What Good is PCI-DSS?

Wednesday, May 02, 2012

David Barton

With the most recent high-profile credit card data breach occurring late last month at Global Payments, one has to question the real benefit of PCI-DSS. 

After all, didn't a nationally-recognized Qualified Security Assessor (QSA) confirm their compliance with PCI-DSS?  If so, how is it that the company still had a breach?

There are very few details on exactly what happened at Global Payments.  One rumor has the breach occurring through a taxi company in New York.  Another rumor states the breach involved answering a series of knowledge-based security questions correctly. 

The truth is, Global Payments may never know exactly what led to the breach.

Once the breach became public, VISA removed Global Payments from its list of "approved" card processors.  VISA indicated the company can be reinstated after an independent assessment of compliance with industry standards. 

If we read between the lines, VISA is essentially saying that since Global Payments had a breach, they must not have been in compliance with PCI-DSS standards at the time of the breach.

So where does that leave us regarding PCI compliance?

Basically the same place that any compliance review leaves you.  Just because an organization is compliant with a given standard does not mean that bad things won't happen.

Credit card processors have some very valuable information that bad guys all over the world would love to get their hands on.  They are the Fort Knox of the modern world.  When bad guys are motivated, it seems no amount of security can keep them out. Does that mean PCI-DSS standards are worthless? 

Not at all.  It just means it isn't foolproof, especially not in today's world of spear phishing, trojans and highly coordinated social engineering attacks.  When you have good locks on your data, the bad guys will simply begin targeting those within the organization who have the keys.

No matter how much technology you throw at security, people will always be the weakest link. The PCI-DSS standard (and many others) doesn't do a very good job of evaluating how well we train our people to recognize social engineering and spear phishing.   

As evidence, look at the facts behind the breaches at RSA, Epsilon, and HBGary.  Each of those breaches involved a failure of humans to recognize that they were being enticed to hand over the keys.  If we ever do get any details about this latest breach at Global Payments, I'm betting there was a component of human failure. It can be difficult to recognize the wolf in sheep's clothing when they are asking for the keys.

PCI-DSS compliance is primarily about setting up and maintaining technology to protect credit card data.  With the exception of Requirement 12, the PCI-DSS criteria are predominantly about security technology such as firewalls, intrusion detection, encryption, IDs and passwords, and the like. 

Requirement 12:  "Maintain a policy that addresses information security for all personnel.  A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it." That description does not address the need for a rigorous training program for the human factor. 

Are all your employees equally capable of recognizing a spear phishing email?  Are they trained how to recognize a telephone-based social engineering exploit?  Are they absolutely clear on what information is secret, classified, and public?  Without regular ongoing training the human factor will continue to be the weakest link in our security and the bad guys will continue to exploit that weakness.

So what's the answer?  First, we have to do a better job with education and training.  The SANS Institute has developed a two-day course devoted to "Securing the Human".  The course is Management 433. 

The intent is to develop and strengthen the human side of the security equation through an effective security awareness program; one that will change behaviors of employees and give them more tools to recognize the wolf in sheep's clothing.

Second, we need to work to improve our standards to include the human factor.  That will take time and effort on everyone's part, but especially those at the PCI Security Standards Council and other standards organizations.  What have you done recently within your organization to strengthen the "human factor"?

Marc Quibell:
Unfortunately, details of these types of investigations are rarely made public. We'll never know what really happened. It could be as deviant as someone selling the data from the inside, or a disgruntled employee creating a backdoor. I'm not convinced rigorous, expensive training is an answer. I'd lean more towards a comprehensive on-going awareness program, where you could also cover the latest schemes and scams employees could watch out for....
PCI Guru:
Just because your organization is breached does not automatically mean you were not compliant with the PCI DSS. The PCI standards are starting points for security, not the be-all and end-all of security. As a result, you can be compliant with the PCI DSS and still be breached due to an approach that works around the PCI DSS. I have seen organizations chase anomalous network traffic for weeks and months before they figured out what it was and whether it was a threat. I am not suggesting this is what happened at Global Payments, but I want people to understand that it is possible.
Beau Woods:
The failure of PCI-DSS auditing in this case is part of a broader problem with auditing in general. As I point out, Infosec could learn a thing or two from Enron on that score: http://beauwoods.blogspot.com/2012/05/what-infosec-can-learn-from-enron.html

I disagree with the statement that VISA decided a breach = non-compliance. Keep in mind that the card brands likely knew about more details and for longer than the general public. I think it was more likely one of two things, and to me the latter sounds more reasonable.
- VISA looked at the details and determined they were out of compliance with the DSS.
- VISA felt GP should be delisted until they demonstrated that they were cleaned up, keeping them focused on the task at hand and preventing other companies from signing up with a known compromised processor.

