Page 35 - CDM-Cyber-Warnings-January-2014
failure, then why have some American states codified PCI-DSS into state PII regulations, with more states following? PCI-DSS is an evolving standard and is adapting as a result of the many high-profile breaches, including Heartland Payment Systems, TJX, Sony, and the recent Target Corp, Neiman Marcus and Michaels incidents, in which cyber criminals stole 40 million cardholder records from Target’s point-of-sale systems. With revision 3.0, the PCI Security Council has chosen to adopt a continuous security mindset rather than one aimed at satisfying compliance audits. The Council has come to the realization that bare-minimum compliance is no longer enough, and has moved away from checking off boxes on compliance reports.

PCI-DSS revision 3.0 was ratified by the PCI Security Council on November 16, 2013, and went into effect on January 1 of this year. Merchants can certify for version 2.0 or 3.0 during 2014, and must certify for version 3.0 after January 1, 2015. The new rules mandate that merchants take a proactive approach to security and abandon the compliance-checklist mentality. Some of the new PCI-DSS requirements call for:

• Multi-factor authentication to replace static user names and passwords. (*OOB being the most secure)
• Protection of data at rest and in transit with encryption and other obfuscation tools. (*Keystroke encryption being the most secure form of obfuscation)
• Continuous security checks, assessing risk and monitoring compliance in real time.
• Event log review.
• Faster detection of malware by not relying on anti-virus solutions alone. (*Change and anomaly detection with analytics is far superior)

*(OOB stands for Out-of-Band authentication: the separation of user names and passwords by sending them through two separate channels, i.e., the user name via the network and the password via a telephone. Keystroke encryption protects data in use by defeating keyloggers and securing the keys to the kingdom at the point of origin. Combining these two methodologies WILL prevent the majority of external breaches. Combining the first two with anomaly detection and analytics creates a TRUE next-generation data breach prevention solution, instead of the overused marketing term used by so many firewall companies labeling themselves as NextGen. But that’s just my biased opinion.)

The HIPAA Security Rule’s “Technical Safeguards” provision calling for unique logins is vague and outdated; as written, it gives covered entities (CEs) and business associates (BAs) no guidance on what technical means they should implement to secure their networks and data. Stating that the requirements are not linked to specific technological advances creates confusion amongst CEs and BAs about the appropriate security tools to use.