Jan 24 2009

Saturday morning reading 01/24/09

Published by at 6:35 am under General,Government,PCI

It’s been a busy week for me.  Long days, short nights and report after report to write.  I guess the one good thing is that I’ve been home for a while now instead of gallivanting around the country like I sometimes do.  What I’m trying to say is there hasn’t been much time for blogging this week, even though some pretty big stories have come out this week.  I had a lot of fun a couple of times earlier in the week debating the merits of PCI with Jeremiah Grossman and HD Moore, which gave me more than enough fodder for half a dozen blog posts or more.  The funny part of the debates is that we all agree that the goal is securing enterprises in a time when more and more breaches are being reported; we just disagree about whether or not PCI is doing anything towards accomplishing that goal.  I received a couple of complaints about having the debates on Twitter and even more compliments about the quality of the conversation.  Go figure.

Saturday morning reading (aka catching up with the feeds)

  • What PCI compliance really means – Michael Dahn draws the distinction between being “PCI Compliant”, being validated during an assessment and being secure.  Validation is a point in time, while being compliant is a continuous process.  Being secure means taking that compliance and continuing to improve upon it, which is a step many organizations forget.  Didn’t I write something on this recently?
  • Data breach study ties fraud losses to Hannaford, TJX breaches – One of the most annoying things I read this week is that TJX was giving customers a 15% ‘appreciation’ discount this week to thank the customers for sticking with them.  How many of those customers were using their credit cards at a company that was in this position because they were breached in the first place?  Now there’s proof that the breach led to fraud and people are still giving TJX more credit cards to lose.
  • The new Homeland Security page – So much changed at noon on Tuesday.  I wonder if the new DHS will ever step the security alert level in airports down from Orange to Yellow.  Or [gasp] maybe even Green!  Wouldn’t that be nice.
  • PCI Compliant Companies Don’t Suffer Breaches – This is an article that I have a hard time swallowing.  The logic is that no company that’s been breached has been PCI compliant (as opposed to validated, read the first article) because deeper inspection found some way they weren’t compliant.  But my own experience is that you’re always going to find at least some portion of an enterprise that’s not compliant if you dig deep enough.  No one is perfect.  And that’s exactly what the bad guys are doing to these big companies, digging and digging until they find the one server in the enterprise that was misconfigured or in the wrong network. 
  • Making PCI Easier – A Reality/Health Check – Wow, merchants can make PCI compliance easier on themselves by actually applying some resources to the project.  Who’d a thunk it?  Actually, getting the manpower and tools to become compliant is one of the things that got me excited about PCI when I was a security manager several years ago.
  • A Smarter Alternative to PCI – Let’s give merchants the option of complying with PCI, as long as they secure their environments.  Oh yeah, that worked soooo well before the PCI requirements started getting what little teeth they have now.  Instead they’d go back to ignoring the cardholder environment and concentrate on whatever the other hot project of the day is.  Making security optional is a guaranteed failure, as opposed to the potential failures that happen when merchants meet the standard and don’t go any further.
  • Network Solutions under large scale DDoS attack, Millions of websites potentially unreachable
  • Monster.com reports theft of user data – I think I have a Monster account.  I haven’t checked it in five years or so.  If you take the Monster.com breach and add the information to the Heartland breach (which I can’t talk about), you get a huge potential for identity theft.  I just hope the two groups that perpetrated these two attacks don’t get together and cross reference the data.

5 Responses to “Saturday morning reading 01/24/09”

  1. Branden Williams on 24 Jan 2009 at 8:53 am

    I agree with your statements, however, that’s why we created a service around managing compliance. If a company takes it seriously, they will be able to hit those high-risk areas and avoid the breach by maintaining their compliance.

    The problem is, most companies don’t take it seriously until two months before their deadline.

  2. Martin on 26 Jan 2009 at 5:51 am

    Or two months after, when the QSA has come in and told them they’re not going to pass the assessment.


  3. SecurityNinja on 27 Jan 2009 at 5:19 pm

    Tough times for Trustwave and PCI DSS

    Compliance management service provider and PCI QSA Trustwave appear to be having a tough time recently. A colleague of mine pointed out today that Trustwave had been the QSA who certified RBS Worldpay as being compliant just 4 days before their data breach.

    Fair enough, everyone can get caught out now and then, but I have also found out that Trustwave (all compliant companies and their assessors can be found here http://www.mastercard.com/us/sdp/assets/pdf/Compliant%20Service%20Providers%20-%20January%2015%202009.pdf) had also certified Heartlands as being compliant with PCI. If you have ignored the security news for a few days you would have missed the fact that Heartlands have also had a breach of data which could top TJX as the largest breach ever. Heartlands process in excess of 100m transactions per month so I would imagine the amount of records lost could be immense.

    Trustwave, I think the PCI Council should think about something George Bush once said: fool me once, shame on — shame on you. Fool me — you can’t get fooled again.

  4. Martin on 27 Jan 2009 at 6:10 pm

    I officially have no comment. I unofficially have no comment. As a Trustwave QSA, I can’t make any comment on this.

  5. Mike on 27 Jan 2009 at 9:22 pm

    Having been through the entire PCI DSS compliance with my company for the last 3 to 4 years, I got the impression that one QSA could go into a site and determine something is an appropriate compensating control where another QSA would disagree.

    Granted, I don’t find it as bad as HIPAA in trying to get compliant, but as was stated above, no matter how much money and time you throw at being or trying to be compliant you can almost always dig deep enough and find something that is not compliant.

    A QSA friend of mine put it best one time in a talk he was giving about securing a network. If a bear is chasing you, you don’t have to run faster than the bear; you just have to run faster than the person with you. You don’t and probably won’t have the most secure network, but striving to be more secure than the next person will deter your average person attempting to breach your network.
