Archive for the 'PCI' Category

Apr 23 2008

PCI 6.6 & 11.3 clarification

Published by Martin under PCI

I guess Bob Russo and the PCI Security Standards Council heard the roar of the crowds at RSA and decided to do something to help clarify the situation around standards 6.6 and 11.3. In reality, they probably had this in the work for months and may have even tried stirring things up a little at RSA to get more attention to the supplements. In either case, it’s good that they’re working on making the standards clearer and they’ll be working these updates into the next version of PCI. We’re still not sure if it’s going to be 1.2 or 2.0, but it’s coming in September.

The updates to 11.3 are relatively minor and center around clarifying what’s expected from the penetration test. The update to 6.6 explicitly spells out what the acceptable solutions are for code review:

  1. Manual review of source code
  2. Automated app source code analyzers
  3. Manual web app vulnerability assessment
  4. Automated web app vulnerability assessment

It also lays out a number of suggestions for a web application firewall, but none of these are requirements at this time. The absolute minimum on a WAF is checking for and protecting from the OWASP top 10 vulnerabilities, but if that’s all you’re getting from your WAF, you better go ask for your money back.

The updates to 11.3 are going to matter to Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) more than they are to the average company complying with PCI. On the other hand, the clarifications on 6.6 are going to be very important to everyone who’s involved in PCI as the June 30, 2008 deadline for complying with 6.6 approaches. One thing I’d like to see clarified even further is the term “proper use of” when it refers to application and source code tools; does this mean that the person using the tools needs to be certified in some way, have proof of training or just need to say they’re experienced with the tools? It’s minutiae like this that give QSAs gray hair.

Mar 18 2008

Hannaford Brothers hacked, but there’s a silver lining

Published by Martin under Hacking, PCI

A grocery store chain of about 1500 stores, Hannaford Brothers and Sweetbay, reported on February 27th that they’d been compromised and 4.2 million credit card and debit card numbers had been stolen. While the details in the InfoWorld article are scarce, one interesting factor of this compromise is that the card data was stolen in the authorization phase of the process. This means the attackers either compromised a border system responsible for the authorization or they compromised the network itself and were able to capture authorization traffic directly. These are the only two places credit card data should be appearing unencrypted.

There has been some identity theft associated with this compromise, but here’s the silver lining: Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses. This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have a record of every embarrassing purchase you’ve ever made. The downside to this lack of association between card numbers and cardholder names is that they have no way of knowing who should be contacted in the breach. I’m not sure if that will absolve them of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either.

I’m glad to hear that at least one company has disassociated the data in this way, making it harder on the attackers. I can only assume that this is because the chain is owned by a Belgian company; the European laws concerning privacy and the data collected on customers are much stricter than anything we have in the US. What I’ve chosen to view as a bit of forward thinking by an American grocery chain may be nothing more than an attempt to meet European Union laws. In either case, it’s to the benefit of Hannaford Brothers’ and Sweetbay’s customers.

Feb 27 2008

PCI is just the beginning of security

Published by Martin under PCI

What do I need to log? What product will make me PCI compliant? Can you give me a list of acceptable services to run on my Windows 2008 server? Where’s the punch list of things I need to do to be compliant? These and a number of other ‘silver bullet’ questions are things a PCI assessor hears on a daily basis. And we’re not the only ones, if Dr. Chuvakin’s recent post is any indicator: IT managers want to know exactly what they need to log to be PCI compliant. Unfortunately, the answer is “it depends”. There is no list, no resource to refer to, no silver bullet for compliance and, despite many marketeers’ wishes, there probably won’t be. Unless we want to make every network out there exactly the same, that is.

That’s the real reason that Anton can’t answer the question of logging for his customers; each network is different and what’s good for one client might leave gaping holes in another network. Even networks that are using the same types of switches, routers and servers still have enough variation that what’s good for one won’t be enough for another. And just as logging nothing isn’t an acceptable solution, logging everything isn’t acceptable because someone has to actually sit down on a daily basis and review the logs. A recent comment on a mailing list I read asked “who did you piss off to be put in charge of the Linux logs?” It’s tedious work under the best of situations.

The PCI DSS is about risk mitigation (or risk transference, depending on your point of view). It lists a minimum set of standards that merchants and service providers must meet to do business. The risks each business faces are unique and no one can honestly give a cookie cutter approach or a product that meets all the requirements. Even implying that a product is going to solve your problems out of the box is at best bad marketing and at worst an outright lie. No matter what product you choose, customizing it to your environment is going to be vital. Not that I have strong feelings on the subject.

