
SecureWorks - On the Radar Newsletter - February 2009


PCI Update:

Compliant Does Not Mean Secure

The recent breaches of payment processors Heartland Payment Systems, Inc. and RBS WorldPay have once again shone the spotlight on the fact that simply passing a PCI audit or scan does not mean a company’s data is truly secure. The PCI Data Security Standard was created by the card brands to reduce and redistribute the risk of compromised credit card data. It does not, in and of itself, protect you from breaches as recent events have clearly shown.

In recent years, several companies who have passed the full extent of required PCI compliance audits – Level 1 merchants and service providers – have suffered major breaches disclosing millions of account numbers and records and costing millions of dollars in legal fees, lost business and brand damage. In the case of Heartland and RBS WorldPay, these companies were removed from Visa’s list of PCI DSS compliant service providers after investigation found they were not compliant at the time of the breach. Although Visa has indicated that Heartland and RBS WorldPay customers will not be fined for using them, they will inevitably lose some of their business to competitors eager to capitalize on the incidents.

Does this mean that the PCI DSS is ineffective? Well, that depends on your expectations of the PCI DSS (or any compliance mandate). The purpose of the PCI DSS is to reduce risk to card data and therefore reduce the risk faced by the card brands. It undeniably achieves this purpose – without PCI forcing merchants and service providers to meet minimum requirements, the overall risk to credit card data would be much greater. Also, it is no secret that the PCI DSS and other compliance requirements are a primary driver for security spending for many of today’s companies. Unfortunately, this has led to many non-security business leaders mistakenly equating being PCI compliant with actually being secure. If a security expenditure is not required for compliance, it is a low priority. Resources are focused on PCI compliance, while other projects that do more to reduce risk and protect assets are underfunded or set aside.

Compliance is important, but it should not overshadow security. Compliance initiatives should be a part of your information security program, not vice versa. Compliance standards, like the PCI DSS, present "lowest common denominator" requirements. In comparison, a mature information security program is tailored to your unique business, IT environment and tolerance for risk. A company that has a mature, well-executed information security program will not only be more secure, it will also be able to satisfy PCI requirements with significantly less effort – saving the company time and money.

The best approach for any company is to focus on securing sensitive data and systems first, then consider if any additional steps should be taken to satisfy compliance requirements. When it comes to PCI, do not focus solely on getting checkmarks in your quarterly ASV scan report and/or annual onsite QSA assessment. Instead, make PCI compliance a part of your overall information security program and use it to drive security improvement across your organization.

As a leading provider of security services as well as a PCI Qualified Security Assessor (QSA), SecureWorks helps merchants and service providers improve their information security program while also meeting and exceeding PCI DSS requirements. To learn more about our services and best practices approach to compliance, please visit http://www.secureworks.com/compliance/.

 

Threat Profile: Conficker

Having infected millions of Windows PCs worldwide, Conficker (aka Downadup) is by far the most prolific worm of 2009 – so prolific that Microsoft offered a $250,000 bounty for information leading to the capture of Conficker’s creators. To infect Windows systems, Conficker takes advantage of a vulnerability in the way Windows systems handle remote procedure call (RPC) requests. This vulnerability was addressed in Microsoft’s MS08-067 critical security update last October, but there are still many unpatched Windows PCs around the world that are not protected.

Because exploitation of Windows PCs that have not installed the MS08-067 patch does not require any action from the targeted PC’s user to be successful, Conficker has spread rapidly. In addition to its rapid propagation, the worm also takes steps that can make cleaning up a Conficker infection difficult for PC owners and IT administrators. For example, Conficker disables certain Windows services, deletes system restore points and blocks Internet access to antivirus and security websites.

The security community has paid very close attention to Conficker due to its fast growth and potential impact on businesses and individual PC owners. In addition to the $250,000 bounty, Microsoft has joined with major security companies, domain registrars, researchers and other concerned parties to create the Conficker Working Group to help combat the worm in the wild.

There has been significant speculation concerning the future of Conficker. While investigating the worm, researchers found instruction within Conficker for infected bots to connect to command-and-control servers operated by the hackers behind the worm on April 1st. The significance of that date (April Fool’s Day) has led to questions about what the worm’s authors have planned. Joe Stewart, Director of Malware Research at SecureWorks, summed up the situation in a recent blog post:

So why all the fuss over the 1st? It all started over a massive increase in the number of domain names being used by the worm to find control servers. In the A and B variants, there were only 250 possible domain names each day at a handful of top-level domains (TLDs) for the worm to utilize. Then, along came the Conficker Working Group (nee Conficker Cabal) who set about learning the algorithm and disabling the domain names ahead of time. This didn’t sit well with the Conficker author(s), so Conficker.C was released with some additional features.

First, it would now use its own peer-to-peer protocol to allow infected nodes to update each other without the use of a centralized command-and-control server. (One might think this could allow other parties to gain control over the botnet created by the worm, but the author included digital signature checks into the code - no updates will be accepted by Conficker unless they are signed by the author’s private encryption key.)

Second, Conficker.C will use a new algorithm to generate 50,000 unique controller domain names at 110 different TLDs every day. This activity is set to start on April 1st, and since it seems too large a problem for even the Conficker Working Group to handle, the press is worried that this massive botnet might finally be unleashed to wreak havoc upon the world’s networks.

But you should not fear April 1st, 2009, and here’s why:

  • Conficker.C is already able to receive updates via its P2P protocol today, so focusing on the April 1st date is misguided.
  • Don’t underestimate the reach of the Conficker Working Group. These are the security industry’s heavy-hitters, and you can be sure they are working diligently to mitigate the domain issue.
  • Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly.
  • If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.

How Can I Protect Against Conficker?

SecureWorks clients are protected from Conficker and other attacks exploiting the MS08-067 vulnerability via countermeasures we deployed in October of last year.

If you have not already, you should apply the MS08-067 patch for Windows systems to patch the vulnerability exploited by Conficker. Because the worm also has a function that allows it to spread via removable drives, administrators should also disable the autorun function by installing the Microsoft Security Advisory 967940 update. Additionally, any anti-malware software should be updated with the latest malware signatures and protections.

Additional safeguards include:

  • Using Network Intrusion Prevention Systems that have active countermeasures enabled to block MS08-067 exploit attempts.
  • Monitoring Windows host logs using Security Information Management or Log Management tools to detect MS08-067 exploitation and behavior indicative of infection such as brute-force password cracking attempts and irregular requests.
  • Following firewall best practices by using default-deny firewall configurations and blocking external access to non-essential ports.
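The second safeguard above, watching Windows host logs for the burst of failed logons that password-guessing against administrative shares leaves behind, is easy to prototype. The following Python is an added example written for this newsletter, not SecureWorks code or a Conficker detection signature; it assumes failed-logon events have already been exported from the Security log into a simple text format, uses event ID 529 (Windows XP/2003) and 4625 (Vista/2008 and later) as the failed-logon identifiers, and runs over a small constructed sample rather than a real capture.

```python
"""Flag hosts that generate bursts of failed logons in a Windows Security log
export (added example; the log format and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for a failed logon: 529 on XP/2003, 4625 on Vista/2008+.
FAILED_LOGON_EVENTS = {"529", "4625"}

# Constructed sample log (not captured from a real system); one event per line:
# "<date> <time> <event id> <source workstation> <target account>".
# WS-042 shows a user mistyping a password twice; WS-017 shows a dozen failures
# against the Administrator account inside twelve seconds, then one stray failure.
SAMPLE_LOG = """\
2009-02-10 14:02:01 528 WS-042 jsmith
2009-02-10 14:02:05 529 WS-042 jsmith
2009-02-10 14:03:10 529 WS-042 jsmith
2009-02-10 14:05:00 529 WS-017 Administrator
2009-02-10 14:05:01 529 WS-017 Administrator
2009-02-10 14:05:02 529 WS-017 Administrator
2009-02-10 14:05:03 529 WS-017 Administrator
2009-02-10 14:05:04 529 WS-017 Administrator
2009-02-10 14:05:05 529 WS-017 Administrator
2009-02-10 14:05:06 529 WS-017 Administrator
2009-02-10 14:05:07 529 WS-017 Administrator
2009-02-10 14:05:08 529 WS-017 Administrator
2009-02-10 14:05:09 529 WS-017 Administrator
2009-02-10 14:05:10 529 WS-017 Administrator
2009-02-10 14:05:11 529 WS-017 Administrator
2009-02-10 15:30:00 529 WS-017 Administrator
"""


def parse_line(line):
    """Return (timestamp, event_id, source_host, account), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4]


def find_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {source_host: peak_failures} for every host whose failed logons reach
    `threshold` inside some interval of length `window` (sliding-window count)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash the monitor
        ts, event_id, host, _account = rec
        if event_id in FAILED_LOGON_EVENTS:
            failures[host].append(ts)

    alerts = {}
    for host, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end, ts in enumerate(times):
            # advance the window start until every event inside it is within `window` of ts
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {peak} failed logons within 5 minutes")
```

The threshold and window are deliberately conservative so that an ordinary user mistyping a password is not reported; tune them to your environment, and correlate hits with the other indicators listed above (MS08-067 exploit attempts on the NIPS, hosts unable to reach security vendor sites) before treating a source workstation as infected.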

Detailed instructions on how you can remove Conficker from an infected PC can be found here.

 

Featured Gartner Research

Survey results highlight company burden of vetting

According to Gartner, "Gartner clients report that assessing security and privacy controls of their service providers and partners has become a priority and an increasing drain on the resources of security and risk groups." This research note will help companies understand how organizations are assessing third-party security controls and compare their efforts with those of their peers.

View the complimentary Gartner report made available to you by SecureWorks to learn more.

 

SecureFacts:

"The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all time high of 31,173 in December, an 827 percent increase from January of 2008."

Anti-Phishing Working Group, Phishing Activity Trends Report – 2nd Half 2008
