Branden R. Williams (CISSP, CISM, CPISA, CPISM) leads an information security practice in a Global Security Consulting group at a major security firm in Flower Mound, TX and teaches in the NSA Certified Information Assurance program at the University of Dallas's Graduate School of Management. Branden has been involved in information technology since 1994, and focused on information security since 1996. He started consulting on payment security in 2004, assessing companies against the Visa CISP and Mastercard SDP programs. He has a Bachelors of Business Administration in Marketing from the University of Texas, Arlington, and a Masters of Business Administration in Supply Chain Management and Market Logistics from the University of Dallas.Branden publishes a monthly column in the ISSA Journal entitled 'Herding Cats,' and authors a blog at http://www.brandenwilliams.com/.
The credit card industry established the PCI Data Security Standards to provide a minimum standard for how vendors should protect data to ensure it is not stolen by fraudsters. PCI Compliance, 3e, provides the information readers need to understand the current PCI Data Security standards, which have recently been updated to version 2.0, and how to effectively implement security within your company to be compliant with the credit card industry guidelines and protect sensitive and personally identifiable information. Security breaches continue to occur on a regular basis, affecting millions of customers and costing companies millions of dollars in fines and reparations. That doesn't include the effects such security breaches have on the reputation of the companies that suffer attacks. PCI Compliance, 3e, helps readers avoid costly breaches and inefficient compliance initiatives to keep their infrastructure secure. - Provides a clear explanation of PCI- Provides practical case studies, fraud studies, and analysis of PCI- The first book to address version 2.0 updates to the PCI DSS, security strategy to keep your infrastructure PCI compliant
Chapter 2
Introduction to Fraud, Data Theft, and Related Regulatory Mandates
Credit card fraud, identity theft, and broader personal data theft are problems that plague our information-dependent society and predate the age of the Internet. Ironically, things such as automated processing of financial data that make your life easier and more convenient also make crime easier and more convenient. Moreover, the Internet allowed crime that only happened on a small scale to grow and spread globally, and the Internet’s scalability turned electronic-based crimes into a global concern.
Some crime was automated and changed from rare to widespread, for example, Nigerian e-mail or UK Lottery scams. Gone are the days where criminals need to be in the same location, country, or even continent to scam you out of your hard-earned cash. Nigerian e-mail scams started many years ago and are profitable for the scammers. They send out millions of e-mails claiming to be a relative of a Nigerian dignitary with frozen assets and want you to transfer the money for them. You give them your bank account information and/or send them “seed money” to get things moving and end up with nothing. UK Lottery scams aren’t much different with the same basic constructs to get you a cash prize.
Criminals have gone high-tech and have discovered that there is a significant amount of money to be made with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas and eating chocolate ice cream in the living room of your house has much more appeal than physically robbing banks or convenience stores. Add to that the lower risk of a confrontation with firearms and electronic crime becomes even more attractive! Depending on the company being targeted, the sophistication of the attack, and sheer luck, sometimes the high-tech crime may also be significantly more lucrative than traditional armed robbery. Sadly, cross-border prosecution issues significantly fuel a cyber-criminal’s activity. When a criminal physically robs a convenience store, he is probably caught on tape and there are witnesses. Plus, law enforcement will mobilize quickly to find and catch the criminal so he may be brought to justice. Cyber-criminals have a couple of things working in their favor, the first of which is their ability to commit crime without ever stepping into the physical location of their victim(s). Couple that with lagging cyber-security laws in most countries and the inability for the victim’s law enforcement to prosecute outside their borders and you have an idea on why cybercrime is on the rise. In addition, the whole ecosystem of criminal outsourcing partners now allow other criminals to only focus on the activities they do best, such as creating malicious software or hosting phishing pages through botnets.
Malicious software (malware) and cyber-criminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame because of a lack of adequate controls to protect sensitive information. In some companies information security is treated with apathy, and in others, a lack of effective controls enables an insider to commit fraud Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day.
Spyware, phishing attacks, and botnets are all computer attacks that are on the rise and pose a significant threat to corporate and home users, as they connect to the Internet from their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data available to be compromised due to carelessness or negligence by individuals and corporations.
Tools
Did you know that the Privacy Rights Clearinghouse has tracked all reported breaches since the ChoicePoint breach on February 15, 2005? To see all these breaches with an explanation and amount of records lost, point your browser here at www.privacyrights.org/ar/ChronDataBreaches.htm.
