Anyone who handles credit card information now needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). Nobody likes spending money to comply with new regulations, so merchants always grumble about how expensive PCI DSS compliance is. But if you look at how much credit card information is being compromised, it looks like PCI DSS really isn't enough and even more protection is needed. So how much credit card information has been compromised?
Four researchers recently worked their way into the underground community of cyber-criminals to learn how the business operates. Their paper "An Inquiry into the Nature and Cause of the Wealth of Internet Miscreants" summarizes what they learned. One particularly interesting finding is that the credit card numbers being sold by cyber-criminals outnumber other types of sensitive data by a factor of over 20 to 1. There are far more credit card numbers available to cyber-criminals than there are Social Security numbers, bank account numbers, or ATM PINs.
It certainly looks like PCI DSS isn't enough to stop the wholesale theft of credit card numbers. It's a good first step, but it isn't enough on its own. Keeping credit card numbers safe will probably require shifting to a new idea of what security means and how to implement it.
Current security architectures try to protect data by keeping hackers out of the networks where sensitive data is processed. Inside the network, however, the data is often relatively unprotected. This was the case at Heartland: once the network was penetrated, the hackers could collect credit card numbers as they moved through it. Heartland did a great job of complying with PCI DSS, but that wasn't enough, because the hackers took advantage of weaknesses that PCI DSS doesn't address.
An alternative is to protect the data itself instead of the network. In a data-centric model of security, sensitive data is encrypted and stays encrypted until it's needed for processing. As sensitive data moves through the network it remains encrypted, and therefore useless to any hackers who manage to collect it; it also remains encrypted while it sits on the server it reaches at the end of that hop.
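To make the contrast between the two models concrete, here is an added example in Go; it is not code from the original article or from any company it mentions. It assumes a shared AES-256-GCM key held only by the point of capture and the processing service, a constructed merchant ID "M-001", and the well-known test card number 4111111111111111. The record layout and the function names (SealPAN, OpenPAN, Observe, LooksLikePAN) are hypothetical. The same record type is pushed through both models: in the perimeter model an intruder on the internal network sees a sellable card number, in the data-centric model they see authenticated ciphertext that only the processing service can open, and any attempt to move the record to another merchant or alter its bytes fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// CardRecord is the unit that moves between systems inside the network. In the
// perimeter model PAN holds the card number in clear; in the data-centric model
// it holds hex(nonce || AES-GCM ciphertext) that only a key holder can open.
type CardRecord struct {
	MerchantID string // authenticated as associated data, never encrypted
	PAN        string
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN runs at the point of capture. Binding the merchant ID as associated
// data means the record cannot be re-attributed without breaking the tag.
func SealPAN(key []byte, merchantID, pan string) (CardRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))
	return CardRecord{MerchantID: merchantID, PAN: hex.EncodeToString(append(nonce, ct...))}, nil
}

// OpenPAN runs only inside the processing service that holds the key.
func OpenPAN(key []byte, rec CardRecord) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(rec.PAN)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("not a sealed record")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(rec.MerchantID))
	if err != nil {
		return "", err // wrong key, wrong merchant binding, or tampered bytes
	}
	return string(pt), nil
}

// Observe models an intruder sniffing the record in transit or reading it off
// the server it lands on: they get the PAN field exactly as stored.
func Observe(rec CardRecord) string { return rec.PAN }

// LooksLikePAN is the intruder's usability test: 13 to 19 digits passing Luhn.
func LooksLikePAN(s string) bool {
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key; a real key lives in an HSM or KMS
	pan := "4111111111111111"                         // well-known test number, not a live card
	clear := CardRecord{MerchantID: "M-001", PAN: pan}
	fmt.Printf("perimeter model: intruder sees %s, usable=%v\n", Observe(clear), LooksLikePAN(Observe(clear)))
	sealed, err := SealPAN(key, "M-001", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("data-centric model: intruder sees %s..., usable=%v\n", Observe(sealed)[:24], LooksLikePAN(Observe(sealed)))
	recovered, err := OpenPAN(key, sealed)
	fmt.Printf("processing service recovers %s (err=%v)\n", recovered, err)
}
```

The design choice worth noting is that encryption moves the security boundary rather than removing it: the intermediate switches, queues and log stores no longer need protecting as card-data systems, but the key and the processing service that calls OpenPAN now carry the full weight of the model, so key custody (an HSM or key-management service rather than a file on the server) and a unique nonce per record are what keep the scheme sound.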