Following the numerous retail breaches, more and more discussion has taken place regarding security and PCI compliance and guidance. Although the PCI Security Standards Council has issued new guidance (an attempt to help organizations improve card security), security experts debate how effective the advice is.
The latest advice covers how enterprises should use penetration testing to identify vulnerabilities within their network.
The PCI guidance covers the following:
- Understanding the various components of a penetration test.
- Determining the qualifications of an internal or external penetration tester based on experience and certifications.
- Defining methods used for penetration testing (including the pre-test, test and post-test findings).
- Developing a comprehensive penetration test report.
The guidance can help improve card security, but it still doesn't go far enough. One security expert, who asked to remain anonymous, states that the PCI Council's guidance falls short because it doesn't require that penetration testing be a manual process.
Manual penetration tests can help increase security because the tests are unpredictable and conducted by a skilled network tester rather than an automated tool. This type of penetration testing can evaluate vulnerabilities from different attack vectors, allowing an organization to conduct an in-depth review of its network and leave no stone unturned. On the other hand, when enterprises rely on automated tools, they can only test from a limited set of vantage points.
The latest Verizon PCI report found that most businesses achieve compliance but can't maintain it long-term. Both the report and the recent debate over the new PCI guidance should help CEOs and CIOs realize that compliance can't be the only security measure taken. Even if organizations meet all compliance requirements and follow the recent penetration testing guidance, that alone does not establish a strong security posture.
A positive outcome of the PCI guidance is that businesses are being encouraged to do more about network segmentation and security. Awareness and knowledge can help business and security leaders open a dialogue on risk management, which can then lead them to establish a holistic risk management process: one that is seen as, and becomes, a part of the business process.
No CEO or CIO wants their company to become the next Target or Sony. Furthermore, the amount and value of data keep growing, as does the move to running a business entirely online. The cloud, IoT, and the overall digital world are part of business today. The sooner organizations implement a holistic security posture, the sooner they can get back to growing their business.
What steps are you taking to ensure your network and data are secure from risks?