to scanning. But there are a lot of companies that only scan their PCI environment, or ‘forget’ to include the other couple of blocks of Internet-accessible servers. Or, even worse, have servers exposed to the Internet that they aren’t even aware of. And a clean scan from your vendor doesn’t mean you’re secure; it means the vendor found nothing in the addresses you gave it. If you’re not backing up your scanning vendor’s findings with your own scanning tools, run against everything you own rather than just the scoped blocks, you’re going to have a sense of security that may be misplaced. Nessus is your friend.
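To make the scope problem concrete, here is an added example (my own illustration, not code from the post or from Anton’s article) of the check I’d run before trusting a vendor’s clean scan. It takes the address blocks the company actually owns, the blocks the vendor was told to scan, the PCI team’s asset inventory, and the greppable (-oG) output of an in-house nmap sweep of everything owned, and reports three things: owned blocks the vendor never scans, live hosts the sweep found outside the vendor’s scope, and exposed hosts nobody has in the inventory. All addresses, the inventory and the nmap output are constructed sample data.

```python
"""Scope check for an external PCI scan (added example, not from the post).

Compares what the organisation owns against what the scanning vendor was
told to scan, then compares an in-house discovery sweep against the asset
inventory.  All data below is constructed for illustration.
"""
import ipaddress

# Constructed: public allocations, the vendor's scan scope, and the inventory.
OWNED_BLOCKS = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.0/28"]
VENDOR_SCOPE = ["203.0.113.0/26", "198.51.100.0/25"]
INVENTORY = {"203.0.113.10", "203.0.113.11", "198.51.100.5"}

# Constructed nmap -oG (greppable) output from an in-house sweep of
# everything the organisation owns, not just the blocks the vendor scans.
NMAP_GREPPABLE = "\n".join([
    "# Nmap 7.80 scan initiated (constructed sample)",
    "Host: 203.0.113.10 ()\tStatus: Up",
    "Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)",
    "Host: 203.0.113.11 ()\tStatus: Up",
    "Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)",
    "Host: 203.0.113.200 ()\tStatus: Up",
    "Host: 203.0.113.200 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)",
    "Host: 192.0.2.7 ()\tStatus: Up",
    "Host: 192.0.2.7 ()\tPorts: 1433/open/tcp//ms-sql-s///, 80/filtered/tcp//http///\tIgnored State: closed (998)",
    "# Nmap done (constructed sample)",
])


def unscanned_blocks(owned, scope):
    """Owned address space (as CIDR strings) that no vendor scope block covers.

    CIDR blocks are either nested or disjoint, so each owned block is either
    fully covered, split around a smaller scope block, or left untouched.
    """
    remaining = [ipaddress.ip_network(b) for b in owned]
    for block in scope:
        scope_net = ipaddress.ip_network(block)
        carried = []
        for net in remaining:
            if net.subnet_of(scope_net):
                continue                                      # fully scanned
            if scope_net.subnet_of(net):
                carried.extend(net.address_exclude(scope_net))  # keep leftovers
            else:
                carried.append(net)                           # disjoint: unscanned
        remaining = carried
    return [str(n) for n in sorted(remaining)]


def parse_greppable(text):
    """Map each host in nmap -oG output to the set of ports reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")            # -oG fields are tab separated
        ip = fields[0].split()[1]
        ports = hosts.setdefault(ip, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                port, state = entry.strip().split("/")[:2]   # port/state/proto/...
                if state == "open":
                    ports.add(int(port))
    return hosts


def hosts_outside_scope(scan, scope):
    """Live hosts the sweep found that the vendor's scope would never touch."""
    nets = [ipaddress.ip_network(b) for b in scope]
    return sorted(
        (ip for ip in scan if not any(ipaddress.ip_address(ip) in n for n in nets)),
        key=ipaddress.ip_address,
    )


def unknown_exposed_hosts(scan, inventory):
    """Hosts with at least one open port that the asset inventory does not list."""
    return {ip: sorted(ports) for ip, ports in scan.items()
            if ports and ip not in inventory}


def report():
    scan = parse_greppable(NMAP_GREPPABLE)
    return {
        "unscanned_blocks": unscanned_blocks(OWNED_BLOCKS, VENDOR_SCOPE),
        "outside_scope": hosts_outside_scope(scan, VENDOR_SCOPE),
        "unknown_hosts": unknown_exposed_hosts(scan, INVENTORY),
    }


if __name__ == "__main__":
    for finding, value in report().items():
        print(f"{finding}: {value}")
```

With the constructed data the vendor’s scan would come back clean and still miss three quarters of the /24 and all of the /28; the in-house sweep turns up an RDP server in the unscanned part of the /24 and a SQL Server in the block nobody told the vendor about, neither of which is in the inventory. Swap in your real allocations, scope file and a sweep of your own (nmap -oG or a Nessus export) and the same three questions apply.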
The point of all this is that if you’re aiming to be compliant, think about security first; it’ll make compliance easier. Or, if you have to make compliance your number one goal, follow Anton’s advice: “…please at least make sure that ‘Security SECOND’ happens.” I’ve seen too many companies attain compliance and then call it a day, forgetting about the areas PCI doesn’t cover. You don’t want to be the next TJX, a company that was PCI compliant on paper but insecure in reality.