PCI DSS requires covered companies to not only be 100 percent compliant, but to also maintain that posture continuously. The Interim report on compliance (iRoc) is a measure of the state of compliance and efficacy of PCI controls in between assessments – and is a good proxy for measuring an organization’s ability to maintain a continuous state of 100 percent PCI compliance. Verizon’s 2018 Payment Security Report finds that an increasing number of merchants are 100 percent compliant, growing from 11.2 percent of the covered merchants in 2012 to 52.5 percent in 2017.
But despite the upward trend in volume of PCI compliant merchants, we continue to read reports about massive data breaches. In 2018, there were 2,216 reported data breaches – and in several instances, these organizations were PCI compliant at the time of breach. For example, a recently disclosed breach involving a major hotel chain put 500 million account holders at risk. The attack had been going on for at least four years and the company was PCI compliant during that period.
Verizon found that 66.7 percent of merchants were PCI compliant when they were breached.
Requirement 1 of PCI DSS 3.2.1, which compels organizations to “install and maintain a firewall configuration to protect cardholder data,” is a key trouble spot among organizations. Verizon found that 66.7 percent of merchants were compliant at the time of their breach. Forensic investigators also mention that the most common failure found in post-breach situations is ineffective segmentation leading to improper PCI scoping. According to auditors and QSAs, the most common mistakes are missing systems that are connected to “in-scope” systems. Vulnerabilities in these “missed systems” are often the pathways malicious actors exploit to eventually get to their target (the cardholder and payment information).
It's time for merchant organizations to approach security of the cardholder data environment (CDE) and other high-value systems in the context of risk instead of with a checkbox compliance mentality.
This approach calls for organizations to address security and the isolation of covered zones along the following dimensions:
- Asset visibility: Get real-time visibility into high-value assets like your CDE components, including the legitimate connections, data flows to support transactions, and connected systems and shared services. Use this information to create your isolation zones and enhance your ability to effectively scope your CDE.
- Exposure and vulnerability: Identify your vulnerabilities and evaluate how they can be exploited by bad actors to reach cardholder data.
- Adversaries: Know your potential adversaries, including their motivations, resources, and capabilities to exploit vulnerabilities. There are several useful frameworks for understanding your adversary and modeling their behavior: Cyber Kill Chain, Diamond Model, STIX, and MITRE ATT&CK are among the most popular. MITRE ATT&CK helps you understand your security risk against known adversarial behavior. MITRE provides guidance on the metrics and indicators that you should be monitoring in order to detect a potential or ongoing attack.
- Threat modeling and risk mitigation: Assess the impact of a potential attack and the ability of your existing security controls to detect and mitigate these attacks. Use this information to prioritize your risk mitigation activities.
A lateral movement attack is one of the most commonly used techniques in major PCI breaches.
Malicious actors target seemingly low-value systems via spear phishing and social engineering, and then spread malware laterally across the data center to find the route that would allow them to compromise the CDE. Once they reach the systems that hold credit card data, they copy or exfiltrate the payment information.
Real-time visibility into your workloads combined with host-based micro-segmentation offers the opportunity to effectively isolate and scope your CDE and connected systems so that you're PCI compliant – and secure. At the same time, you’re able to reduce the ability of a bad actor to move laterally inside your network.
To learn more about strategies for effectively using the MITRE ATT&CK framework to enhance your PCI DSS program, and how application dependency mapping and micro-segmentation fits into all of this, check out this webinar.