Barbie's New Cry: "PCI Is Tough." An RSA Defense Plan

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

In security, timing is everything. Two seemingly unrelated items last week turned out to share an interesting common thread.

RSA's announcement that its SecurID two-factor authentication product may have been compromised came within days of three major hotel industry associations concluding that their members might be vulnerable to payment card data breaches due to poor security practices coupled with storing vast amounts of payment card data.

Let's start with RSA. Based on the publicly available information, it appears the company was subject to an advanced persistent threat (APT) attack. We don't know the source or what was taken, and we certainly don't know the full impact. All we know at this point is that merchants using RSA's SecurID tokens for two-factor authentication may be at risk of having the second factor (that is, the token) compromised.

The way SecurID works is that users who want remote access to a particular system provide their ID and password (the first factor). They then enter a one-time code displayed on the SecurID token (the second factor). If both factors are authenticated, the user is granted access to the system. Up until this breach, the biggest headache associated with the SecurID tokens has been users losing those tokens in hotel rooms, taxis and the occasional washing machine.

Every company on the planet faces the same risks as RSA. It's just that a security company like RSA is a more visible and attractive target than most. The company is releasing only limited information, and an awful lot of unanswered questions are likely to be bouncing around for a while. Although my (security) heart goes out to RSA, the immediate issue is what should its customers, the retail CIOs, do?

PCI Requirement 12.9 says you need to have an incident response plan, so this is a really good time to dig out yours and follow it. If you use SecurID and you have 10 or 20 of its tokens in your users' hands, you likely will want to monitor the situation actively. If you have a few hundred or thousand SecurID tokens and you rely on these devices for your two-factor authentication, you should camp on RSA's Web site and have your RSA contact on speed-dial to get regular status updates.

In the meantime, CIOs need to consider their options. First of all, CIOs need to follow their incident response plan. Nobody I know is saying that two-factor authentication as a technology is compromised. Remember that even if one product (SecurID) is compromised—and no one is saying it is, yet—you still have the single authentication factor left. The problem is that one-factor authentication is not enough for secure remote access to cardholder data.

The most obvious response is to block all remote access to your cardholder data now. If you are using SecurID to control remote access to cardholder data, that means eliminating it until you either find a substitute second authentication factor or the situation is resolved to your satisfaction. Eliminating remote access risks business disruption, and it will at the very least inconvenience a lot of users. I'm just an assessor, but if it were my job on the line, I'd rather face screams from users than see my CEO on the six o'clock news trying to explain a cardholder data breach any day.

Taking a longer perspective, PCI Requirement 12.1.2 says you must have an annual risk assessment process. I wonder how many retailers have considered the risk of their security provider itself being compromised (or going out of business, being acquired, or changing its product direction)? If you did not include this contingency, now is a particularly good time to add it to your risk assessment.

I have always been of the simple-minded belief that only two types of systems were ever built: those that have been compromised and those that are going to be compromised. If you think about it, that is an underlying principle in a data protection standard like PCI DSS. Nobody ever promised that security providers are uniquely invulnerable, and it is unreasonable to expect them to be. There is no such thing as 100 percent security. Security companies like RSA attract hackers like dogs on the back of a meat truck.

With that in mind, I'd include the impact of a security service provider being compromised in both your risk assessment and your incident response plan. RSA may be this week's story, but you can rest assured there will be another attack or another previously unsuspected vulnerability next week that will have CIOs reaching for the antacid.

This brings me to the joint security announcement by three leading hotel associations. It appears they have come to the profound conclusion that the bad guys target their member hotels. It seems the combination of storing large amounts of electronic cardholder data from current and past guests and having weak security controls is too good an opportunity for cyberthieves to pass up.

The associations jointly recommended three actions: changing default passwords; restricting vendor access to hotel systems; and installing a firewall. To their credit, the associations also think it is a good idea to become PCI compliant, "because the threat is real and because PCI is effective." Unfortunately, it appears they also consider actual PCI compliance—which addresses each of their issues in Requirements 2.1, 12.3.9 and 1.1, respectively—"very challenging" and, by implication, too hard for some of their members.

I am reminded of the ill-fated Barbie doll that whined: "Math class is tough." The maker pulled it from the market after numerous well-justified complaints. Maybe it's the old mathematics teacher in me, but I am wondering if we need a new Barbie that says, "PCI is tough!"

Yes, PCI is challenging. And it is particularly challenging to remain compliant every day. But PCI is also detailed and thorough, and that is why it works. From RSA we learned that even the security companies retailers depend on are vulnerable to attacks and possible compromises. That doesn't mean we give up or say PCI is too hard. It means we learn from each experience, maintain a strong security posture, conduct a thorough risk assessment and keep it current, implement comprehensive incident response plans, and understand the real data retention requirements to minimize the amount of stored cardholder data that attracts the bad guys in the first place.

What do you think? I'd like to hear your thoughts. Either leave a comment or E-mail me at [email protected].