In looking online, I've seen numerous discussions about Sony and PCI. I've avoided talking too much about Sony, but I can't really keep my mouth shut. There are a few reasons for this. First, I work on PCI compliance, so I'm very familiar with the rules. But I also have nothing to do with Sony, so I don't have the potential for a conflict of interest.
Several reports about the incident have drawn my attention.
- The attack was against known vulnerabilities. Reports are now indicating it was an unpatched version of Apache (6.1)
- The security code for the credit card number may have been compromised according to numerous reports (3.2.2)
- Firewalls appear to not have covered several key parts of the network (1.2)
The numbers in parentheses identify the PCI DSS requirement (the PCI DSS is the document that describes the IT security requirements for accepting credit card transactions) that the reported information would violate. It's important to note that very little has been confirmed by Sony.
Sony has sent emails indicating that credit card numbers may have been compromised and has confirmed that the attack was based on vulnerabilities known to the security community. In their email, they explicitly state that the security code was not compromised. Given how little Sony is actually willing to state was not compromised, there is at least a reasonable chance that the second item above is incorrect and the security code was not compromised.
I've seen questions about the PCI compliance status of Sony. I do not know (and don't care to look) what class of merchant they are. I do know that Sony would have to be certified at some level to even be able to take credit cards. Most small merchants don't actually take credit cards themselves; they rent equipment that does it for them. But Sony is storing those credit card numbers "encrypted", so they would be subject to PCI certification each year.
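As an added illustration of the 3.2.2 and storage points above (example code, not from this post, Sony, or the PCI council), here is a storage-side guard that refuses to persist the security code and masks the PAN before a record is written. The field names, the regex and the Luhn check are assumptions for the example, not a real merchant schema.

```python
"""Storage-side guard for PCI DSS 3.2.2 (never store the card security code
after authorization) and 3.3 (mask the PAN wherever it is displayed/stored).
Retention of the full PAN, if required, belongs in a separate encrypted
store (3.4) and is deliberately out of scope here."""
import re

# Assumed field names; a real schema may differ.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track_data", "pin_block"}
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check so a stray order number is not mistaken for a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_sensitive_auth_fields(record: dict) -> list:
    """Names of fields that 3.2.2 forbids persisting after authorization."""
    return sorted(k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS)


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy that is safe to write; refuse if a security code is present."""
    bad = find_sensitive_auth_fields(record)
    if bad:
        raise ValueError(f"refusing to store sensitive authentication data: {bad}")
    clean = {}
    for key, value in record.items():
        if key.lower() == "pan":
            if not (isinstance(value, str) and PAN_RE.match(value) and luhn_ok(value)):
                raise ValueError("pan field does not look like a card number")
            clean["pan_masked"] = mask_pan(value)   # masked form only
        else:
            clean[key] = value
    return clean
```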
Section 6.1 (patch known security vulnerabilities) is a particularly worrisome item to me. I can actually understand a viable argument for not using firewalls on external-facing systems (section 1.2). It's long and complex, but it boils down to this: the external firewall box doesn't have to be used if you do it right on each and every host in your network. I cannot understand a viable argument for not patching. Patching is essential, and I don't mean patching when one feels like it, or months after the system is brought online.
I personally suspect that fines will be levied at some level, even if just to warn other merchants that the payment card industry is serious. I also don't think that managers at other companies will care for more than a month or two. Security is rarely taken seriously until after it is on the front page for at least two days.
So everyone out there reading this, go click that friendly icon to check if you are up to date on patching. Don't forget that Adobe products are often not patched by your operating system patching mechanism, so you have to check that separately. This is particularly important for Adobe Flash. Your system is a target, even if just to help hide the real attackers on their next attack against a large company.