eIQcast Episode 12: Continuous Compliance Coming (or not)
April 6, 2009
As recently discussed in a post by Mike Rothman, a Visa executive this week sought to clarify a company claim that no PCI-compliant company has suffered a data breach. Given that PCI compliance is determined at a fixed moment in time, the unattainable ideal is “continuous” compliance.
In the latest episode of eIQcast, Ross Levanto asks eIQnetworks Product Evangelist John Linkous about Visa’s claims. They review how companies can move toward the unattainable continuous compliance goal, and they provide tips on certain effective data security strategies not specifically mandated by the PCI rules.
Running time: 11:08
Direct Link: http://eiqcast.podOmatic.com/entry/2009-04-06T11_42_21-07_00
Continuous points in compliance time
March 24, 2009
A while back on my personal blog, I railed a bit on Visa for their clear hypocrisy in saying no PCI-compliant company has ever been breached. Basically it was like they figured out how to jump in the trusty Back to the Future DeLorean and pull the compliance certificate right before the breach. Unless the assessment happens when the breach is happening, this position is defendable, though clearly contrived.
Now the folks from Visa are out there working to clarify what they meant and what needs to change as PCI evolves. An interview on bankinfosecurity.com with Visa’s Deputy something or other, Adrian Phillips, goes a long way towards clarifying the hypocrisy. Basically, Visa’s idea now is that compliance is NOT a point in time, but needs to be assessed on a continuous basis.
Just as other industry standards, such as accounting, are amended and changed over time, Phillips says PCI requirements must evolve as well. “The principal area we must focus on is the need for continuous monitoring for compliance,” he says. “I think that people have been confusing the message. People are saying ‘I have been found compliant,’ when in fact they were found compliant on that one point in time when the assessment was done.”
First of all, this is a step in the right direction – should it happen. Obviously we live in a dynamic world. There are new attacks daily. There are new devices moved, added, and changed daily. There are new applications rolled out or decommissioned or updated, that’s right – daily. So the idea that anyone found “compliant” on March 24 would still be “compliant” on September 25 is not a good assumption.
But, as you’d expect, I have some issues with this concept. First of all, the compliance game is based upon a periodic audit. Maybe it’s every quarter, maybe every year. But it’s not like anyone is going to audit on a continuous basis. Even internal audit staffs focus on certain aspects of the systems for a certain period of time, to the exclusion of other systems. So there will always be a certain measure of statistical “assumption” made to say an organization is compliant.
More importantly, no organization can staff up for continuous assessment. They’d need more people than systems, applications, and devices. It may solve the global unemployment problem, but probably isn’t going to help the profit situation for most large companies. So obviously organizations are going to need a large dose of automation to stay on top of these regulations on a continuous basis. They’ll need to assess the technical and qualitative controls and be able to pull reports at any point in time to substantiate their real time security and compliance posture.
Which is great news for anyone in the business of aggregating security data and reporting on technical and qualitative controls. Ahem… like eIQ…
Will the real [Breach X] please stand up?
February 24, 2009
Do you remember that classic game show “To Tell the Truth?” It was great, and trying to figure out who the “real” person was always a challenge.
Unfortunately Visa and MasterCard are making all of us play the same game of late. There have been recent rumors running rampant (alliteration anyone?) about another data breach of a credit card processor (coverage: SCMag, Dark Reading). Allegedly it is on the scale of Heartland, and that is bothersome. Especially when we can’t get any information from the banks or payment card brands. So we are forced to call it “Breach X” for the time being.
So in the absence of any real data, what can we do to make sure nothing is compromised? Let’s take two paths: the first is for you personally (and your employees), and the other is for your company.
Personal Protection Plan
There is a high likelihood that your credit card data has been compromised as a result of either Heartland or Breach X. If you are lucky, then your bank will just issue another card and you’ll need to go change all your numbers and update all your e-commerce sites and the like. It’s a hassle, but it’s not that big a deal.
If you aren’t lucky, they won’t, and you’ll have a compromised card on the street. That’s why you should be monitoring your personal credit accounts on a daily basis. Each of your credit card companies has a web site, and you can log in daily and check the recent transactions. This is a great habit to get into.
By the way, as a “value add” the corporate security team can do training for employees on things like identity theft and private data protection. These kinds of tips may come second nature to you (as a security professional), but certainly not to the rank and file. You can win a lot of credibility points internally by turning these massive breaches into an educational opportunity.
Corporate Protection Plan
If you accept credit cards, data being stolen from a payment processor isn’t your problem, right? In the strict sense, yes – but that is a pretty myopic view.
We need to learn about these attack vectors and make sure that it’s not going to happen to us. That means we probably want to start monitoring (or even blocking) unauthorized outbound connections. Rich Mogull has a great post on that.
You probably want to monitor your network traffic as another layer of defense, and also your systems to ensure malware or unauthorized configuration changes haven’t been made.
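As an added example (not eIQ’s or the author’s code), here is one way to turn the “monitor unauthorized outbound connections” advice into a check: compare firewall logs from the card-data environment against an egress allow-list and total the bytes of everything that falls outside it. The log format, address ranges and allow-list entries below are constructed for illustration.

```python
# Egress allow-list review for a card-data environment (added example, not eIQ's code).
# Constructed log format: "<ts> SRC=<ip> DST=<ip> DPT=<port> PROTO=<tcp|udp> BYTES=<n>".
import ipaddress
import re
from collections import Counter

CDE_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed card-data environment range

# Destinations the CDE may reach: (network, port, proto). Addresses are constructed.
EGRESS_ALLOW = [
    (ipaddress.ip_network("203.0.113.10/32"), 443, "tcp"),  # payment gateway
    (ipaddress.ip_network("10.0.0.53/32"), 53, "udp"),      # internal resolver
    (ipaddress.ip_network("10.0.0.0/8"), 514, "udp"),       # syslog to internal collector
]

LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) "
                     r"PROTO=(?P<proto>\w+) BYTES=(?P<bytes>\d+)$")

def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {"ts": g["ts"], "src": ipaddress.ip_address(g["src"]),
            "dst": ipaddress.ip_address(g["dst"]), "dpt": int(g["dpt"]),
            "proto": g["proto"].lower(), "bytes": int(g["bytes"])}

def is_allowed(rec):
    return any(rec["dst"] in net and rec["dpt"] == port and rec["proto"] == proto
               for net, port, proto in EGRESS_ALLOW)

def unauthorized_egress(lines):
    """Total bytes per (src, dst, port) for CDE flows that leave the CDE and match
    no allow-list entry: the table a responder would review (or block on)."""
    totals = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["src"] in CDE_NET and rec["dst"] not in CDE_NET and not is_allowed(rec):
            totals[(str(rec["src"]), str(rec["dst"]), rec["dpt"])] += rec["bytes"]
    return dict(totals)

SAMPLE_LOG = """\
2009-02-24T01:00:01Z SRC=10.10.5.20 DST=203.0.113.10 DPT=443 PROTO=tcp BYTES=1800
2009-02-24T01:00:02Z SRC=10.10.5.20 DST=10.0.0.53 DPT=53 PROTO=udp BYTES=120
2009-02-24T01:00:05Z SRC=10.10.5.21 DST=198.51.100.77 DPT=443 PROTO=tcp BYTES=52428800
2009-02-24T01:00:09Z SRC=10.10.5.21 DST=198.51.100.77 DPT=21 PROTO=tcp BYTES=9000
2009-02-24T01:00:12Z SRC=192.168.1.9 DST=198.51.100.77 DPT=80 PROTO=tcp BYTES=300
2009-02-24T01:00:15Z SRC=10.10.5.22 DST=10.10.5.23 DPT=1433 PROTO=tcp BYTES=4000
""".splitlines()  # constructed sample: only lines 3 and 4 are unauthorized egress
```

`unauthorized_egress(SAMPLE_LOG)` reports the two flows from 10.10.5.21 to 198.51.100.77 (50 MB over 443 and 9000 bytes over 21) and ignores the allowed gateway and DNS traffic, the non-CDE source, and the flow that stays inside the CDE.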
And most of all, you need to call your issuing bank and yell at them. It’s unacceptable that Visa and MasterCard have been sitting on this breach because the payment processor can’t get their act together. Whoever Breach X happened to should be out of business this time next week.
Yes, that’s harsh, but in this kind of environment, when customer trust is at an all time low and people are struggling – to not come clean and come clean quickly is just ridiculous. There is nothing like a public execution to keep everyone focused on doing the right thing in the event of a breach.
Now will the real [Breach X] please stand up?
Photo: “Gallows” originally uploaded by ClarkZip
