In this post, we get insights from Joseph Pierini, Director of Technical Services at Payment Software Company. He will present “Setting Them Up For Failure” at the North America Community Meeting in Las Vegas.
You describe yourself as a hacker who loves the challenge of finding ways into cardholder data environments. From your experience, what is the most common security misstep you see?
Joseph Pierini: Considering that most vulnerabilities are often due to a lack of applying the basics, I would have to say the greatest misstep would be underestimating the time and resources needed to properly secure the enterprise, network or system. So many system administrators are multitasking, having multiple responsibilities and are stretched thin just maintaining the networks and systems under their care. Upper management needs to budget for securing the network, allow for system administrators to get up to speed on new technologies and give them time to implement them securely.
What can organizations do to help control their network?
Joseph Pierini: Avoid compromising security out of a need for convenience. Good security should make things a little harder, a little less convenient. A good example of a configuration chosen for convenience is the split-tunneled VPN. In this example, a user might use a strong IPsec VPN connection with multi-factor authentication to access the cardholder data environment (CDE), but insist on being able to simultaneously access resources on the corporate network. This configuration creates a bridge between a network of high security, the CDE, and a network of lower security, the corporate network. This provides a route for an attacker to pivot through, utilizing the user’s previously authenticated access. This design of convenience lowers the security of the CDE and may even bring the corporate network into scope as a connected network.
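A defender-side check for the split-tunnel condition described in the answer above, added here as an example and not part of the interview: it parses a Linux client's `ip route show` output and lists what the host can still reach outside the tunnel while the VPN is up. The sample routing tables are constructed, and the interface name (tun0), CDE range (10.50.0.0/16) and VPN endpoint (203.0.113.5) are assumptions.

```python
import ipaddress
import re

# Constructed `ip route show` output from a split-tunnel client: only the CDE
# range (10.50.0.0/16, assumed) rides tun0; the default route stays on eth0.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.50.0.0/16 via 10.50.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.25
"""

# Constructed output after a full-tunnel change (OpenVPN "redirect-gateway def1"
# shape): two /1 routes shadow the default; only the endpoint keeps a host route.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.50.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 10.50.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.25
203.0.113.5 via 192.168.1.1 dev eth0
"""

DEFAULT = ipaddress.ip_network("0.0.0.0/0")
HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}

def parse_routes(text):
    """(prefix, device) pairs from `ip route` lines; lines without a dev are skipped."""
    routes = []
    for line in text.splitlines():
        fields, dev = line.split(), re.search(r"\bdev (\S+)", line)
        if fields and dev:
            dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
            routes.append((ipaddress.ip_network(dst, strict=False), dev.group(1)))
    return routes

def exposed_routes(text, vpn_iface, vpn_server):
    """Prefixes still reachable outside the tunnel. The endpoint's host route is
    expected and skipped; the default route is skipped when tun routes shadow it.
    "0.0.0.0/0" in the result means the client bridges the CDE to the rest."""
    routes = parse_routes(text)
    tun = {p for p, d in routes if d == vpn_iface}
    if not tun:
        raise ValueError(f"no routes on {vpn_iface}; is the VPN up?")
    shadowed = DEFAULT in tun or HALVES <= tun
    server = ipaddress.ip_address(vpn_server)
    exposed = []
    for prefix, dev in routes:
        if dev == vpn_iface or (prefix.prefixlen == 32 and server in prefix) \
                or (prefix == DEFAULT and shadowed):
            continue
        exposed.append(str(prefix))
    return exposed
```

Even with the full-tunnel shape the directly connected LAN remains reachable through its connected route, which is why it still appears in the result; the CDE-to-everything bridge the interview warns about is the 0.0.0.0/0 entry.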
Why shouldn’t organizations rely on anti-virus software?
Joseph Pierini: There currently isn’t a commercial anti-virus software package that cannot be bypassed by commonly available tools and techniques. It’s possible to create malicious payloads with point-and-click ease, payloads that are not stopped by even the biggest names in the AV space. Am I advocating that you shouldn’t have AV installed? No, certainly not. They will still detect and stop many viruses and worms and may even catch the targeted attacker if they don’t get it right the first time. But AV should be only one tool in your layered approach to security; it should not be something you rely on exclusively.
You helped spearhead the Special Interest Group on Penetration Testing. Why is penetration testing so integral to security?
Joseph Pierini: Pen testing is where the rubber meets the road; it’s that moment of truth when you can see if all the effort you’ve put into your security is actually effective. When done effectively, it can catch errors in design and identify areas of weakness before they’re exploited.
Why is it important for security professionals to get involved with PCI Special Interest Groups?
Joseph Pierini: Our community of QSAs, pen testers and other security professionals has real-world experience with an amazing number of different industries and business models. They are able to bring this wealth of experience to the PCI SIGs, and together can help articulate the risks, challenges and real-world solutions in a way that can be of genuine value to merchants. They shouldn’t have to struggle on their own to find answers when we can help guide them. The PCI SIGs are one of the best ways to make the PCI DSS stronger and merchants more secure.
Want to learn more? Attend Joseph’s session at this year’s North America Community Meeting in Las Vegas on September 20th - 22nd.