Call me a contrarian (or a Visa suck up), but I actually believe that the PCI DSS controls, implemented in an “above average” way, could have stopped the Gonzalez-led criminal masterminds from breaking into a company. Not all companies, but a company with above average security. Allow me to explain before you get too ticked off at me.
Recently, Evan Schuman wrote a piece on the Gonzalez breaches, where he quoted a security specialist who argued that these breaches constituted evidence of the failure of the PCI data security standards. (She even kept score: Hackers, 12; PCI, 0. I guess 12 is a winning score in some game with which I’m not familiar.) Anyway, I’m no apologist for PCI, as anyone who has read my columns or our research in the PCI Knowledge Base knows. But I think that position is wrong because it lays all the blame on the standards and ignores the responsibilities of the merchants. Here are the arguments for my position:
Since Albert Gonzalez has now agreed to plead guilty to what is clearly the largest data theft conspiracy to date (that we know about), we now know the names of virtually all the companies that Gonzalez and his cohorts stole from. What we don’t know are the names of the companies the criminals did not gain access to, and why. The conspirators (according to the indictment) started with a list of Fortune 500 companies.
Then, to narrow their list of targets, they did some basic security testing of the merchants’ websites, did some research on known vulnerabilities of the POS systems they used, did some war driving to test the security of their in-store wireless networks, etc. Pretty basic hacker stuff, and all covered by the PCI DSS.
My point is that the merchants who were the victims of their attacks were, comparatively, less secure than (I presume) other merchants who the criminals researched, but which were ultimately not attacked. Although it’s possible that these criminals broke into every single company they targeted, I doubt it.
Let’s say a group of retailers is being chased through the jungle by a tiger named, say, Gonzalez. To avoid being eaten by the tiger, it’s not necessary that each retailer run the fastest, but merely that each retailer should run faster than the slowest retailer.
The Gonzalez conspirators’ attacks are similar to most other security hacks, in that they took place in a series of phases, which are nicely laid out in the indictment.
For example, hackers typically use automated tools to identify weaknesses in the network perimeter, such as un-patched operating systems, default passwords, or wireless networks running without encryption keys. Once they find a weakness (or two), they employ more labor-intense tools such as brute-force password crackers, customized SQL injection scripts, and physically driving to mall parking lots to try to hack wireless networks.
Such effort is justified because their prior research has identified a subset of companies whose security is weaker than average, in those specific areas for which they have exploits. And again, each of these security attacks could have been prevented by a “better than average” implementation of the related PCI DSS controls.
Once the Gonzalez conspirators broke through the perimeter using one or more of the above techniques, they used custom-developed malware (in most cases, packet sniffers), designed to exploit known weaknesses in the POS systems, networks and operating systems used by the targeted merchants and capture credit card data as it flowed through the compromised systems.
There are PCI DSS controls related to system configuration management (Req 2), file integrity monitoring and log management (Req 10), and network segmentation (Req 1) which could have detected the malware on the systems or the transfer of files through the network and out of the company back to the criminals.
But there is tremendous variability in the merchant community as to how (and how well) these standards are implemented. In my experience, it’s all about measurable effectiveness. In some cases, the design of the standards may not be effective because they left out specific technical considerations. In other cases, the implementation and testing of specific controls may not be effective, due to the lack of sufficiently diverse or detailed test cases. It’s not that criminals are smarter than the “good guys,” but they are often more persistent, testing out thousands of different exploits until they find one that works.
I agree with the security expert in Evan’s story that it’s not all that hard for a very skilled criminal to figure out a way around security controls, once they are on the “inside,” assuming that by this point they have invested sufficient time and effort that they will do whatever is necessary to finish their criminal enterprise.
My point here is that there are PCI DSS controls that were designed to prevent most of the nefarious actions of the criminals in this case. But these are “standards,” after all, designed by a committee, reviewed and approved by a bunch of companies. To say that standards developed through such a process have “failed” because the standards, in and of themselves, were insufficient to stop highly skilled and highly motivated criminals is to misunderstand the purpose of standards in this context.
PCI DSS has to be regarded as a “minimum” level of data security, sufficient to stop your “basic” criminals. But if a merchant wants to stop this sort of “organized crime” or a “criminal conspiracy,” they have to implement “above average” security so that it’s harder to break in, harder to install malware without detection, and harder to move their ill-gotten data out of the company once it’s been “ill-gotten.” If I were cynical, I would say that the goal of data security is not to stop criminals, just to make it harder to steal from you than from your neighbors (or competitors).
I’m not trying to pick a fight or insult my many friends in the retail industry. But I am trying to make a distinction between standards as a generic, even basic, set of security guidelines and an above average level of security that goes “beyond PCI” or certainly beyond a basic implementation of the standards, in such a way that it is sufficient to cause hackers to “look elsewhere” to find an easier target. If you think I’m being unfair (or a Visa suck up), let me know. Either visit the PCI Knowledge Base, and use our “Contact us” page, or if you want to have a personal discussion about what an idiot I am, just send me an E-Mail at [email protected].