According to the latest article from the SC Magazine in the UK, the latest PCI DSS version 3.1 release has “split the IT security profession” when it comes to deciding how much protection it is really providing the card holder who shops online.
The article states:
The v3.1 PCI DSS release addresses the well known, and high risk, vulnerabilities that have been discovered in both SSL and TLS protocols, and prohibits the implementation of any new technology using SSL or early (version 1.0 for the most part) TLS with these known vulnerabilities. That is, undeniably, a good thing. What is less clear cut on the ‘good thing' front is the 14 month transition window giving merchants until the 30th June 2016 to rid their systems of these protocols as standalone payment data protection controls. What merchants must do in the meantime, according to the new standard, is create a formal risk mitigation and migration plan.
The magazine draws the following conclusion:
While 14 months is really too long to deal with a known security vulnerability, it may well be that having a plan and sticking to it is as far as the PCI SSC can reasonably be expected to go. After all, service providers and retailers alike should already have a strategy in place to mitigate these well publicised risks and provide the relevant upgrades.
I’d like to offer some PRACTICAL advice:
- Businesses with internet facing payment websites that still use SSL should be migrated immediately. These face the biggest risk, as the more probable attack vector is a man-in-the-middle wireless attack, and the majority of consumers all use wireless connections.
- If SSL usage is restricted to internal, wired systems, this presents less of a risk. However, more and more businesses support wireless internally. So the best advice is to look at patching any systems that are accessible, or potentially accessible, over wireless, first.
- A wired system in a locked cabinet in a data centre is very difficult to get into and place the necessary network sniffing technology that enables attacks such as Poodle to be successful. Such systems, although vulnerable, should probably feature toward the bottom of one’s risk register and patched during the next possible cycle.
What actually surprises me, as a pen tester, is just how prevalent the SSL vulnerability actually is, on systems that are SIMPLE to patch. Companies like this, with a poor or non-existent patching strategy have no excuse. So perhaps this all just re-iterates that companies must have a mature, well-tested patch management strategy that ensures Poodle or indeed one of many future critical vulnerabilities, are identified and patched in good time.