Jul 27 2009

But Network Solutions was compliant, weren’t they?

Published by at 8:18 pm under Hacking,PCI,Security Advisories

Repeat after me:  “Being compliant does not mean you’re secure.  Being compliant doesn’t mean you’re secure.”  Keep muttering that to yourself while you read the rest of this post.  If you have a bluetooth headset, people might not even think you’re crazy.

If you haven’t already heard, over the weekend Network Solutions announced that they’d been compromised and over half a million credit card records had been stolen.  All we know about the attack so far is that it used ‘unauthorized code’ which could mean anything from a wholesale compromise by an outside attacker to a malicious insider placing the code for his own profit.  In other words, they’ve really told us almost nothing about what happened and it’s quite likely that’s about all we’ll find out.  The code transferred the the information to servers outside the company and while there’s no evidence yet that the stolen credit cards have been used for fraud, there’s also no evidence that they haven’t. 

So why are we spending so much time on PCI if it doesn’t make our merchant and service providers secure?  Network Solutions had been validated as PCI compliant by Payment Software Company (PSC) last October, so they were secure weren’t they?  Once a merchant or service provider is compliant, that’s it, isn’t it?

The Payment Card Industry Data Security Standards are not a magic potion that will make a company secure.  The requirements are mostly good practices and the annual review that merchants and service providers go through is not exhaustive and do not touch on every server in a company’s PCI environment.  The PCI DSS is a minimum baseline companies should be complying with in order to take credit card numbers.  Each network and each business is too different for any standard to cover in a horizontal market that includes everything from your corner Mom’n’Pop store to the likes of Amazon, Best Buy and Walmart.  What PCI does, and does well, is raise the baseline of security for the entire market and hopefully makes it a little harder for the bad guys.  But raising the bar for everyone may not raise it high enough to actually secure any one company and it’s up to the security professionals who work at those companies to realize that PCI isn’t a stopping point, it’s just one milestone along the way to securing the systems at their companies.

Network Solutions had been validated by a QSA, nearly a year ago.  If you’re ever curious, Visa keeps a list of the validated service providers on their site.  Pay very close attention to a short clause they have on every page of the document:

(1) PCI DSS assessments represent only a “snapshot” of security in place at the time of the review, and do not guarantee that those security
controls remain in place after the review is complete. These reviews did not cover proprietary software solutions that may be used or sold by
these service providers.

Yes, Network Solutions was listed as having been validated last Halloween.  Take a moment and think back to how your own network was configured and maintained last Halloween; have there been any changes to your network since then?  Has anyone made any configuration mistakes on your systems in the last 10 months?  Have there been any 0-day vulnerabilities that affect your servers since then?  If you can answer ‘no’ to all of those questions, you’re either the best systems administrator I’ve never met or you’re lying to yourself.  I’d lean towards the latter.

The PCI requirements don’t require a QSA to check every server on the network or even in a company’s PCI environment.  They require the QSA to check a sample of systems for all of the PCI requirements.  My own experience has been that you can tell pretty quickly if a merchant or service provider is following their own configuratioin and hardening standards or not.  If they are, you might be able to reduce the sample size some and if they’re not, you might have to increase the sample size you’re assessing.  In all except the very smallest merchants, there’s is no way even the most competent QSA can assess more than a sample of systems involved in the PCI process.  It’d be great if we could review each and every system involved with cardholder data, but that’s why companies retain security personnel. The job of the QSA is not to verify every system, it’s to assess the security of a company as best they can in the few days they have on-site.   It’s the job of the security and system professionals who work at a company day after day the rest of the year to ensure that the baseline of security PCI requires is kept current and that even the systems the QSA didn’t check are secure.

Like my friend Anton, I wish people would stop taking every breach of a PCI compliant company as proof that PCI has failed.  We don’t scream that Microsoft is a failure every time a Windows server is compromised or state that the OWASP top 10 is worthless if a company follows the guidelines but still turns out insecure software.  We acknowledge that the system has weaknesses, that people don’t follow guidelines as well as we might like and we move on.  Just because one part of an overall system is flawed, we don’t declare the whole thing a failure.  Instead, we work on improving the system and making it better so that the same problem doesn’t happen again.  Or at least we try to.  So why does anyone expect the PCI system to be perfect?

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

8 responses so far

8 Responses to “But Network Solutions was compliant, weren’t they?”

  1. Angelo Comazzettoon 28 Jul 2009 at 7:46 am

    PCI Compliance is interesting, they wanted to assure that millions of unknowledgeable retailers and shops could get compliant, so they left the actual requirements quite vague and sometimes open to creative interpretations. With 1.2 they got a bit more specific but still it’s easy to do it poorly.
    PCI just basically enforces security around the payment card industry.

