Sunday, March 25, 2007

How much security is enough security?

For most businesses, it is important for security to be "good enough" and to make sure that you are investing enough to mitigate risk.

Of course, for some companies, such as those in the payment and financial spaces, just one exploited security vulnerability could severely impact customer confidence and result in loss of business. In 2005, for instance, CardSystems, a credit card payment processor, got hit with a SQL injection attack that allowed the bad guys to steal 263,000 credit card numbers over a period of six months, and a total of 43 million unencrypted credit card numbers were exposed to the attack. Visa and Mastercard canceled their contracts with the company, the incident was investigated by the FTC and Congress, and CardSystems' assets were sold off.

There is debate as to whether or not CardSystems was compliant with all of the existing Visa and Mastercard data security requirements prior to the attack. After the attack, the requirements for such compliance were beefed up, but the incident also demonstrates that compliance, certifications, and audits may have limited value. There is a significant difference between being able to pass an audit and having "real" security. In layman's terms, it is sometimes easier to "talk the talk" than it is to "walk the walk." ;-)