So what is the use of the PCI DSS if there are no real solutions? It’s a starting point to make your network secure. And that’s all it is, a starting point. It’s a minimum set of standards, not an end point in and of itself. And this is where many merchants and service providers fail: they think once they’ve received the blessing of their auditor for PCI they’re done securing their network. But anyone who’s relying on a PCI assessment to prove that they’re secure is missing the point of PCI and doing their company a disservice.

We all know of a company that was ‘PCI compliant’ but got hacked and lost millions of credit cards due to an improperly secured wireless network. I can only guess they got their letter of compliance, let loose with a big sigh of relief and went on to other projects. Which is exactly why they ended up as front page news. They made the mistake of believing PCI compliance equated to security. And they’re still paying the price for that assumption.

PCI is a starting point for your security programs. It’s a tool to get management to pay for implementing technologies and projects that can secure your network. It can be used as leverage to do the things that really will protect your network. Yes, there are points in the PCI DSS that won’t apply to many businesses but have to be complied with anyway. Luckily, those items are in the minority and the majority of PCI items are things every business should be doing. Your assessor has the job of making sure your network and systems meet the PCI standards and will hopefully have suggestions for continuing beyond PCI to make your business secure. But the fact is, an assessor has to audit to the standards; they can make suggestions beyond PCI, but that’s all they are, suggestions. It’s up to you to take those suggestions and continue the efforts to secure your business.

I’ve been on both sides of the PCI aisle and have a pretty good idea of the problems and benefits of PCI. Obviously I view it as a jumping-off point to go beyond just securing credit card data. The same tools that secure your cardholder data environment can be used to protect the rest of your network. PCI can and should be used as an agent for change, giving you good guidelines for basic security. But it’s up to you to implement them in the way that best suits your environment and find any holes that PCI and your assessor may have missed. After all, your assessor is human and just as likely to miss something as anyone else; they just have a checklist of things they have to verify.

Jan 19 2008

I’m not the only one who sees the irony

Published by Martin under PCI, Privacy

Dan Goodin was at the Fortify documentary earlier this week and draws some of the same conclusions I do about the loss of JC Penney’s customer data. And more importantly, he actually knows the names of the players, something I’m terrible at remembering.

NotEnough commented on my earlier post that GE Money is offering a year’s credit monitoring for those affected, which he says is not long enough. He’s specifically talking about SSNs, which don’t have an expiration date, can be set aside for a year or two and used to commit identity fraud when no one’s actively looking for that data set anymore. This is part of why statistical correlation between a specific breach and identity theft is so hard. I’d like to see if anyone has done an academic survey of the difference in the level of identity theft in populations that have been victims of a breach and the general population, specifically over the long term.

It’s becoming more obvious to me that despite many companies’ best efforts, my data is going to be at risk at some point in my lifetime. That feels cynical, but as a security professional, I know it’s just realistic. There are too many places that my data is being stored, too many connections being made, too many possible points of failure in the systems. I’ve never been a big fan of paying a monthly fee to make sure my credit is safe, but given that my information may already be a commodity somewhere in cyberspace (or Russia), a small inconvenience and a few dollars a month might not be a bad price to pay for peace of mind. Corporate America obviously can’t keep my data and credit safe, so it’s up to me to take steps of my own.

Rich Mogull recently switched to Debix and I’ll get him to talk about why and what they offer on the next podcast. At this point, I’m not even sure what the proper questions are to ask when choosing a credit protection service, but I’m sure Rich’ll help me understand. I already know I’m not going to choose LifeLock, but I am interested in knowing what other solutions are out there. I want something I can live with long term, especially since the problem isn’t going to go away any time soon.

Jan 18 2008

Iron Mountain lost tape containing 650,000 records

Published by Martin under PCI

I’d say this looks like another case of a box falling off the back of a truck somewhere: Iron Mountain has lost a backup tape belonging to GE Money with approximately 650,000 JC Penney customer records on it, and 150,000 of those records include customer social security numbers. There’s the usual patter about requiring specialized equipment to read the tape, but I’d feel more secure if they said it was encrypted. We all know that a tape backup drive isn’t that hard to get, especially if you’re targeting a specific merchant and have any sort of intelligence on them. We’re being told the number of JC Penney records that have been lost and that as many as 100 merchants could have been affected, so what is the total number of records on the tape? It could add up to be quite a number when all is said and done.

A representative from JC Penney was interviewed for the Fortify documentary last night, and this is one of the dangers of the information age he didn’t bring up. Not only do you have to worry about all of the bad guys attacking you directly, you have to worry about your partners, how they’re protecting your data and how their partners are protecting your data. I’m willing to think this is simply a case of human error and the tape in question fell under a floor panel or something, but it isn’t far outside the realm of possibility that someone took the tape purposefully. In a lot of companies, it’d only take a conspiracy of two or three to get the tape, a drive for it and the encryption keys to unlock everything.

