Bashas’ became the most recent example of a merchant claiming to be PCI compliant yet ending up breached. A lot of naysayers I am sure are running around pointing to the PCI standards and say, “See, they are worthless.” But the larger question most of you have is, “How can an organization be breached if it is PCI compliant?”
The first piece of the answer is security is not perfect. Security controls have never, ever totally stopped an incident from happening. If they were perfect, banks would no longer be robbed. However, due to the security controls that have been implemented, the success of those robberies has dropped significantly. This is the fact that the PCI SSC and the card brands seem to miss. That while their standard is a good starting point, there is much more that has to be done to ensure a reasonable level of security. And even then, an organization is never 100% secure.
The second part of the answer is that even if an organization is 100% compliant with the PCI DSS, there are still numerous ways to get around the controls and breach data as the Bashas’ breach may eventually point out. Let us assume for this discussion that Bashas’ statement that they were PCI DSS compliant is accurate. Then how could they have been breached?
The first clue is the statement that they discovered malware that went undetected for some period of time. Any organization that believes that their anti-virus/anti-malware solution will address this issue is seriously lying to themselves. AV is good, but it is also not perfect. If the AV vendors have never seen the malware you picked up, then they have no signature to match it to, so they will likely not flag it. This is the first indication that this attack was done by a professional. The malware was not immediately detected which means the attacker likely developed it themselves from a variety of sources.
But how did the malware get on Bashas’ network? The answer is social engineering and probably a spear phishing attack. The attacker likely used PasteBin or similar Web sites, got some Bashas’ email addresses and used those to deliver the malware. Someone unfortunately clicked on a link, opened an attachment or any other number of infection methods and the deed was done. This is why security awareness training is so important. Not that it stops these sorts of attacks, but it significantly reduces the likelihood that they are successful. However, with the malware in place, now all it took was time to find the data.
But would not Bashas’ have noticed someone probing their network? That depends on a number of factors, but based on the fact that they became aware of the malware, something eventually triggered an incident. Unlike the security firm you hire to do vulnerability scanning and penetration testing, professional attackers do not perform their scans as quickly as possible. They take their time and scan very, very slowly. As a result, they usually do not generate enough traffic at once to garner an alert. In addition to that, most of their backdoor software encrypts their external transmissions using SSL/TLS/IPsec over port 80 or 443 which are typically open to the Internet. As a result, from a monitoring perspective, a lot of what is going on would appear “normal.”
So now that your view of the PCI DSS is dashed. What should you do to respond?
- Admit that security is not perfect and educate management that it is not perfect. Breaches will still occur, but security controls are meant to minimize the number of those occurrences and the extent with which they obtain sensitive data.
- Do not save sensitive data. Merchants typically do not need to store cardholder data these days. If you do, then use tokenization so your systems do not store cardholder data.
- If possible, further isolate your sensitive data. Look at Forrester’s “Zero Trust” model or the McGladrey Ultra Secure approaches.
- If possible, reduce the number of actual people that can access your cardholder data to as few as possible. The fewer people that can access cardholder data, the fewer targets that can be social engineered.
- Use a “jump box” to provide access to your cardholder data environment so that you do not allow people direct access. Couple this with different user credentials to gain access to the cardholder data environment. Add in full instrumentation of the jump box to capture all activity performed on the jump box and monitor the jump box tightly.
- More tightly monitor your communications through your firewalls. Yes HTTP/HTTPS needs to be open these days just to do business, but do your personnel need totally unrestricted access to every possible IP address or URL? No. So white or black list IP addresses and URLs so that an attacker cannot just use whatever URL or IP address to work from.
Will all of this prevent a breach of your sensitive data? No. All these controls will do is reduce the risk of a breach to the lowest possible level. In time, an ingenious professional attacker will find a way to compromise your controls. However, with a rigorous control environment it is hoped that you will find them before they find your data.