There have been some interesting stories leading up to Christmas and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so their might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of supporters on the list is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products. 

Open Tabs – 12/26/11

• Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
• LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
• The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
• How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
• The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and the aired out, the better for everyone involved.
• Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because they data they hold might be worth something.
• Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s ensured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes common place.
• Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.

Lately though, I’ve begun thinking of credit card data as a cancer instead of simply a disease.  Consider the fact that many security departments spend hundreds of man hours each and every year trying to segment their cardholder data environment from the rest of the network to limit the impact of the annual assessment.  They modify firewall rules, implement VLAN’s, cut off access and chase down every data flow they can think of and find in order to find credit card data and prevent it from infecting systems and bringing them into scope.  Yet every year the QSA comes in and finds data where it shouldn’t be and people with access to the data who have no business reason to have it.  The credit card data continuously spreads and expands scope, and leaving even the littlest bit behind still offers the chance of the scope of the assessment and responsibility to the Data Security Standards.

Why does this continue to happen?  As security professionals, we try hard to find out where the credit card data is at, but the reality is that all too often we don’t understand the thought processes that went into the business processes that created the data flows, and neither do all to many of the people who created the business processes.  We might understand the process that takes a credit card from the customer’s browser to our web server and back to our database server, but the clearance and settlement processes are often an arcane process that we haven’t mastered and can’t figure out how to do securely with our acquiring banks.  I mean, why is it that some processors still mandate that the settlement files be sent clear text over a leased line or the Internet?  And getting them to change that can, very literally, take years to happen.  Another process that we often forget and creates no end of headaches is the fraud control portion of the business; I’ve seen more than a few businesses that had no idea that their fraud prevention team had either full access to the cardholder database or had a portion of the feed that included credit card numbers sent to them daily or weekly.  And since these teams weren’t considered during the original scoping, it often means a whole new section of the business that has to be considered and remediated, costing valuable time and money.

Another factor is how little it costs a department to ask for a stream from the database and how strongly they’ll defend it once they have the data.  I’ve run into many departments in the past that had little or no immediate need for accessing credit card data, but wanted every bit of the information from the web server and point of sales devices, simply because it might one day be valuable to them.  And even if the data is being used now, if there is some value for them to have it today, all to often that department isn’t the one that’s actually paying the cost of processing and storing the data; the IT or Security department received a mandate to make to make the data available and no additional funds were provided to secure the cardholder data in a manner compliant with the PCI DSS.  Good luck getting them to pay for something they’ve had access to for years or give up this access, despite the fact it might cost the company millions and have almost no real return on investment.

So how do we excise the cancer that is credit card information from our enterprises?  I know it’s a bit cliched to say it, but we still need to understand our businesses better.  Yes, our managers are getting better at talking to their managers, but the fact is, when you get down to the actual data flows, managers are simply a set of filters that help the people who’re doing the actual work misunderstand each other better.  It’s just as important to understand the overarching business flows as it is to understand the actual tables and fields that are being copied from one database to another.  Digging into the nitty gritty of each data transformation and export to another department’s database is hard work, made harder by the fact it’s changing all the time.  Managers need to set the policies and procedures that dictate who has access to data, including the where and why, but the line level security folks need to be able to track down the data flows and enforce the policies set up by the people higher in the chain of command. 

Departments also need to understand that there is a cost, associated with cardholder data and need to be made to bear that cost directly.  As long as they simply have to ask for the data and work the political process to get it without paying a fiscal cost, they well.  Policies and procedures are easy to circumvent if a someone in Marketing or Sales puts their mind to it, but when that same person is given a price tag for the data, the need often disappears or becomes something much more manageable and doesn’t include the cancerous data like credit card numbers and expiration dates.  This is a step that only management can take and in many organizations it’s incredibly difficult, since the concept of having to pay for data is foreign to most of the business.  But as long as someone else is paying for it or the cost of data is indirect, people will continue to ask for it.

