Thursday, November 12, 2009

More PCI Devil Defense

Our paper “PCI: No Angel, but Not the Devil Either” just went up on “CSO Magazine” online (and a few other sources); check it out. It debates this piece which quotes Joshua Corman of The 451 Group. Sorry, Josh, we had to argue with the imperfect retelling of your words, so some points might not have come out well… Hopefully, we can have a real industry-advancing debate at some point!

In any case, I am getting a bit tired of defending PCI DSS (ya know, “I’d rather be logging” :-)) from smart people who should (IMHO) know better. As I am doing it, I am also looking for some sort of “root of PCI hatred” in order to dislodge it and stop this frenzy once and for all (the whole thing reminds me of Harry Harrison’s “Deathworld” Jason dinAlt saga).

Here is what occurred to me recently: I used to think that “security perfectionism” drives a lot of attacks on PCI (“it sucks because it does not ‘guarantee’ ‘perfect’ security”). But some old Scottish whiskey made me realize that it is more subtle than that – it is not perfectionism per se, but “enterprise security disease.”

Let me explain. If your entire security career happened while working at, selling to or advising global organizations about information security, it is highly likely that your brain has adjusted to that reality. But there is another reality – and, darn, it is big.

Here is an example: next time you are having lunch somewhere and paying with a credit card, think: do these folks have a network IPS? Web application security scanner? SIEM perhaps? A DAM tool? Information risk protection strategy? BTW, the answer would be “No, no, no and no and no.” Their security is anti-virus (deployed on most systems and updated on some), a filtering router with NAT (and with a very open ruleset) and a few other “bulletproof” shields of that sort.

PCI is truly a beam of light (an annoying one…) for them – it motivates them to learn about all the wonderful security things they should be doing. Risk management? Pah. Threat posture? WTH. Encryption? Stop cursing. Firewall? Yes, we have it.

Here is how I presented this side of a debate in a recent argument I had (via email); numbers are from my favorite source of security stats (that is srand(), as you know :-)):

  • 198x-1992: 99% of people just say 'screw information security'
  • 1996-1999: massive email viruses hit; 98% of people still say 'screw security'
  • 2002-2004: worms hit; 97% of people still say 'screw security'
  • 2005-2007: spyware hits, botnets start their ominous rise, 96% of organizations still say 'screw security'
  • 2007-2008: data losses hit, massive data theft happens, 95% of organizations still say 'screw security'
  • 2007-2009: PCI DSS spreads. Oops! Now only 30% say 'screw security.' The rest has to at least pay it some lip service and raise their “wooden shields.” Hurray!

That is the main reason I think PCI magick has the blinding power of pure awesomeness.

BTW, I am working on a post that clarifies this “enterprise security thinking” a bit more. Also BTW, if you are looking to use PCI DSS as a general security or data security framework, go here.

Dr Anton Chuvakin