Did 2013 have to end with the somber news of a big credit card security breach? But it did! It is reported that 40 million credit cards were compromised in the security breach at stores of the major U.S. retailer Target. This is only a shade behind the earlier TJX breach, in which 45 million credit cards were compromised. (After this blog was published, it was reported that the number of affected accounts in the Target breach is as high as 110 million, which would make it more than double the TJX breach!)
After any breach, and surely after a breach of such dimensions, discussion of data security issues at retailers escalates. Earlier, the TJX breach resulted in stricter wireless PCI (Payment Card Industry) compliance requirements. The current Target breach can also trigger a tightening of the compliance requirements. This breach may also prompt IT, security and compliance managers at major retailers to take a hard look at the information security aspects of the various technologies they have deployed. Add to this the fact that retailers are aggressively deploying mobile and wireless technologies like POS, kiosks and tablets in stores. What are some of the core issues they should be looking at?
Compliance, PCI, Retail
A rogue AP is an unauthorized AP connected to the enterprise wired network. It can allow access to the enterprise wired network from its RF spillage outside the premises. While it is well established in the mainstream that wired-wireless correlation is the only robust technique to detect such rogue APs, there have also been some wireside-only scanning techniques around to detect rogue APs connected to the enterprise wired network. At first sight, wireside-only scanning appears attractive from a cost and deployment perspective, as it does not require RF scanners. However, the reality is that wireside-only scanning fails to detect many common types of rogues on the wired network.
Recently, the PCI Security Standards Council Wireless Special Interest Group published guidelines to clarify the wireless security requirements in PCI DSS 1.2. While these guidelines clearly require using a wireless analyzer or wireless IDS/IPS, wireside-only scanning is still sometimes touted, albeit incorrectly, as a low-cost alternative to meet PCI compliance. Not only does wireside-only scanning violate PCI DSS 1.2 in letter, as it does not use wireless scanners, but it also violates it in spirit, as it fails to detect many common types of rogues on the wired network.
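To make the difference between the two detection approaches from the previous two paragraphs concrete, here is an added Python illustration that is not part of the original post or the white paper. It contrasts a wireside-only heuristic (flag wired MACs whose OUI belongs to a known AP vendor) with wired-wireless correlation (flag an unauthorized BSSID seen over RF when its own MAC, an adjacent MAC, or one of its wireless clients also shows up in a switch MAC table). All MAC addresses, the tiny OUI table, the vendor labels `APVENDOR`/`NICVENDOR`/`PCVENDOR`, the switch-port names and the sensor observations are constructed, and the assumption that a bridged AP's BSSID sits within a few values of its wired MAC is a simplified heuristic, not a standard.

```python
"""Rogue-AP detection: wireside-only OUI heuristic vs. wired-wireless correlation.

Added illustration, not code from the original post. Every MAC, OUI, vendor
label, switch port and RF observation below is constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed OUI table (first three octets -> vendor label). The labels are
# placeholders, not real vendors.
OUI_VENDORS = {
    "00:1a:aa": "APVENDOR",   # stands in for a well-known enterprise AP maker
    "00:2b:bb": "NICVENDOR",  # generic NIC/SoC maker also used in consumer routers
    "00:3c:cc": "PCVENDOR",   # typical laptop/desktop NIC vendor
}
AP_VENDORS = {"APVENDOR"}     # what a wireside-only scanner treats as "AP-like"
BSSID_OFFSET_WINDOW = 4       # assumption: bridged AP BSSID within +/-4 of wired MAC


@dataclass
class WiredEntry:
    mac: str
    switch_port: str


@dataclass
class WirelessObs:
    bssid: str
    ssid: str
    clients: list = field(default_factory=list)  # MACs of associated stations


def oui(mac: str) -> str:
    return mac.lower()[:8]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def macs_adjacent(a: str, b: str, window: int = BSSID_OFFSET_WINDOW) -> bool:
    return abs(mac_to_int(a) - mac_to_int(b)) <= window


def wireside_only_rogues(wired: list) -> list:
    """Wireside-only heuristic: a wired MAC is 'AP-like' if its OUI is an AP vendor.
    It cannot see a NAT rogue with a generic OUI and it flags authorized APs too."""
    return sorted(e.mac for e in wired if OUI_VENDORS.get(oui(e.mac)) in AP_VENDORS)


def correlated_rogues(wired: list, wireless: list, authorized_bssids: set) -> dict:
    """Wired-wireless correlation: an unauthorized BSSID heard over RF is a rogue
    on the wire when its footprint appears in the switch MAC table."""
    wired_macs = [e.mac.lower() for e in wired]
    rogues = {}
    for obs in wireless:
        if obs.bssid.lower() in authorized_bssids:
            continue
        evidence = []
        # Signal 1: the BSSID itself, or a MAC right next to it, is on a switch port.
        for m in wired_macs:
            if macs_adjacent(obs.bssid, m):
                evidence.append(f"bssid-adjacent wired MAC {m}")
        # Signal 2: a station associated to this AP is also seen on the wired side,
        # which is what a bridging rogue leaks even if its own MAC is unknown.
        for c in obs.clients:
            if c.lower() in wired_macs:
                evidence.append(f"wireless client {c} seen on wire")
        if evidence:
            rogues[obs.bssid] = evidence
    return rogues


# Constructed switch MAC table.
WIRED = [
    WiredEntry("00:1a:aa:00:00:10", "Gi1/0/5"),   # authorized corporate AP
    WiredEntry("00:2b:bb:12:34:56", "Gi1/0/17"),  # NAT rogue: consumer router WAN port
    WiredEntry("00:3c:cc:be:ef:02", "Gi1/0/22"),  # laptop MAC leaking through a bridged rogue
    WiredEntry("00:3c:cc:aa:bb:01", "Gi1/0/9"),   # ordinary desktop
]

# Constructed RF sensor observations.
WIRELESS = [
    WirelessObs("00:1a:aa:00:00:11", "CorpWiFi"),                            # authorized
    WirelessObs("00:2b:bb:12:34:57", "linksys", ["00:3c:cc:de:ad:01"]),     # NAT rogue
    WirelessObs("02:11:22:33:44:55", "freewifi", ["00:3c:cc:be:ef:02"]),    # bridged rogue
    WirelessObs("00:1a:aa:ff:ff:f0", "CoffeeShop"),                          # neighbor, not on our wire
]
AUTHORIZED_BSSIDS = {"00:1a:aa:00:00:11"}

if __name__ == "__main__":
    print("wireside-only flags:", wireside_only_rogues(WIRED))
    for bssid, why in correlated_rogues(WIRED, WIRELESS, AUTHORIZED_BSSIDS).items():
        print("correlated rogue", bssid, "->", "; ".join(why))
```

Run as a script, the wireside-only pass flags only the authorized corporate AP (its OUI matches an AP vendor) and misses both rogues, while correlation flags the NAT rogue through its adjacent wired MAC and the bridged rogue through the leaked client MAC, and correctly leaves the neighboring coffee-shop AP alone because nothing of it appears on the wire.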
To find out more about how wireside-only scanning works and its limitations, please view our technical white paper, Drawbacks of Wireside-only Rogue Detection.
Compliance, Wireless security