Over the last few years, card brand executives have implied that the PCI standards are the ‘Holy Grail’ and that only by following these standards can cardholder data be protected. To add insult to injury, the House of Representatives’ Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology held hearings on the PCI DSS and its ineffectiveness in stopping terrorism funding. In the end, all of this bluster just added fuel to the fire around security and in particular cardholder data security.
What all of these people have missed is that regardless of whatever security standard you follow, sensitive data, cardholder or otherwise, is always at risk. There will always be a market for private information and there will always be someone willing to take the risk to obtain that information, regardless of the barriers put in their way. If they want you, they will get you.
Do you not believe this to be true? Over a week ago, it was announced that HBGary Federal, an obscure subsidiary of Internet security firm HBGary, was attacked by “Anonymous” and their internal emails and other documents were posted on the Internet. To add insult to injury, Twitter and LinkedIn accounts were also compromised and postings were made under those compromised accounts. But the most embarrassing thing about this was that the documents posted showed that HBGary Federal is in the business of corporate espionage and discrediting corporate rivals.
What the HBGary incident highlights is how different a dedicated attacker is from your everyday, annoying attacker. Dedicated attackers are hunters. They research their prey, conducting detailed reconnaissance of their target. They know about the defenses of their target and they develop plans to defeat those defenses or at least keep them at bay. These are people skilled in their craft. These are people that take a job as part of the night cleaning staff at the building where their prey is located. They use this as an opportunity to scope out their quarry and determine where the weaknesses are located. If they need other expertise, they will go and acquire that expertise either through training or by teaming with someone that has that expertise. In the end, if they want you, they will get you.
And that is where the ‘Holy Grail’ status falls apart. Security relies on human beings either to configure, manage or monitor the process. Unfortunately, humans make mistakes, either deliberately or accidentally. It is those mistakes that, more times than not, create the problems that result in breaches. Decisions are made to shortcut a process to save time. Alerts or warning messages are ignored because they are always generated. Commands are mis-keyed, resulting in an unforeseen configuration change that opens a hole. Whatever it is, mistakes occur and sometimes organizations pay the price.
The late David Taylor at PCI Knowledge Base was quoted as saying, “It’s easy to find somebody to be in noncompliance if that is the primary goal.” What Mr. Taylor is pointing out is that ‘witch-hunts’ are always successful given enough resources. No matter how well you think your organization is run, there are always enough ‘rocks’ that can be turned over to reveal a less compliant side of the organization. Forensic examinations are looking at the underside of all of those ‘rocks’ to determine which ones resulted in the breach.
Unfortunately, for most organizations, the forensic process becomes a witch-hunt because the media and public demand it. Why? Because thanks to the card brands and the PCI SSC holding out the PCI DSS as the ‘Holy Grail’, the public’s expectation is that a breach should never happen. That is not the message that should be delivered.
What the card brands need to do is explain to the public the actual realities of the PCI standards. Particularly the fact that even if the PCI standards are followed, breaches are still going to occur. Now those breaches that occur should be much smaller and less costly, but they are still going to occur. That is the stark reality of security because, as I know some of you are tired of hearing, security is not perfect.
UPDATE: After the comments I have received, I want to clarify this point. I am not suggesting that security is a worthless endeavor because it is not and cannot be made perfect. Security is a necessary activity that all organizations need to participate in at some level. What people need to realize is that security is not perfect, it will stop the great majority of incidents if properly implemented and managed, but it will not stop everything. The problem is that there are sales and marketing types, as well as security “experts” that imply that their solutions or ideas will result in a “perfect” solution. It is these things that concern me because the unknowing believe that they are absolutely protected and then are dumbfounded when an incident occurs and then blame the security industry for misleading them.