    For example they say you have to physically secure the servers, but they don’t say with what. Lock and Key? Machine Sentry Guns? Gas Chamber? Tie a rope around them?

    Since they are indeed general and not terribly specific about many requirements, its very valid to say that even you are fully PCI compliant, it doesn’t mean at all the entire network is anything resembling fully secure, but rather that you knew how to implement a few broad guidelines as they relate to payment processing and data storage.

    For example, it doesn’t mean every client workstation not related to the payment card systems is fully locked down, content filtered, IPS’s scanned, etc…since that’s not a requirement for PCI specifically.

  2. Rob Lewison 28 Jul 2009 at 9:37 am

    It’s not much of a standard if there are so many work arounds that any serious attacker can navigate successfully. It then leaves people with a false sense of security, which may be more dangerous than when they had nothing in place. They assume they are “secure” when what they really have is a ” little bit more secure”. I think you say this in your own post.

  3. Peteron 28 Jul 2009 at 9:59 am

    I don’t think anyone expects it to be perfect, but too many companies view PCI compliance as the maximum amount of effort required to avoid liability instead of the minimum amount required to do the job properly.

    You know a risk analyzer somewhere has done the math based on how much the extra security would cost and how likely an event is and how much the fallout from an event would cost and said it just isn’t worth it to spend more on compliance. Additional security is also something that is probably not going to result in additional sales, making it that much harder to justify economically.

    In tough economic times, it’s easier to say “let’s do the minimum required, roll the dice on the rest and deal with any problems IF they occur, since they probably won’t.” It’s a bad long-term philosophy, but it usually works quite well in the short term.

    In situations where the free market doesn’t force businesses to the right thing you need to legislate it and make the penalties so severe that not complying isn’t a viable option. You hear stories all the time about business that violate regulations for years, make hundreds of millions of dollars in profits from those activities and then get hit with a $50 million fine. It might not be right, but from a business perspective, that’s not a bad deal. If the fine was double your ill-gotten gains, people might think twice about it.

    So if you want strict compliance and better overall PCI security make the fines outrageous, something like $1000 per piece of breached data. Network Solutions had 573,928 records stolen. A fine of $573 million makes spending money on better security seem like a good idea instead of an unnecessary expense.

  4. NY Computer Security Consultingon 28 Jul 2009 at 10:49 am

    I think the problem is most larger companies use accountants to determine “risk” as appose to engineers. If the likelihood of a security compromise and the ensuing lawsuits, don’t outweigh the cost of tightening their infrastructure then it isn’t deemed “cost effective”.

    When your only goal is the bottom line your core business (or at least what should be the core values of your business) will suffer.

  5. Rickon 28 Jul 2009 at 6:27 pm


    Perhaps the work that Network Solutions undertook to become PCI-DSS compliant resulted in the breech being detected, analysed and remediated in a timely manor that actually reduced the effect of the breech. Any network can potentially be breached, what PCI brings is detective and preventative controls as well as an incident response plan. Perhaps if they had not put all the PCI controls in place the breech may have gone undetected for months even years.

    One of the controls of PCI-DSS (12.1.2) is that you conduct a threat risk assessment against your CDE (Cardholder Data Environment). Perhaps today is a good time to take this to your CEO\CTO and ask for time and resource to conduct an assessment.

  6. kilaueaon 30 Jul 2009 at 12:40 am

    Your just not getting the budget thing fella’s.

    Any company makes x profit of which a small % is allocated to security. Nothing wrong in that, the company has other costs and needs to make a profit (and we are in recession after all).

    Pre-PCI, all that small budget would be focussed on the high-risk areas. In this case, the web servers that were hacked. Post-PCI, you have over 200 controls to apply to a wide variety of systems.

    It’s the removal of a risk based approach, allowing orgs to put budget to the high-risk areas year-on-year, that is the biggest failing of PCI. Nobody is chasing security any more, they are all chasing compliance.

  7. […] Standards aren’t security: PCI compliance and Heartland’s data breach – A secure network often means a compliant network.  But a compliant network only sometimes means a secure network.  Therefore COMPLIANCE DOES NOT EQUAL SECURITY!  […]

  8. Seanon 21 Aug 2009 at 5:25 am

    For everyone that continues to say PCI failed because of the recent breaches, just proves that if they are running any security or compliance programs for their organizations that they could likely be the next name on the list of data breaches, simply because they don’t get the PCI DSS!! They just don’t get that PCI DSS is just a security baseline (and a pretty good one at that) and you must go beyond getting the ROC and maintain compliance as a program not a project. Projects have an end date, which means if you treat PCI like a project, then the day after the project is completed you will probably not be compliant. I strongly agree with your friend, quite blaming the standard and take ownership for your own failures.

%d bloggers like this: