Martin Mckeay makes a great point on a PCI mail list. A question was asked about the need to keep full credit card numbers for the purpose of refunds. The questioner's accounting group says that they must have the full number. The questioner has heard differently and wants clarification. What Martin said is that it's up to the acquiring bank to make the determination as to what is required for a refund. The company can still make a business risk decision to maintain the full credit card number for its own reasons, but it doesn't make the rules as to what the bank requires in order to issue a refund.
What Martin said next is the really good part.
The accountants can say whatever they want about the process, but I'm willing to hazard a guess that they haven't talked to your acquiring bank about refunds in a long time, if ever.
This probably holds true for a lot of network and security groups. How long has it been since they've taken a long, hard look at what they are doing, how they are doing it and why they are doing it? Are they continuing to throw good money at a technology that no longer meets their needs? Are they using the technology in the way that best fits them?
We need to step back from time to time and evaluate what we are doing to determine if it still makes sense. We need to stay up to date with not only new technologies but also with what the bad guys are doing. This way we can better assess if what we are doing is going to continue to be effective for us. It may be time to remove or replace a layer of security with something else that will work better for us. It may be time to change how we do something that will give us better information on what is going on on our network. It may be that we discover that a particular event is happening that is exposing our network to dangers that we were unaware of.
We also need to be constantly evaluating how we monitor things. Logs are great (OK, they suck, but they do provide useful information), but if we aren't collecting the right logs, correlating them with other logs, or even looking at them (shame on you), then they don't do us any good. But what about other ways to see what is going on? Internal network scans and vulnerability assessments are a great way to learn more about your environment.
It used to be that we configured our firewalls to only allow specific traffic in and anything out. We've since learned that this isn't the best approach. It's the easiest, because users can do whatever they need, but it also lets the bad guys do whatever they need: anything that gets a foothold inside can call home, pull down more tools and move data out on whatever port it likes. Reconfiguring your firewall to only allow specific traffic out can stop lots of potential issues. You have to be VERY careful with this one, because no matter how careful you are you will break something, so be prepared to react quickly when a user yells with a legitimate issue.
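As an added illustration (this is not from the original post or the mail list), here is what "only specific traffic out" looks like as an nftables ruleset for a perimeter firewall, with the old "anything out" rule left beside it as a comment. Interface names, address ranges and the resolver, proxy, mail relay and NTP hosts are all assumptions for the example; substitute your own. The rate-limited log rule on dropped egress is there for the caveat above: when a user calls with something legitimately broken, the blocked flow is already in your logs with a recognizable prefix, and the same log line is what tells you about the desktop that suddenly wants to talk SMTP to the Internet.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny egress on a perimeter firewall.
# Every name and address below is an assumption for illustration.
flush ruleset

define WAN_IF   = "eth0"                   # assumed Internet-facing interface
define LAN_IF   = "eth1"                   # assumed internal interface
define LAN_NET  = 10.0.0.0/16              # assumed internal address space
define DNS_SRV  = { 10.0.0.53, 10.0.1.53 } # internal resolvers allowed to forward outbound
define PROXY    = 10.0.0.80                # web proxy; the only host allowed direct 80/443 out
define MAIL_SRV = 10.0.0.25                # mail relay; the only host allowed SMTP out
define NTP_SRV  = 10.0.0.123               # internal time server
define WEB_SRV  = 10.0.0.10                # published service reachable from the Internet

table inet perimeter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Inbound: still only the specific services we publish.
        iifname $WAN_IF oifname $LAN_IF ip daddr $WEB_SRV tcp dport { 80, 443 } accept

        # Outbound, the old way: anything from inside goes out.
        # iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept

        # Outbound, the new way: hand off to an allowlist, log what falls through,
        # and let the chain policy drop it.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET jump egress_allow
        iifname $LAN_IF oifname $WAN_IF limit rate 10/second log prefix "EGRESS-DROP " counter
    }

    chain egress_allow {
        # Name resolution only from the internal resolvers, not from every desktop.
        ip saddr $DNS_SRV udp dport 53 accept
        ip saddr $DNS_SRV tcp dport 53 accept
        # Web traffic only from the proxy, so every desktop's browsing goes through it.
        ip saddr $PROXY tcp dport { 80, 443 } accept
        # Mail only from the relay; a desktop speaking SMTP to the Internet is a bot or a mistake.
        ip saddr $MAIL_SRV tcp dport 25 accept
        # Time only from the internal NTP server.
        ip saddr $NTP_SRV udp dport 123 accept
        # Anything else returns to the forward chain, where it is logged and dropped.
        return
    }
}
```

Load it with `nft -f` and watch the kernel log for the `EGRESS-DROP` prefix. A practical way to honour the "you will break something" warning is to run the ruleset for a week or two with `policy accept` on the forward chain and the log rule in place, read what would have been dropped, add the legitimate flows to `egress_allow`, and only then flip the policy to `drop`. Note that the rules above only match IPv4 (`ip saddr`); in an `inet` table, IPv6 traffic from the inside falls straight through to the drop policy, so add matching `ip6` rules if you route IPv6.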
I think I'm starting to sound like a broken record but I just see this too often. We have to be willing to change to keep our information protected. We can't rely on the fact that we've never had a breach (or just don't know about it), we can't rely on the fact that what we're doing has worked for us so far. We have to think ahead and think proactively.