SAN FRANCISCO–The PCI DSS standard has taken a beating from critics, security experts and CSOs virtually since the day it appeared in its earliest form in 2004. It’s evolved quite a bit in the intervening years, but it hasn’t shaken any of that criticism, and security folks say there’s a good reason for that: a PCI-compliant network is no real hurdle to exploitation.
The standard is designed to keep payment card data secure by restricting access to the data and keeping it segmented from other information. The major credit card companies, including Visa, MasterCard and American Express, require that organizations handling payment card data comply with the PCI standard, and the requirements come in different levels for different organizations. Many of the requirements are common-sense controls, and they are often criticized for not being specific or stringent enough.
Rob Havelt, the director of penetration testing at Trustwave’s SpiderLabs, said in a talk at the RSA Conference here that over the course of dozens of engagements, he’s found that compromising PCI-compliant networks is not a problem. He said that organizations typically make so many mistakes in other parts of their operations that getting from one part of the network to the segment holding the payment-card data can be a simple matter.
“It’s not even just finding a vulnerability and throwing an exploit against it,” he said. “There are things that people just do wrong that make it possible for an attacker to get in.”
Havelt said that in a typical scenario, an attacker can find a foothold on a network in any number of ways. Maybe it’s through a weak password on a server or stolen credentials or an attack on a Web server. Or there’s the tried-and-true phishing email with a malicious attachment that has worked so well over the years. Whatever the method, the attacker just wants to find some kind of hook into the network. Havelt said that because many targeted attacks now include the use of custom malware, getting past desktop defenses and some server security systems is not that difficult.
Once on the network, Havelt said, an attacker whose end goal is the card data will try to reach a position from which he can move to the portion of the network holding the sensitive data. An opening part of the attack scenario could include an ARP-spoofing attack, Havelt said. That could give him access to a portion of the network’s traffic, providing intelligence about how the network operates and where things are located.
“These things aren’t new. It’s 2012 and we still don’t have ARP spoofing figured out,” Havelt said. “It’s simple to do and it can be devastating.”
In short, Havelt said, the same tactics and techniques that enable attackers to compromise a normal network, intercept traffic and get to the valuable data can be used to exploit PCI-compliant networks. It’s simply a matter of time and trial-and-error.
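The ARP-spoofing step in Havelt’s scenario is also something a defender on the flat segment can watch for. The following is an added example, not code from the talk or this article: a small passive monitor that replays a constructed stream of ARP replies and flags the two classic signs of cache poisoning, an IP whose MAC mapping changes and a single MAC that claims several IPs. The baseline table and the reply records are constructed sample data, not from any real network.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    # Trusted IP -> MAC baseline, e.g. DHCP leases or a static inventory (assumed input).
    baseline: dict
    # Alert when one MAC claims more than this many distinct IPs.
    max_ips_per_mac: int = 2
    ip_to_mac: dict = field(default_factory=dict)
    mac_to_ips: dict = field(default_factory=lambda: defaultdict(set))

    def __post_init__(self):
        self.ip_to_mac = dict(self.baseline)
        for ip, mac in self.baseline.items():
            self.mac_to_ips[mac].add(ip)

    def observe(self, sender_ip, sender_mac):
        """Process one ARP reply (is-at) and return the alerts it triggers."""
        alerts = []
        known = self.ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            # Sign 1: an IP we already know is suddenly answered by another MAC.
            alerts.append(f"MAC change for {sender_ip}: {known} -> {sender_mac}")
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > self.max_ips_per_mac:
            # Sign 2: one MAC posing as the gateway plus several hosts.
            alerts.append(f"{sender_mac} claims {sorted(self.mac_to_ips[sender_mac])}")
        return alerts

# Constructed ARP reply stream: .1 (gateway) and .20 are baseline hosts; the
# last three replies come from a host at .99 impersonating both of them.
CONSTRUCTED_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # legitimate gateway refresh
    ("10.0.0.20", "00:11:22:33:44:20"),  # legitimate host refresh
    ("10.0.0.1", "00:11:22:33:44:99"),   # gateway IP claimed by .99's MAC
    ("10.0.0.20", "00:11:22:33:44:99"),  # host IP claimed by the same MAC
    ("10.0.0.99", "00:11:22:33:44:99"),  # .99's own, honest reply
]

def run_detection(replies=CONSTRUCTED_REPLIES):
    """Replay a reply stream through the monitor and collect all alerts."""
    mon = ArpMonitor(baseline={"10.0.0.1": "00:11:22:33:44:01",
                               "10.0.0.20": "00:11:22:33:44:20"})
    alerts = []
    for ip, mac in replies:
        alerts.extend(mon.observe(ip, mac))
    return alerts
```

On a real network the replies would come from a sniffer or switch ARP logs, and the baseline from DHCP leases; the same checks are what switch features such as dynamic ARP inspection enforce inline.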