Posted by:
admin
14 years, 10 months ago
I really enjoyed the PCI debate at Shmoocon, but probably because it was more circus than it should have been. (Here's another summary from Anton Chuvakin) The pertinent points I came away with where:
- Prescriptive Security is not necessarily going to be secure.
- The brands need to fix it instead of making everyone else apply a band-aid.
- Many merchants are doing security for the first time, no longer storing payment information in plain text on PoS devices.
- It's like "No Child Left Behind" dragging the industry to the middle.
- PCI-DSS is bad because it is sucking investment away from other areas of security
I'll take these last two points on today. They were both from Josh Corman of 451 Group, who joined virtually via Skype (providing Shmooball protection, wise move). Josh has access to way more data than I do, but I have some questions about the last point. Many merchants and processors come to WiKID for two-factor authentication because their audit is about to occur or in fact is occurring. For the most part, they do not have any two-factor authentication. They have seen pricing from "market-leading" vendors and decided to look elsewhere. So, my question is: If some portion of the investment in information security technology is coming from new companies, then isn't that better? Indeed, Forrester is predicting that Information Security spending to grow in 2010. So, if more companies are spending more on information security, that's good.
The point Josh was really making, I think, is that research dollars are not being spent on other threats. Inside, engineers are doing audit work and installing WAFs. I think this argument failed to hold water, though, because it is at best a temporary situation. Once companies become PCI compliant and deploy the required technology, maintenance will be less costly.
Additionally, just look at how (depressingly ;) competitive the two-factor authentication market is now. Prices have come down significantly. This reduction should increase adoption of two-factor authentication, hopefully even where it is not required. I suspect that similar price reductions are occurring in all the major PCI-related markets. Prices will drop, companies will merge and stability will come with consolidation, with consolidation will come bored entrepreneurs who will then go start the next big thing.
Whether PCI is dragging every company into mediocrity, is of greater concern and it's why the PCI powers that be should seriously consider re-designing PCI to evolve rather than trying to manage it.
Share on Twitter Share on Facebook
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)