Closing the Security Gaps of PCI DSS Compliance Requirements

For many years, compliance has been a key driver for security decisions and investments. For industries like financial services, compliance represents a significant percentage of the budget allocated to security (more than half of the total security budget for 16 percent of the respondents to the SANS Institute survey on security spending in the Financial Sector)  and is one of the top priorities.

First and foremost, the effort of the PCI Security Standards Council are incredibly important to level-set the security posture of an entire industry ecosystem – in this case, credit card transactions – and enable clear communication and collaboration between the parties involved. Unfortunately, compliance requirements currently evolve at a pace that does not match the rapid evolution of technology. The pace of compliance evolution appears even slower when compared to the pace at which cyber criminals take advantage of flaws and gaps in security products aimed at protecting regulated assets.

From our point of view, there are several areas in the recent version of the PCI DSS 3.0 requirements issued in November 2013 that could benefit from rework as they leave companies exposed to today’s advanced cyber attacks. We recommend that organizations subject to PCI compliance take additional steps to ensure up-to-date security beyond compliance requirements.

1. Requirements 1.3: “Install and maintain a firewall configuration to protect cardholder data“ (page 19-27 of PCI DSS 3.0).

The requirement is not specific enough in terms of the granularity of the controls to be applied by the firewall. In a global report on the state of PCI compliance, Verizon voiced strong opinions about the problem and what’s really needed for better security:

• “A problem regularly encountered during PCI-DSS assessments is firewalls and routers being configured more “generally” allowing a wide range of ports to ensure that applications function.”
• “The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering “next generation” firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules. Many of these devices integrate a number of network controls — for example firewall, intrusion prevention system (IPS), and malware detection — into a single platform, allowing any potential threats detected by one component to trigger changes in the behavior of the other components, and a more thorough analysis.”

Next-generation firewalls allow for far greater levels of granularity in rules and also include additional controls (firewall, IPS, and malware detection). By controlling traffic at the application level, they ensure that only explicitly authorized traffic is allowed and block everything else. This is simply not the case with traditional port-based firewalls, even when product add-ons that add application level awareness to them are deployed.

2. What about network segmentation?

The omission of segmentation as one of the best practices to achieve compliance is unfortunate. At Palo Alto Networks, we like to talk about network compliance as a mean to reduce the scope of compliance audits. But it is also a great way to prevent attacks from making lateral moves inside your infrastructure. In addition, segmentation applied at the right level (applications, users, and content rather than ports and IP addresses) will drastically reduce the efforts required to demonstrate compliance during an audit and maintain it afterwards.

We recently published a white paper on PCI DSS compliance that sheds light on the true value of application-level network segmentation for PCI DSS. Feel free to download it at: http://connect.paloaltonetworks.com/pci-compliance.

3. Requirement 5: “Protect systems from malware and keep anti-virus software up to date”

This third and final point is a new development and in a way the most interesting. Requirement 5 in PCI DSS 3.0 (page 46-48) is entirely focused on antivirus. Unfortunately, the endpoint security market is going through major change, as evidenced by Symantec SVP Brian Dye‘s statement that the antivirus segment is “dead”. He estimated at the time that antivirus software catches just 45% of cyberattacks.

Bottom line, antivirus is no longer a reliable way to prevent malware from infecting endpoints and companies should take the PCI DSS requirements for anti-virus with a grain of salt. We highly recommend that they start looking at replacing or amending their recommendations on what should be deployed today with modern and innovative alternatives.

Palo Alto Networks has taken a completely different approach to endpoint protection. Traps, our new advanced endpoint protection solution, is all about mitigating the methods attackers use for exploitation, not about the malware itself. Why is it better? All attacks MUST use at least one of a limited number of well-known methods to deliver a piece of malware. By focusing on these exploitation methods, we can “trap” attacks before any damage is done. This is a much simpler task than trying to keep up with the high-volume of malware and vulnerabilities that are reported daily and continuously make antivirus solutions obsolete.

Keep an eye on upcoming news and events related to Traps or try it on your own organization by visiting: /products/endpoint-security.html.