Home frame_main_breadcrumb_about frame_main_breadcrumb_contact    
5 APRIL 2016

This is the site of Card & Payments World, the well respected international newsletter providing in depth information on mobile, card and online payments and this is our daily news and resource site for subscribers who also receive 11 printed newsletters a year and three glossy magazines.

More than just a technology title. Read more

PDF Print
Thursday, 05 April 2012 10:41
Comment: Admin privileges "could have prevented" Global Payments breach
By Paul Kenyon, chief operating officer at privilege management company Avecto

The possibility that the breach at US processor Global Payments was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.

Financial services companies have a duty of care – and in many cases a firm legal obligation – to meet minimum security standards laid down by legislation and several governance organisations. With 1.5 million sets of card credentials going walkabout from the transaction processor’s computers, these standards have not been met, especially on the PCI DSS front.
As the PCI Security Standards Council says on its overview page ( `the keystone is the PCI Data Security Standard, which provides an actionable framework for developing a robust payment card data security process - including prevention, detection and appropriate reaction to security incidents’.
Multiple security layers

More than anything, the data breach incident – as well as leaving a sour taste in a number of US and Canadian cardholders – teaches IT security professionals that data breaches can still occur in major financial services companies, but that multiple layers of security can go a long away to helping to prevent future data breaches of this type.
One leading security analyst has suggested that the privileged accounts that are reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.
Our observations on this breach suggest that minimising administrative privileges – an exercise in the principle of least privilege – would have gone a long way to preventing the breach.
In a properly designed, administered and maintained environment there is no requirement for any user to have administrative privileges on their day-to-day account. In addition there should be no account which has both administrative privileges and access to networks outside of the organisation, such as Internet or email services.
The use of privilege management technology can help to prevent the leak of data, as well as supporting the setting up of simple policies for on-going monitoring - and auditing - of all privileged activity.
Do you want to know more about what is going on in mobile payments, payments using cards, online payments, the advanced IC business, or to get a handle on how technology is changing just about everything in our daily lives? Card & Payments World will keep you up to date with payments, and it will fill in your technology gaps so you understand the big picture.
Find out more