Archive for January 2nd, 2011


What Are The PCI Lessons We Can Learn From The WikiLeaks Debacle?

I know, I know, there has been an overabundance of articles published on what we can learn from the WikiLeaks incident.  However, after reading an interesting article in the Washington Post regarding how the WikiLeaks debacle came about, I thought there were a number of lessons from which merchants and service providers could benefit.  The WikiLeaks documents have been traced back to the Net-Centric Diplomacy database developed by the State Department as a result of the 9/11 terrorist attacks.

Everyone Had Access

Access to the Net-Centric Diplomacy database had become unmanageable.  According to the article, not only was the database accessible to State Department employees, but it was also accessible to a number of other government departments including Defense and Homeland Security.  This project was undertaken as a result of the 9/11 attacks to make information that the State Department was collecting available to a wider audience of analysts.  While the database was only four years old in 2010, State Department officials acknowledged that over half a million people had access to the database all over the government including government contractors.

To add insult to injury, State Department personnel admitted that user management was out of control, particularly outside of the State Department.  You see, the State Department took a distributed security approach for the Net-Centric Diplomacy database and designated persons at other entities to manage their users.  Unfortunately, it appears that there was no oversight of these people, nor was there a requirement for these people to justify why all of their users required access.  This distributed data security approach is very common in the business world.  However, without oversight and periodic review, the distributed approach turns into a free-for-all with almost anyone asking for access being granted access.

Requirement 7 of the PCI DSS is all about access to cardholder data and verifying that those users continue to require access.  The user management situation with the Net-Centric Diplomacy database is why requirement 7 was put into the PCI DSS.  What this situation points out is that if you do not have defined criteria for users that you strictly enforce for access to sensitive data, then you cannot expect to control the data and you can then probably expect to have a breach of that data somewhere down the line.

Users Responsible For Use

This is usually a good thing, but in this case it went horribly wrong.  From an IT perspective, this is exactly what an IT organization wants – user ownership of their application.  However, this is a prime example of how user ownership goes wrong.  In addition to the mismanagement of user access, users were also in control of how the database got used as well as what data went into the database.  Based on my reading of the article, the issues documented are symptoms of a larger problem: it is highly likely that little to no training was provided regarding the Net-Centric Diplomacy database and how it was expected to be used.

This problem is endemic in business as well as government.  Vendors and IT departments leave training up to their end users in the mistaken belief that applications these days are intuitively obvious, that all that needs to be provided is a good Help system, and that the Help system explains “everything” a user needs to know to use the software.  While users typically are responsible for developing the Help system, how many of us have complained that the help topic we are trying to find is not covered?  The problem with this approach is that it is up to the user to familiarize themselves with the software, which no one ever does because the application is intuitively obvious.  If Help systems are so good, why are thousands of books published each year to explain how to use everyday applications like Microsoft Office, Oracle and Lotus Notes?

The first result of this lack of education was that information that did not belong in the database ended up in the database.  The way the input process worked for the database was to code a mnemonic into a diplomatic message that would trigger the routing of the information into the database.  However, no one apparently explained clearly enough what belonged and did not belong in the database.  As a result, everything was coded to go into the database whether it really belonged there or not.  From a PCI perspective, I cannot tell you how many times we run into applications that are being used for purposes that their vendors never anticipated.  As a result, cardholder data ends up in unprotected fields just because someone saw a need to retain it in an application never engineered to accept it.  This is also why scoping by the organization needs to be done, as cardholder data can end up all over.

The second result of this likely lack of education is that users were unaware of their responsibilities regarding the data they were now allowed to access.  Obviously, since the information in the database was leaked, users were not aware of their responsibilities or just did not care.  Worse yet, since there was likely no feedback to users that might be misusing the data, they likely were unaware that what they were doing was not allowed.  In the PCI realm, this is why policies, standards and procedures are so important, as well as making sure that all users are aware of them.  While policies, standards and procedures do not in and of themselves stop a leak, most people do not want to break the rules if they are constantly made aware of them.  It is likely that users of the Net-Centric Diplomacy database were not regularly made aware of their responsibilities like PCI DSS requirement 12.6 requires.

You Need To Go Above And Beyond

Another concern that was identified was that data could be downloaded at will by any user.  While the State Department could limit downloads to thumb drives, it could not control downloads from other agencies.  Based on the article, it appears there was also no limit to the amount of information that could be downloaded.  As a result, whoever downloaded the information from the Net-Centric Diplomacy database could do so without worrying about being quickly discovered.

This is one of the biggest problems with information management today: ensuring that the information within the data store is properly used and remains in the data store.  Thanks to Microsoft, Oracle, IBM and other database vendors, access to databases can be obtained in a multitude of ways, such as ODBC, direct SQL query, and directly from tools such as Microsoft Office.  The bad news is that not all of these methods require authentication, so anonymous access can be obtained.  This is why PCI DSS requirement 7 exists: to make sure that authentication is always required in order to gain access to cardholder data.  However, we constantly run across people in organizations that are doing valuable data analysis, but are using access methods to databases containing cardholder data that do not require authentication.  In a few instances, we have run across organizations that have written access control systems for ODBC to secure their data.

The PCI DSS has a requirement to monitor the access to cardholder data in requirement 10.2.1, but there is no requirement in the PCI DSS that calls out limiting the downloading of data.  This is an area where organizations need to go above and beyond the PCI DSS.  Most database management systems will allow you to limit the amount of data returned by any query.  While this is usually used to control runaway queries, it is also a good security practice as you can then make sure that no users can get a hold of the entire database without having to get special permission.
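To make the row-limit idea concrete, here is an added example (not from the article or any product) that enforces the limit in an application-layer wrapper, standing in for the limit setting your own DBMS provides.  The class names, the `card_tokens` table, the user names and the thresholds are all assumptions made up for illustration; the point it shows is that a per-query cap alone can be paged around, so a cumulative per-user budget is tracked as well.

```python
import sqlite3
from collections import defaultdict
from contextlib import suppress

class RowLimitExceeded(Exception):
    """Raised when a read would exceed the caller's row allowance."""

class CappedReader:
    """Hypothetical wrapper: per-query row cap plus a daily per-user budget."""
    def __init__(self, conn, query_cap, daily_budget, bulk_approved=()):
        self.conn = conn
        self.query_cap, self.daily_budget = query_cap, daily_budget
        self.bulk_approved = set(bulk_approved)  # users with special permission
        self.used = defaultdict(int)             # rows returned per user today
        self.audit = []                          # (user, decision, rows) trail

    def query(self, user, sql, params=()):
        cur = self.conn.execute(sql, params)
        if user in self.bulk_approved:
            rows = cur.fetchall()
        else:
            # Fetch one row past the cap: detects an oversized result cheaply.
            rows = cur.fetchmany(self.query_cap + 1)
            if len(rows) > self.query_cap:
                self._deny(user, "DENY_QUERY_CAP")
            if self.used[user] + len(rows) > self.daily_budget:
                self._deny(user, "DENY_DAILY_BUDGET")
        self.used[user] += len(rows)
        self.audit.append((user, "ALLOW", len(rows)))
        return rows

    def _deny(self, user, reason):
        self.audit.append((user, reason, 0))
        raise RowLimitExceeded(f"{user}: {reason}")

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE card_tokens (id INTEGER PRIMARY KEY, token TEXT)")
    sample = [(f"tok_{i:06d}",) for i in range(500)]  # constructed, not real data
    conn.executemany("INSERT INTO card_tokens (token) VALUES (?)", sample)
    reader = CappedReader(conn, query_cap=100, daily_budget=250,
                          bulk_approved={"dba_export"})
    base = "SELECT id, token FROM card_tokens"
    attempts = [base] + [f"{base} LIMIT 100 OFFSET {o}" for o in (0, 100, 200)]
    decisions = []
    for sql in attempts:  # one full dump, then three "pages" under the cap
        with suppress(RowLimitExceeded):
            reader.query("analyst", sql)
        decisions.append(reader.audit[-1][1])
    return decisions, reader.used["analyst"], len(reader.query("dba_export", base))
```

The audit list is the piece that ties back to requirement 10.2.1: every allowed and denied read is recorded per user, so a run of denials stands out in review.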

I am sure as time goes on, more and more of the details of how the WikiLeaks breach occurred will be revealed.  However, just what has been revealed to date can provide a lot of lessons that we should all take to heart.