The real, long term cure to the credit card cancer is to change the rules of the game so that businesses never have access to the credit card information to begin with.  Face it, as long as a single record remains on your enterprise, someone will find a way to get access to it and spread the contagion from system to system.  The solution that’s available to businesses today are various forms of tokenization.  First, on-site tokenization allows businesses to create a ‘toxic waste dump’ in their environment with strong controls around it and only people who have demonstrable business reason are allowed to detokenize the data.  Since there is a more limited number of people who have access in this environment, training on how to treat the data with the caution and respect it deserves is much easier to deliver and enforce.  Plus definitive consequences for treating the cancer causing data unsafely can be enforced when only a limited, educated group of people are allowed to have it.

Even better is to have the data tokenization is having someone else handle credit card authorization and settlement and never let credit card data touch your network in the first place.  Most of the acquiring banks now have partnership with PIN pad manufacturers now with end-to-end encryption built in.  The stores are encrypting the cardholder data as it’s swiped and the register and they either have no access to the credit card information or only have access through a separate backend system.  Online merchants are making more and more use of outsourced payment systems, which also prevent cardholder data from entering enterprises and small businesses alike.  Several of these solutions offer ways to tokenize cardholder data as well.

When it’s all said and done though, it’s the credit card processing system that has to change, not just how businesses treat credit card information.  We need to modify and re-engineer how we take credit cards and remove the monetary motivation for the attack (and defense) on credit card data.  If credit card information has no value for an attacker then attention will shift elsewhere and the security department will once again be able to concentrate on securing the entire enterprise rather than just a small portion that has a compliance measure behind it mandating minimum security standards.  Of course, then we’ll have to worry about what we can use to get funding from management to secure the rest of the business.

Oh, and the kids got me to start playing Minecraft as well.  Good thing there are a lot of long holiday weekends coming up.

Open Tabs 11/22/11:

• Death by Exception – As a recovering QSA (the taint doesn’t wash off), I can sympathize with Michelle’s frustration with exceptions.  It really isn’t an ‘exception’ once it becomes the rule.
• The “Off the Record” track – There’s really no such thing as “off the record”.  But for some reason, I’ve noticed that people become more guarded and less likely to talk when they first 
• AT&T tells users of ‘organized and systematic’ hack attempt – Glad to see they’re warning people and not invoking the “APT” card.  Yet.
• Hacker says Texas town used three character password to secure internet facing SCADA system – I wonder if the three letters were “APT”? 

Open Tabs 11/04/11:

• Untrusted Certificate Store to be updated – Microsoft delists another certificate authority
• DHS looking for a new CISO – If you want the role, more power to you!  I wouldn’t touch it with a 10′ pole, personally
• Security Ostriches and Disintermediation – Big words from Mike Rothman about HD Moore’s Law
• CIA following Twitter, Facebook – Why would this surprise anyone in the security field?
• China scorns U.S. cyber espionage charges – Another big surprise, China is denying any wrong doing and acting all indignant.  
• Syria crackdown aided by U.S.-Europe spy gear – There’s more and more evidence that US technologies are being used to support oppressive regimes.  And I don’t think it will stop any time soon. 
• Most firms don’t coordinate security planning – We need to learn to integrate better with the board room, that’s a fact.
• Mike Dahn and me from Hacker Halted – I’m going to close my eyes and ears, I can’t stand to see myself in video. 

Zach, Rich and Martin are all incredibly busy and are trying to figure out how to fit the podcast into the constraints of our schedules.  We may have to skip a number more weeks between now and the end of the year, but we’re trying desperately to get our lives under control.

