Greetings and welcome back! In this week’s blog, we begin a new series on PCI-DSS Breaches and Data Rack Security. Every retailer must keep their systems secure and PCI-DSS standards require strict control on the cyber, physical and operation security of data racks. But as we shall see in today’s blog, there is a huge gap in what individual retailers believe suffices for PCI-DSS compliance and in actual compliance with these standards.
To begin with, there are 12 individual security requirement categories in PCI and each must be followed carefully to be in compliance. If a user is in compliance will all 12, statistics show that they will be much less likely to have a breach. In addition, if a breach does occur, the liability to the user is substantially less if all 12 requirements had been followed carefully. Unfortunately, many organizations believe that they are complying with these 12 standards when in fact, they are not.
A great example of this comes from the most recent Verizon PCI Compliance Report. In this report, all users were asked if they were in compliance with all 12 categories of PCI compliance. Then, users who suffered a breach were asked to provide a post-breach assessment of their actual compliance levels. It is an eye-opening report to say the least and one thing that jumped out to me was the overall compliance levels in Requirement 12 – Maintaining an Information Security Policy Standard. As you can see from the chart below, while 65% of overall users had a 3rd party compliance certification for Requirement 12, only 10% of users that were breached were actually compliant in this area. In other words, those who are relying on a mere certificate are taking enormous risks with their data.
Let’s look at a couple of areas in Requirement 12 that have lead to some serious data breaches in the past few years.
“Malicious individuals may breach physical security and place their own devices on the network as a ‘back door.’ Personnel may also bypass procedures and install devices.”
It is all-too-common to have a data rack that is not physically secured and where any individual with the will to do so can open the rack door and place a device that can be used as a back-door into a credit card data server. This type of attack is sometimes known as a Man-In-The-Middle (MitM) attack. One way that this is done is for a user to place a router that is different from the existing Internet router as described in this excellent research article by Towson University’s computer science department. By this simple procedure, anyone with even modest hacking skills can create a back door into a retailer’s credit card data servers and can essentially steal data at will.
Another item pointed out in the text of Requirement 12 is that data thieves can create back doors by using existing devices that provide remote access to systems within a data rack. One way that this is being done is to use the networked Uninterruptible Power Supply (UPS) or Power Distribution Unit (PDU) to create a back door to the credit card server’s data. Again, the text in Requirement 12 specifically addresses this issue as follows:
Remote-access technologies are frequent “back doors” to critical resources and cardholder data. By disconnecting remote-access technologies
This type of attack has been successfully carried out already in a recent attack that caused millions of dollars in losses as can be seen here. Because PCI-DSS standards require the use of UPS systems to protect system data, all users should have a UPS and should have a remote monitoring package for their backup power to ensure that their backup systems are working. However, any remote monitoring system for the UPS MUST be implemented in a way in which no one would have the ability to connect to the UPS without authorization.
Our RackGuardian system is a perfect answer to solving both the Physical Access Security issues that can be used to create a man in the middle attack and in protecting and securely monitoring your Uninterruptible Power Supply. Please think about these things and, feel free to give us a call to have a confidential discussion about how we can help you become PCI compliant and greatly reduce your chances of having your credit card data stolen.
Until Next Time,