March 4, 2009 - Volume 4, #22

What the F is with Visa?

Good Morning:
Sometimes I just sit in my office and scratch my head. It's rare that I'm speechless (very rare, just ask the Boss), but when I came across this article in NetworkWorld on Visa's latest perspective on the "new" data breach, I was pretty much paralyzed. Yesterday, SC Magazine covered it as well.

In a nutshell, Visa is either being run by lawyers or the Three Stooges. It's not clear to me which one, though I'd have to side with the lawyers at first glance.

In a classic Clintonian "it depends on what the definition of is is" moment, it turns out Visa's statement on the "new" breach didn't indicate it was actually new. And now they are saying it wasn't new. Maybe customers were compromised. Or maybe they weren't. Holy crap I'm confused.

Which is the real problem. First of all, it's clear that consumers credit card data has been compromised. Maybe it was a new breach, maybe it wasn't. But clearly there was a successful (very successful, dare I say) attack vector and we still don't know anything about it. Instead we have word games and obfuscation from the lawyers that have to approve any messages that go to either customers or the media.

With all due respect to my Dad and all the other lawyers I call friends (most of the time), I hate lawyers. You see, this gets back to the disclosure issue. These attacks are happening, RIGHT NOW. These attacks are being successful. Financial institutions and retailers are sitting under a two ton anvil called the recession (some would even say depression).

These folks need to optimize their resources and make sure their defenses are in place against new and innovative attack vectors. Instead, you have their lawyers trying to decipher what Visa and Mastercard's lawyers are saying or not saying. All the while the attackers continue to have their way with pretty much anyone and everyone (PCI compliant or not).

I know I'm asking a lot, but to hear the truth would be nice. It's all fine and dandy that Visa is now "risk scoring" each transaction to look for fraud (didn't they do that anyway? If not what the hell do I pay my 2% per transaction for?). But they are still reacting to the attacks, not helping to address them.

Makes me want to do my best Moe imitation and give an eye poke to Larry (Visa) and a head slap to Curly (MasterCard).

Have a great day.

Photo credits: “Three Stooges” originally uploaded by NYCArthur 

Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

January 26, 2009 - Volume 4, #9

Good Morning:
Quick intro today, since I spent most of my allocated TDI time ranting about PCI. It's got a major problem of relevance, given the second (that we know of) massive data breach on a PCI "compliant" organization. So what will they do? Let's just say I have some ideas about what they should do... 

PS: Last call for the Pragmatic CSO Forum I'm launching with the Business of Security folks. We start the Forum sessions tomorrow, so this is the last opportunity you'll have to learn the methodology. We're running a promotion now for anyone that signs up for the Forum will get a PDF of the book included.

Have a great day.

Technorati: Information Security, CSO, Security Mike, Internet Security

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com

The Increasing Irrelevance of PCI

This is a hard post for me to write. I've been a big fan of PCI, pretty much since it's inception. It was a lot more specific than previous regulations. I may not agree with all of the requirements (like the AV mandate), but at least there were a list of things that merchants could do to start on the road to security.

I'm a pretty Pragmatic guy, so I knew that most folks would look at the 12 requirements and figure that's all they needed to do. That once the PCI Assessor delivered the report, that they'd be secure and their credit card data would be safe. Of course, they would be wrong - but I figured we needed to start somewhere and PCI was a good start.

And it was for a little while, but it's like sending your playbook to the opponent before the big game. Your adversaries know exactly how you plan to defend against them. It's not too hard to devise a new attack to circumvent those lowest common denominators. Which is exactly what the attackers that successfully compromised both Hannaford and most recently, Heartland did. 

I wrote on the eIQ blog about how I think we can add incremental defenses to protect against these new attacks, but that still doesn't answer the crisis of confidence facing PCI right now. Sure the 12 requirements are a good start, but clearly they are not enough and the general consensus-based process of updating the requirements means PCI is always solving the attacks of 2 years ago. For instance, the mandate to eliminate WEP from wireless networks is only going into effect this year. WEP has been severely broken for over 2 years.

So I believe the PCI Security Standards Council has some serious soul searching to do. The Council needs to act quickly and decisively to stem the rising tide of irrelevance. Or else they'll need to acknowledge that PCI is the next HIPAA and organizations will continue to due the bare minimum to comply, while secretly snickering at the ridiculous hoops they have to jump through to little benefit.

The first step is to announce they are going to do a 45 day review of the current set of requirements to determine if they are still relevant and to pinpoint gaps, maybe even publish some new guidance and clarification on the weakest requirements (or the one's that just aren't working). The first step is always the hardest, and thus far the public stance from the Council has been one of "not my problem." They only set the rules, they don't enforce them. That's the wrong answer, but it's the predictable one.

In terms of the massive change needed, as you would expect, I have some ideas about how the requirements should evolve. The reality is that security is not binary. No one set of guidelines is reasonable for every organization out there. Larger organizations (with more to lose) should spend more than a mom and pop shop. The current process of requiring a real assessment for Tier 1 merchants (as opposed to a self-assessment) tries to factor this in, but everyone is working off the same set of requirements and that's wrong. 

I would define a set (probably 3) of different security levels. The lowest level would be today's bar. We know it's not sufficient, but again it's a start. Then they add at least two more levels beyond that, including maybe a full monitoring level and perhaps an end to end encryption level, depending on the merchant's threshold for risk, their size and their willingness to invest in security.

The sad truth is that it's probably not cost effective for every retailer to get to the highest level. Even if they do suffer a breach, the cost of doing whatever the highest level may be (especially if it involves widespread use of encryption) may outweigh the cost of cleaning up the mess. Not for everyone, but for enough that requiring the highest level of security doesn't make sense for them.

But how is this different? So what if there are three levels of security (that merchants can market to), where is the catalyst to get anyone to the highest level of security? Drum roll please.... the answer is TRANSACTION FEES. Merchants live and die on transaction fees. It's a huge part of their cost model and if they can reduce those fees, then investments can easily be justified.

I believe the only way to get retailers to adopt higher levels of security is to make it a good business decision. They need to be able to make a reasonable return on their investment, and then it will happen. That's the way free market economies work. Thus, we set different levels of transaction fees, depending on what level of security the organization achieves.

By the way, this makes sense for the upstream side of the equation as well. Given the potential risk of having a low level of security and the associated fraud costs that accrue to the system, issuing banks and credit card brands can also make money by reducing the transaction fees - for an increased level of security.

I've spent two decades paying attention to the drivers of what makes businesses do things. I've spent a lot of other people's money proving that you cannot make a market. Latent demand needs to be there based on a good business decision for the customer. They need to be able to either save money or make money by deploying technology. It's a simple as that. So it's just simple economics that drives me to believe the only thing that will get organizations to invest in security is to help them reduce their costs. If they can't see a clear cost savings, they'll do the least amount possible. Not many organizations do security because it's the right thing to do.

It's Monday and I guess I'm being a bit idealistic, eh? The likelihood this will happen is very small. There are a lot of folks within the council that can't afford to rock the boat too much, and the occasional black eye isn't enough to truly agitate for longer term change. So with each data breach PCI becomes weaker and weaker until it ends up similar to HIPAA. Unless something changes organizations will continue to pay lip service to it, customers won't trust it (to the degree they even know about it), and it becomes just another report that is generated out of the security reporting system, which is my definition of irrelevance.

Photo credit: “Fail (19/08/07 137)” originally uploaded by The Happy Robot