Andrew Mason and RandomStorm co-founder Robin Hill

Member Article

What did the Romans ever do for us? Except build the foundations for cyber security

Andrew Mason, co-founder and technical director of RandomStorm, talks Romans and technological defence.

“Hadrian’s Wall, straight roads, garden snails, a few coins buried here and there and a lot of our scientific words. These are all remnants of our former conquerors.

The Romans also left us another legacy that has continued to protect this emerald isle, rebuffing numerous attacks by sea, air and land. After expanding their empire throughout Europe, the Romans had many military outposts that needed to be protected from the indigenous people (us). Knowing that they were under constant threat of attack, the Romans devised the concept of Defence in Depth.

Often called the “layered approach,” defence in depth is the military term that describes the use of multiple obstacles to prevent attackers reaching critical assets, which could be people, armaments, equipment, or information.

Defence in depth is such a successful concept, that it is still used across the globe to provide effective protection for critical assets, including nuclear sites and banks. The use of multiple layers makes it more difficult for casual attackers to breach them and slows down more determined assailants, so that critical assets can be moved or obscured.

Today, when much of our business is conducted online, websites and email have become the primary attack vectors for cybercriminals seeking to steal critical business assets such as credit card details, customer credentials and intellectual property.

In recent years there has been an increasing variety of attacks on the web servers of banks (such as JP Morgan) and gaming companies (such as Sony) and the point of sale systems of large retailers (such as Target), aimed at stealing customers’ payment card data and login details. Now criminals are turning their attention to smaller businesses, in the knowledge that these organisations are less likely to have a full time IT security specialist on their staff.

With these recent developments in mind, the Payment Card Industry Security Council has recently updated the Payment Card Industry Data Security Standard (PCI DSS) to assist Merchants in making their payment card business processes more secure. PCI DSS version 3.0 consists of around 352 controls (over 12 domains) that provide a sequential, layered security model across the card payment activity.

Many businesses could not continue to operate if they lost the ability to process card payments. Consequently, it is important that Merchants, no matter how big or how small, maintain the security of their customers’ payment details. PCI DSS provides a benchmark which they can use to measure the security of their card payment processes.

In an information security context, defence in depth refers to the use of multiple layers of protection, such as web firewalls, web gateways, anti-spam and antivirus software to stop attackers getting into your network. For more determined assailants, network security monitoring and log analysis provide visibility of new vulnerabilities and assets under attack. As a last line of defence, data encryption slows criminals down if they do breach your defences.

Recent headlines have shown that criminals are constantly evolving fresh tactics to breach IT security defences and get to the Payment Card Environment. When you’re running a business, it’s hard to stay on top of all the new security threats so that you can stay compliant with PCI DSS. There’s no need to go into battle on your own. PCI keeps a register of Qualified Security Assessors, who are able to assess your network and provide guidance on how to improve the security of your Payment Card Environment, so you can call in reinforcements to help you to protect your empire.”

This was posted in Bdaily's Members' News section by Andrew Mason.