The PCI Guru defends the PCI standard as a good framework for security in general, arguing against the refrain that compliance is not security.
My view is that the PCI Guru is missing the point. PCI DSS is a decent enough security framework. Personally I feel the SANS 20 Critical Security Controls is more comprehensive and has a maturity model to help organizations build a prioritized plan.
The issue is the approach management teams of organizations take to mitigate the risks of information technology. COSO has called this “Tone at the Top.”
A quote that rings true to me is, “In theory, there is no difference between theory and practice. But in practice there is.”
Applying that here, I would say that in theory there should be no difference between compliance and security. But in practice there often is, when the management team of an organization does not take an earnest approach to mitigating the risks of information technology. Instead it adopts a “check-box” mentality, i.e. going for the absolute minimum on which the QSA will sign off. It is for this reason that many in our industry say that compliance does not equal security.
24 July 2011 · Freakonomics » Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum · Categories: blog · Tags: breach, PCI DSS
Stephen Dubner gathers opinions from Bruce Schneier, Tal Be’ery (Imperva), Henry Harrison (BAE Systems Detica), Julie Conroy McNellery (Aite Group), and David Jevans (IronKey).
McNellery seems to think that PCI has been a success and has reduced the number of breaches. While the number of credit card breaches has dropped, it appears that it’s because so much credit card data has been stolen that the price for credit card data has been driven down so low that cyber criminals are focusing on other types of digital information to steal.
E2EE (End-To-End Encryption) is not a bad thing, but it does have its own set of risks. And it is those risks that do not get discussed that concern me. The reason for my concern is that if you discuss E2EE with any merchant, most see it as this panacea, something that will get them out of the PCI compliance game altogether. However, nothing could be further from the truth. If anything, E2EE may make PCI compliance even more daunting than it is today.
However, the end-point device that accepts the credit card is in scope! And it’s difficult to prove that the end point has not been tampered with.
The PCI Guru (a pseudonymous PCI QSA) wrote a nice introduction to virtualization security with respect to PCI compliance. If you are not familiar with virtualization, he/she starts with the basics – defining “bare-metal” vs. “hosted” hypervisors and pointing out that hypervisors are operating systems.
Maybe the PCI Guru is planning another post that will go further, but I feel it’s important to point out that along with the virtual machines, there are virtual switches located on the host system. Therefore traditional network-based security solutions have no visibility into, and therefore no control over, the traffic between VMs on the same host.
In addition, when organizations take advantage of the flexibility of virtualization by quickly creating and moving VMs as needed to meet application performance and availability requirements, it’s very difficult, to say the least, for network security administrators to keep up with the changes.
For these reasons, a new type of product has entered the market – the hypervisor-based firewall, which should reside right in the hypervisor. In addition to controlling traffic among VMs on a host, the hypervisor-based firewall needs to be able to identify newly added VMs and automatically apply the appropriate policies.
Furthermore, a good hypervisor-based firewall should perform host intrusion detection functions since it’s in the hypervisor and can see into the VMs.
Finally, there are performance considerations. Since we are talking about host-based technology, the question of CPU resource drain must be examined. In other words, how much performance are you giving up in return for the security you are gaining?
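To make the visibility point concrete, here is a small added model (not code from the PCI Guru's post or from any firewall product) of the two designs discussed above. The VM names, hosts, tags and rules are constructed for the illustration. A network-based firewall only ever sees traffic that leaves the physical host, so two VMs on the same host talk through the virtual switch unseen; a hypervisor-level policy engine keyed on tags evaluates that traffic and automatically covers a VM the moment it is registered, with no administrator editing rules.

```python
from dataclasses import dataclass

# Hypothetical model for illustration: a host carries several VMs, and traffic
# between two VMs on the same host stays on the virtual switch.

@dataclass
class VM:
    name: str
    host: str
    tags: frozenset  # e.g. {"web"}, {"db", "cde"}; drives policy assignment


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int
    action: str  # "allow" or "deny"


def perimeter_firewall_sees(src: VM, dst: VM) -> bool:
    """A network-based firewall only sees traffic that leaves the host."""
    return src.host != dst.host


class HypervisorFirewall:
    """Policy is expressed on tags, so a new VM is covered as soon as it is registered."""

    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)
        self.default_action = default_action
        self.vms = {}

    def register_vm(self, vm: VM):
        """Register a VM and return the rules that now apply to it (audit evidence)."""
        self.vms[vm.name] = vm
        return [r for r in self.rules if r.src_tag in vm.tags or r.dst_tag in vm.tags]

    def decide(self, src_name: str, dst_name: str, port: int) -> str:
        """Evaluate one intra-host flow; first matching rule wins, else the default."""
        src, dst = self.vms[src_name], self.vms[dst_name]
        for r in self.rules:
            if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
                return r.action
        return self.default_action


# Constructed policy: web tier may reach the database port, only the management
# tier may reach SSH on database VMs; everything else is dropped by default.
RULES = [Rule("web", "db", 3306, "allow"), Rule("mgmt", "db", 22, "allow")]


def demo():
    fw = HypervisorFirewall(RULES)
    web1 = VM("web-1", "host-A", frozenset({"web"}))
    db1 = VM("db-1", "host-A", frozenset({"db", "cde"}))
    for vm in (web1, db1):
        fw.register_vm(vm)
    results = {
        "perimeter_sees_web_to_db": perimeter_firewall_sees(web1, db1),
        "web_to_db_3306": fw.decide("web-1", "db-1", 3306),
        "web_to_db_22": fw.decide("web-1", "db-1", 22),
    }
    # A VM spun up later inherits policy by tag without any rule edits.
    web2 = VM("web-2", "host-A", frozenset({"web"}))
    results["web2_rules_applied"] = len(fw.register_vm(web2))
    results["web2_to_db_3306"] = fw.decide("web-2", "db-1", 3306)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `register_vm` return value is the part an assessor cares about: it is the record that a newly created VM was placed under policy at creation time rather than whenever someone noticed it.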
Scoping is one of the most subjective parts of doing a PCI assessment. What I consider to be a ‘connected system’ and what someone else considers to be the same can sometimes be substantially different.
Martin McKeay points out that not only is PCI scope subjective, but it’s also changing. Martin expects major changes from the Scoping Special Interest Group early next year.
Wired Magazine reported this week that Wal-Mart kept secret a breach it discovered in November 2006 that had been ongoing for 17 months. According to the article, Wal-Mart claimed there was no reason to disclose the exploit at the time, as it believed no customer data or credit card information was breached.
They are admitting that custom developed Point-of-Sale software was breached. The California Breach Law covering breached financial information of California residents had gone into effect on July 1, 2003 and was extended to health information on January 1, 2009. I blogged about that here.
I think it would be more accurate to say that the forensics analysts hired by Wal-Mart could not "prove" that customer data was breached, i.e., could not find specific evidence that customer data was breached. One key piece of information the article revealed, "The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis."
Based on my background in log management, I understand the approach of only collecting "bad" events like failed log-ins. Other than this sentence the article does not discuss what types of events were and were not collected. Therefore they have very little idea of what was really going on.
The problem Wal-Mart was facing at the time was that the cost of collecting and storing all the logs in an accessible manner was prohibitive. Fortunately, log data management software has improved and hardware costs have dropped dramatically. In addition there are new tools for user activity monitoring.
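The following added example (my own illustration, not from the Wired article or Wal-Mart's environment) shows why a failures-only collection policy leaves an analyst blind. The sshd-style log lines are constructed. One detector flags an accepted log-in from a source that has just produced a run of failures; run over the full log it fires, run over the same log filtered down to failed attempts only it has nothing to work with, which is exactly the "frustrating a detailed analysis" situation the article describes.

```python
import re
from collections import defaultdict

# Constructed sample auth log (sshd-style syslog); not from the article.
SAMPLE_LOG = """\
Nov 12 03:14:01 pos-01 sshd[812]: Failed password for admin from 10.0.5.23 port 51022 ssh2
Nov 12 03:14:03 pos-01 sshd[812]: Failed password for admin from 10.0.5.23 port 51024 ssh2
Nov 12 03:14:05 pos-01 sshd[812]: Failed password for admin from 10.0.5.23 port 51026 ssh2
Nov 12 03:14:07 pos-01 sshd[812]: Failed password for admin from 10.0.5.23 port 51028 ssh2
Nov 12 03:14:09 pos-01 sshd[812]: Accepted password for admin from 10.0.5.23 port 51030 ssh2
Nov 12 03:20:44 pos-01 sshd[903]: Failed password for clerk from 10.0.7.8 port 40011 ssh2
Nov 12 03:20:50 pos-01 sshd[903]: Accepted password for clerk from 10.0.7.8 port 40012 ssh2
Nov 12 04:02:11 pos-01 sshd[950]: Accepted publickey for backup from 10.0.1.2 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(lines):
    """Turn raw syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_only(lines):
    """Simulate a collection policy that keeps only failed log-ins."""
    return [line for line in lines if "Failed" in line]


def successes_after_failures(lines, threshold=3):
    """Flag an accepted log-in whose (source, user) just produced >= threshold failures.

    Returns (timestamp, source, user, preceding_failure_count) tuples.
    """
    recent_failures = defaultdict(int)
    alerts = []
    for ev in parse(lines):
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            recent_failures[key] += 1
        else:
            if recent_failures[key] >= threshold:
                alerts.append((ev["ts"], ev["src"], ev["user"], recent_failures[key]))
            recent_failures[key] = 0  # a success ends the run either way
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("full log:", successes_after_failures(lines))
    print("failures only:", successes_after_failures(failures_only(lines)))
```

With the full log the detector reports the `admin` log-in at 03:14:09 preceded by four failures from the same address; the `clerk` case (one typo, then success) stays below the threshold. With failures only, every counter accumulates and nothing ever fires, because the event that matters, the eventual success, was never recorded.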
However, my key reaction to this article is my disappointment that Wal-Mart chose to keep this incident a secret. It's possible that news of a Wal-Mart breach might have motivated other retailers to strengthen their security defenses and increase their vigilance, which might have reduced the number of breaches that occurred since 2006. It may also have more quickly increased the rigor QSAs applied to PCI DSS audits.
In closing, I would like to call attention to Adam Shostack's and Andrew Stewart's book, "The New School of Information Security," and quote a passage from page 78 which talks about the value of disclosing breaches aside from the need to inform people whose personal financial or health information may have been breached:
"Breach data is bringing us more and better objective data than any past information-sharing initiative in the field of information security. Breach data allows us to see more about the state of computer security than we've been able to with traditional sources of information. … Crucially, breach data allows us to understand what sorts of issues lead to real problems, and this can help us all make better security decisions."