Network Security Podcast, Episode 257
Time:  30:09

Show Notes:

• HD Moore’s Law – Josh’s blog post
• Metasploit project

If you have even a passing familiarity with PCI, you know exactly why this story about RandomStorm (I have another name for them, but I can’t put it in writing) making a box that meets all your PCI compliance needs is utter nonsense!  It sounds like a UTM providing a bunch of related services, like IDS, log management and vulnerability scanning with a reporting tool on top of it, but these are only a small part of the PCI requirements.  To state otherwise or try to sell a product as covering everything that PCI requires is disingenuous and dishonest at the least, and criminally misleading at the worst end of the spectrum.  How someone could be reporting on the compliance market and not know that is beyond me, but then again no one at SC Magazine was willing to put their name on the post, so maybe they did know how much BS this press release was.

“MicroStorm is delivered on a single small form factor appliance that is
designed to help merchants monitor and prove their compliance on an
ongoing basis, with the reassurance that if anything breaches their
network, they will be immediately alerted.”

Given names like RandomStorm and MicroStorm, I’m hoping this is some sort of trolling attempt and just a joke.  I can’t imagine anyone who knows how to spell PCI actually making a statement like this with a straight face.  I can however imagine many marketing and sales guys trying to sell SMB merchants a small black box with blinky lights that they sit on a shelf somewhere that will protect them from PCI bug bears!  After all, isn’t that what all too many vendors are saying about their products and “Standard Techniques Failed Uss”.

One box cannot meet with all of the PCI compliance requirements.  Even ignoring the fact that a large number of PCI requirements are based on policies and have no way of being satisfied by a technology.  And if you ever find one box that meets all of the technological requirements, back away slowly and get far away from it.  I can almost guarantee that even if it meets any of the requirements in theory, when you actually have to sit down with a QSA or forensics investigator to explain how it works, half the technologies it’s supposed to incorporate will be so minimal as to be worthless.  Less, since they give a false sense of security.  I also predict it will be a forensics investigator you have to talk to, not the QSA.

Simply put, this is more snake oil.  Enough said.

Update (10/24/2011):  You can see a comment from the CTO of Random Storm in the comments along with my reply.  Additionally, I received the following twetts from @phinessence on twitter taking the blame for the naming.  Glad to see they’re on top of the situation, but it was a bad move, despite the use of quotes, inverted or otherwise.

Blame me for that headline. It was in inverted commas for the very reasons you state. Thanks for highlighting the dangers though.
My bad I’m afraid.  It was to provide context, hence the inverted commas, buy your comments have been taken on board.

Because of my experience as a QSA, I’ve had several people ask me for help picking out their next QSAC recently.  They want to know which company they should go with, what they should expect from the process and how to get to their Report on Compliance (RoC) as painlessly as possible.  For companies who are approaching PCI Compliance for the first time, it’s a scary proposition, because they’re painfully aware of how much they don’t know about what’s going to happen and what’s going to be required of them in the assessment.  For companies who’ve been through it before, they’re often feeling pretty smug in having last year’s RoC and underestimate the difference the QSA’s experience and understanding of the rules can make.  Companies who’ve been through the process many times understand that the specific QSA they get for their assessment is often more important than the company he or she works for.  Remember, you’re going to be assessed by that person and the company processes behind them are less important to you than their ability to understand your company.

Let’s get something out of the way:  if you simply want someone who can come in and check a bunch of boxes without understanding your infrastructure, go with the lowest bidder, someone who guarantees they’ll come in and assess your entire company in two days and phone the rest of their assessment in.  Seriously, if you’re not looking for a partner to give you advice in how to secure your environment and you just want a piece of paper with little or no increase in security, find someone who will give it to you.  Don’t look for an experienced QSA, look for one who’s relatively new to the job, one who can be bullied or fooled into agreeing with your assertions without verifying them.  We all know companies who operate on this business model exist and it’s not worth wasting your time and money if you are looking for check box compliance.  I’ve had too much experience with companies who could care less about securing their infrastructure and simply want to do the least amount of work possible to make the assessor go away.  If your company fits into that category, it’s less of a headache if everyone agrees to accept this premise and moves on. 

