Archive for August, 2009

State breach notification law list

August 28th, 2009 No comments

Do you read the Privacy Law Blog?  Well, if you care about any details behind the 45 different state breach notification laws then you need to check it out.  I’m adding this blog to my RSS feed because it provides detailed analysis of changes to these laws.

One of the most important things I found was “the list” of links to all 45 state breach notification laws!  It’s very impressive.


The rise of Payment-card Skimming and Prevention

August 28th, 2009 No comments

The recent rise in payment-card (credit card) skimming has prompted a number of press releases notifying the general public about the risks and how to avoid becoming a victim.

The PCI SSC released an information supplement titled Skimming Prevention: Best Practices for Merchants.  In addition, Commonwealth Bank released a slideshow on the same topic.

Although this is nothing new, it is on the rise and thus we should be more aware than ever.  If you have a few hours to spare, check out the YouTube videos on:


Competence vs Experience

August 28th, 2009 No comments

What is the difference between competence and experience within regulatory compliance?  Although these two terms are used synonymously, the difference is that between potential and actual ability.  Competence is a general characteristic, while experience implies a deep understanding.  The difference between these two terms defines the conversation one will have about any topic.

(In German there are two different verbs for “to know”: kennen and wissen.  In German, kennen means “to know, be familiar with” and wissen means “to know a fact, know when/how.”  I feel this definition applies transitively to the English words: competence and experience.)

Competence

Many people have competence in an industry that they obtain from reading about it in various sources: newspapers, blogs, conversations, and other anecdotal evidence, plus whatever their own mind supplies.  This information is more conjecture than fact.  I call these people analysts.

These individuals will converse about regulatory compliance the way that I converse about the global economy.  Sure, I can talk about credit default swaps, the netting effect of them, the IMF, and trade deficits around the world, but I know better than to try running the Federal Reserve.

Experience

Those who have actual experience in a subject tend to talk about it in concrete terms and use statistics to back up their facts.  They discuss concepts and can apply actual evidence to support them.  They know enough about a topic to dive deep into the details instead of staying with surface level conversations.

An experienced individual has researched, installed/implemented, and taught a topic for a prolonged period of time.  These individuals have a deep understanding of the topic as well as the different exceptions and nuances to it.

The Problem with Experience

I’ve always said, “Those who know cannot always speak, and those who do rarely know the details, wherein lies the devil of truth.”  Do you work in an industry where you cannot divulge everything you know?

Say you are a police officer who understands how crime is committed and where the most dangerous parts of the city are.  You know this because you’ve walked the streets, experienced the crimes, interviewed the criminals, and participated in several criminal raids.  Compare that level of experience with someone who reads the published crime statistics or the front page of a newspaper.  That’s experience vs competence.

The problem is that the police officer cannot always divulge details of what they know.  One of the things I’ve learned about any topic or organization is that the more you know, the more you realize how much you have yet to learn.

How we get our news

Combine this surface level awareness of a topic with the way in which news is currently reported.  I had lunch the other day with a reporter who told me that he published 2-3 stories a day, and many of his colleagues publish 5-7 stories a day.

Wow!  I asked how he is able to research, verify facts, identify sources, and really get to the heart of the story.  “We don’t,” he said, “many times we look at other publications such as the Financial Times or Associated Press and write a story based on that information.”  And this is how we get our news.

I once debated for several months about regulatory compliance with a well known and respected analyst.  After sitting down and discussing the topic in person for an hour he said to me, “thanks, I didn’t know that [about the topic].  Most of my information came from [another analyst].”

(That being said, there are many well respected reporters and analysts who do research every story and who do have credible conversations with experienced sources.  Sadly, there are not enough of these out there.)

Where is the Truth?

I’m sometimes shocked how hard it is for truth to swim upstream against the flow of misinformation.  The recent iPhone SMS vulnerability was publicly disclosed at a conference a few months back.  Unfortunately the reporter covering the story misquoted the researchers (Collin Mulliner and Charlie Miller) saying that the vulnerability could be used to take control of the iPhone.  This story was published and syndicated, covered again and again.  The reality is that the researchers could only crash the phone and not actually use the exploit to control the iPhone.

Many times we need to read deeper, talk to the individuals, discuss the topic with others until we find the truth.  Why?

Polarity

The incentive for any writer/speaker is always page views and eyeball imprints.  How does one get people to read their content?  Polarize the issue!  I cannot tell you the number of articles I’ve read that start out with outlandish claims, only to have the writer interviewed later and then caveat their message.

Making grandiose claims, especially those that challenge the current hegemony and support an orthogonal ideology, will in fact get people to read your stuff.  Claiming that the world is ending will make people ask why.  Trying to explain the difference between nuances of a topic can put people to sleep.

Conclusion

I wish that those with competence would reach out to those with experience to better their argument.  I wish that reporters and especially analysts would stop talking to each other and start looking at the data and interviewing those who have experience.

I also wish that those with experience could disclose more of what they know.  The tides are changing and more data is being released, but what the analysts will do with this data is still unknown.


Capability and Maturity Model Creation in Information Security

August 25th, 2009 No comments

Please read my guest blog post over at IT Knowledge Exchange.  It covers the topic of: Capability and Maturity Model Creation in Information Security.

The post references the following capability and maturity model (CMM) resources:

Also, Katie Moussouris reminded me of the Microsoft SDL Optimization Model.


Volunteers want members not dollars

August 23rd, 2009 2 comments

Have you ever walked down the street and looked up to see young 20-somethings wearing the same blue or green or logo-ed t-shirt on each of the four street corners, holding clipboards and asking you to donate money to save the underprivileged peoples/animals of somewhere?  Yeah, they smile and time their sidewalk elevator pitch just right so they can finish the last word as you maneuver around them.

I really hate the idea that just because someone is trying to save the pandas or the water supply, I should give my credit card number, expiration date, name, and zip code to a complete stranger.  If the people are legitimate members of the organization they claim to be, then the transaction is relatively safe.  But if some teenager looking to swipe a few credit card numbers decides to sport a wilderness t-shirt and a clipboard — well, it turns into a 419 scammer’s wet dream.

I sometimes want to tell these people to go get a job and donate the money they make from that job to their cause of choice.  I don’t know anyone who gives their credit card number out on the street and so employing these volunteers in actual paying jobs seems to have a higher ROI than them standing there giving me the guilt trip.

I held that view until I realized that they are not looking for money as much as they are looking for members.  And not just any member, but one that cares enough for their cause to give their credit card out on the street to someone they do not know.  These are your core, life-long supporting members, folks!  These are members who will not just donate the $25 there on the spot, but will probably donate to the cause for the rest of their life – and at higher monetary levels.

Since it’s the connection they want, not so much your money, I think they should be asking for your name and address instead of just money.  They want members they can send targeted requests to for the rest of their lives.  If they asked for monetary donations and contact information it would be even better.  Strangely, I’ve never spoken to one of these volunteers who wanted anything other than my credit card.  They should at least take my name and number so they can have a point of contact.

If what they want is a touch point then why not collect contact information as well as credit card numbers?


When are data breaches just outliers?

August 19th, 2009 6 comments

Recently the large story to hit the news, the thing people are all reading and writing about, is the story about how 1 guy (and 2-5 accomplices) were able to steal 130 million payment-cards in over three years, and finally got caught.  The question is, what if Albert “Segvec” Gonzalez (aka. Cumbajohnny) is an outlier?  A statistical anomaly.

Facts of the Case

Rich Mogull has a good overview of the indictment; Wired magazine, the Washington Post (Brian Krebs), and the Wall Street Journal all have coverage.  Rich has an interesting comment that:

In the “drama” category, we learn that the main perpetrator is the same person who hacked TJX (and multiple other retailers), and was the Secret Service informant who helped bring down the Shadowcrew.

This indictment covers breaches of Heartland, Hannaford, 7-Eleven, and two “major retailers” breached in 2007 and early 2008.

This is the same Albert Gonzalez who was indicted last year for breaches of TJ Maxx, Barnes & Noble, BJ’s Wholesale Club, Boston Market, DSW, Forever 21, Office Max, and Sports Authority.

The attacks both sniffed traffic and attempted to identify stored card numbers. They targeted data at rest and in motion.

The Wired article adds:

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies.

Using a SQL-injection attack, the hackers allegedly broke into the 7-Eleven network in August 2007, resulting in the theft of an undetermined amount of card data. They allegedly used the same kind of attack to infiltrate Hannaford Brothers in November 2007, which resulted in 4.2 million stolen debit and credit card numbers; and into Heartland on Dec. 26, 2007. Of the two unnamed national retailers mentioned in the affidavit, one was breached on Oct. 23, 2007, and the other sometime around January 2008.

Gonzalez was a Secret Service informant who once went by the nickname “Cumbajohnny.” He was a top administrator on a carding site called Shadowcrew when he was arrested in 2003.

Gonzalez called his credit card theft ring “Operation Get Rich or Die Tryin.” As Wired.com previously reported, he spent $75,000 on a birthday party for himself and once complained to associates that he had to manually count $340,000 in stolen $20 bills after his counting machine broke.

Stephen Watt, a 25-year-old programmer who was working for Morgan Stanley, created a sniffing program dubbed “blabla” that Gonzalez’s gang used to allegedly siphon credit and debit card numbers from TJX and other companies and is facing sentencing this month.

The Wall Street Journal adds:

The Treasury Department recently reported that of the more than 55,000 incidents of wire fraud since 1998, more than half of them occurred in the past two years.

For the techie in each of you, I’d recommend Rich’s summary of the Visa/FBI/USSS data breach report in February 2009.

Allegations

From all accounts it appears that many of the major payment-card data breaches in the last three years can be attributed to a small handful of people, and perhaps one ringleader. Could this be a normal attack pattern, or were these individuals outliers?  If they were the crest of an even bigger wave of attacks, it does not bode well for corporate America, but if they are statistical anomalies then what would the world look like if we ignored them when measuring the success of the PCI program?

In 2003, Gonzalez, a carder in his own right, was arrested by the Secret Service and turned into a mole to allow them inside of CardersMarket, one of the largest carding rings in the world.  Though Gonzalez was outed at the time by Dave Thomas (aka. Ethics or El Mariachi), many people did not listen to his rants at TheGrifters.net.  Allegedly, Dave Thomas was at the time an informant for the FBI on the same operation.  Later that year, Gonzalez would replace Kim Taylor (aka. MacGyver) as the board manager.

In March 2004, Gonzalez expanded his domain by replacing Dmitry Golubov (aka Script) as board manager for CardersPlanet.

In 2008, Albert “Segvec” Gonzalez, Christopher Scott and Damon Patrick Toey were indicted and accused of hacking into TJX Companies and thus exposing 40 million payment-cards.  This 2008 indictment named Aleksandr Suvorov (aka JonnyHell) of Estonia and Maksym Yastremskiy of Ukraine.  Could these be the two “Russian” conspirators that are mentioned in the current indictment of Gonzalez?

But Gonzalez would not have gotten very far had it not been for his friendship with Stephen Watt.  Mr. Watt, a 7 foot tall, 25-year-old programmer, wrote the packet sniffer “blabla” for Gonzalez to capture transactions as they traversed the corporate networks.  Interestingly enough, Watt “graduated from high school at 16 with a 4.37 grade point average and from college at 19”, but had a bug in the software that caused it to deactivate each time the POS was rebooted.

Outliers

Again, I begin to wonder what the world would be like if these personalities had not met or operated in unison.  What would the payment-card world be like without Gonzalez?  It may be a stretch to speculate that this one individual and his actions equate to outlier status.  By this measure military dictators and oppressive regimes could also be named outliers even though their effect is quite impactful.

What we are really measuring here is the difference between potential energy and kinetic energy and the catalyst that converts one to the other.  We can assume that there are vulnerabilities in every system, and the greater their number, the higher the potential energy.  The catalyst, in this case Gonzalez, plays the role of converting that potential energy (vulnerabilities) into kinetic energy (stolen cards and then cash.)  Without the catalyst the measured state would stay the same and as such represent a seemingly stable statistic.

We can ignore this alleged stability in the system by stating that all vulnerabilities have the potential of being converted into cash, but until they are such statements are meaningless (outside of theory modeling.)  To this point we measure vulnerabilities not by their size in population but by how frequently they are exploited.  Without a catalyst to convert the vulnerabilities they contain little value from a metrics perspective of data compromises.

Statistics

According to DataLossDB.org the number of payment-card numbers lost between 2007-2009 equates to the following:

2007: 111,957,179 records

2008: 13,439,242 records

2009: 130,965,494 records (to date)

The total number of records for (almost) three years’ time = 256,361,915 records.  So, let’s see what these numbers look like if we remove Gonzalez from the picture.  That’s right, let’s throw out the catalyst for the outliers and see what the world of data breaches looks like for the Payment Card Industry.

If we count up the number of records lost due to Gonzalez between 2007-2009 we have the following respectively: 94,000,000 (2007), 4,303,930 (2008), and 130,000,000 (2009).  The revised data for those three years would look as follows:

2007: 17,957,179 records (down 84%)

2008: 9,135,312 records (down 32%)

2009: 965,494 records (down 99%)

Analysis

What can we learn from this data?  Well, one can speculate that in the absence of outliers like Gonzalez, the overall volume of credit card fraud is dropping.  In fact, without him we would be coasting through 2009 with very few payment-card related data breaches at all!  I won’t make the mistake you anticipate and confuse correlation with causation.

One could also conclude that payment-card related fraud does not follow a normal Gaussian distribution.  In fact, it appears that payment-card related theft and fraud is statistically closer related to the probability distribution of terrorism than traditional crime statistics.

Taking a business perspective, one still needs to be on the lookout for attackers and carders who wish to target your business in an effort to “get rich or die tryin”.  Wherever there is financial or payment-card data there will be those who wish to plunder and capitalize on it.  One thing we must remember is that underground carding is a business model, albeit an illegal one.


Personal Responsibility in PCI

August 16th, 2009 No comments

This week’s personal responsibility award goes to Rich Mogull for his excellent point-for-point response to Heartland CEO Robert Carr’s blame-it-on-the-QSA interview with CIO Magazine.  (If you need a summary, read Michael Farnum’s notes at Computerworld.)

I fully support Bob Carr, who in 2007 was given the E&Y Entrepreneur of the Year award.  I think he is an innovator who took the unfortunate data breach and used it as a chance to evangelize for not just stricter but smarter data security controls.  I was happy to read about his implementation of end-to-end encryption in an effort to further thwart the carders.

What I don’t support is when people blame others for their problems.  A good leader knows to take responsibility for the actions of those they manage.  I find it disappointing that such a leader would bow to the blame-game and not just say, ‘Hey, we had a problem, we are fixing it, let’s move on.’

Perhaps it is something he must say legally, or perhaps he will never trust an external auditor again (financial or technical), but I must make the same point that Rich does.

As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.

Rich furthers this point by saying:

The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn’t even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI.

If we look at the 10 Fallacies of PCI and read the 10 Myths of PCI [PDF] directly from the PCI SSC, you can see Myth #4 says, “PCI will make us secure”.  I’m not sure how much clearer one can say it.

Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

I am not saying the QSA did or did not do their job.  I do not know the facts surrounding the case and thus cannot speculate.  What I do know is that, either way, the QSA obtained their information from the corporate IT professionals.  In fact a major validation step is that of interviewing internal staff.  It is through these interviews and inspection of various devices and configurations that the QSA determines the scope of the assessment and the security of an organization.

In fact the Verizon DBIR report noted situations where a company may have security controls in place but does not monitor them over time.  The QSA examines the settings and processes of an organization at a point in time, but is not there every day to ensure these processes are performed.

The apparent ineffectiveness of event monitoring and log analysis continues to be somewhat of an enigma. The opportunity for detection is there; investigators noted that 66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources. Though lower than in previous years (it was 82 percent from 2004 to 2007), this finding still suggests that realized effectiveness remains much lower than potential effectiveness.

Rich points out a very important part of personal responsibility.

It is unfortunate that your assessors were not up to date on the latest electronic attacks, which have been fairly well covered in the press. It is even more unfortunate that your internal security team was also unaware of these potential issues, or failed to communicate them to you (or you chose to ignore their advice).

Regardless of where the blame falls in this situation, it’s the responsibility of a leader to say ‘mea culpa’ and move on.  I think Bob made excellent use of the media attention to drive technology in the right direction to stem the spread of payment-card data compromise.  I hope he is remembered for his leadership and not his blame of others.

Categories: PCI

Why chaordic development frameworks will dominate the industry

August 15th, 2009 No comments

In conversations with people I often find myself tangenting from the topic of security to that of organizational structure.  I am not referring to the hierarchical structure that exists in many businesses, but instead something closer to the chaordic structure that Dee Hock had in mind when he formed VISA.

When I start the conversation about organizational structure, it has to start by tearing down the traditional frameworks and models that exist in people’s heads.  Most people think that organization works best in a top-down system where everyone knows their role and responsibility, but as Dee Hock mentioned in an interview, this is not how organisms exist, evolve, and more importantly survive!

Do we really think that maximum output originates from top-down commands vs organic collaboration?  You see, everything in life is about trade-offs and this is one such case.  In a top-down social structure we tend to get very predictable and specific, yet limited, results.  For many people who like to measure progress this is an easy metric to put in place.  The problem with this structure is the death rate of the organism, something companies call employee turnover.  The death rate, or turnover, in companies is sometimes higher than it needs to be because people often feel stifled by their inability to effect change within the organization.

Imagine if you needed to issue a command every time you wanted your heart to beat.  Of course, such an organism would not last long: the moment it forgot, or fell asleep, it would stop breathing.  Instead, we look to a more organic collaboration that works much like the autonomic nervous system.  With this system, the body has created a framework for the individual components and organs that make up the body to participate in a much greater process.  There is a very small barrier to entry for these organs to participate, and each contributes only a small amount, but the result is the greater gestalt of one’s health.

In an organic organizational structure we tend to get more networked and integrated communication and collaboration. The down side of this is that the output of this group is not as easily measured and not nearly as predictable.  The organic structure requires one to stop thinking in terms of processes and start thinking in terms of frameworks.

A process is a documented, repeatable series of events.  A process is something that can be tasked out and completed in a measured amount of time.  On the other hand, a framework works as an incubation unit for ideas.  It provides the home, resources, and food for ideas to grow and evolve, as well as a space for individuals to collaborate.  A framework has the potential for generating much higher output than any one process, but achieving this requires a change in the way we foster and grow organizations.  The required change is that companies stop thinking about growing organizational charts and start growing individuals.  The shift implies a movement away from the Procrustean box and towards embracing the social collaboration ether around us.

What really is a framework?

A framework is a platform that enables content creation and collaboration.  Wikipedia, YouTube, and CraigsList never made it big because a few people decided to, on their own, write an encyclopedia, create videos, or post ads.  Instead these websites became popular because they created a framework for a Do-It-Yourself culture to create the content for them.

Traditional companies such as GE, Microsoft, and Ford Motor Company have a hard time embracing the social collaborative framework because the Procrustean boxes already exist.  The question of who “owns” this new “product” begins to emerge.  Does it belong to research and development, marketing, external communications, or sales?

The answer is that a framework belongs to the company and should be a tool that each of these departments utilizes and leverages to the extent they want.  Unfortunately, many times chaordic collaboration falls into the hands of only one of these groups and we see the marketing department creating a social game to promote the brand while the research and development team struggle to create a new product the company can sell. This is the medical equivalent of the digestive system deciding that it controls the autonomic nervous system and hijacking it for a very narrow purpose.

An effective framework should lower the barrier to entry for people to participate, share, and collaborate on information in projects, while keeping the information organized enough to be useful.  These are busy times and we are busy people who don’t want to spend our free time writing an encyclopedia, but we are willing to contribute and correct entries that are of interest to us.

To really view what chaordic development can do by reducing the barrier to participation and opening up the framework of knowledge development, we have the following statistic:

At a rate of 600 words a minute, twenty-four hours a day, a person could read nearly 27,000,000 words in a month. In the month of July 2006, Wikipedia grew by over 30,000,000 words. Given this, it is unlikely for any single reader to read all of Wikipedia’s new content. Reading the current incarnation at that rate would take over two years, and by the time they were done, so much would have changed with the parts they had already read that they would have to start over.

How this impacts every area of your business

What does this mean for my company?  The net-net is that companies need to stop thinking about creating white-papers, marketing materials, and position statements that result in highly polished cannon fodder that nobody ever reads.  Having glossies/slicks in front of your convention booth is par for the course but an entirely necessary evil.  The absence of them implies you have no information, but never have I heard someone say they do anything but throw this material away.

Even if the white-paper you write is highly polished and read by a few people, how much content can you individually create?  Using the Wikipedia statistic above, imagine if you could write 600 words a minute (an impossible feat as that is 10 words a second) for 24 hours a day, 365 days a year.  Now imagine that those words you are typing never require editing and are well written (another nearly impossible feat.)  Even then you could not create the content, with the expertise and attention to detail that happens in Wikipedia.

Every minute members of YouTube upload over 13 hours of video.  It would take well over 400 years to view every YouTube video clip.  Even if the majority of that content is nothing but mental fodder, those videos that go viral empower the marketing that drives value in the site.  In addition, YouTube has capitalized on the long-tail approach towards market ownership by building a framework that all segments of the video creation spectrum can participate in.

The next time you decide to create a process, ask yourself if a framework would be a better fit.

Categories: Chaordic Thought

PCI DSS v1.2.1 – No PAN, No Cardholder Data

August 12th, 2009 5 comments

The PCI SSC quietly released version 1.2.1 (July 2009) with some very minor wording changes.  The following is the list of those minor changes (date | version | change):

  • Oct. 2008 | v1.2 | To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2.
  • July 2009 | v1.2.1 | Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2.
  • July 2009 | v1.2.1 | Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b.
  • July 2009 | v1.2.1 | Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b.
  • July 2009 | v1.2.1 | For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.”

So, pray tell, what is the sentence that was incorrectly deleted?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

This is a rather minor clarification.  Many people read the cardholder data matrix and think that all elements including the name and expiration date are considered cardholder data (CHD).  With this update from the PCI SSC we are reminded that these are only considered CHD if they are stored with the PAN.

Translation?  No PAN, no cardholder data!
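As an added illustration of that scoping rule (example code written for this post, not anything published by the PCI SSC), the classifier below treats a stored record as in scope only when it holds a PAN, and counts name, expiration date and service code as cardholder data only when they sit alongside one.  The field names, the Luhn check used to tell a PAN from some other long number, and the sample records are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Cardholder-data matrix elements that are CHD only when stored with the PAN
# (the restored v1.2.1 sentence: no PAN, no cardholder data).  Field names
# are assumed for this example.
CHD_WITH_PAN = ("cardholder_name", "expiration_date", "service_code")

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid 13-19 digit numbers found in one field value."""
    pans = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):              # drops order ids and similar long numbers
            pans.append(digits)
    return pans


def pci_scope(record: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a stored record brings PCI DSS into play.

    Returns the PANs found, which PAN-dependent elements count as CHD,
    and a one-line reason mirroring the v1.2.1 wording.
    """
    pans: List[str] = []
    for value in record.values():
        pans.extend(find_pans(str(value)))
    if not pans:
        return {"in_scope": False, "pans": [], "chd_elements": [],
                "reason": "no PAN stored, processed or transmitted; PCI DSS does not apply"}
    chd = [name for name in CHD_WITH_PAN if name in record]
    return {"in_scope": True, "pans": pans, "chd_elements": chd,
            "reason": "PAN present; PCI DSS applies and these elements are CHD"}


if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a well-known test number.
    samples = [
        {"cardholder_name": "J. Doe", "expiration_date": "12/11"},
        {"pan": "4111-1111-1111-1111", "cardholder_name": "J. Doe",
         "expiration_date": "12/11"},
        {"order_id": "1234567890123456", "cardholder_name": "J. Doe"},
    ]
    for rec in samples:
        print(pci_scope(rec))
```

The third sample shows why the Luhn check matters: a 16-digit order id alone must not pull a record into scope.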

This leaves us with only one remaining question…

Now that we are completing the In Place / Not In Place areas for requirement 6.5.b, what are the necessary validation steps?  Perhaps documentation review, observation of process/action/state, and staff interviews.


Personal Responsibility in Information Security

August 9th, 2009 5 comments

Recently, Nick Selby posted on FudSec his article Showing the Oblomovs the Door.  For those who care, an Oblomov is a lazy or apathetic person, and Oblomovism the corresponding outlook.  The blog post claims that information security professionals are “well-trained, well-intentioned” but “reduced [to] a series of relentless box-ticking” due to being “saddled with compliance management.”

The blog post further claims:

The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of CEO responsibility to shareholders. In addition to firing your ass, this should also be a floggable offense.

I agree that one should use compliance as a guideline but manage it with respect to the business process.  I disagree with the fiduciary statement on the grounds that one cannot claim a breach of fiduciary duty on the strength of a sparse case study and sweeping generalizations.  The writer says this to lend grandeur to his claim.

The important part of this statement is that the focus is on the individual company and its own responsibility.  Remember, if you ever want to get something done, don’t pass the buck.

The author, frustrated with the current implementation of compliance, states, “I stomped away from trying to influence security as an analyst because compliance … has managed to suck every ounce of oxygen from the room that is the security industry.”

Let’s just remember that history has shown that in the absence of legislation there is a downward spiral of corporate responsibility towards the protection of customer/consumer information and the well-being of others. To support this I point to the moments of punctuated equilibrium that led to things such as the Food and Drug Administration (FDA), the Securities and Exchange Commission (SEC), marginally improved ecological laws in China, and the current global financial crisis, to name a few.

Let’s also take a moment to remember that regulatory compliance has been raising the bar of information security since 1999, starting with GLBA, then with HIPAA and SOX, and finally with PCI DSS.  Is it because PCI DSS impacts nearly all business verticals on a global basis that it receives the most abuse from those who feel burned out?

Might I remind you that without such efforts the number of data breaches would be higher, much higher, than we see now because people find it easier to blame someone or something else rather than take personal responsibility for their own work.  The Information Security Management Handbook, by Tipton and Krause, has a section on diffusion of responsibility.

People behave differently based on the perception of being part of a group as opposed to being an individual.  It has been commonly observed that people tend to work less in a group than as individuals when only group output is measured.  People, in addition, tend to feel less responsibility in a group than as a single individual.  The bigger the group, the lower the felt sense of responsibility. Social scientists call this diffusion of responsibility and the phenomenon is commonly observed across all cultures.

I believe that instead of blaming others, we as information security professionals need to become agents of change, starting with ourselves and our current environment and expanding outwards.

The blog then claims:

At this writing it’s unclear whether Black Hat and DefCon demonstrations will include the PCI-compliant account skimmers we’ve heard of, but the fact that they’re out there stands testament to the Pyrrhic victory that is the PCI Data Security Standard.

Please remember, the PCI DSS is meant to protect against the electronic and paper theft of payment card data.  It is not meant in any way to prevent payment card skimming. If you wish to raise the issue of skimming, the correct approach is to make the case for a more secure payment card.  That of course raises the larger question of proper capital allocation and the conundrum of offline transactions and backwards compatibility.

I agree, sadly, with the blog post when it says, “PCI is not the minimum standard, it’s the maximum effort that many organizations make.” The question I have is, based on historical precedent (see above): are we better off with or without a carrot-and-stick approach? What impact has HIPAA had on the security of health care records vs PCI on the payment card industry?  In which area do we see more movement?

Certainly, movement does not always imply movement in the correct direction, but I would claim that basic items such as PCI DSS Requirement 3.2, which tells merchants and service providers not to store sensitive authentication data (full track contents, card verification codes and values, PINs and PIN blocks) after authorization, have done wonders for the security of our payment card data.  How better to secure the data than to remove it in the first place?  We are seeing trends in this direction more and more in this industry and others.
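As an added example, not code from the original post or from the PCI SSC, here is what Requirement 3.2 looks like in practice for a record that has just been authorized: the sensitive authentication data fields are dropped, the PAN is truncated to first six and last four (one of the Requirement 3.4 options), and a Luhn-based scan confirms that nothing in the stored copy still carries a full PAN, which is also the “no PAN, no cardholder data” rule from the v1.2.1 errata discussed above. The record layout, the field names and the 4111… test number are constructed assumptions of this example, not any processor’s format.

```python
"""Added example (not from the original post): scrubbing a payment
authorization record before it is stored.

Mirrors PCI DSS v1.2 Requirement 3.2 (do not store sensitive authentication
data after authorization) and the truncation option of Requirement 3.4
(render stored PAN unreadable).  The record layout, field names and sample
values are constructed for illustration, not any processor's format.
"""
import re

# Sensitive authentication data (SAD) per PCI DSS 3.2: full track contents,
# card verification code/value, PIN or PIN block.  These field names are an
# assumption of this example.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "pin_block"})

# Constructed sample authorization record using the 4111... test PAN.
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "2512",
    "name": "J SAMPLE",
    "cvv2": "123",
    "track2": "4111111111111111=2512101",
    "amount": "19.99",
    "auth_code": "054321",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_post_auth(record: dict) -> dict:
    """Return the copy of an authorization record that may be persisted:
    every SAD field dropped, the PAN truncated, everything else kept."""
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    stored["pan"] = truncate_pan(record["pan"])
    return stored


# 13 to 19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Heuristic scan for full PANs in free text: digit runs of card length
    that pass Luhn.  Runs that sit directly next to other digits can be
    missed, so a real DLP scanner needs more than this."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def in_pci_scope(record: dict) -> bool:
    """The 'no PAN, no cardholder data' rule: a record holds CHD only if a
    full PAN is present somewhere in it.  Fields are joined with a
    separator that the PAN pattern cannot cross."""
    return bool(find_pans(" | ".join(str(v) for v in record.values())))


if __name__ == "__main__":
    stored = scrub_post_auth(SAMPLE_AUTH)
    print("raw record in scope:   ", in_pci_scope(SAMPLE_AUTH))   # True
    print("stored record in scope:", in_pci_scope(stored))        # False
    print(stored)
```

Truncation is deliberately irreversible, unlike encryption or tokenization, which is exactly why the “remove it in the first place” approach above is the strongest of the 3.4 options: a breach of the stored records yields nothing that can be replayed. The name and expiry survive in the stored copy, which is fine under the v1.2.1 wording because they are only cardholder data when kept alongside a full PAN.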

But isn’t it better to have a minimum standard than none?  What if the minimum was for companies to do nothing?

Jeremiah Grossman stated, “nothing did more to build webappsec awareness than pci-dss. Now we need something to improve webappsec security.” I could not agree more, but let’s please remember that without awareness of a problem you cannot bring clarity or correction. People love to lambaste and transfer responsibility to others, all the while stomping away from personal responsibility.

If your company or those around you fail to see the forest for the trees of ‘industry best practices’, then I wonder whether they are fit to run the information security department.  Those who complain that ‘compliance’ is the problem are transferring responsibility to industry standards instead of working to secure their own infrastructure.

Do such standards need correction and evolution to mirror the evolving threat of attackers and the continued evolution of information security practices and technology?  Certainly!  I support Mr. Selby in his goal to drive higher standards and move towards risk management, but let’s do so by taking individual responsibility for our own management of risk.

Mr. Selby claims, “all this compliance stuff is preventing us from addressing risk and performing, you know, security.” Why?  Did someone tell you that you cannot secure your data? Did someone tell you that, using the proper risk management practices you claim work so well, you cannot pass the “minimum standard”?  I support you in questioning and ferreting out anyone who makes such statements.  For the rest of the unwashed masses, we need standards.

Mr. Selby ends his rant with a statement everyone should agree with, “Compliance – the state of being – is achieved as a by-product of well-managed risk, not through a relentless ticking of boxes”, which is then followed by high-level statements of positive thinking.  The problem is that we need some tactical examples and guidelines to match the ever more vague strategic statements.  GLBA says to safeguard customer information, but how?  Left to their own devices, most companies will choose the cheapest possible way to implement the optics of compliance.

I argue that the PCI DSS gives concrete statements of how to secure an infrastructure, while allowing the flexibility one needs to adjust for business and risk management (e.g., compensating controls, and the wireless and end-to-end encryption guidelines).

The problem lies not with our industry “best practices” but with the diffusion of responsibility that happens throughout every company.  Let’s reference back to that Information Security Management Handbook article:

The effects of de-individualization and individualization are real and play a role in how users perceive their role in an information security awareness program.  In the credit card processing call center example, de-individualization can encourage theft, carelessness, and loss of productivity.

I’d like to stop the blame game and see everyone start at home, transforming their company and being neighborly enough to share the information and results with others.  Revolution has often come from emerging evolution of ideas and conversations. I commend Mr. Selby for the conversation, but wish it involved a greater focus on personal responsibility.

Take responsibility for your own security, risk management, and data protection. Start today.
