Saturday, October 3, 2009

PCI-DSS – I am certified, therefore I am secure

I have read countless articles from many people about how bad PCI-DSS is and how it shouldn't exist and wanted to present my own opinion on this subject.

I am an industry veteran with over 15 years in the industry, 10 of them in Information Security. Some consider me an expert, even a subject matter expert, but nothing in this article will fall into the category of expert advice or subject matter expertise. Most of it will revolve around common sense and simple arguments.

The perfect analogy for the PCI debate is the "glass half full or half empty" scenario. The naysayers, critics and PCI-DSS bashers fall in the "glass half empty" camp – some of them even think that the glass is completely empty, or see varying percentages of "emptiness", usually below 50%. Some would rather not have the glass at all and just drink from their hands or use a water fountain!

I am in the "glass half full" camp.

PCI has done a LOT to further security in an industry where information security was never considered a topic worth mentioning. I can remember 5-7 years back when retailers were all about razor-thin margins (they still are – that hasn't changed) and security to them meant physical security – guards, sensors, cameras – all put in place to prevent stealing or "shrinkage" (in industry parlance). Information Security was a term that was pretty much unknown. Trying to talk about information security to a retailer was a futile exercise that would result in temporary brain damage to a security person. The familiar excuses revolved around lack of budgets and the hilarious "who is going to attack us anyway? – we are not a bank, we don't have sensitive information – what do we need to protect?"

Fast forward a few years (and post PCI-DSS) – how many retailers will say that anymore?

Isn't this argument enough to say that PCI-DSS has achieved a lot? For those who are still not convinced, read on.

Nothing will provide absolute and infinite security (measured along any dimension – time, loss, budgets, technology etc.) – we all know that (at least the rational ones that really know security).

People would like to feel that something, and specifically a PCI-DSS certification, provides this nirvana. My friends – you are wrong if you think that way.

PCI is a first step and a required step to erect some basic defenses and make one secure from basic security attacks (maybe some medium complexity attacks), but NOTHING will prevent a determined attacker with limitless time, smarts, promise of massive rewards and lack of fear of prosecution from breaching your most sophisticated (or not so sophisticated) defenses and getting hold of the crown jewels (for a retailer that would be credit card numbers).

Having read that statement, should we all roll over and die, cry doom and gloom, and do nothing? Have humans ever done that? Will most of them do it now? Unlikely. Will some of them do it? Absolutely. The pessimists will just argue that PCI is terrible and ask why they should waste their time trying to do anything; let's just hand over our wallets to the next person that demands them, or rather, let's just leave our wallets on the street (an analogy for insecure wireless access points accessible from a store parking lot) and blame the loss on everyone but ourselves.

Great sayings come to mind –

"We thought we were secure because we were PCI certified" OR

"Our QSAs let us down – they didn't tell us everything that was wrong in our environment in the 2 weeks they were here and PS: We could not afford a more comprehensive review" OR

"We had firewalls and antivirus on our machines (but don't have money to hire someone to watch our logs)" OR

"We bought the latest security gizmo and spent millions of dollars on it (maybe not that much) and we thought that would make us secure" OR

"Our IT guy is also our network admin, security admin, and everything-we-throw-at-him guy, and he was hoping that the QSAs would come and fix everything for us"

Come on people – get real – security requires commitment, knowledge, resources, money, technology, people and more, and that too 24x7. Once you have these traits you can START to think about being secure, and then you have to spend every second working towards staying secure through people or technology. And after all that, a simple "social engineering" attack directed at a not-so-savvy employee will bring everything crashing down. Now, how's that for pessimism!

Let me take a simpler example – let's say I have one laptop at home and I want to be "secure" (not a whole organization with thousands of employees and computers, but just a single guy with a single computer). I am a security expert and run a tight ship and have the latest patches, AV, malware detectors, firewalls, IDS, least privileged accounts etc., and still I am scared – really scared of what I don't know.
Now indulge me in my "paranoia scenario": Did the computer I bought come preinstalled with a rootkit that will stay alive even after I reformat the drive to mitigate this threat? Should I buy another hard drive and use that instead? What if that drive also has a pre-installed rootkit? Is there a chip in my laptop with a transmitter that has some embedded OS on it that secretly sends all my communications to someone somewhere? Is the government controlling all this – maybe a foreign one or maybe my own? Should I go nuts and disassemble my computer, or build my own chips and assemble my own computer just to be sure?
What if all the above were a really-crazy-unlikely-to-happen scenario? How about this one instead: I could still get a malicious piece of software on my system while surfing "only safe websites" on the Internet. What if that malicious software is unknown to all the AV/malware programs I use, lies undetected, grabs every piece of sensitive information on my laptop and sends it somewhere? This scenario is not farfetched at all – it is probably happening on millions of "botnet owned" computers as I type and has been going on for years.

Now carry this scenario into your enterprise – thousands of "barely" computer (forget security) savvy users, lack of door locks or lax physical security, help desks that reset passwords without verification, rogue wireless access points, thousands of different devices with no concerted security patching, no active log monitoring or a massive deluge of logs with one person handling both security and user admin tasks. The problem just became exponentially massive and seemingly insurmountable.
What if your external defenses were extremely strong and someone gave an employee of yours a USB key at a trade show loaded with malware, they took it into that impenetrable fortress of yours, and then someone else became the king of that fortress? I have seen all these scenarios enacted at large and small corporations.

This is not fantasy, and lulling yourself into a false sense of security by thinking that it won't happen to me or us is the worst approach to tackling this menace.

Again, if you are a very secure enterprise (and PCI-DSS certified!) but have this one tiny little hole in your defense (everyone has one – it may have existed there for years or just got created through a "zero day" vulnerability, a crafty social engineering attack or a simple mistake that any human could make) – how do you expect a PCI certification to imply that you are absolutely and infinitely secure? Making that statement is just flawed.

Hiring a QSA and expecting them to perform miracles for you is just the wrong approach. If you can't fix your own security issues, haven't done so for years and have no plan to do so either, for whatever underlying reason, then trying to get PCI certified for business and PR reasons is also just wrong. Hiring a QSA to place blame on if anything bad happens – well, that has been happening to consultants as long as that profession has existed (nothing new there!).

Another topic that has also come up is the quality of QSAs – I am not going to argue for or against it. Not all QSAs are created equal – just like human beings or an organization's security staff. There are smart people and there are not-so-smart people. There are people who are exceptional, good, OK and bad in every group. Just because someone is a QSA (went to a training and took a test but never touched a computer keyboard! – I am being dramatic here, but you get the drift) does not make them exceptional.

Do your research, ask tough questions (provided you know what to ask and how to interpret the answers) and then make a selection. Don't go for the cheapest one – they are cheap for a reason, and I don't want to repeat the cliché – "You get what you …"

Actually, part of the problem may be "What questions do I ask of the QSA to see if they are any good?" – I will reserve that discussion for a future post.

Again, at this point, I would like to give up and fade silently into the night (or hire a QSA to perform miracles and, if they don't work, pass the blame on) – but I won't, and for the sake of our collective security I hope you don't either.

I am going to anonymize this article, lest someone with an agenda comes after me and makes my "paranoia scenario" come true ;-)