If you’re looking to get more out of an assessment than just a piece of paper though, you have a number of things to start considering.  How important is compliance to you versus how important is security to you?  Are your goals and your company’s goals the same?  Are you going to use the assessment to help you get funding for projects you know you need (and if not, why not)?  Is this your first assessment or have you been through several before?  Are you interested in having an on-going relationship with the QSAC and the QSA or do you want to get through this project and move on to your next headache?

It’s very important that your goals and the company goals are the same, and if they’re not, it’s even more important that you understand where they diverge and how you can use that stress to your advantage.  When the security department reports to the CFO or to a part of the organization that’s more concerned with how much money is being spent than how effective security measures are, your goals will probably be far different.  Learn to use the QSA in order to close that gap, use them as an appeal to authority.  “I know you don’t want to spend the money, but we won’t pass our assessment if we don’t” is a very powerful statement in many businesses.

Very few people conflate security and compliance at this point in time, at least that’s my hope.  But compliance can be a useful tool in getting the security tools you need in order to fulfill your commitment as a security professional to your company.  If you’re concerned with getting complaint more than you are about being secure, go back to the earlier point of simply getting the cheapest check box QSAC you can.  On the other hand, if you’re looking to be more secure when the process is complete, try to use compliance as a crowbar to pry funding from management.  Think a lot about that as you’re looking for a QSA, about how you can use the PCI DSS requirements to support your argument for new tools or additional headcount.  Your QSA can help a lot in this process, especially if his initial report comes back, especially if you both understand what you need and how it will help secure your company.  Most good QSA’s are also security professionals and get excited when you approach them as such instead of treating them like the enemy.  If you can frame the argument for a security control as a way to meet several compliance measures, your budget has a much greater chance of getting approved.

The first time you go through a PCI assessment is painful, no matter how well you think you understand the PCI DSS requirements and how to implement them.  And in many cases, the second assessment isn’t a lot easier, since it’s been 8-12 months since your previous assessment and you’ve let a number of the requirements slip without realizing it.  Look at the 2011 Verizon PCI Report and you’ll realize that this is exactly what happens to far to many companies.  Year over year numbers around maintaining compliance are actually a bit depressing when you read into them; you’d hope that getting controls in place were the hard part, but really, it’s the  maintenance of controls that is the hard part for most companies to do.  It makes sense in some ways, since it’s easier to concentrate on getting a IDS or log management solution set up than it is to monitor it on a daily basis.  Let this thought sink in as you’re looking for a QSA:  just because you were compliant last year doesn’t mean your teams have properly maintained the tools over time.

All too often, the goal of companies is to get the assessor in and out as quickly and painlessly as possible.  But is this really a good use of the resources you have at your disposal?  While compliance seems like a once a year exercise, it’s really a year round commitment; it’s just that you’re compliance is going to be assessed once a year.  The assessment represents a point in time view of your work, but in the long run, you’re going to be judged by what you do when the QSA isn’t there much more than you’ll be judged by what you do while she’s on-site.  If you have a QSA that you understand and can work with, it helps to have a relationship that you can use to call them up when you have a question.  Most QSA’s get to see a dozen or more different environments a year and asking them how other companies meet with a requirement can help steer you in the right direction to be more secure or save money.  If your QSA is a security professional first, they may be able to tell you how to meet a compliance requirement with a non-traditional technology. This may not be something you’re interested in, but using your QSA as a
trusted adviser rather than an enemy of the state can make maintaining
compliance easier throughout the year and passing your next assessment
much easier.  It may cost you slightly more in the short term but can have a long term return on investment.

These are all things you should be considering before you ever start talking to a QSAC and interviewing QSA’s.  Know what you want to get out of the relationship with them and it will make the process much clearer, or at least give you something to base your decisions upon along the way.  When you’re just looking for the piece of paper, go cheap and save your money for what really matters to you.  But if you want to use compliance as a means to becoming more secure, it’s going to change your whole process and how you’re going to frame questions when you interview your QSA before the choose one.  You are planning to interview a number of QSA’s, not just accept the one the company sends you after all, aren’t you?

