Friday, January 23, 2009

On Heartland

Before I post anything long and thoughtful (aka “a rant” :-)), I wanted to summarize a few interesting  bits on the Heartland breach I have seen (warning for folks with ADD: some of the juiciest blurbs are in the end; also, some of the most enlightening bits are in comments – including one from someone who claims to be from Heartland). This breach definitely blew open the debate about PCI DSS usefulness and efficiency (as well as restarted a broader “security vs. compliance” debate)

  • Heartland Payment Systems Breach - Why it likely happened”  by Ryan from Panda Security hypothesizes a bit about why the breach happened.
  • Via “Heartland Payment System - biggest ever data breach?” we find this GEM [PDF]. Did someone say “OMFG”?!
  • A few Heartland links” – a few really fun comments here, below the blurb itself. For example, why the only “early indicator” was the resulting fraud? Where was IDS? IPS? Logs? AV?
  • From The Heartland Breach To Second Guessing Service Providers” contains a few good ideas, including (thanks Dave!) a reminder that “Honestly, most companies, as a whole, don’t take data security very seriously.” Definitely a  good read.
  • “Massachusetts Analyzes its Breach Reports” contains the magic line from some MA report “The Hannaford incident suggests that the Payment Card Industry Data Security Standards are not an effective standard in light of the need for encryption.”
  • Amrit’s “2009 The Year of the Largest Security Incidents Since the Beginning of Forever” was the first to reveal that Heartland was indeed PCI-compliant (as per this [PDF], it even covers who was their QSA…) ; Amrit also cutely reminds us that this breach is THE largest EVER… until the next one :-)
  • HPY - The latest breach.... 100 million credit cards stolen“ states “QSAs cannot be held liable for customer breaches, but seeming the compromise occurred only a few months after their final audit it does bring into question PCI DSS auditing practices [A.C. – OF THAT PARTICULAR QSA?] and whether or not they're just 'tick in the box' or actually leave companies with a long-lasting compliance strategy that actually helps merchants/service providers remain compliant. [A.C. – hmmm, are QSAs supposed to do that?]”
  • Somebody who claims to be from Heartland shares just how fucked up they were IT-wise (here, in comments, read all, really). Some comments do beat up on their QSA as being “the checklist monkeys.”
  • Heartland Payment Systems - Quick Point...” reminds people that under the “right” – not too extreme! - circumstances it may end up a $1.5b (!) incident.
  • “cutting corners with security*” reminds us that “If a company is cutting corners, choosing to accept risk poorly, or simply incompetent, I would bet they will actively make sure PCI doesn't catch it, or outright lie, fudge, or (hah) cut corners with the Assessor [=QSA].”
  • Mike R weighs in with “I'm thinking about the future of PCI a lot in the wake of another mishap, and the news isn't good.” (however, the sad part about Mike here is that he is wearing a vendor hat … well, that is how it sounded to me, at least)
  • Matasano folks remind us “Heartland: First Thoughts“ to ask: “Did the intrusion happen before April 30th, 2008?” [the date of their PCI validation date]
  • More PCI Compliant Companies Breached“ does say it: “These incidents again raise the question as to the efficacy of PCI.  Of course it is possible that these processors made a mistake in validating their PCI compliance.” and “The question from my perspective (legal) is whether PCI compliance constitutes reasonable security.” (do read the comments also); this particular post BTW is a must-read, not just a good read!
  • Mike Dahn explains “What PCI compliance really means”, but do read the debate/comments below it (E.g. “How do we measure the positive security impact of PCI DSS?” and “Why are people chasing compliance at the cost of proper risk management?”, “I would go further and assert that compliance and security are largely independent with only a few limited touchpoints” and the liability argument – it is HOT!); then read the next item.
  • The debate then continues in “Is Something Wrong With PCI?”: “Nobody checks if you REALLY ARE PCI compliant or whether you ACTUALLY have reduced any risk.”

My conclusions? See next post…

Dr Anton Chuvakin