PCI requirements have come under scrutiny lately. A number of high-profile security incidents resulting in the exposure of hundreds of thousands of credit cards have, fairly or unfairly, brought attention to the companies who suffered these attacks and yet were PCI compliant at the time. The highest-profile incident was that of Network Solutions, where over half a million credit cards were compromised.
The culprit? Unauthorized code on their servers resulted in the exposure of the credit card data. Despite the controls employed to protect the card data on those servers, they were done in by simple malware on a system in their infrastructure.
The exposure experienced by Network Solutions is not unique. One of the greatest threats to any company connected to the Internet is the prevalence of malware and the number of systems that belong to botnets. We recently blogged about two botnets formed by the new Clampi trojan and the older Conficker malware. Unfortunately, traditional blacklist antivirus technology is no longer capable of preventing infection, and standards that target the protection of critical assets ought to take that into account.
To that end, I would like to contrast the two requirements mandating system security in PCI DSS with those in NERC CIP. The NERC CIP requirements call for security that can detect, prevent, deter, and mitigate malware. The actual R4 requirement from NERC CIP-007 is shown here:
- R4. Malicious Software Prevention – The Responsible Entity shall use antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
- R4.1. The Responsible Entity shall document and implement antivirus and malware prevention tools. In the case where antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
- R4.2. The Responsible Entity shall document and implement a process for the update of antivirus and malware prevention “signatures.” The process must address testing and installing the signatures.
PCI, on the other hand, does not have this granularity and focuses instead solely on the use of antivirus. Here is the relevant PCI requirement mandating the use of antivirus:
- 5.1. Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
- 5.1.1. Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious software.
- 5.2. Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.
The security of the systems in an organization’s IT infrastructure remains one of the greatest challenges to providing strong security. Application whitelisting exists to prevent unauthorized code from residing on critical assets: anything not explicitly approved is blocked, whether or not a signature database has ever seen it. It’s time for organizations to start thinking about how they can proactively protect these devices instead of simply providing a checkbox for antivirus.
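As an added illustration (not code from the original post or from any product), the following Python sketch shows the difference between the two models the post contrasts. A signature blacklist only flags files whose hash it already knows; a hash-based allowlist flags every file that was not explicitly approved, so a never-before-seen file is caught even though no signature exists for it. All file names and contents are constructed for the demo.

```python
"""Minimal file-hash application allowlist check (illustrative, constructed)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Baseline step: record the hash of every approved binary."""
    return {sha256_of(Path(p)) for p in approved_paths}


def audit_directory(directory, allowlist, known_bad=frozenset()):
    """Return (blacklist_hits, allowlist_violations) for files in directory.

    blacklist_hits:       files whose hash appears in the signature set.
    allowlist_violations: every file whose hash is not approved, including
                          unknown files that no signature set has seen yet.
    """
    blacklist_hits, violations = [], []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        if digest in known_bad:
            blacklist_hits.append(path.name)
        if digest not in allowlist:
            violations.append(path.name)
    return blacklist_hits, violations


def demo():
    """Constructed scenario: two approved binaries, one known-bad, one unknown."""
    tmp = Path(tempfile.mkdtemp())

    # Approved software for this host (constructed placeholder contents).
    (tmp / "payment-svc").write_bytes(b"approved payment service build 1\n")
    (tmp / "log-agent").write_bytes(b"approved log forwarding agent\n")
    allowlist = build_allowlist([tmp / "payment-svc", tmp / "log-agent"])

    # Constructed sample that a signature database already knows about.
    (tmp / "old-bot").write_bytes(b"constructed sample already in signature database\n")
    known_bad = {sha256_of(tmp / "old-bot")}

    # Constructed never-seen file: the blacklist misses it, the allowlist does not.
    (tmp / "dropper").write_bytes(b"constructed never-before-seen file\n")

    return audit_directory(tmp, allowlist, known_bad)


if __name__ == "__main__":
    hits, violations = demo()
    print("blacklist would catch:   ", hits)        # ['old-bot']
    print("allowlist would reject:  ", violations)  # ['dropper', 'old-bot']
```

In a real deployment the allowlist would be signed and produced from a trusted build or golden image, and enforcement would happen at execution time rather than by a periodic scan; the scan form is used here only to make the two detection models easy to compare side by side.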