This is great that HN is talking about PCI. The problem with PCI and compliance in general is three fold.
1. People don't want compliance [1]
2. People think compliance is broadly applied
3. People don't know where to start
I'll answer these point by point.
1) The reason people don't want compliance is because the security industry claims that Compliance is bare minimum and not enough. If they told you that Compliance was simply doing your due diligence on your sensitive devices, I think the market would have had a software tool to easily get us through the process by now. (I built a "brilliant" PCI tool btw. Link below)
So let me explain to them why I think Compliance is just doing your due diligence and we'll do that by simply asking this question: If compliance is bare minimum and not enough, what is a comprehensive approach available right now to reasonably protect our sensitive data? The security professionals will tell you Risk Assessments and Pentesting often is the best alternative [2]
Their answer is to specifically switch to Risk Assessment and PenTesting often, which is Requirement 11 and Requirement 12 of PCI. Each one of the bullets written is specifically covered by PCI DSS 3.1, including social engineering/phishing attacks that are provided through security awareness training. They're telling me that compliance is bare minimum, yet their suggestion is to do a subset of compliance. Its circular logic. Since its circular logic and nobody has been able to provide me with a reasonable approachable alternative to going above bare minimum, I hypothesize that compliance is NOT bare minimum, but in fact, due diligence.
Think of a fort. Forts had defined compliance checklists in the old times. In a fort, you go through a security rotation of making sure the pot of boiling oil tips over on time. You practice your smoke signaling so that the appropriate people are notified in the event of a wall breach. Were they spending a majority of their security drills taking half their army, launching it against the fort, fixing what fails, and then doing a risk assessment?
2) A compliance program by definition is only applicable to your sensitive environment. It cannot be applied broadly. Its forcing you to go through the decision making process of asking yourself, "What's most important to protect right now". Only you can classify the sensitivity of your devices. Only you can choose if your code base is sensitive or your employee's SSN is sensitive. But whatever you’ve classified as sensitive must fall under compliance. Let's refresh: Compliance is designed to be applied only to your sensitive data. If you choose to put a non-sensitive devices under a compliance program, then you've specifically applied compliance broadly.
3) To approach any compliance program, ask yourself 6 questions on any specific device.
1. Does this device store, process or transmit sensitive data (e.g. cardholder/health/SSN)?
2. Is there unrestricted access between this device and a sensitive device?
3. Does this device provide authorization, authentication, or access control to a sensitive device?
4. Can this device initiate a connection to a sensitive device?
5. Can a sensitive device initiate a connection to this device?
6. Can this device administer a sensitive device?
If you're able to answer yes to any of those questions then your device is sensitive and due diligence is required. Let's go back to the fort example. Is there unrestricted access from that boiling pot to the sensitive gold chamber? Does the pot provide access control to the sensitive gold chamber? If yes, then configuration settings of the pot, pulley, oil, need to be recorded and monitored periodically. If no, then its possible that you might have a business justification for not putting as much rigor into recording and monitoring the correct functionality of that pot.
You've already started the compliance process by asking yourself, "Does my laptop initiate an outbound connection to a sensitive device?" If yes, then your laptop falls under compliance and due diligence is required.
Everything else is just record keeping. Create a network diagram of only your sensitive assets. Write down how you rotate your keys on those sensitive assets. Write down what log files you periodically review. Go through a practice run of your Incident Response in case there is a breach of your sensitive asset.
This is a pretty long post and I hope it helped.
Shameless plug, I'm building a tool called ComplianceChimp to guide you through this entire process including recording your procedures with Github flavored Markdown. You can see how I'm using our tool to get us through the PCI Compliance process. [3]
1. People don't want compliance [1]
2. People think compliance is broadly applied
3. People don't know where to start
I'll answer these point by point.
1) The reason people don't want compliance is because the security industry claims that Compliance is bare minimum and not enough. If they told you that Compliance was simply doing your due diligence on your sensitive devices, I think the market would have had a software tool to easily get us through the process by now. (I built a "brilliant" PCI tool btw. Link below)
So let me explain to them why I think Compliance is just doing your due diligence and we'll do that by simply asking this question: If compliance is bare minimum and not enough, what is a comprehensive approach available right now to reasonably protect our sensitive data? The security professionals will tell you Risk Assessments and Pentesting often is the best alternative [2]
Their answer is to specifically switch to Risk Assessment and PenTesting often, which is Requirement 11 and Requirement 12 of PCI. Each one of the bullets written is specifically covered by PCI DSS 3.1, including social engineering/phishing attacks that are provided through security awareness training. They're telling me that compliance is bare minimum, yet their suggestion is to do a subset of compliance. Its circular logic. Since its circular logic and nobody has been able to provide me with a reasonable approachable alternative to going above bare minimum, I hypothesize that compliance is NOT bare minimum, but in fact, due diligence.
Think of a fort. Forts had defined compliance checklists in the old times. In a fort, you go through a security rotation of making sure the pot of boiling oil tips over on time. You practice your smoke signaling so that the appropriate people are notified in the event of a wall breach. Were they spending a majority of their security drills taking half their army, launching it against the fort, fixing what fails, and then doing a risk assessment?
2) A compliance program by definition is only applicable to your sensitive environment. It cannot be applied broadly. Its forcing you to go through the decision making process of asking yourself, "What's most important to protect right now". Only you can classify the sensitivity of your devices. Only you can choose if your code base is sensitive or your employee's SSN is sensitive. But whatever you’ve classified as sensitive must fall under compliance. Let's refresh: Compliance is designed to be applied only to your sensitive data. If you choose to put a non-sensitive devices under a compliance program, then you've specifically applied compliance broadly.
3) To approach any compliance program, ask yourself 6 questions on any specific device.
1. Does this device store, process or transmit sensitive data (e.g. cardholder/health/SSN)?
2. Is there unrestricted access between this device and a sensitive device?
3. Does this device provide authorization, authentication, or access control to a sensitive device?
4. Can this device initiate a connection to a sensitive device?
5. Can a sensitive device initiate a connection to this device?
6. Can this device administer a sensitive device?
If you're able to answer yes to any of those questions then your device is sensitive and due diligence is required. Let's go back to the fort example. Is there unrestricted access from that boiling pot to the sensitive gold chamber? Does the pot provide access control to the sensitive gold chamber? If yes, then configuration settings of the pot, pulley, oil, need to be recorded and monitored periodically. If no, then its possible that you might have a business justification for not putting as much rigor into recording and monitoring the correct functionality of that pot.
You've already started the compliance process by asking yourself, "Does my laptop initiate an outbound connection to a sensitive device?" If yes, then your laptop falls under compliance and due diligence is required.
Everything else is just record keeping. Create a network diagram of only your sensitive assets. Write down how you rotate your keys on those sensitive assets. Write down what log files you periodically review. Go through a practice run of your Incident Response in case there is a breach of your sensitive asset.
This is a pretty long post and I hope it helped.
Shameless plug, I'm building a tool called ComplianceChimp to guide you through this entire process including recording your procedures with Github flavored Markdown. You can see how I'm using our tool to get us through the PCI Compliance process. [3]
[1] https://news.ycombinator.com/item?id=9510435
[2] https://gist.github.com/akshatpradhan/1573e5f6c1872b6af129
[3] http://cc-stg2.herokuapp.com/compliancechimp/documents/softw...