I agree that JC Penney isn’t responsible for the incident, but I get tired of reading the “We have no reason to believe …” statement. They also have no reason to believe it isn’t being used; there’s no reliable way to correlate a data breach of this sort and the repercussions. Even most of the people that have been caught in the TJ Maxx case have been the flunkies who were doing the in-person fraud using compromised data. If someone knows of a statistically significant way the credit card companies can track the effects of this breach, I’d like to hear about it.

We’d never have heard about this before California’s SB1386 and the other state laws that have followed. And in all likelihood, this probably is just a case of a lost tape, with no nefarious intent involved. We’re at a stage of the game where I’d rather hear about a couple of false alarms than miss one real event.

Jan 14 2008

PCI is about transferring the risk, not mitigating it

Published by Martin under PCI

Alex at RiskAnalys.is is ticked off because he sees the Payment Card Industry Data Security Standards as “being more a bunch of legal-wrangling” than it is about mitigating the risk to the data. And I think he hits pretty close to home; PCI is about transferring the risk of a data breach from the credit card companies to the person closest to the data: the merchant. By giving the merchant a minimum set of standards to follow, the credit card companies divorce themselves from the risks associated with a breach and place it on the merchant who’s actually holding the data. Securing the enterprise can be a nice side effect of becoming PCI compliant, but the real goal is to set a minimum standard that merchants have to adhere to. The credit card companies can claim best effort when there is a breach and the liability (and negative press) fall squarely on the shoulders of the merchant who was holding the data.

Yes, I’m more than a little bit cynical. PCI compliance is about marking off all of the boxes on a checklist, proving that your company is meeting a set of minimum standards. And a lot of companies hit that minimum and make no effort to keep securing their infrastructure beyond that. But that’s not a failing of PCI, that’s a failing of the company. Nowhere in PCI does it say you can’t take additional measures above and beyond those minimums. There’s no reason in the PCI you can’t have a web application firewall as well as a third-party code evaluation. But most companies won’t do that because it costs money and no one has money to spare.

One statement I heard somewhere is that it’s easier to be PCI compliant by being secure than it is to be secure by being PCI compliant. If your shop is already being run in a secure manner, you may have to make some changes to meet the letter of the requirements, but they’ll probably be minimal. If you’re just trying to meet the PCI DSS requirements though, there’s a good chance you’ll leave open a vulnerability that’s unique to your environment. Which is why the credit card companies are pushing the risk and liability as close to the data storage as possible: every environment is unique.

Andy, IT Guy has the right idea: rather than thinking of PCI as a minimum standard, use it as a driver for change. Build your case and sell it. Use PCI as a fulcrum point to implement the changes that need to be made to the corporate environment. Policy and procedures are a large part of the PCI assessment; use this to make changes to the way your company does business. Look for ways to implement the PCI requirements that will best benefit your business, rather than complaining about the holes it leaves behind. When it’s all said and done, it’s the guy who’s there day in and day out who’s responsible for securing the systems, not the PCI assessor who comes once a year for a week.

Additional note: I think the mailing list Andy and Alex mention is the PCI Standards list on Yahoo. I created this group about 18 months ago and still approve new members. It’s an open group, unmoderated, low traffic and has no official standing with the PCI Council or anyone else. In other words, don’t post any significant details when sending questions to the list.

Jul 16 2007

You’ve got to appreciate truth in advertising

I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straightforward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-Secure report. Anyone else out there keep track of the spam they receive for fun?

Jul 10 2007

Using charities to test stolen cards

This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.

Apr 24 2007

Your information doesn’t leave when you do

Published by Martin under PCI

Adam at Emergent Chaos brings to light some interesting information on when customers have had enough with data breaches. Turns out you need three successive breaches to come close to a 100% alienation rate. What I doubt most people realize is that this isn’t the end of the risk from that company, since banks are required to keep your information for a number of years by law. PCI is only going to help if businesses learn enough to protect their networks, rather than just marking off check boxes on a list.

So even though you may have already canceled your TJX credit cards, you’ll be vulnerable to compromises of their network for at least 7 years, probably more. I can’t imagine it’ll be fun to receive a mail stating that your data has been compromised from a card you canceled long ago. Guess it can’t be any worse than learning about your records being lost by the Veterans Administration.

Mar 02 2007

For the other half of the discussion …

Published by Martin under PCI

You can read Michael’s take on our conversation this morning. He posted just a few minutes after I got done with my post. I guess we both thought that the idea was important enough to merit some comment.
