Earlier this month, the folks at the Payment Card Industry released a previewof their long awaited Data Security Standard version 3, better known as PCI DSS 3.0. In a nine-page document, the PCI standards group sketched out the high points of their proposed changes, 12 in all, that will be finalized in November. What were some of the considerations behind the 3.0 update? It turns out that weak passwords, poor self-detection, and inconsistent assessments were key drivers behind the modifications to PCI DSS.
As has been known for a long time, the actual hack craft of many exploits are quite basic. Our go-to source for hack trends and statistics is Verizon’s indispensable Data Breach Investigations Report. In their most recent 2013 study, the Verizon team remarked (yet again) that the easiest way to gain unauthorized access is by simply hijacking someone’s authorized access–typically through backdoor or brute-force password attacks.
For those looking for in-the-trenches evidence, the recent indictment of the mostly Russia cyber-criminal ring has some revealing insights into hacker modus operandi. In one of the cyber gang’s capers, the government learned that they loaded onto a server a rainbow table, which is essentially a data set that lists weak passwords and their hash equivalents. These tables are used by hackers to quickly reverse a password hash that’s found in, say, Linux’s /etc/passwd file. Obvious passwords—“1234”, “admin”, etc.— would be easily cracked with rainbow tables, thereby making the hacker’s task of taking over identities and finding content even easier
This is not sophisticated work by any means, yet the gang, using this and slightly more advanced techniques, netted over 160 million credit card numbers—a record.
PCI’s recommendations in version 3.0 for stronger passwords and improved authentication through, for example, smart cards, will go a long way towards preventing cyber thieves from gaining access to sensitive content, ultimately reducing credit card fraud.
Their call for improved self-detection and risk assessments will be met partially by a recommendation for penetration testing. In other words, rather than having the criminals probe a system for vulnerabilities, IT departments should be doing their own pen testing as part of—in PCI’s words—“business as usual” security procedures.
Overall, the current recommendations for PCI DSS 3.0 are a good step forward.
The devil is in the details, of course. We’ll have to wait till November to see how all this plays out in the actual PCI 3.0 standard. We’ll keep you posted.