Data Security for PCI and Beyond
Ulf T. Mattsson
February 2, 2007
For many years external security threats received more attention than internal ones, but the focus has changed. Worms, viruses and the external hacker were once perceived as the biggest threats to computer systems. What is often overlooked is the potential for a trusted individual with special privileges or access to steal or modify data. While viruses and worms are serious, attacks perpetrated by people with trusted insider status - employees, ex-employees, contractors and business partners - pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside. Well-documented breaches have heightened the public's - and regulatory agencies' - concerns about how well companies are securing consumer-specific information captured at the point of acquisition. Extended partnerships mean that more and more tasks will be performed outside the physical boundaries of company facilities, which adds another level of due diligence that must be taken into account.

The reason insider attacks hurt disproportionately is that insiders can and will take advantage of trust and physical access. In general, users and computers accessing resources on the company's local area network are deemed trusted. In practice, their activities are not firmly restricted, because an attempt to control these trusted users too closely would impede the free flow of business. And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker.

While databases are often protected by perimeter security measures and built-in RDBMS (Relational Database Management System) security functionality, they remain exposed to legitimate internal users to some degree. Due to the fragmented distribution of database environments, real-time patch management, granular auditing, vulnerability assessment, and intrusion detection become hard to achieve.
With the growing percentage of internal intrusion incidents in the industry and tougher regulatory and compliance requirements, companies are facing tough challenges to both protect their sensitive data against internal threats and meet regulatory and compliance requirements.
Number of Pages in PDF File: 20
Keywords: PCI, VISA, CISP, SB1386, COMPLIANCE, MASTERCARD
JEL Classification: C88
Date posted: March 27, 2007