Choosing a PCI DSS Auditor? Does WMQ awareness count?

James DeLuccia’s post about choosing a PCI DSS QSA auditor has some good advice.  I would add one criterion of my own to his list: the auditor should at least know how to spell WMQ.  Or JMS.  Or “message oriented middleware”.  While I haven’t been involved in any PCI audits, many of my customers are subject to PCI DSS.  Until recently, it was hard to find a shop that had enabled SSL on their WMQ channels.  Even now that we are starting to see SSL enabled, many MQ installations still have misconfigurations that may leave them exposed.

This is unfortunate because, as was seen first with Hannaford Brothers and now with Heartland, the “trusted internal network” is the new frontier of data theft.  Enabling SSL is great for protecting messages on the wire but if administrative access is left exposed, the attackers can disable SSL or skip sniffing traffic entirely and instead just browse the messages passing through the queue.  The answer to this is not redoubling security at the perimeter.  The answer is to apply meaningful controls at the messaging layer.  An auditor familiar with your messaging technology would seem to be a valuable asset if the goal is to actually assess security and not merely to pass the audit.
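As an added example (not from the original post), here is the kind of check an auditor who knows WMQ might run over saved `runmqsc` output: it parses the stanzas printed by `DISPLAY CHANNEL(*) CHLTYPE MCAUSER SSLCIPH` and flags channels with no SSLCIPH (nothing on the wire is encrypted) and inbound channels with a blank MCAUSER (the setting that leaves administrative access open to whoever connects). The sample output below is constructed; the command and attribute names are the real MQSC ones.

```python
import re

# Constructed sample of runmqsc output for:
#   DISPLAY CHANNEL(*) CHLTYPE MCAUSER SSLCIPH
SAMPLE_MQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )                              SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(appuser)                        SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA)
AMQ8414: Display Channel details.
   CHANNEL(TO.QM2)                         CHLTYPE(SDR)
   MCAUSER( )                              SSLCIPH( )
"""

# MQSC prints every attribute as NAME(value); a blank value shows as "( )".
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")

# Channel types on which a remote party connects in and a blank MCAUSER
# means the connection runs with the identity it asserts (or as the MCA's
# own user), i.e. with administrative authority.
INBOUND_TYPES = {"SVRCONN", "RCVR", "RQSTR", "CLUSRCVR"}

def parse_channels(text):
    """Return one {ATTR: value} dict per 'Display Channel details' stanza."""
    channels, current = [], None
    for line in text.splitlines():
        if "Display Channel details" in line:
            current = {}
            channels.append(current)
        elif current is not None:
            current.update((k, v.strip()) for k, v in ATTR_RE.findall(line))
    return channels

def audit_channels(channels):
    """Return (channel name, finding) pairs for the two misconfigurations."""
    findings = []
    for ch in channels:
        name, ctype = ch["CHANNEL"], ch.get("CHLTYPE", "")
        if not ch.get("SSLCIPH"):
            findings.append((name, "no SSLCIPH: channel traffic is sent in the clear"))
        if ctype in INBOUND_TYPES and not ch.get("MCAUSER"):
            findings.append((name, "blank MCAUSER on inbound channel: administrative access exposed"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_channels(parse_channels(SAMPLE_MQSC_OUTPUT)):
        print(f"{name}: {finding}")
```

Pipe real `runmqsc` output into `parse_channels` instead of the constructed sample; a clean result is two empty findings lists, not merely a non-blank SSLCIPH on the channels someone remembered to configure.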

Hannaford was reportedly the first breach of data in transit.  Heartland was the biggest card data breach ever.  If the bad guys are only up to the H’s, what’s in store for firms in the I – Z range?  I prefer to think it’s strict auditing of the messaging layer and not massive name changes to monikers starting with A – G.  One of these two alternatives actually could make a difference.  The other is about as effective as what we have now.

To learn more about how to assess or secure WebSphere MQ, have a look at the presentations on the Links page.
