Thursday, January 29, 2009

“Compliant” + 0wned = ?

Enough link posting (Part I, Part II, Part III of the “On Heartland” saga); here is some analysis of it, now that some time has passed.

So, first: how can a company that was audited by a QSA and deemed “PCI DSS compliant” at some point be breached and have all of its credit card information stolen at some later point? I have not seen this analysis anywhere, so I will perform it here in front of your eyes. Altogether, I think the following cases are possible:

  1. It was audited by an “easygrader” QSA (here), “we-just-look-at-the-docs” QSA (here), or even “pay-per-compliance” scammer QSA (here). Owned via unpatched MS hole!
  2. It was audited by the most rigorous, pedantic, anal QSA ever, who found the organization to be 100.00% compliant. And then the next day it all changed! Owned via password “password”!
  3. The company was audited and found to be NOT compliant. They begged, begged, begged and then got a letter from a card brand saying “you are OK… for now.” Same, 0wned via an unpatched MS hole!
  4. It was audited by “the Anal QSA,” who found the organization to be 100% compliant, and later nothing changed (hah!). However, an attacker wrote a nice little piece of malware (here) which bypassed all PCI-mandated controls (or used something else not covered by PCI). Owned!
  5. It was audited by “the Anal QSA,” who found the organization to be 100% compliant, later nothing changed (hah!), and nobody bothered to write a piece of malware just for them. However, their janitor took a backup tape from a closet and sold it to “his relatives” in Ukraine. Insider 0wned!

Is that all? I think so… but please comment, if you can come up with more.

Now, think for a second: which of the above 5 cases indicates that “PCI failed”, “PCI is irrelevant”, etc.?

Huh?

None!

None!!

None!!!

So, please shut up :-) PCI DSS remains a solid piece of basic security guidance.

6 comments:

Unknown said...

Number 5 doesn't work, because if the Anal QSA was paying attention, they would have ensured that those backup tapes were all encrypted.

Anton Chuvakin said...

That's a good point, actually!

Anonymous said...

Anton,

From seeing some of your comments regarding PCI DSS, I sometimes wonder if your analysis is actually serious or intended to be some type of ironic dark comedy. In any case, while PCI is usually touted to be a "security standard" on the surface, it really is more of a "compliance standard" written by and for the credit card industry to meet their own needs. While you say "PCI DSS remains a solid piece of basic security guidance", we've been arguing this point for years (in terms of regulatory compliance, not just PCI DSS):

http://attrition.org/errata/topten.html (see #9)

Unfortunately, your comment of "So, please shut up :-)" doesn't carry much weight when there are solid arguments that merit discussion, especially when PCI DSS revolves more around *compliance* for a single industry than *security* as a whole. Hope you see the difference and might have an opinion to one versus the other without any smugness or flippancy.

Lyger (attrition.org)

jericho said...

They all fail.

1. If these are ways to become PCI compliant, then they are loopholes (fail).

2. If you can be compliant one day and not compliant one hour later, what's the point or value of such compliance? Especially when there is no control designed to determine when compliance is gone (fail).

3. Letters of "ok for now" are a loophole (fail) or not compliance (invalid argument).

4. "Used something not covered by PCI" means PCI fails to adequately secure information (fail).

5. PCI failed to ensure sensitive information was properly secured and/or encrypted (fail).

Anton Chuvakin said...

First, the "shut up" part is clearly intended as dark comedy, no question about it.

>it really is more of a "compliance standard" written by and for the credit card industry to meet their own needs

True too - however, some MUCH-NEEDED security can be had in the process, won't you agree?

>when PCI DSS revolves more around *compliance* for a single industry than *security* as a whole

Ah, that is indeed the point I am always covering, discussing, debating, etc, as it is indeed a very interesting point. See for example this bit: http://chuvakin.blogspot.com/2009/01/tales-from-compliance-first-world.html

>without any smugness or flippancy.

I can definitely give up smugness, but I have to keep flippancy... sorry :-)

Anton Chuvakin said...

@jericho

Thanks for the comment!!

Point #1 - mostly disagreed - bad QSA =/= bad PCI. Same as saying that 'bad password' = 'passwords are a bad security measure'.

Point #2 - 100% disagreed; better explained by Mike Dahn here: http://pcianswers.com/2009/01/21/what-pci-compliance-really-means/ when he talks about compliance vs validation

Point #3 partially agreed: if you can beg-to-get-PCI, it is PCI-FAIL.

Point #4 mostly disagreed - PCI is not perfect. Your point will require it to be perfect-from-now-to-eternity, which is a bit silly, wouldn't you agree?

Point #5 - same as before - if PCI today does not look at the insider angle AT ALL (!), it doesn't mean it is somehow bad. YOU still need to look at it, as both you and I know.

Dr Anton Chuvakin