But I do agree that we need to do a better job of training our people. Not just to detect spear phishing and similar types of attacks, but to build and follow secure processes. If this was an attack where a series of correct guesses led to attack, technology can't fix that business process. It needs to be designed better. And if it's a case of employees not properly authorizing and authenticating requests, then process and training are critical.

Spear phishing can be largely mitigated by technical controls such as proper system hardening, isolation of the CHDE and other technical controls applied smartly (all required by PCI). But that doesn't obviate the need for good training, in conjunction with the technical controls. Multiple layers of security controls - defense in depth - is definitely a principle and concept that's foundational to the DSS.
PCI Guru:
At the end of the day, people are fallible. I'm not suggesting that training is pointless. But we need to recognize that you can train all you want, one individual will still have a "moment" and you have an incident. As a result, security needs to minimize the impact of that "moment" so that the organization doesn't lose everything just because of one person's "moment".
Beau Woods:
Sorry if my message wasn't clear - I absolutely agree that training is a great way to reduce risk. And it's one of the lowest cost things that organizations can do! Sadly, training and awareness are underfunded in most organizations because it's just not as sexy as the more expensive technical tools.
Marc Quibell:
In light of (the lack of) any facts in this case, I could easily propose an increase of penetration testing as an answer. Better technical controls, more internal auditing... the problem could be any of these. The fact of the matter is that GP, at the moment they were compromised, was conducting business at a certain risk level. The management @ GP was comfortable with that risk level prior to this incident. Obviously the worst-case scenario happened. There was a certain weakness at a certain layer of security/protection, and that weakness was exposed and compromised. Training is only one layer, and it's highly possible that increased training would not have had any effect at all. What we DO know is that there was a breach, and that management knew there was a risk for a breach; they took a gamble, as do all businesses. One question that should be asked and answered is this: was their risk level too high? Did GP take too many risks over profits, given the treasure they were tasked to protect?
Beau Woods:
And this is where I have a problem with the way most organizations do risk management when it comes to customer data. They look at the risk to their organization, not the risk to others who will mainly be affected.

The losses in this one are a) the banks who have to reissue cards (Krebs is now reporting it's 7M card numbers) and eat the cost of the fraud, b) consumers who have to reactivate those cards, c) consumers who don't know they've been a victim of fraud and whose banks didn't detect it, d) merchants who may have clawbacks from transactions, e) card brands who have a tarnished reputation (for what that's worth), f) Global Payments who now has to spend millions cleaning up, actually securing themselves and rebuilding their reputation. But only the last one had the ability and duty to prevent the breach. The others are just collateral damage, or a negative externality in economics terms.

In that sense, hitting GP's business hard puts greater financial risk on being insecure. So if other organizations see this and it enters their risk equation (even if that equation is the CEO sees it and says "could this happen to us?"), the delisting is a good thing for security. And anecdotal experience says that whenever a big breach happens, others in the same industry go scrambling to try and answer that posed CEO question above.
Marc Quibell:
Pretty comprehensive report at this link will show you the latest statistics on breaches. Notice also the "Where should mitigation efforts be focused" section deals with technical controls and auditing as the top mitigating controls. Technical controls that can also easily counteract users' lack of using 'security diligence'. I mean really, how much reliance do you put on users always 'doing the right thing'? But anyways, related to this article is a great report concerning recent data breaches:

Beau Woods:
You're right. There is no "silver bullet" (despite some vendors' claims). Many different tactics should be used together for defense in depth. Right now awareness is being largely ignored, in favor of the wrong kinds of technical controls and oversight. So yes, absolutely we need better technical controls (not just more of the same ones poorly used) but those are a _part_ of the solution, not the solution itself.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.