Archive for the 'PCI' Category

Sep 08 2014

Buffer between Target and banks

Published by under PCI,Risk

We all know that Target got compromised last year, but what some of you might not know is that the banks who issued the credit cards that were compromised are suing Target.  They’re saying that because Target didn’t take sufficient measures to protect the card data the banks had to spend millions of dollars in order to re-issue every one of the cards that were compromised.  It makes sense on the surface, since the banks incurred the cost due to the insecurity of Target’s systems.  But here’s the rub: there’s no direct relationship between the issuing banks and Target.

I find it funny because this relationship is one of the things that was drilled into me from the start of my Qualified Security Assessor training.  There is a relationship between the merchant and its bank, called the acquiring bank, between the acquiring bank and the card brands, between the card brands and the issuing banks, and finally between the issuing bank and the consumer.  This was done with careful thought to create a buffer between the card brands and both merchants and consumers.  As a consumer, if you have an issue, you have to take it to your own issuing bank or the merchant, since you have no direct relationship with the card brand or the acquiring bank.  It’s also why the card brands have always said that they don’t issue fines to compromised merchants; it’s the merchant’s bank that has to issue the fine.  The picture below illustrates this relationship and is similar to what was used to train QSAs when I went through training.

I find a certain poetic justice in this defense being used by Target.  The card brands and the banks developed this system in part because it’s a reasonable way for transaction clearance to work, but also in large part because it gave as many parties as possible a way to distance themselves from the sins of another party.   Except the banks and card brands meant for it to be a buffer from lawsuits between them and both merchants and consumers, never thinking it would provide a buffer for the merchants as well.

I don’t claim any deep understanding of the underlying legal statutes that could affect this case, but I do see that Target’s defense could bring any QSA worth his or her salt to the stand to illustrate the point.  It’s going to be much harder to establish a responsibility running from Target to the issuing banks when any witness with knowledge of the Payment Card Industry Data Security Standard is going to have to say, under oath, that they were trained from the first day that there’s no relationship between the two entities.  On the other hand, if the buffer is dismantled legally, it also opens an avenue for merchants to sue the card brands, so either way the banks are going to be the losers in this battle.  Well played, Target, well played.


Sep 11 2012

Scoping was too scary to handle

Published by under PCI

One of the biggest challenges for a QSA is deciding the exact limits of an assessment.  Deciding which systems store, process or transmit credit cards, and all systems connected to them, sounds straightforward and easy to follow, but in practice the QSA’s two favorite words, “It depends”, come into effect all too often.  Drawing the lines around the systems that store or process card data is fairly easy, but when you get to ‘transmit, and all systems connected to them’ it gets a lot fuzzier.  Not only is it hard for a QSA to make those judgements, it can also be hard to argue with the customer about the specifics of scoping.  And it can cause some very, very heated arguments.

So when I heard that the PCI Council had formed a Special Interest Group specifically to create a Scoping Toolkit, I was excited and filled with trepidation at the same time.  I knew or had worked with many of the people who were involved with and leading the effort.  This gave me hope that the PCI Council would be releasing something that would give QSAs a good platform on which to base their scoping decisions.  But from the first time I talked to the people who were working on the scoping document, I discovered that the Scoping Toolkit would probably never see the light of day; apparently this group put the ‘Special Interests’ in SIG.  What one member of the group thought was absolutely necessary was anathema to another member at almost every turn.  The entire effort was doomed from the start, with rabbit holes of edge cases and ‘what ifs’.

The Scoping Toolkit never did get released by the PCI Council, but the Open PCI Scoping Toolkit has been released.  While it’s not an official document from the Council, or even one that’s being publicly acknowledged by them, it’s an important piece of reading for any QSA to dig into, especially on the plane flight to his or her next on-site assessment.  As Walter Conway says, it addresses the three fundamental scoping questions, gives the QSA a better understanding of how other QSAs might scope the client, and gives the QSA more ground to stand on when explaining their decisions.  And anything that helps take the variation between QSAs out of the assessment process is a good thing.

I’m glad this document finally got released into the wild.  I know a lot of hard work and sweat went into hammering out these guidelines, and they can help stabilize some of the ongoing concerns about PCI and the variation in scoping between QSAs.  It’s too bad that the PCI Council couldn’t step up and endorse the document directly, but I’m glad they’re not standing in the way of it getting published either.  That gets them the best of both worlds: the Scoping Toolkit gets published and they don’t have to stand behind it as an official document.  All the upside, none of the liability.  We wouldn’t want them to actually make a stand and improve the overall security of the merchant community, now would we?


Apr 02 2012

Global Payment Systems delisted by Visa

Last Friday Brian Krebs broke the story that MasterCard and Visa were warning of a major processor breach.  Later in the day it was announced that the payment processor was Global Payments Inc. and that approximately 50,000 card numbers had been compromised, a number that was later revised to 1.5 million card numbers.  Global Payments took such a pummeling in the stock market that they had to halt trading in the middle of the day on Friday, and they appear not to have resumed trading as I’m writing this post.  They have a press conference this morning, but the initial reporting shows that Global Payments isn’t saying anything that’s not already in a press release.  And to add insult to injury, Global Payments has had its listing as a compliant service provider yanked as of Friday, pending the security review of the compromise and a new assessment, a process that could take months.

The relationship between customer, merchant, banks, card processors and the card brands is complex and not at all clear to the average consumer.  When a customer swipes their credit card or places an order online, the merchant passes that information on to their processor.  The processor is a company, such as Global Payments, that has been designated by the merchant’s bank to process payments on their behalf.  The processor sends the request to the card brands, who check the balance with the bank that issues the credit card and forward an approval or denial based on credit availability and fraud checks.  That approval is forwarded back to the merchant and the customer and the whole process only takes 2-3 seconds on the average day.  At the end of the day the merchant bundles the credit card requests and sends them to their bank, appropriately designated the merchant bank, who forwards the information through the card brands to the banks of the people who charged their cards that day.  The relationship is complex and my explanation doesn’t cover the many variations that can crop up, but it covers the basic idea.  For more information, there is a wiki page.

One of the most interesting aspects of this is that Visa has removed Global Payments from the list of compliant processors, a step that I don’t think has been taken for any breach since that of CardSystems in 2005.  CardSystems was the first major breach of the credit card flow to catch the public’s attention, and it was very clear that the de-listing was done to buoy consumer confidence.  But since then very few service providers of any stripe have had their listing pulled, which indicates there may be more going on behind the scenes than is being reported publicly.  Global Payments’ relative silence and the updates to the number of records compromised add to this impression.  Of course, no one expects any company to come clean immediately when faced with a compromise, but the degree to which this incident is causing lips to be sealed is interesting by itself.  Will Global Payments have to go through a similar process to CardSystems, basically selling themselves to prevent total collapse?

We’ve gotten to the point where we almost expect daily or weekly notifications from merchants stating they’ve been compromised.  But where merchants are not in the business of securely taking in credit card numbers, that’s exactly what processors and banks are supposed to be focusing on.  A merchant makes their money by selling products to consumers whereas a payment processor is selling the security of the transaction and any breach of that trust is a major issue.  The processors are also aggregation points for multiple merchants and many processors have millions of card transactions flowing through their systems on a daily basis.  As such, they know, beyond a shadow of a doubt, that they are being targeted by attackers and that their security is paramount to continuing to be in business.

I strongly suspect that what’s been disclosed so far is simply the tip of the iceberg.  If Global Payments was compromised for a month and a half, as currently stated, then a much higher number of card numbers than 1.5 million were most likely processed during that time.  Which means the compromise was either contained in some way with or without the awareness of Global Payments, or there is another shoe waiting to drop.  My money is on the latter.


Update:  I forgot to add that there was a brief outage of the Visa network on Saturday morning when they updated systems inside VisaNet.  Yeah, that can’t be at all related to the Global Payments breach, could it.


Dec 26 2011

Open Tabs 12/26/11

Christmas is over!  I hope yours was good, but I personally find the whole build up and let down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving. 

There have been some interesting stories leading up to Christmas, and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so there might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in the Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware that this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of SOPA supporters is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products. 

Open Tabs – 12/26/11

  • Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
  • LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
  • The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
  • How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
  • The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and aired out, the better for everyone involved.
  • Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because the data they hold might be worth something.
  • Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s insured and what constitutes a breach of contract, including poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes commonplace.
  • Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.


Nov 28 2011

Curing the Credit Card Cancer

Published by under PCI,Risk

Back when I was a Qualified Security Assessor (QSA), all of four months ago, I often explained credit card data as an infectious disease.  Whatever your credit card data touches is pulled into scope, requiring the full set of Payment Card Industry (PCI) Data Security Standard (DSS) requirements to be applied to those systems to the same degree as to the systems processing the transactions.  That’s because the scope of PCI compliance is defined as “any system that stores, processes or transmits cardholder data and all systems connected to these systems”.  In other words, the switch that stands between your firewall and your processing server is in scope for PCI, as are all the systems attached to that switch, unless you take specific steps to control the traffic between the two systems.  Thinking about the credit card data as an infectious agent makes sense, since the data infects everything it touches with the need for compliance and assessment, even though the system may have nothing at all to do with card processing and only made the error of being on the wrong network segment at the wrong time.

Lately though, I’ve begun thinking of credit card data as a cancer instead of simply a disease.  Consider the fact that many security departments spend hundreds of man hours each and every year trying to segment their cardholder data environment from the rest of the network to limit the impact of the annual assessment.  They modify firewall rules, implement VLANs, cut off access and chase down every data flow they can think of and find in order to locate credit card data and prevent it from infecting systems and bringing them into scope.  Yet every year the QSA comes in and finds data where it shouldn’t be and people with access to the data who have no business reason to have it.  The credit card data continuously spreads and expands scope, and leaving even the littlest bit behind still risks expanding the scope of the assessment and of responsibility under the Data Security Standard.
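The scoping rule in the two paragraphs above (cardholder-data systems plus everything connected to them, unless a segmentation control cuts the connection) is mechanical enough to compute. The following is an added example, not code from the original post: it models an inventory as a graph, seeds scope from the systems that handle card data, spreads scope across every unsegmented link, and reports which hosts are in scope only by adjacency, which is exactly the list a security team works through when it adds the firewall rules and VLANs the paragraph describes. Every hostname and link is a constructed assumption for the example.

```python
"""Added example, not code from the original post: compute PCI DSS scope the
way the post describes it, as cardholder-data systems plus everything reachable
from them over connections that segmentation does not restrict."""
from collections import deque

# Constructed inventory for this example; the hostnames are assumptions.
# "chd" marks systems that store, process or transmit cardholder data.
SYSTEMS = {
    "pos-web":   {"chd": True},
    "pos-db":    {"chd": True},
    "core-sw":   {"chd": False},   # the switch between the firewall and the servers
    "fw-edge":   {"chd": False},
    "hr-server": {"chd": False},   # same segment, no card-processing role
    "marketing": {"chd": False},
    "fraud-ws":  {"chd": False},   # receives a feed from the card database
}

# (a, b, segmented): segmented=True means a firewall rule or ACL restricts
# traffic between the pair, so scope does not spread across that link.
LINKS = [
    ("fw-edge", "core-sw", False),
    ("core-sw", "pos-web", False),
    ("core-sw", "pos-db", False),
    ("core-sw", "hr-server", False),
    ("core-sw", "marketing", True),
    ("pos-db", "fraud-ws", False),
]


def pci_scope(systems, links):
    """Return the set of in-scope hostnames.

    Seeds are the CHD systems; scope then spreads breadth-first across every
    unsegmented link (a transitive closure). This is why the post calls the
    data infectious: a host is pulled in by adjacency, not by function.
    """
    adjacency = {name: set() for name in systems}
    for a, b, segmented in links:
        if segmented:
            continue
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    scope = {name for name, attrs in systems.items() if attrs["chd"]}
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def connectivity_only(systems, links):
    """Systems in scope purely because they are connected, not because they
    handle card data: the candidates for segmentation."""
    return {name for name in pci_scope(systems, links) if not systems[name]["chd"]}


def segment(links, a, b):
    """Return a copy of the link list with the a<->b link marked segmented."""
    return [
        (x, y, True) if {x, y} == {a, b} else (x, y, seg)
        for x, y, seg in links
    ]


if __name__ == "__main__":
    before = pci_scope(SYSTEMS, LINKS)
    after = pci_scope(SYSTEMS, segment(LINKS, "core-sw", "hr-server"))
    print("in scope:", sorted(before))
    print("by connectivity only:", sorted(connectivity_only(SYSTEMS, LINKS)))
    print("after segmenting hr-server:", sorted(after))
```

Running it shows the marketing host kept out of scope by its segmented link while the HR server and the fraud workstation are dragged in by plain adjacency; marking the HR link segmented removes the HR server, but the fraud workstation stays in scope because it sits directly on a feed from the card database, which is the kind of forgotten data flow the post goes on to describe.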

Why does this continue to happen?  As security professionals, we try hard to find out where the credit card data is, but the reality is that all too often we don’t understand the thought processes that went into the business processes that created the data flows, and neither do all too many of the people who created the business processes.  We might understand the process that takes a credit card from the customer’s browser to our web server and back to our database server, but clearance and settlement are often arcane processes that we haven’t mastered and can’t figure out how to do securely with our acquiring banks.  I mean, why is it that some processors still mandate that the settlement files be sent in clear text over a leased line or the Internet?  And getting them to change that can, very literally, take years to happen.  Another process that we often forget, and that creates no end of headaches, is the fraud control portion of the business; I’ve seen more than a few businesses that had no idea that their fraud prevention team either had full access to the cardholder database or had a portion of the feed that included credit card numbers sent to them daily or weekly.  And since these teams weren’t considered during the original scoping, it often means a whole new section of the business that has to be considered and remediated, costing valuable time and money.

Another factor is how little it costs a department to ask for a stream from the database and how strongly they’ll defend it once they have the data.  I’ve run into many departments in the past that had little or no immediate need for accessing credit card data, but wanted every bit of the information from the web server and point-of-sale devices, simply because it might one day be valuable to them.  And even if the data is being used now, if there is some value for them in having it today, all too often that department isn’t the one that’s actually paying the cost of processing and storing the data; the IT or Security department received a mandate to make the data available and no additional funds were provided to secure the cardholder data in a manner compliant with the PCI DSS.  Good luck getting them to pay for something they’ve had access to for years or give up this access, despite the fact it might cost the company millions and have almost no real return on investment.

So how do we excise the cancer that is credit card information from our enterprises?  I know it’s a bit clichéd to say it, but we still need to understand our businesses better.  Yes, our managers are getting better at talking to their managers, but the fact is, when you get down to the actual data flows, managers are simply a set of filters that help the people who’re doing the actual work misunderstand each other better.  It’s just as important to understand the overarching business flows as it is to understand the actual tables and fields that are being copied from one database to another.  Digging into the nitty gritty of each data transformation and export to another department’s database is hard work, made harder by the fact that it’s changing all the time.  Managers need to set the policies and procedures that dictate who has access to data, including the where and why, but the line level security folks need to be able to track down the data flows and enforce the policies set up by the people higher in the chain of command. 

Departments also need to understand that there is a cost associated with cardholder data, and need to be made to bear that cost directly.  As long as they simply have to ask for the data and work the political process to get it without paying a fiscal cost, they will.  Policies and procedures are easy to circumvent if someone in Marketing or Sales puts their mind to it, but when that same person is given a price tag for the data, the need often disappears or becomes something much more manageable that doesn’t include cancerous data like credit card numbers and expiration dates.  This is a step that only management can take, and in many organizations it’s incredibly difficult, since the concept of having to pay for data is foreign to most of the business.  But as long as someone else is paying for it or the cost of data is indirect, people will continue to ask for it.

The real, long term cure to the credit card cancer is to change the rules of the game so that businesses never have access to the credit card information to begin with.  Face it, as long as a single record remains in your enterprise, someone will find a way to get access to it and spread the contagion from system to system.  The solutions available to businesses today are various forms of tokenization.  First, on-site tokenization allows businesses to create a ‘toxic waste dump’ in their environment with strong controls around it, where only people who have a demonstrable business reason are allowed to detokenize the data.  Since a much smaller number of people have access in this environment, training on how to treat the data with the caution and respect it deserves is much easier to deliver and enforce.  Plus, definitive consequences for treating the cancer-causing data unsafely can be enforced when only a limited, educated group of people are allowed to have it.
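The on-site ‘toxic waste dump’ described above has three moving parts: a single store that holds the real PANs, tokens that are safe to hand to every other department, and a detokenize path gated by business role and logged. The following is an added example, not the post’s own code or any vendor’s product: an in-memory dictionary stands in for the hardened, encrypted store a real vault needs, and the role names and sample card number are constructed. The tokens keep the card’s length and last four digits so receipts and reports still work, but are generated so they fail the Luhn check, which is how a token is kept from being mistaken for, or misused as, a real card number.

```python
"""Added example, not the post's own code: a minimal on-site tokenization
vault illustrating the "toxic waste dump" pattern. An in-memory dict stands
in for the hardened, encrypted store a real vault needs; the role names and
the sample PAN are constructed for this example."""
import secrets
from datetime import datetime, timezone


def luhn_valid(number: str) -> bool:
    """Luhn check digit test, the checksum every real PAN satisfies."""
    digits = [int(c) for c in number]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:      # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    # Roles with a demonstrable business need to see the real PAN (assumed).
    DETOKENIZE_ROLES = {"settlement", "chargebacks"}

    def __init__(self):
        self._pan_by_token = {}   # the waste dump: the only place PANs live
        self._token_by_pan = {}   # the same PAN always maps to the same token
        self.audit = []           # every detokenize attempt, allowed or not

    def tokenize(self, pan: str) -> str:
        """Swap a PAN for a token that keeps its length and last four digits
        but fails Luhn, so it cannot pass as a real card number."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, actor: str, role: str) -> str:
        """Return the PAN only to an allow-listed role; log every attempt."""
        allowed = role in self.DETOKENIZE_ROLES and token in self._pan_by_token
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role,
            "token": token, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not detokenize")
        return self._pan_by_token[token]

    @staticmethod
    def masked(token: str) -> str:
        """What everyone outside the allow-list gets: last four digits only."""
        return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")   # widely used test PAN
    print("token:", tok, "masked:", TokenVault.masked(tok))
    print("settlement sees:", vault.detokenize(tok, "alice", "settlement"))
    try:
        vault.detokenize(tok, "bob", "marketing")
    except PermissionError as exc:
        print("denied:", exc)
    print("audit entries:", len(vault.audit))
```

The audit list is the part worth copying: a department that asks for the feed gets tokens, and every attempt to turn a token back into a card number, including the refused ones, leaves a record naming the person and the role, which is what makes the “limited, educated group” enforceable rather than aspirational.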

Even better than on-site tokenization is having someone else handle credit card authorization and settlement, and never letting credit card data touch your network in the first place.  Most of the acquiring banks now have partnerships with PIN pad manufacturers that build in end-to-end encryption.  The stores encrypt the cardholder data as it’s swiped at the register, and they either have no access to the credit card information or only have access through a separate backend system.  Online merchants are making more and more use of outsourced payment systems, which also prevent cardholder data from entering enterprises and small businesses alike.  Several of these solutions offer ways to tokenize cardholder data as well.

When it’s all said and done though, it’s the credit card processing system that has to change, not just how businesses treat credit card information.  We need to modify and re-engineer how we take credit cards and remove the monetary motivation for the attack (and defense) on credit card data.  If credit card information has no value for an attacker then attention will shift elsewhere and the security department will once again be able to concentrate on securing the entire enterprise rather than just a small portion that has a compliance measure behind it mandating minimum security standards.  Of course, then we’ll have to worry about what we can use to get funding from management to secure the rest of the business.


Nov 22 2011

Open tabs 11/22/11

Published by under Family,Hacking,PCI,Risk

I got home Sunday from 3 days in Las Vegas, two of which were spent at the first ever Minecon.  For those of you who aren’t the parents of Minecraft addicts or addicts yourselves, it’s a game where you create a whole world, then mine it for resources and build just about anything you can imagine.  It’s multiplayer, sometimes massively so, and it’s very easy to set up your own server and be hosting it for the world in a matter of hours.  Unluckily, it may be too easy; people who can barely figure out what their IP address is are setting up servers on their desktops, then sharing their systems with friends via Hamachi or simply opening their home network to the world.  It’s enough to give a security professional an aneurysm!  I wrote up my own experience in creating a cloud server for Minecraft in April, but that server never caught on with the kids.  So now I’m trying a different solution, MineOS Crux, a custom-built distribution of Ubuntu specifically created for people who want a secure, lightweight Minecraft installation.  I’m running it as a VM on my Mac Mini server and exposing it to the world on a non-standard port, plus I locked down the distro a little more than the standard build.  I’m still more than a little paranoid about it, so if the kids aren’t using it, it’ll go away.

Oh, and the kids got me to start playing Minecraft as well.  Good thing there are a lot of long holiday weekends coming up.

Open Tabs 11/22/11:


Nov 04 2011

Open Tabs 11/04/11

It’s almost time to hop in the car and head for #BSidesDFW (I even think in hashtags some days) in about an hour.  I find it annoying that I have to leave the house about 3 hours before my flight to have any chance of making it, since it takes 90 minutes to get to the airport and about 45 minutes to get through the TSA checkpoint most of the time.  I was joking around on Twitter earlier this week and said I’d vote for the first Presidential candidate, Republican or Democrat, who promised to abolish the TSA; it turned out that Ron Paul had already made that promise, but we’ll see if he’s still slugging it out by the time the primaries roll around.  In any case, I need to get packed up and head out.  I’m going to try to get a few interviews at BSidesDFW for the podcast, since there are so many interesting people speaking tomorrow. 

Open Tabs 11/04/11:


Nov 01 2011

Network Security Podcast, Episode 257

Published by under Hacking,PCI,Podcast,Risk

Tonight Martin is speaking to Josh Corman, Akamai co-worker, and HD Moore, creator of Metasploit and Rapid7 CTO.  Josh came up with the idea of HD Moore’s Law a couple of months ago, the idea that the strength of the casual attacker is roughly equivalent to what Metasploit is capable of.  If your corporation isn’t capable of defending itself against Metasploit, you’re not going to be able to defend against these casual attackers, and you’re going to be wide open to more sophisticated attackers.  Josh explains the concept and what it means to security, and HD talks about the fact that Metasploit helps give security teams a measuring stick for their security.

Zach, Rich and Martin are all incredibly busy and are trying to figure out how to fit the podcast into the constraints of our schedules.  We may have to skip a number of weeks between now and the end of the year, but we’re trying desperately to get our lives under control.

Network Security Podcast, Episode 257
Time:  30:09

Show Notes:


Oct 20 2011

“PCI Compliance in a box” Really? #RAGE

Published by under PCI

I knew it had to happen eventually, but that doesn’t lessen my desire to strangle the marketing person responsible for what was probably just a reprinted press release!  Or maybe the reporter who came up with the title of the article should be the one throttled.  In either case, I can’t let an article that states “PCI-DSS Compliance in a Box” go by without raging against the very stupidity of the statement at least a little.  It is SC Magazine, but I still hope for better.

If you have even a passing familiarity with PCI, you know exactly why this story about RandomStorm (I have another name for them, but I can’t put it in writing) making a box that meets all your PCI compliance needs is utter nonsense!  It sounds like a UTM providing a bunch of related services, like IDS, log management and vulnerability scanning, with a reporting tool on top of it, but these are only a small part of the PCI requirements.  To state otherwise, or to try to sell a product as covering everything that PCI requires, is disingenuous and dishonest at the least, and criminally misleading at the worst end of the spectrum.  How someone could be reporting on the compliance market and not know that is beyond me, but then again no one at SC Magazine was willing to put their name on the post, so maybe they did know how much BS this press release was.

“MicroStorm is delivered on a single small form factor appliance that is designed to help merchants monitor and prove their compliance on an ongoing basis, with the reassurance that if anything breaches their network, they will be immediately alerted.”

Given names like RandomStorm and MicroStorm, I’m hoping this is some sort of trolling attempt and just a joke.  I can’t imagine anyone who knows how to spell PCI actually making a statement like this with a straight face.  I can, however, imagine many marketing and sales guys trying to sell SMB merchants a small black box with blinky lights that they sit on a shelf somewhere that will protect them from PCI bugbears!  After all, isn’t that what all too many vendors are saying about their products and “Standard Techniques Failed Uss”.

One box cannot meet all of the PCI compliance requirements.  That’s even ignoring the fact that a large number of PCI requirements are based on policies and have no way of being satisfied by a technology.  And if you ever find one box that claims to meet all of the technological requirements, back away slowly and get far away from it.  I can almost guarantee that even if it meets the requirements in theory, when you actually have to sit down with a QSA or forensics investigator to explain how it works, half the technologies it’s supposed to incorporate will be so minimal as to be worthless.  Worse than worthless, since they give a false sense of security.  I also predict it will be a forensics investigator you have to talk to, not the QSA.

Simply put, this is more snake oil.  Enough said.

Update (10/24/2011):  You can see a comment from the CTO of RandomStorm in the comments, along with my reply.  Additionally, I received the following tweets from @phinessence on Twitter taking the blame for the naming.  Glad to see they’re on top of the situation, but it was a bad move, despite the use of quotes, inverted or otherwise.

Blame me for that headline. It was in inverted commas for the very reasons you state. Thanks for highlighting the dangers though.
My bad I’m afraid.  It was to provide context, hence the inverted commas, but your comments have been taken on board.


Oct 17 2011

Think about what you want from your QSA/QSAC

Published by under PCI,Security Advisories

After four years of working as a Qualified Security Assessor (QSA) for two different Qualified Security Assessment Companies (QSAC), it’s a huge relief to be able to introduce myself as a ‘recovering QSA’.  As a friend of mine pointed out, the taint of being a QSA is not something that washes off easily; it sticks with you in insidious ways, bubbling to the surface when you least expect it.  I make it sound worse than it really is, but I do find myself slipping into the mindset of “this is how you’d meet a compliance requirement” sometimes when what I really want to say is “this is how you’d make your company more secure”.  After four years, it’s a hard habit to break.

Because of my experience as a QSA, I’ve had several people ask me for help picking out their next QSAC recently.  They want to know which company they should go with, what they should expect from the process and how to get to their Report on Compliance (RoC) as painlessly as possible.  For companies who are approaching PCI Compliance for the first time, it’s a scary proposition, because they’re painfully aware of how much they don’t know about what’s going to happen and what’s going to be required of them in the assessment.  Companies who’ve been through it before are often feeling pretty smug about having last year’s RoC and underestimate the difference the QSA’s experience and understanding of the rules can make.  Companies who’ve been through the process many times understand that the specific QSA they get for their assessment is often more important than the company he or she works for.  Remember, you’re going to be assessed by that person, and the company processes behind them are less important to you than their ability to understand your company.

Let’s get something out of the way:  if you simply want someone who can come in and check a bunch of boxes without understanding your infrastructure, go with the lowest bidder, someone who guarantees they’ll come in and assess your entire company in two days and phone the rest of their assessment in.  Seriously, if you’re not looking for a partner to give you advice on how to secure your environment and you just want a piece of paper with little or no increase in security, find someone who will give it to you.  Don’t look for an experienced QSA; look for one who’s relatively new to the job, one who can be bullied or fooled into agreeing with your assertions without verifying them.  We all know companies who operate on this business model exist, and it’s not worth wasting your time and money if you are looking for check box compliance.  I’ve had too much experience with companies who couldn’t care less about securing their infrastructure and simply want to do the least amount of work possible to make the assessor go away.  If your company fits into that category, it’s less of a headache if everyone agrees to accept this premise and moves on.

If you’re looking to get more out of an assessment than just a piece of paper though, you have a number of things to start considering.  How important is compliance to you versus how important is security to you?  Are your goals and your company’s goals the same?  Are you going to use the assessment to help you get funding for projects you know you need (and if not, why not)?  Is this your first assessment or have you been through several before?  Are you interested in having an on-going relationship with the QSAC and the QSA or do you want to get through this project and move on to your next headache?

It’s very important that your goals and the company goals are the same, and if they’re not, it’s even more important that you understand where they diverge and how you can use that stress to your advantage.  When the security department reports to the CFO or to a part of the organization that’s more concerned with how much money is being spent than how effective security measures are, your goals will probably be far different.  Learn to use the QSA in order to close that gap, use them as an appeal to authority.  “I know you don’t want to spend the money, but we won’t pass our assessment if we don’t” is a very powerful statement in many businesses.

Very few people conflate security and compliance at this point in time, at least that’s my hope.  But compliance can be a useful tool in getting the security tools you need in order to fulfill your commitment as a security professional to your company.  If you’re more concerned with getting compliant than you are about being secure, go back to the earlier point of simply getting the cheapest check box QSAC you can.  On the other hand, if you’re looking to be more secure when the process is complete, try to use compliance as a crowbar to pry funding from management.  Think a lot about that as you’re looking for a QSA, about how you can use the PCI DSS requirements to support your argument for new tools or additional headcount.  Your QSA can help a lot in this process, especially once the initial report comes back and you both understand what you need and how it will help secure your company.  Most good QSA’s are also security professionals and get excited when you approach them as such instead of treating them like the enemy.  If you can frame the argument for a security control as a way to meet several compliance requirements, your budget has a much greater chance of getting approved.

The first time you go through a PCI assessment is painful, no matter how well you think you understand the PCI DSS requirements and how to implement them.  And in many cases, the second assessment isn’t a lot easier, since it’s been 8-12 months since your previous assessment and you’ve let a number of the requirements slip without realizing it.  Look at the 2011 Verizon PCI Report and you’ll realize that this is exactly what happens to far too many companies.  Year over year numbers around maintaining compliance are actually a bit depressing when you read into them; you’d hope that getting controls in place was the hard part, but really, it’s the maintenance of controls that is the hard part for most companies.  It makes sense in some ways, since it’s easier to concentrate on getting an IDS or log management solution set up than it is to monitor it on a daily basis.  Let this thought sink in as you’re looking for a QSA:  just because you were compliant last year doesn’t mean your teams have properly maintained the tools over time.

All too often, the goal of companies is to get the assessor in and out as quickly and painlessly as possible.  But is this really a good use of the resources you have at your disposal?  While compliance seems like a once a year exercise, it’s really a year round commitment; it’s just that your compliance is going to be assessed once a year.  The assessment represents a point in time view of your work, but in the long run, you’re going to be judged by what you do when the QSA isn’t there much more than you’ll be judged by what you do while she’s on-site.  If you have a QSA that you understand and can work with, it helps to have a relationship you can use to call them up when you have a question.  Most QSA’s get to see a dozen or more different environments a year, and asking them how other companies meet a requirement can help steer you in the right direction to be more secure or save money.  If your QSA is a security professional first, they may be able to tell you how to meet a compliance requirement with a non-traditional technology.  This may not be something you’re interested in, but using your QSA as a trusted adviser rather than an enemy of the state can make maintaining compliance easier throughout the year and passing your next assessment much easier.  It may cost you slightly more in the short term but can have a long term return on investment.

These are all things you should be considering before you ever start talking to a QSAC and interviewing QSA’s.  Know what you want to get out of the relationship with them and it will make the process much clearer, or at least give you something to base your decisions upon along the way.  When you’re just looking for the piece of paper, go cheap and save your money for what really matters to you.  But if you want to use compliance as a means to becoming more secure, it’s going to change your whole process and how you’re going to frame questions when you interview your QSA before you choose one.  You are planning to interview a number of QSA’s, not just accept the one the company sends you, aren’t you?


2 responses so far
