As I settle in at my desk for the start of a new day, a message pops up on my desktop letting me know that a new security update is available for Windows. The pressing question is, would I like to download and install the update now? I know it’s going to require a reboot and I have some urgent emails that I need to reply to, so I simply can’t be bothered at the moment. I dismissively click “snooze” and push it off to another day.
On the other side of the world, there’s another desktop that’s had that same message pop up. “New security update, would you like to download and install now?” The user of that computer, however, chooses to download the update immediately. Once it’s downloaded, they quickly get to work on reverse-engineering the security update and find that it provides a fix for a glaring security hole. With this key piece of knowledge, that nefarious user is able to quickly put together a script that exploits the hole on any unpatched computer running that version of Windows and gives them administrative access. Now armed with that administrative access, the attacker is free to access any data they like, take the computer hostage for ransom, use it as an entry point to the rest of my network, or just wreak havoc if they’re so inclined. Within hours of my choosing to snooze the security update, I’m exposed to the whims of this person thousands of miles away.
While it may sound like a narrative from a high-tech thriller, this is the reality that we now live in: constant security updates, patching servers, changing passwords, and multi-factor authentication. As the data stored by organizations worldwide becomes more and more valuable and financial transactions are increasingly flowing through cyberspace, the financial rewards for illicitly accessing private computers are increasing as well. With a few short days of work, it’s possible to steal hundreds of thousands, perhaps millions, of dollars.
While attending the European Community Meeting for the PCI Security Standards Council (PCI SSC) last week, I participated in a session discussing an early draft of the Payment Card Industry Data Security Standard (PCI DSS) Version 4.0. These updated standards could potentially provide greater flexibility in securing cardholder data in a threat landscape that is constantly evolving, while also setting clear objectives for securing cardholder data. As new methods arise for stealing cardholder data, and best practices continually evolve to address these methods, greater flexibility can allow merchants to adapt quickly. For instance, while best practice previously dictated that user passwords always be changed frequently, forced frequent password changes are now considered less secure in many system environments. As a Participating Organization with the PCI SSC, AdvantageCS will be taking part in the request-for-comment process for the updated Standard.
At AdvantageCS, we strive to foster strong partnerships with our clients to help them adapt to a constantly changing world of best practices, industry standards and government regulations. From the recent GDPR regulation in the European Union to the soon-to-come updated PCI DSS standards, we work with our clients on practical solutions to remain compliant. In some cases, that means partnering on new development that incorporates the “security by design” concept. In other cases, we’ll provide our hosting services or other services around the Advantage software to ease the burden on our clients’ staff. At whatever level you choose to partner with us, we’re always happy to help you find the right solution for securing the data in your Advantage environment.