The "RISKY BUSINESS" Blog

HITRUST (Is it Information Assurance if you don't trust the Alliance?)

Posted by John Verry on Fri, Aug 28, 2009 @ 04:50 PM

Call me jaded but my level of distrust goes up when an organization:

  • Pronounces itself as the "Information Security" guardian of an industry segment
  • Develops a "proprietary" framework/standard that it rationalizes based on the uniqueness of the industry
  • Develops its own certification programs and charges exorbitant fees to qualify entities for certification

Perhaps I am just cynical based on our mutual experience with the "Payment Card Industry Standards Council" and the PCI-DSS program which has only succeeded in reducing the risk to the payment brands at the expense of the merchants and the card owners.

My lack of trust in all things PCI-related is well illustrated by the recent "gift card" I gave to my nephew for graduating high school. He called me embarrassed to report that the card balance was zero and that the credit card company had told him that it had already been used. After a considerable time on the line the credit card company finally "admitted" that the card had been used five days prior to my purchasing it. If the credit card companies can't prevent/detect this proactively - what faith can we have in them or their ability to govern?

On learning of HITRUST I was hopeful that it would be different. But on first blush it looks like they have stolen a page or two out of the Payment Card Industry Standards Council playbook. For example, the costs involved for a consulting/auditing firm to be "qualified" exceed $20,000. Initially the standard was only available at a significant cost. On a more positive note, the Alliance recently announced that the Common Security Framework (the standard) will now be available for free (however, after 30 minutes on the site today - I still can't find it).

Hopefully, I am wrong and HITRUST will be a shining beacon for Information Assurance - but I'm not so sure. I would rather have a comprehensive, non-industry-specific standard (e.g., ISO 27001) achieve sufficient status that these entities don't feel the need to develop proprietary standards. The benefits would be significant.

PCI Compliance Ain't Information Assurance

Posted by John Verry on Fri, Aug 14, 2009 @ 10:23 AM
This post is largely the product of a great email from Mosi Platt who heads up our audit practice area ...

Robert Carr, the CEO of Heartland Payment Systems, had some very candid and controversial thoughts relating to the Payment Card Industry Data Security Standard (PCI-DSS), the Qualified Security Auditors (QSA) who certified their environment as PCI Compliant before their massive (up to 100M card) breach, and the difference between being compliant and being secure. Article here

The part that really jumped out to me was the statement about the QSA failing to check Heartland's vulnerability to a "common attack vector". Without additional information it's difficult to determine if the criticism is fair.

Did the companies that were previously attacked using that vector disclose it? Had the vulnerability been disclosed by the researcher(s) that discovered it (or were they waiting for the vendor to issue a patch)? What if the "common attack vector" only rates as a low-medium vulnerability by PCI's own scanning standards? There's a potential information asymmetry problem that works against the auditor in these situations. Has Heartland shared detailed information of their attack with the QSA community as a whole to prevent the same situation from occurring elsewhere? 

Is it the QSA's obligation to stay aware of common attack vectors, or is it the PCI Council's responsibility to promulgate "common attack vectors" to them? I believe it's both, but more important that the PCI Council does so as they have visibility across every PCI Compliance Audit and data breach. Assuming the PCI Council does promulgate this information to QSAs, but not to the companies themselves or other non-QSA auditors that do PCI DSS work (like us), then the council is creating additional incentive to pay the hefty fees to be QSA certified at the expense of the companies and the consumers. This shouldn't be all that much of a surprise. Ask yourself why we haven't gone to two-factor authentication on credit cards to reduce fraud? (hint: because it's cheaper to let companies like Heartland take the fall)

I think the PCI Council is a great example of an industry association failing to fulfill their role of building trust between their members and their consumers (another great example). How many more PCI-compliant merchants will get hacked before that trust is completely eroded? As trust decreases, so does the industry's pricing power, and the only way out of this mess is providing a higher level of assurance that will cost the merchants more money - but who's going to pay more money for a PCI audit if they don't feel compliance will actually secure them from hackers?

An incentive for conformance (i.e. compliance) is not an incentive for performance (i.e. effective security). Until PCI either gets the incentives right or implements technology that's secure by default, the problem will only get bigger. How many more PCI-compliant breaches will it take before the government intervenes?

Eggs, Bagels, & ISO 27001

Posted by John Verry on Mon, Aug 03, 2009 @ 12:29 PM
Last week I spoke to a group of senior Information Security professionals at the CSO Breakfast Club Event held in Philadelphia PA. The topic 'Data Protection' was chosen specifically by the CSO Breakfast Club's founder, William Sieglein, 'to focus on the challenges our executive members face in trying to decide what data requires protection, where that data resides and how best to protect that data in a cost-effective manner.'

The meeting ended up as a spirited discussion of the challenges of securing data and determining which point solutions are best to address the most vexing issues. I recommended that they consider ISO 27001, as, short of divine intervention, there is no 'silver bullet' for data protection. So having a 'road map' (like ISO 27001) is more and more critical. I think that the 6K+ companies that have been certified over the last few years are a testament to the challenges we all face and the value of a road map.

The benefits of 27001 are numerous but can be simplified to:

  • It is a certifiable standard (you can prove you are secure to a known set of criteria).
  • It simplifies information security into an overarching process (27001) and best practices (27002). No need to reinvent the wheel when thousands of folks have developed and vetted an approach and collection of controls.
  • There is not a lot of new ground to learn - it is largely composed of activities you are already familiar with, and your current control environment can easily be migrated into a 27001 ISMS.
