Martin, Rich and Zach are joined tonight by none other than Josh Corman from the 451 Group to talk about the recent RSA breach. Actually, he was on to talk about the industry's reaction to the breach more than the breach itself. The reality is that we still know almost nothing about what happened, though Rich has a little insight that goes beyond the press release, since he's actually talked to folks at RSA. Which means we know just a little more than nothing, which is not a significant improvement.
Another reason Josh wanted to join us was to talk about one of Rich's recent articles, called Table Stakes. We clarify what Rich meant in the original post, as well as talking about some of the more touchy-feely aspects of the industry. Except Zach, who doesn't do touchy-feely so much. And finally we end up with a little rant about those hacks over at the Southern Fried Security Podcast and how they're always imitating us. They even have their own Bizarro Zach, @jsokoly.
Network Security Podcast, Episode 234, March 22, 2011
PCI has become a way of life, not just for me personally, but for nearly every merchant out there who processes a serious number of credit card transactions. What was just a murmur on the wind for most folks five years ago has become part of the drumbeat of their every waking hour. The evolution from something only the largest companies had to deal with to something nearly every merchant has to deal with has been painful for many, and will probably continue to be so for quite some time. All because PCI has become the dominant security standard for anyone dealing with credit cards. And since most businesses deal with credit cards on some level, it's become the de facto standard for the majority of the security industry.
Branden Williams wrote a post that took me back to some of the early arguments I had with Josh Corman, very polarized 'discussions' of whether PCI was the answer to a lot of security issues or PCI was deforming the security market in potentially harmful ways. I've always been of the opinion that PCI is a good lever for getting money to implement projects most security teams should have in place anyway. Josh's position was that PCI has been starving other technologies that could go beyond the simple requirements in the standard, which is where his infamous "No Child Left Behind of Security" comes from. Josh and I have since modified both our positions: I have admitted that there are some technologies PCI ignores that could address real security concerns, while Josh has conceded that some of the technologies PCI requires are things nearly every business needs in some form.
I shouldn't be surprised that there are still a number of merchants out there in denial about what's required of them by PCI and their acquiring banks, but I still am a little. Many businesses have been able to ignore PCI or pay lip service to it so far, but as the card brands push compliance (and the risk, incidentally) farther down into the merchant community, that's going to get harder and harder. If you're a single merchant or service provider, no matter how large or small, you're eventually going to have to concede that compliance is the irresistible force and you're not an immovable object. The only real ways to effect change in the PCI standards are to work with them for now, work within the PCI Council and its Special Interest Groups, and potentially push for a better standard to be created. Another alternative is to work with state and federal government to effect change, but I can't imagine how that could improve the situation.
One last point from Branden's post to consider is the use of compensating controls. I've worked with more than a few merchants who, for real, technical reasons, were unable to meet a requirement as written, as have most experienced QSAs. Don't be afraid to use them, provided you're meeting or exceeding the intent of the requirement in question. It's not a blemish on your Report on Compliance to have a Compensating Control Worksheet, especially if it is well written.
Rich and Zach are on the road this week, so Martin was left alone for this week's podcast. Luckily there was already an interview in the can with Larry Ponemon, from the Ponemon Institute, about the report "The True Cost of Compliance", which was sponsored by Tripwire. Unluckily, I (that is, Martin) over-engineered the audio processing in order to pull out some annoying sounds, which leaves the interview sounding a little muddy. The content is still good, which is what really matters in any case. I tried to ask a number of questions supplied by folks on Twitter, which I mostly succeeded at.
We're traveling a lot right now, so the podcast may be spotty for the next couple of months. We'll figure out how to make the transition to some new schedules, never fear.
The True Cost of Compliance
Tonight’s Music: Brown by Children of a New Jazz Era
Network Security Podcast, Episode 232, March 1, 2011