Thursday, January 29, 2009

“Compliant” + 0wned = ?

Enough link posting (Part 1, Part II, Part III of the “On Heartland” saga), here is some analysis of this, now that some time has passed.

So, first, how a company, that was audited by a QSA and deemed “PCI DSS compliant” at some point, can be breached and have all their credit card information stolen at some later point? I have not seen this analysis anywhere so I will perform it here in front of your eyes. Altogether, I think the following cases are possible:

  1. It was audited by an “easygrader” QSA (here), “we-just-look-at-the-docs” QSA (here), or even “pay-per-compliance” scammer QSA (here). Owned via unpatched MS hole!
  2. It was audited by the most rigorous, pedantic, anal QSA ever, who found the organization to be 100.00% compliant. And then the next day it all changed! Owned via password “password”!
  3. The company was audited and found to be NOT compliant. They begged, begged, begged and then got a letter from a card brand saying “you are OK… for now.” Same, 0wned via an unpatched MS hole!
  4. It was audited by “the Anal QSA,” who found the organization to be 100% compliant and later nothing changed (hah!) However, an attacker wrote a nice little piece of malware (here) which bypassed all PCI-mandated controls (or used something else not covered by PCI). Owned!
  5. It was audited by “the Anal QSA,” who found the organization to be 100% compliant, later nothing changed (hah!) and nobody bothered to write a piece of malware just for them. However, their janitor took a backup tape from a closet and sold it to “his relatives” in Ukraine. Insider 0wned!

Is that all? I think so… but please comment, if you can come up with more.

Now, think for a second - which of the above 4 cases indicates that “PCI failed”, “PCI is irrelevant”, etc.





So, please shut up :-) PCI DSS remains a solid piece of basic security guidance.

Possibly Related Posts:

Dr Anton Chuvakin