DatalossDB at http://datalossdb.org/ is another useful site for tracking the impact of data breaches. Despite its name, most of the recorded and analyzed data “loss” incidents are really data theft and abuse incidents. DatalossDB crew makes an awesome job of tracking all publicly reported incidents and digs out the details on them.
As of today, hundreds of millions of various personal information records have been lost or stolen. Every year since the ChoicePoint breach, we’ve seen major companies fall victim to Payment Card Industry (PCI)-related security breaches. DSW Retail in 2005, The U.S. Department of Veteran’s Affairs in 2006 (and in later years), The TJX Companies in 2007, Hannaford Brothers in 2008, Heartland Payment Systems in 2009, Albrecht Discount (ALDI) in 2010, and Sony in 2011 continue to demonstrate both the poor state of security and increasing sophistication and numbers of the bad guys (as more and more countries have growing populations on the Internet) who want this data and know how to profit from it.
In an “Information is King” era, when more consumers are using computers and the Internet to conduct business and make purchases, taking the proper steps to secure and protect personally identifiable information and other sensitive data has never been more important. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having personal information exposed or compromised. It is worthwhile to add that credit card brands are definitely not the only entities suffering from such possible loss of confidence.
Note
your mindset and think of yourself as a consumer, Internet user, or citizen not as a security or payment professional. What data do you hold dear? Think through the following list of scenarios:
What data or information about me can be considered sensitive and should not be disclosed, be corrupted, or be made permanently or temporarily unavailable? Think of a broad range of types of information—from a rare photo that only sits on a hard drive of one PC to your bank account number, medical history, or information about anything you’ve done that you are not proud of.
Think whether this information exists in any electronic form, on your computers or anywhere else? Is that picture on your “private” Facebook page—an oxymoron if there ever was one—or present in an e-mail spool somewhere?
Next, think whether this information exists on some system connected to the Internet. Sadly, the answer today would be “yes” for almost all (!!!) information people consider sensitive. For example:
Credit card information—check,
Bank account information—check,
Personal financial records—check,
Sensitive personal files—check,
Health records—check.
Think what will happen if this information is seen, modified, or deleted by other people. Will it be an annoyance, a real problem, or a disaster for you?
Now, think about what protects that information from harm. Admittedly, in many cases, you don’t know for sure. We can assure you that sometimes your assumption that the information is secure will be just that—an assumption—with no basis.
Going through this list helps you not only understand data security rationally but also feel it in your “gut.”
Information technologists are affected by a number of laws and regulations designed to coax businesses into addressing their security problems. Depending on what industry a company does business in, they may fall under Sarbanes–Oxley (SOX), the Gramm–Leach–Bliley Act of 1999 (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), and other regulatory mandates that we mentioned in the very beginning of Chapter 1, “About PCI and This Book.” Maybe this confusing hodgepodge of alphabet soup—and that is without European and other regional mandates and regulations—makes for a tough job understanding how to comply with all these measures, as many organizations still fail to enforce adequate security. The Unified Compliance Framework (UCF) that can be found at www.unifiedcompliance.com tracks hundreds of IT-relevant regulations, and many commercially available eGRC tools such as RSA’s Archer or IBM’s OpenPages can help build, manage, and reference a common control set to cover all of these compliance initiatives.
Note
If you feel lost and out of control, don’t. Remember, all these crazy compliance initiatives are trying to minimize the risk associated with an underlying problem—poor security. Taking a step back and looking at a standard security framework, like ISO27002, would do more to boost your global compliance efforts than attacking any one of these by themselves. A mature ISO27002 program would be able to adapt to future compliance initiatives or changes in a way that would minimize the overall impact compliance has on your organization.
Breaches often target consumer credit card information because of the revenue this type of data can generate on the black market. Since our last publication, the value of magnetic stripe data on the black market has declined dramatically, but that doesn’t stop the attacks or the desire to capture other data like PII and PIN-Debit information. Card companies recognized the rising threat to their brands and...
| Erscheint lt. Verlag | 1.9.2012 |
|---|---|
| Sprache | englisch |
| Themenwelt | Informatik ► Netzwerke ► Sicherheit / Firewall |
| Recht / Steuern ► Strafrecht ► Kriminologie | |
| Sozialwissenschaften | |
| ISBN-10 | 1-59749-953-6 / 1597499536 |
| ISBN-13 | 978-1-59749-953-8 / 9781597499538 |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 6,2 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 3,1 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
