Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- To: "nick@xxxxxxxxxxxxxxxxxxx" <nick@xxxxxxxxxxxxxxxxxxx>, Full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
- From: "Thor (Hammer of God)" <Thor@xxxxxxxxxxxxxxx>
- Date: Sat, 10 Apr 2010 18:00:23 +0000
> > Not the fault of PCI. Perhaps you should consider a better auditor.
>
> Ummmmm -- isn't the point that PCI is set up such that lowest (common
> denominator amongst) auditors are actually the ones that define what "PCI
> compliance" really is?
>
> As an earlier poster already pointed out, all the vaguely recent major credit
> card data theft cases have involved "fully PCI compliant" (as defined by that
> perpetrator's PCI auditors) card processors, etc...
While I have heard the same thing repeated many times, I've never found a
credible source for the claim that "all breaches involved fully PCI compliant
processors."
According to the 2009 Verizon Business Breach Report, 81% of the attack victims
were not PCI compliant:
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
I trust the accuracy of a report compiled in a professional manner from actual
breach data far more than I do random posts from anonymous users on the subject
matter (not saying YOU are a random poster, Nick - I've developed respect for
your opinions over the years).
While PCI compliance does not directly equate to the secure implementation of a
system (or should I say "applicably secure" implementation), the existence of a
standard has obviously contributed to end-of-the-day security. As
technologists, we will always find a way around controls, and will always be
able to point out weaknesses in a system. For example, the "firewall"
requirement to physically separate PCI assets from other assets: One can
"pass" this requirement by placing any qualifying firewall unit in between
assets, even if all traffic is allowed through the firewall. The hope of
course is that this is NOT done, but analysis of every firewall's ruleset is
out of scope for PCI audits. It's the credit card industry's game, and if you
want to play it, you have to follow their rules.
Far too often security is positioned in this highly technical, difficult to
understand, "anything can be broken so why bother" approach. And while that
is true at the detail level, starting off with the basics of least privilege
and security in depth has proved to be the most successful method. I have made
this statement about a million times. And the data seems to support this:
81% of victims were not PCI compliant.
83% of attacks were not highly difficult.
87% were considered avoidable through simple or intermediate controls.
99.9% of records were compromised from servers and applications (meaning, not
clients).
It is one of the reasons I speak out so strongly against SOSs (snake oil
salesmen) when they try to push short-cut methods or "magic formulas" or use
pseudo-intellectual theory to postulate best practices. One such example is
some Berkeley guy SANS always used to get "expert" contributions from (Schmidt
or Schultz or something - I can't remember and I'm actually happy about that)
who repeatedly said that inside attacks were where all the risk was, and that
they accounted for the most or all breaches. Those who trusted that advice
made bad decisions on their security (74% of attacks are external). Analysis
of over 600 breaches spanning 5 years proves that - not armchair pontification.
And thus one sees the inherent danger in perpetuating rumors that "all assets
were fully PCI compliant" in the absence of fact - people may very well "act"
on that assertion. We could certainly spin it up nicely and add some flair to
it by saying something like "the Verizon report shows that amazingly, a
stunning 19% of all victims were *FULLY* PCI compliant and certified to
process highly sensitive financial and personal information by auditors who do
NOTHING ELSE but deliver PCI compliance services, yet over 57 MILLION innocent
lives were potentially exposed to identity theft, information disclosure, as
well as a raging case of herpes."
So we can sit around and say "compliance is a waste of money" or we can say "if
we want to make money by accepting credit cards, we have to comply with the
industry's requirements. This will cost money in implementation, compliance,
and certification. While doing this, we should focus on cost centers and
expenses while ensuring that we take full advantage of the security benefits
such a compliance framework offers."
t
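The firewall point above (a segmentation control that "passes" because a box is in the rack, even if its ruleset lets everything through, and ruleset review being out of audit scope) is the kind of gap an internal check can close. The following is an added example, not code from the post or from any PCI tooling: it parses a constructed, simplified first-match rule format, probes representative flows from a non-cardholder network into the cardholder-data environment (CDE), and flags a ruleset that provides no real segmentation. The rule format, network ranges, probe port list and both sample rulesets are assumptions made for the example.

```python
"""Probe a first-match firewall ruleset to see whether the segmentation between
a non-cardholder network and the cardholder-data environment (CDE) is real or
only on paper. Rule format, networks and sample rulesets are constructed for
this example and do not correspond to any real product or audit procedure."""
import ipaddress
from dataclasses import dataclass

# Representative destination ports to probe (constructed sample, not exhaustive).
PROBE_PORTS = (22, 80, 443, 445, 1433, 3306, 3389, 8080)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp", "udp" or "any"
    ports: tuple                  # inclusive (low, high); (0, 65535) means any


def _parse_ports(field):
    if field == "any":
        return (0, 65535)
    if "-" in field:
        lo, hi = field.split("-", 1)
        return (int(lo), int(hi))
    return (int(field), int(field))


def parse_ruleset(text):
    """Parse lines of '<action> <src-cidr> <dst-cidr> <proto> <dport|lo-hi|any>'
    (toy format assumed for this example); '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, ports = line.split()
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto, _parse_ports(ports)))
    return rules


def first_match(rules, src_ip, dst_ip, proto, dport, default="deny"):
    """Return the action of the first rule matching the flow (first-match
    semantics); 'default' is the device policy when nothing matches."""
    src_ip = ipaddress.ip_address(src_ip)
    dst_ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src_ip in r.src and dst_ip in r.dst
                and r.proto in ("any", proto)
                and r.ports[0] <= dport <= r.ports[1]):
            return r.action
    return default


def audit_segmentation(rules, outside_net, cde_net, default="deny"):
    """Probe representative flows from the first host of outside_net to the
    first host of cde_net and return the (proto, port) pairs that get through."""
    src_ip = str(next(ipaddress.ip_network(outside_net).hosts()))
    dst_ip = str(next(ipaddress.ip_network(cde_net).hosts()))
    allowed = []
    for proto in ("tcp", "udp"):
        for port in PROBE_PORTS:
            if first_match(rules, src_ip, dst_ip, proto, port, default) == "allow":
                allowed.append((proto, port))
    return allowed


def is_paper_firewall(rules, outside_net, cde_net, default="deny"):
    """True when every probed flow into the CDE is permitted: the device exists
    but enforces no segmentation."""
    allowed = audit_segmentation(rules, outside_net, cde_net, default)
    return len(allowed) == 2 * len(PROBE_PORTS)


# Constructed sample rulesets.
PAPER_FIREWALL = """
allow 0.0.0.0/0 0.0.0.0/0 any any   # a unit in the rack, nothing filtered
"""

SEGMENTED = """
allow 10.1.0.0/16 10.2.0.0/24 tcp 443   # corporate -> CDE web tier only
deny  0.0.0.0/0   0.0.0.0/0   any any   # everything else dropped
"""

if __name__ == "__main__":
    for name, text in (("paper", PAPER_FIREWALL), ("segmented", SEGMENTED)):
        rules = parse_ruleset(text)
        flows = audit_segmentation(rules, "10.1.0.0/16", "10.2.0.0/24")
        print(f"{name}: {len(flows)} of {2 * len(PROBE_PORTS)} probed flows allowed "
              f"into the CDE; paper firewall = "
              f"{is_paper_firewall(rules, '10.1.0.0/16', '10.2.0.0/24')}")
```

The probe-based approach is deliberately simple: instead of reasoning symbolically about overlapping rules, it asks the ruleset the same question a packet would, so shadowed rules and device default policy are handled by the same first-match logic the device uses. Running such a check against exported rulesets on a schedule gives an organisation evidence about the control itself, which is exactly what an audit that only confirms the device's presence does not.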