I’m not going dissect the report, I’m still a little to close to it.  I will say that I’m worried because there’s a definite downward movement in compliance with the PCI requirements.  I’m not sure if merchants are feeling burnout, if QSA’s are getting tougher or if something else is going on, but it’s not heartening to see that meeting with the requirements is becoming less of a priority for merchants.  I wish the report had come out before the PCI Community Meeting so I could have asked Bob Russ and other Council members for some feedback.  It might have put a little bit of a damper on the ‘Rah! Rah!’ that was being presented to the crowds.

I used to fight with Josh Corman, saying that while it wasn’t perfect, it had improved the landscape of security.  Now I’m not so sure.  If compliance with the requirements are on the decline, maybe it’s not barely even being given lip service anymore.  Or maybe I’m reading too much into a year over year change, we’ll have to wait until next year to see.

We’re taking a week off from the podcast, but we’ll return the first week of May.

Network Security Podcast, Episode 238, April 19, 2011
Time:  29:45

Tonight’s Music:  Head Full of Numbers by Fine Print Pariah

Ask any experienced QSA about the different businesses they’ve worked with over their tenure and you’ll really start getting the feeling that there’s not that much variation in how companies do networking, configure servers and run a web site.  That’s only natural, since as human beings we generally tend to focus on how things are alike before we start observing the differences.  And from a casual viewpoint, there really aren’t any major differences between similar businesses when you’re taking that sort of 10,000 foot view.  But PCI isn’t about the 10,000 foot view, it’s about getting into the nitty gritty details of how credit cards flow through the businesses systems, where it’s stored and all the minutia of how every system that stores, processes or transmits cardholder data is configured.  If you consider how hard it is for even one business to configure all of their servers to a set of standards, then thinking about how much variation exists between any two companies, even ones doing the exact same business, should give you a moment of pause. 

Where Mike’s most dead on is when he says “You seem to think you know everything there is to know about your competitor, but in all likelihood you do not”.  I’m no longer surprised when I go into an assessment and somewhere halfway through a conversation a manager says, “Wait a minute, why haven’t I haven’t heard of this data repository/network connection/export to sales before now?”  It’s not a dig against anyone, the fact is most cardholder environments are complex and constantly changing and unless your only job is to dig into the environment on a daily basis, it’s very hard to keep up with what’s where.  Assuming you ever actually knew where everything is in the first place.  And if it’s not unusual to do this sort of accidental discovery in your own environment, how can anyone assume with any certainty that they understand their competitor’s environments well enough to make a judgment call on compliance?

It’s hard to remember sometimes how much of a difference a little segmentation or minor configuration changes with the exact same equipment configured just a little bit differently can make.  And part of the reason you consider someone your competitor is because they’re doing almost the same thing you’re doing, just a little differently.  Ask your own sales or marketing department how your product is different from your competitors and I’m willing to bet they could rattle off dozen differences in a couple of minutes.  (If they can’t, get a new sales/marketing department!)  If marketing knows that there are differences in the products, how can you reasonably expect that your cardholder data environment won’t have similar, nuanced variations?  The reality is, you can’t.

Do QSA’s miss things?  Yes, every day!  Are there QSA’s who ignore things they don’t want to review?  Probably, but that’s not an accusation anyone should make without proof.  Is you’re environment exactly the same as your competitors?  Unless a large part of your crew came from the competitor’s workforce, or vice versa, the chances are slim that when you actually look under the hood of how business is done you’ll find nearly as many similarities between you as you thought.  And it’s the ‘devil in the details’ that make all the difference in the world between passing an assessment and not.

Yes, you are beautiful and unique, just like everyone else.  And no, neither you nor your competitor are going to get special treatment under the PCI DSS.  They’re probably just not as similar as you thought they were.