A good friend of mine over at NetIQ, Todd Tucker, recently blogged about some of the frustrations he sees when looking at the failure of PCI as a security standard (or rather, the failure of those organizations who pay lip service to compliance) and especially the oddly heavy emphasis given to anti-virus (AV) software. As he says of some of the most damaging attacks:
"PCI DSS provides some excellent guidance for protecting against these threats, but is undermined by an over-reliance on anti-virus software. PCI DSS dedicates one full requirement (of twelve) to anti-virus software. In doing so, it encourages security professionals to invest considerable money and time in a control that has proven ineffective against the two greatest threat actions."
I've always found the explicit emphasis on anti-virus to be a bit perplexing. Yes, it's important and yes, I would expect any organization handling my credit card data to have AV installed, but does it really warrant one twelfth of the attention? I always felt it was a bit like those teachers who give points for spelling your name correctly on a test.
That aside, as Todd correctly points out, there's little that AV can do against the type of attacks that are likely to target and steal card information. Trusting anti-virus to stop attackers is a bit like wearing a life vest to a gun fight: you're dealing with the wrong kind of problem, and the attacks are too targeted for the protection to be of any help.
(By the way, if you're interested in keeping score on data loss, I can recommend the good folks at datalossdb who keep track of recent (and historical) information on breaches. Interesting reading.)
As I mentioned in my last blog, the days of one-size-fits-all security are gone, and relying on AV to get the job done is a perfect example. Threats are too complex, and there are too many ways for data to walk out the door, to rely on Maginot-style defenses to stop them. Interlocking defense in depth, flexibility of response, and the ability to centrally manage and coordinate that response are essential. Starting with the data (encryption) and working outwards to harden systems, implement good monitoring, and enforce controls will get you a lot further than hoping the latest attacker is dumb enough to use a well-known malware tool.
As Todd says in his conclusion: "A mandate such as PCI DSS is no substitute for strong security practices applied by a skilled team of experienced security professionals."