Do You Have a Mobile Blindspot?

Written by Evan Schuman
November 20th, 2008

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computers that security managers would rather they didn’t. Envision buyers or sales people in hotel rooms late at night trying to kill time. Could these people be doing things (e.g., downloading malware) that could bring down your company?

If they are not connected to the corporate network (and even if they are), you may not know about it until it’s too late and the malware has already propagated throughout your network.

  • The mobile blindspot
    We have done many interviews lately about remote workers: employees working on their own computers from their homes, road warriors (and "road pacifists") in sales and marketing, and store employees. In many cases, there is clearly a "mobile blindspot" when it comes to being able to monitor the state of their systems (viruses, patching, file integrity, etc.). Although most of the merchants we’ve spoken with do have endpoint security of various types, these controls only work when employees are connected to the corporate network.

    Mobile workers often do some pretty bizarre things on the road (referring to computing practices, of course), such as using many Web-based applications that might normally be blocked by policy management tools such as Cisco’s NAC if they were working at corporate. The bottom line is that it’s pretty easy for remote and mobile workers who use their own PCs to do things that you may not be able to detect when they reconnect to the corporate network. That’s your mobile blindspot.

  • Remote security, without spying on employees
    One way to take a peek into your mobile blindspot is to implement behavior monitoring software (i.e., monitor keystrokes, Web sites visited, downloads). However, there are legal and ethical implications to consider. We have also been talking with European companies lately, and the issues of employee privacy and global security policies are frequent topics.

    Because European data privacy laws are stronger than equivalent U.S. laws, the idea of using employee behavior monitoring tools to "spy" on employees may not fly globally. Generally, a defensible approach is to define specific, detailed policies regarding what remote workers can and cannot do while using company property or acting on behalf of the company and then to deploy controls that are matched to these policies.

    The goal is to detect threats to the corporate network, even when employees are not connected to that network, which is very different than spying on employees. Your policies, tools and data analysis process must be consistent with this perspective, or the company could be in violation of some of the data privacy laws.

  • Securing the "over-extended" enterprise
    The primary point we’re trying to make here is that it is clear from talking to mobile workers and compliance officers that we have "extended" our enterprises far beyond our ability to secure them through the use of most endpoint security tools, which focus the controls at the point where road warriors reconnect to the enterprise network.

    But the number of home workers (often part-time) who use non-dedicated machines and the number of mobile workers who are connected to the Internet far more often than they are connected to the corporate network will continue to grow. It’s time to redraw the network security boundaries to better reflect the extended enterprise reality.

  • Extended enterprise compliance issues
    The case of the over-extended enterprise is an excellent illustration of how an organization can be compliant yet not secure. To prove PCI compliance, for example, all an organization would have to do is prove that all mobile and home workers are not a part of the cardholder environment. That is, prove that there is no way for any of these people to have access to any cardholder data from their computers.

    OK, so maybe that’s not so easy in some cases, depending on what these mobile and remote workers do for the company. For organizations that cannot effectively "segment off" mobile and remote workers, it’s critical to have controls in place to encrypt the data and to monitor and log user access to card data—the whole nine yards (or 12 yards, in the sense that there are 12 PCI controls). Therefore, not only do you need to extend endpoint security to embrace the extended enterprise, you also need to extend PCI controls and the assessment process. With PCI 1.2, the instructions to PCI QSAs make it clear that a review should include a thorough sampling of stores and remote locations. As a result, we expect increasing attention to be paid in PCI assessments to the extended enterprises and the vulnerabilities that mobile and home workers can entail.

  • The Bottom Line
    We have spoken with several leading merchants who are on top of this problem. They have offered a number of best practices when it comes to securing mobile and remote workers, and they have some tools that they would recommend.

    If you want more information, I’d encourage you to visit the PCI Knowledge Base and read what your peers are saying about this topic.

    We’re considering adding a discussion forum about this topic. Let me know if you think that’s a good idea. Lastly, if you’re a retailer, we want to get you involved in the PCI Best Practices study we’re doing with the National Retail Federation. It’s 100 percent anonymous. Just send us an E-mail at
