Industry Research: Avecto says that minimising admin privileges would have helped prevent the Global Payments 1.5m card credentials data breach
Commenting on the aftermath of the data breach at an Atlanta-based card transaction processor, Avecto says that the possibility that the breach was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.
Paul Kenyon, chief operating officer with the Windows privilege management provider, says that financial services companies have a duty of care – and in many cases a firm legal obligation – to meet minimum security standards laid down by legislation and several governance organisations. With 1.5 million sets of card credentials going walkabout from the transaction processor’s computers, these standards have not been met, especially on the PCI DSS front.
"As the PCI Security Standards Council says, ‘the keystone is the PCI Data Security Standard, which provides an actionable framework for developing a robust payment card data security process - including prevention, detection and appropriate reaction to security incidents’," he said.
More than anything, Kenyon notes, the data breach incident – as well as leaving a sour taste in the mouths of a number of US and Canadian cardholders – teaches IT security professionals that data breaches can still occur in major financial services companies, but that multiple layers of security can go a long way towards helping to prevent future data breaches of this type.
One security analyst, he explained, has suggested that the privileged accounts that are reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.
"Our observations on this breach suggest that minimising administrative privileges – an exercise in the principle of least privilege – would have gone a long way to preventing the breach," he said.
"In a properly designed, administered and maintained environment there is no requirement for any user to have administrative privileges on their day-to-day account. In addition there should be no account which has both administrative privileges and access to networks outside of the organisation, such as Internet or email services," he added.
"The use of privilege management technology can help to prevent the leak of data, as well as supporting the setting up of simple policies for on-going monitoring - and auditing - of all privileged activity."
Published: Friday, April 13, 2012