Friday, February 27, 2009

PCI DSS and Data Breaches: Perception and Reality

Now that time has passed since the Heartland credit card data breach (even though we might have another one on our hands), it is a good time to reflect on PCI DSS a bit more. I am AMAZED at how much deep [shallow too!] thinking and, even, soul-searching has transpired in our community as a result (see all this covered in my On Heartland I, II, III and IV series). I already posted some of my own thoughts on this in Compliant + 0wned. So, what else is there to reflect on? Plenty!

First, some folks hate PCI DSS because it is – gasp! – not perfect. Some of these same folks have hated firewalls since “firewalls are full of holes,”  hated IDS since “they are trivial to bypass” and hated logging since “good hackers never get logged” (what a bunch of crock :-)) - many also hate “the whole compliance thing” since it is “not security.” Yes, in our industry some people will hate everything that will not stop any and all attacks from an attacker of absurdly arbitrary skill level. And since such a thing doesn’t exist and won’t exist – they just hate everything but their “31337 mad sk1lz.”

To such I say: try to get out more! If you look out of your high-floor ivory tower window, you’d see there is a ginormous crowd of people who confuse a firewall with a fire-extinguisher! And those people have your credit card data, SSNs and medical records in their computers!  Get it? IF PCI DSS made ONE of these people use a firewall or update their AV (after it lapsed back in 2005), we are all better off already!

Second, PCI DSS perception has firmly split from PCI DSS ground reality. I have a love-hate relationship with the “perception is reality” maxim; in some cases it rings true, in some cases it sounds silly but ends up being true, and in some cases it is just plain idiotic and makes you live in your own world of illusions. I’ve long been tempted to summarize the whole PCI DSS perception vs reality split:

Perception: “PCI failed”
Reality: PCI DSS works as expected – and not perfectly

Perception: PCI DSS is sufficient for good security
Reality: PCI DSS is necessary, common-sense basic security

Perception: PCI is a complete security checklist
Reality: PCI is a base list to build upon and grow

Perception: Everybody is just doing the minimum of PCI to get rid of it
Reality: For many organizations this “minimum” adds much-needed security!

Perception: Breaches prove PCI irrelevant
Reality: Breaches prove we need to drive security even more – and PCI helps with it

So, once again:

  1. PCI was never supposed to guarantee “intrusion-free” operation; nothing did, does or will.
  2. No canned checklist is “sufficient for adequate security,” now or ever.
  3. It makes no sense to write prescriptive checklists for the impossible (e.g. “your defenses MUST stop all known and unknown malware as well as ‘mal-hard-ware’”).
  4. If you find something to be useless for you, think – are you 1 in a 1,000,000? Have you thought about the remaining 999,999 people?
  5. There are always people who will avoid common sense, drive without seatbelts and ignore PCI DSS: so, Darwin Awards 2008 (here too) are out!
  6. Yes, there might be pressure to choose “an easygrader QSA” for your assessment; but see item #5 above. Then remember – you are still responsible for the breach!
  7. Similarly, PCI does not “create” a false sense of security due to #1 and #2 above. If you magically “feel secure” since you’ve “done PCI,” see #5 above :-)
  8. Finally, if something is NOT perfect, it does not mean it is useless.

To summarize, this and other previous breaches definitely do NOT prove PCI useless or inefficient. They simply serve to remind us that PCI DSS was established as a standard of minimum care for cardholder data security. It was never meant to be sufficient for all security or to be “a security silver bullet.” Today as much as ever, organizations need to think about their specific risks and implement controls for dealing with said risks. Following the 12 PCI requirements is a great start, but being secure cannot be reduced to a checklist: PCI does not replace addressing the risks to your business; however, it is an awesome start for those who cannot even spell the word “risk” today …

What is the perfect ending for this post?

I think quoting the illustrious Dave Aitel is in order: “Who here doesn't think all the payment processors are 0wned and probably always will be?”

Vote for Best Security Blog for RSA!


"Introducing the first annual Social Security Awards!

Held in conjunction with the Security Bloggers Meet-Up at RSA Conference 2009, the Social Security Awards give readers a chance to recognize the best, brightest, and most entertaining bloggers and podcasters in the field.

Please take a moment to nominate your favorite security bloggers and podcasters. There are five categories, including:

* Best Security Podcast
Who is the voice you listen to week after week?

* Best Technical Security Blog
Who is digging deeper than anyone else?

* Best Corporate Security Blog
Which vendor's contributing the most to the blogosphere?

* Best Non-Technical Security Blog
Who's got the best 30,000 view?

* Most Entertaining Security Blog
Who keeps you riveted? Or who makes you laugh?"

Tuesday, February 24, 2009

CAG Out!

OMFG... is this the most ambitious project in security (eh... maybe not :-)) or what?

"Consortium of US Federal Cybersecurity Experts Establishes Baseline Standard of Due Care for Cybersecurity – The Top Twenty Most Critical Controls" (brief)

Here is the first thing I thought about it:
Now, think:
  • Does it mean we are moving towards "control-based" security?
  • Does it automatically mean we are moving away from "risk-based" security?
  • How many times is the term "risk management" mentioned in the full CAG doc?
Finally, some misc highlights:

On vulnerabilities: "Verify that vulnerability testing of networks, systems, and applications are run no less than weekly. Where feasible, vulnerability testing should occur on a daily basis."

On logs: "Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include dates, timestamps, source addresses, destination addresses, and various other useful elements of each packet and/or transaction." (CEE gets mentioned here too)

On web apps: "Test [production - A.C. ] web applications for common security weaknesses using web application scanners prior to deployment and then no less often than weekly as well as whenever updates are made to the application."

On integrity checking: "In particular, most endpoint security solutions can look at the name, file system location, and/or MD5 [yes, MD5, really!] hash of a given executable to determine whether the application should be allowed to run on the protected machine."
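The quoted CAG passage describes allowlisting by name, file-system location and content hash. Below is an added example, not code from the CAG or from this blog, showing what such a check looks like and why the hash is the part that does the real work: the sample "binaries", their paths and the resulting hashes are all constructed for the example, and the hash algorithm is a parameter so the same list can be built with SHA-256 rather than MD5 (MD5 collisions were already practical in 2009, which is what the "[yes, MD5, really!]" aside is getting at).

```python
"""Added example (not from the CAG or the blog): an application allowlist
check keyed on file name, location and content hash, as the quoted passage
describes. Sample binaries are constructed bytes, not real executables;
every digest below is computed here, not taken from any real list."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowEntry:
    name: str
    path: str
    digest: str  # hex digest of the approved file content
    algo: str    # "md5" or "sha256"


def file_digest(content: bytes, algo: str) -> str:
    """Hash the executable's bytes with the named algorithm."""
    return hashlib.new(algo, content).hexdigest()


def build_allowlist(approved: dict[str, bytes], algo: str) -> list[AllowEntry]:
    """Record name, location and content hash for each approved binary.
    `approved` maps full path -> file content (constructed sample data)."""
    entries = []
    for path, content in approved.items():
        name = path.rsplit("/", 1)[-1]
        entries.append(AllowEntry(name, path, file_digest(content, algo), algo))
    return entries


def should_run(path: str, content: bytes, allowlist: list[AllowEntry]) -> tuple[bool, str]:
    """Decide whether an executable may run. Name and location alone are
    easy to spoof (any file can be renamed or copied), so the content hash
    is the check that actually matters; name and path only select which
    allowlist entry to compare against and make the reason string useful."""
    name = path.rsplit("/", 1)[-1]
    candidates = [e for e in allowlist if e.name == name]
    if not candidates:
        return False, "name not on allowlist"
    for entry in candidates:
        if entry.path != path:
            continue
        if file_digest(content, entry.algo) == entry.digest:
            return True, f"match on name, path and {entry.algo}"
        return False, f"{entry.algo} mismatch: content differs from approved build"
    return False, "name known but location differs"


# Constructed sample "binaries": stand-ins for real executables.
APPROVED = {
    "/usr/bin/pos-terminal": b"\x7fELF-pos-terminal-build-1.4",
    "/usr/bin/log-shipper": b"\x7fELF-log-shipper-build-2.0",
}


def demo(algo: str = "sha256") -> dict[str, bool]:
    """Run four constructed cases through the check and return the verdicts."""
    allowlist = build_allowlist(APPROVED, algo)
    trials = {
        # unchanged approved binary in its approved place
        "approved": ("/usr/bin/pos-terminal", APPROVED["/usr/bin/pos-terminal"]),
        # same name, same location, patched bytes
        "tampered": ("/usr/bin/pos-terminal", b"\x7fELF-pos-terminal-build-1.4-patched"),
        # approved content copied to an unapproved directory
        "relocated": ("/tmp/pos-terminal", APPROVED["/usr/bin/pos-terminal"]),
        # unknown program renamed to an allowed name
        "renamed": ("/usr/bin/log-shipper", b"something else entirely"),
    }
    return {label: should_run(p, c, allowlist)[0] for label, (p, c) in trials.items()}


if __name__ == "__main__":
    for algorithm in ("md5", "sha256"):
        print(algorithm, demo(algorithm))
```

Only the unchanged binary in its approved location is allowed to run; the tampered, relocated and renamed cases are all refused, whichever algorithm is used. The algorithm choice matters for a different reason: an allowlist keyed on MD5 only holds up as long as nobody can produce a second file with the same MD5, so building the list with SHA-256 costs one keyword argument and removes that dependency.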

In any case, go read the CAG.


Friday, February 20, 2009

Fun Reading on Security and Compliance #12

Instead of my usual "blogging frenzy" machine-gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is issue #11, dated Feb 20th, 2009 (read past ones here). I admit that some stuff has been sitting in my “2blog queue” for way too long, but you know what? If it is still relevant after a few weeks of “cooling down,” it is even more worth reading :-)

  1. An instant classic “The Security Laugh Metric” by Ben: “The laugh metric indicates a manager's lack of understanding of risk when presented with a security issue. For example, when a reasonable security recommendation is followed by a loud laugh, expect that the manager is probably only mildly aware of their security risks.”
  2. PHPbb “0wnage” – a fun read. Main content, some fun comments and password analysis. BTW, “password” is still the king of passwords :-) “In any event, "cocacola" appears to be more popular than "pepsi" among those who choose passwords.”
  3. Ben’s “instant classic” – “Are You Addicted to Information Insecurity?” Fave quote: “While smokers' actions are driven by cravings for nicotine despite the health hazards, information technology's actions are driven by users' desire for easy access to data, usability, and quick deployment, with a disregard for confidentiality, integrity and availability of that data. These organizations typically know the risk of giving short shrift to security (many have even been bitten by data breaches and malware outbreaks), yet continue with their insecure ways despite clear evidence of its hazards.”
  4. UK “infected hospitals” (here and here) are kinda disturbing. Would you prefer your surgical equipment crashed by a Windows Update OR by a worm, huh? Fave idiotic quote: “Mytob, which also goes under the name MyDoom, was introduced "accidentally" into the network with "no malicious intent," the report concluded without providing details.” This whole situation reminds me of Dave Rice’s “Geekonomics” - a clear route to clinical paranoia…
  5. “Thinking Strategically about Information Security Metrics”: we all know that metrics = fun, pretty much.
  6. From the “not good” dept: “Kaspersky breach exposes sensitive database, says hacker."  What can I say? SQL injection works! :-(  “A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider's products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims.”
  7. “Why doesn’t the security industry like regulatory compliance?” is pure gold. But then again, what do you expect from Mike “PCI DSS is my license plate” Dahn? :-)
  8. Mike Rothman on “Selling Fear,” a must read. Yes, FUD is alive and well (and useful at times for both infosec pros and vendors) - “Why not remind the customer they could get hit by a bus? Of course, I hope not - but it could happen.”
  9. Fun reflections on why a security startup died are here. Quote: “Whoever heads sales must be highly proficient in motivating sales people and ensuring that sales efforts are always on track. This person is in my mind the most valuable person in a software company.” and “Ensure that you have a sufficient nucleus of highly proficient developers and quality assurance staff.” Material like this makes for perfect “reading between the lines” :-)
  10. ATM theft case here (“Largest Coordinated ATM Rip-off Ever Nets $9+ Million in 30 Minutes”) via Mike R: “… in reading James Heary's analysis of the event, my blood ran cold. This folks is the future of crime. It's kind of a "clicks and mortar" approach to crime.”
  11. Mike Fratto kicks some ROI butt in “ROI Is Not A Good Justification For Security;” some sore vendor ass tries to argue and Mike beats him up :-)  Time for a 3rd ROI war to commence?
  12. Discussion of “full-auto” patching is baaaaaack: “Should Microsoft Take You out of the Patching Question?” Fun quote: “I have no business making your patch decisions for you and neither does Microsoft. It's your job. And if your decision not to rush the MS08-067 patch resulted in a Conficker outbreak in your enterprise, well you and whoever else is responsible deserve to suffer the consequences. It's not Microsoft's fault; they made a patch available and told you how serious the matter was.”   I think we ARE ready for full-auto patching in SOME products.
  13. Laura’s musing on FISMA are here: “An agency could have exceptional security in place, but if the security mechanisms, controls, policies, and procedures are not well documented, or incorrectly documented, there is a good chance the agency could receive an F. Keeping that in mind, an agency that receives an F could possibly even have better security than an agency that receives a C or a B. If you have mediocre security in place, but you document the security controls, policies, procedures, and contingency plans at least well enough […], it is altogether conceivable that you could receive a better grade than an agency that has nothing documented, but has sound technical security controls in place.” Fun!
  14. Love or hate surveys, here is one more: “Latest Javelin Research Shows Identity Fraud Increased 22 Percent, Affecting Nearly Ten Million Americans: But Consumer Costs Fell Sharply by 31 Percent”
  15. Gunnar Peterson sadly reflects in “Why Start Now?” that time to revisit old security models is NOT now, but 9 years ago :-) And flashes his now-legendary “firewalls+SSL” chart…

Special compliance section:

  1. First, “PCI Experts Around Every Corner,” a fun read.
  2. Martin on “Evaluating the cost of PCI” has some fun links to think about: “When I was a security manager, I loved PCI because it gave me a really good reason to spend the money on the technologies I knew needed to be in place.” Another good one from him is “Are credit cards worth the risk?” with this useful reminder “Realistically, the option of ignoring PCI is there, but it’s something that is almost guaranteed to bite you eventually, not to mention the ethics and morality of a security professional ignoring security compliance.”
  3. “pci actually never fails” argues with some of the points made in previous PCI writing.
  4. A very nice intro to PCI DSS 1.2 is “PCI DSS v1.2 in a Nutshell”.
  5. Thanks for reminding us that “The true intent of PCI compliance is NOT to pass an audit.” It kinda belongs in the Heartland saga (1,2,3,4), but I am not, NOT, NOT doing “On Heartland V.” Quote: “If PCI DSS requirements are implemented according to their true intent—improve security to reduce risk of compromise—we should seldom hear about massive breaches and data compromise from organizations that passed their PCI DSS audit.”


Tuesday, February 17, 2009

On "The Next 100 Years"

As I said in my Twitter post about reading "The Next 100 Years: A Forecast for the 21st Century" by Stratfor's George Friedman: "the book is unbelievably, shockingly awesome! It exudes pure awesomeness from every page!"

As you know, I have been a long-term Stratfor fan (I have been reading the site since they launched in 1994 or so), but lately I have evolved into a Stratfor addict. And the book ("The Next 100 Years: A Forecast for the 21st Century") didn't make my condition any better, quite the opposite.

The basic premise of this treatise is this: the coming century will be ruled by an empire, so powerful economically, politically and militarily that nobody will be able to dislodge it from a top spot, even though some will try, much to their despair.

What is this empire? "A rising China"? Pah. "A resurgent Russia"? Nah. "A united Europe"? Hah. Its name is The United States of America. The book states simply: "The 21st century will be the American century" and "The United States is only at the beginning of its power."

Yes, indeed! Stratfor's George Friedman predicts that US power is barely at its dawn, unlike some silly writers. His geopolitical analysis predicts that the US will remain the leading world power for at least a century. He goes thru the events of the 2020s (a new mini-cold war, then the collapse of Russia), the 2030s (a new crisis in the US) and then predicts a bit of a global war in the 2050s. I will not post any more spoilers, go read the book; a few more juicy bits from the book follow below.

Some of the weapons to be used in mid-21st century wars:
  • Hypersonic UAVs armed with missiles
  • Space command stations and direct space-to-ground weapons
  • "Armored infantrymen" in electrically-powered suits
  • Various types of robotic armored vehicles.
Below are some of my favorite quotes:
  • "Where humanity goes - war follows" (on war)
  • "The European Age has ended and the North American Age has begun" (on Europe)
  • "The United States has a huge margin of error. [...] The US therefore tends to be careless in how it exercises its power globally." (on some current events)
  • "The combined naval force of the rest of the world doesn't come close to equaling that of the US Navy" (on Navy)
  • "Mankind does not pose problems for itself for which it does not already have a solution" (on global warming; BTW, he is quoting Karl Marx here)
Should I mention it again? This is one of the best books I've read for a good number of years...


What the hell is SAQSA? Self-assessment qualified security assessor, a QSA that lets you assess yourself. If you don't think this is funny, you are not in the PCI biz....

Friday, February 13, 2009

New Processor Breach?

Just a quote from dataloss db: "Banks around the country are reportedly receiving warnings, and perhaps even new lists of cards to replace. This is apparently regarding another credit card processor, unrelated to Heartland Payment Systems, having a significant breach.

OSF has received multiple tips from multiple sources, and has spoken with the good people over at who have confirmed they too are hearing the exact same thing."

God, please, if you exist, don't let us AGAIN blog about all the other subjects we blogged about after the Heartland breach :-) Puleeeeeease....

UPDATE: rumor squashed by Visa

Tuesday, February 10, 2009

On Heartland IV

I swear I never wanted to do this part IV of the Heartland credit card data breach saga, but there is so much more fun stuff on this, it is not even funny :-) In other words, they made me do it :-)

  • Stock angle – NOT sure whether true OR false (or somebody is doing psyops on the side, as my old ROTC teacher would say): “CEO Carr dumps $15 million of his Heartland Payment Systems stock” and “Did Heartland CEO Make Insider Stock Trades?” seems to think so. The latter post also has some fun additional details and it is actually a very good read. BTW, the original source for this (here) seems dead (“Error establishing a database connection”), which kinda confirms the whole psyops angle…
  • One of the commenters to my previous post asks: “I'm really interested in the method used to ship the card data out of the processors datacenter. Did they allow outbound connections to random addresses on the Internet?” Good question indeed! BTW, direct connectivity from a payment server to any address on the Internet would be a violation of PCI DSS Req 1.2.1
  • Mike Rothman returns to normalcy (here too!) and quotes this from here: “Of course, anyone that has been in the security business for a while knows the folly of thinking that any set of requirements and controls will truly create security”, then “Merchants have been relying on PCI as a crutch. Comply with the 12 requirements and credit card data is secure” and then even “To be clear, there is value in the 12 requirements set forth by the PCI Security Standards Council. The PCI-DSS does a good job of laying the foundation for security, but just like you don’t live just on a foundation and expect to stay warm and dry in the winter, you can’t just rely on your security foundation for protection.” Amen to that!! PCI DSS is useful again – and the world is saved :-)
  • This is very, very interesting (“Visa issues security alert”) and can be used to piece together what we know about the breach mechanics. But BAD IP addresses? Gimme a break… What’s next? An evil bit?
  • Another commenter leads an interesting discussion about the underlying technology: “I contend that the largest *real* security issue is the 1960's technology of a plastic card with an integrated magnetic stripe which contains easily readable data encoded in an open format.” (a fun discussion follows)
  • On DarkReading, “PCI DSS Is A Process, Not A Checklist” also has a lot of good points: “The elements that go into complying with PCI DSS need to be followed day in and day out -- not just every quarter when your scan is scheduled or your annual pentest comes up.” Yes, Virginia, in reality you are never DONE with this one…
  • “Heartland and Protecting PII” has a bizarre angle: “Just out of curiosity – is anyone else concerned about how the victim is getting vilified when there is a significant loss of credit card data or PII?” and “Heartland may have been very dumb in the way they are handling the PR side of things but remember that they were robbed by criminals.” and “This makes the security and risk management equation a binary, results oriented art – either we are “secure” or we are not. How do we know we are? No incidents. How do we know we are not? Incident!”
  • Mildly Heartland breach inspired, Jeremiah brings up “Some unanswered questions” – fave quote from comments: “Look at who does the most PCI assessments [and the Heartland one] and you'll realize that they're the ones that do the least invasive testing, don't bother verifying much of the information provided by the client, and do the minimum amount necessary to fulfill the external scan and web assessment requirements.” :-(
  • Grok Security in “Heartland Breach” says “In summary, Heartland failed to properly implement and enforce defense-in-depth, network segmentation and separation of duties. Remember, Heartland is a level 1 PCI processor and was required by regulation to get this right. This means Heartland's auditors failed.”
  • Mildly Heartland-inspired, Pete’s “PCI and Social Proof” has a few good thoughts on the “security vs compliance” conundrum. Key thought: “One of the themes that comes out of compliance vs. security discussions is that compliance is about meeting a minimum standard and people who "really care" about security (whatever that means) would actually do more. I think the principle of social norms is hard at work here, which makes the "goal" of being PCI-compliant the social norm and acts as a deterrent (or creates a 'boomerang effect' according to Cialdini) to folks that want to be more secure.” BTW, while you are there, read his “Are Compliance and Security Related?” where he reminds that “Maybe I am getting too broad in my interpretation of what people say. I certainly believe that many things you do for compliance can reduce your risk.” [however, I think "checklist!-just-make-it-go-away” compliance will likely NOT reduce risk]
  • Michael here (“pci, shifting blame, and perfection assumptions”) questions a point from Branden that “PCI Compliant Companies Don't Suffer Breaches.” He says “QSAs can only be as good as the standards, visibility, power, talent, and cooperation of the host customer.” (notice the part in italic: QSAs are people too – and they are getting lied to too!)
  • Tyler argues in his “Where PCI Fails” that PCI IS considered a FAIL (unlike what I say here) if a particular QSA is an easygrader or if a company can beg its way to getting an exception. He also has a good point that “If you are barely hitting your mark as an ASV or QSA, you should be gone.” Upon reading his post, I’d still prefer to call these “growing pains” and not FAILs, however. Please read the related comments here too, very fun.
  • OMG, another new angle – this case is a treasure trove: In “US Citizen? Your credit is in doubt...” Rainer says: “Remember, card processor Heartland has screwed up and, as some sources say, 100 million credit card numbers were stolen from them via a Trojan. That fact spread big news and, among others, started a discussion if PCI has been proven to be useless. But there seem to be additional effects: US customers seem to have lost a lot of credibility in international shopping.” Obviously, not a huge deal, but interesting to note nonetheless… He also adds this gem: “If you lose your credit card, you are legally required to call your card issuer and report that loss. As long as you do not notify them, you are liable. If, on the other hand, someone in the card industry loses your card (number), nobody seems to be liable: Customers must check their statements and vendors must do in-depth checks (sigh) on their customers.”
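The commenter's question about outbound connections from the processor's data center is one a defender can answer from their own firewall logs. Below is an added example, not code from this post or from any of the sources it links, that audits constructed connection-log lines for traffic leaving a cardholder-data segment toward destinations that are not on an explicit approved list, which is the condition the bullet above ties to PCI DSS Req 1.2.1. The log format, the network ranges, the approved destinations and every log line are constructed for the example (the public addresses are from the RFC 5737 documentation ranges).

```python
"""Added example (not from the blog post or its linked sources): offline
egress audit of firewall connection logs for a cardholder-data segment.
Log format, addresses, approved destinations and all log lines are constructed."""
import ipaddress
import re
from datetime import datetime

# Constructed: the segment holding payment servers, and the only outbound
# destination/port pairs it has a business need to reach.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")
APPROVED_EGRESS = {
    ipaddress.ip_network("203.0.113.10/32"): {443},     # acquirer gateway (documentation address)
    ipaddress.ip_network("10.20.255.0/24"): {123, 514},  # internal NTP and syslog relay
}

# Constructed syslog-style line; timestamp, source and destination are mandatory.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) fw01 "
    r"(?P<action>ACCEPT|DROP) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None if the line is missing the
    timestamp, source or destination needed to make any decision about it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dpt": int(m["dpt"]),
    }


def is_approved(dst, dpt):
    """True only for an explicitly listed destination network and port."""
    return any(dst in net and dpt in ports for net, ports in APPROVED_EGRESS.items())


def audit_egress(lines):
    """A finding is an ACCEPTed connection from the CDE to a destination/port
    not on the approved list: the rule set let something out that it should
    have denied by default. A DROP of the same traffic is the expected log."""
    findings, unparseable = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparseable += 1
            continue
        if rec["src"] not in CDE_NETWORK:
            continue  # traffic from other segments is out of scope here
        if rec["action"] == "ACCEPT" and not is_approved(rec["dst"], rec["dpt"]):
            findings.append((rec["ts"].isoformat(), str(rec["src"]), str(rec["dst"]), rec["dpt"]))
    return {"findings": findings, "unparseable": unparseable}


# Constructed sample log: one approved acquirer connection, one accepted
# connection to an arbitrary Internet host (the finding), one correctly
# dropped attempt, one approved internal syslog connection, one line from a
# non-CDE host, and one line with no timestamp.
SAMPLE_LOG = [
    "2009-02-10T03:14:07Z fw01 ACCEPT SRC=10.20.0.15 DST=203.0.113.10 DPT=443",
    "2009-02-10T03:14:09Z fw01 ACCEPT SRC=10.20.0.15 DST=198.51.100.77 DPT=443",
    "2009-02-10T03:14:11Z fw01 DROP SRC=10.20.0.15 DST=198.51.100.77 DPT=21",
    "2009-02-10T03:14:12Z fw01 ACCEPT SRC=10.20.0.22 DST=10.20.255.5 DPT=514",
    "2009-02-10T03:14:13Z fw01 ACCEPT SRC=192.168.1.9 DST=198.51.100.77 DPT=80",
    "fw01 ACCEPT SRC=10.20.0.15 DST=198.51.100.77 DPT=443",
]


def run_sample():
    return audit_egress(SAMPLE_LOG)


if __name__ == "__main__":
    result = run_sample()
    for f in result["findings"]:
        print("unapproved egress from CDE:", f)
    print("lines skipped for missing fields:", result["unparseable"])
```

The one finding is the accepted 443 connection to an address that is not the acquirer; the same host's attempt on port 21 produces nothing because the rule set dropped it, which is the log you want to see. The count of skipped lines is reported rather than silently ignored, since a log that lacks timestamps or addresses cannot support this check at all.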

Enjoy! I double-dare-promise this is the last one with media coverage…

Monday, February 09, 2009

Watch Ma .. A Blog Fight!

Always a sucker for a good blog fight! The subject is a bit dumb (“Is security a cost center?”), but still, this one is fun to watch:

  1. McAfee, who should know better, starts it: “Is information security compliance really a cost center?” - “No. Absolutely and unequivocally not. I am drawing the line in the sand.” Read the rest here, even though it gets to sound pretty darn stupid at times (example: “ … makes it obvious that it is better and more efficient to be compliant as a business” – uhu… go tell it to all the small businesses trying to avoid PCI DSS)
  2. First, Hoff kicks them in the balls (in their comments, no less): “If security compliance isn’t a cost center, are you then suggesting it’s a profit generator? So on the balance sheet it shows up as a revenue generator or profit center?”
  3. Next, enlightened-not-insane Mike Rothman dropkicks them in “Compliance is SO a cost center” – “OMG. I figured a big company like McAfee would have a drug testing policy, but evidently not. I want some of what this guy is on” and even “A "Compliance Driven Company" is the next Heartland or TJX”, “CEOs don't care about security or compliance” and – fun! – “And even better, they don't want to spend money on avoiding either of those cases because it's not going to happen to them. Seriously. They see the headlines, they ask some questions about whether they are "secure," the CSO lies to them, and they go back to their mahogany conference room and check on the sales numbers.” He then ends with “Like I said, Little Red needs to check what's in this guy's water bottle. It ain't water.“
  4. Finally, Pete runs, jumps in the air and lands on the McAfee guy ("Security Insights Draws Security Incite"): “It is entirely misleading to suggest that "information security compliance" is NOT a cost center. That smacks of a misunderstanding of exactly what a cost center is.” He then again jumps and lands with “I have a HUGE problem with this statement: "...a good business leader needs no justification to do to the right thing." It is so laced with b.s. that the cows are lining up in the barn waiting their turn.”

Enjoy! This whole thing makes me so want to kick them too, but I think there is a law against kicking the dead horse or something :-)

Also, this sooo reminds me of the ROI wars last year.

I will add to it, if this grows.

Security (Info/Physical) Humor

What do you need to steal $100m?

1. $1m
2. $5

This comic answers it :-)

BTW, this also tells you how behind I am on blogging... Guess why? 'Cause I also "do stuff."

Wednesday, February 04, 2009


Just FYI, SANS got this new interesting whitepaper on benchmarking SIEM [PDF] as well as a related webcast, that tries to inject some objectivity into an esoteric subject of SIEM tool testing.

My fave quote? "This is the problem with benchmarking Security Information Event Management (SIEM) systems, which collect security events from one to thousands of devices, each with its own different log data format. If we take every conceivable environment into consideration, it is impossible to benchmark SIEM systems." [that is exactly why people are having some trouble with them]

On the other hand, the paper is way too "EPS-obsessed" for my taste. And EPS is so 90s :-) And some vendors count EPS before their "magic rule" 'drop event if condition = whatever' kicks in, which is kinda sad. And EPS won't help you compare the tool that just stores all the log records vs the one that applies complex analytics over live and stored log data. And if you pick a tool by EPS, you are guaranteed to select a tool that "does less" with the log data ...

Tuesday, February 03, 2009

Monday, February 02, 2009

Monthly Blog Round-Up – January 2009

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups are an attempt to remind people of useful content from the past month! If you are “too busy to read the blogs” (!), at least read these.

So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics.

  1. As expected, my coverage of the Heartland data breach saga took the #1 spot, by a long shot. Specifically, “On Heartland”, “Heartland II” and “Heartland III” are the most popular. Even the “Largest Card Data Breach Ever?” mini-post made it to the list.
  2. Perhaps ironically, my repost of “Titanic”  and then humorous “Titanic Update” were hot. Yes, Virginia, HMS “Titanic” was compliant with safety regulation of that time. Is this a coincidence, esp. in light of item #1 above?
  3. Much to my excitement, “Tales From the “Compliance First!” World” made it to the top list; I definitely put a lot of thought into it and thus I am happy that my readers reacted to it. Sadly, “Compliance First!” is alive and well, even after massive breaches.
  4. Another quality post on PCI DSS, “Making PCI Easy?” is also on the list. This post made some people think that I am “a PCI evangelist” at my employer. Not true! I am actually building a product to make PCI DSS compliance efforts easier.
  5. My first analytic post on Heartland breach, ““Compliant” + 0wned = ?” is a fun read. It covers possible scenarios of being reported as “compliant” while being penetrated by attackers. Are you “comp-0wn3d”?

See you in February. Also see my annual “Top Posts” (2007, 2008)


Dr Anton Chuvakin