SonyPictures Site Compromised
We have written diaries on Sony's security woes over the past few months: the first was a DDoS against its infrastructure [1], followed by the hacking of the Sony PlayStation Network that took the network offline for several weeks, affecting all of its PlayStation customers [2]. This week, SonyPictures was compromised by a group of individuals calling themselves LulzSec, who took over 1,000,000 unencrypted plaintext customer passwords. Last week, another attack took place, this time against the Sony Music Entertainment Greece website [3], from which the attackers took usernames, passwords, email addresses and phone numbers.
One question comes to mind. With all of this data lost, if a PCI-compliant corporation can be this easily targeted and compromised, is PCI a good standard for measuring security posture?
[1] http://isc.sans.org/diary.html?storyid=10654
[2] http://isc.sans.org/diary.html?storyid=10768
[3] http://mashable.com/2011/05/24/sony-hacker-attack
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
My take is if they were found to be PCI-compliant at one time, it was only for the components reviewed, and only at that time. Who knows what they might have done the day after.
As long as organizations use compliance to try to achieve security we will have this problem. They need to have security achieve compliance. It doesn't seem to work any other way.
Shane
Jun 3rd 2011
Seems Shane is right that they are worried more about meeting the compliance inspection than actually following the standard thoroughly.
bcave
Jun 3rd 2011
There is an important caveat to that comment. From the PCI FAQs:
---------------------
Would older operating systems that are no longer supported by the vendor be deemed non-compliant with the PCI DSS?
Systems that use operating systems that are no longer supported with new security patches by the vendor, OEM, or developer are not necessarily out of compliance. Compensating controls could address risks posed by using older operating systems. Exploit of legacy code is the main risk posed by an older operating system. Since well-known exploits are typically included as signatures to anti-virus, IDS/IPS and firewall filtering, a compensating control to consider is performing an exhaustive search to ensure that all known exploits for that operating system are identified, and that anti-virus, IDS/IPS and firewall rules are all updated to address those exploits. Other compensating controls could include monitoring IDS/IPS and firewall logs more frequently than required (for example, the requirement is for daily log reviews, so more frequently may be continuously and automated), or isolating and segmenting their POS systems via firewalls from the Internet and other systems in the cardholder data environment. The eventual solution is to upgrade to a new and supported operating system, and the entity should have an active plan for doing so. For more help with compensating controls, and for questions about whether a specific implementation is consistent with the standard or is 'compliant', please contact a Qualified Security Assessor.
-----------------------------
So as long as you're running end-of-life systems but have applied all of their patches, you could be found compliant. There is a caveat in the external vulnerability scan that says an out of date operating system is an automatic fail, but I've never seen that diagnosis made reliably by an automated tool from the Internet.
JJ
Jun 3rd 2011