Skip to content

Troubled Audit Waters: Trustwave and the Target Breach

My last post is probably overkill on the Microsoft topic so here’s a TL;DR version of one aspect of that story.

Microsoft mentions an independent auditor will help them avoid risk in the future. In order to not violate privacy of their customers without due cause, they will ask a specific 3rd party attorney of their choosing for opinion on the matter.

That does not give me much confidence. It seems only slightly less likely to fail, at least in obvious terms of independence.

Take a look at an important related story in the news: Target’s QSA (qualified security assessor) Trustwave, who was meant to help stop privacy violation of payment cardholders, is being sued by banks.

There are two parts to the story. One is that an assessor is in a complicated responsibility dance with their client. Did the client fail in their burden to disclose details to the assessor? Did the assessor fail to notice this failure? Did the assessor intentionally overlook failures? The debate over these problems is ancient and the lawsuits are likely to draw from a large body of knowledge, driven in some part by the insurance industry.

The other part of the story is that Trustwave apparently was running a portion of security operations at Target, not just assessing them for adequacy of controls. This is the more interesting angle to me because it seems like a relatively easy risk to avoid.

An assessor is meant to test controls in place. If the control in place is run by the same company as the one assessing its adequacy, then independence is dubious and a conflict-of-interest test is required.

For example, assessor Alice finds Retailer has inadequate IDS. Alice recommends Retailer replace existing and buy new IDS service from service provider Bob. Bob sets up IDS services and then Alice says Retailer has adequate IDS controls. Then Retailer is breached and people notice Alice and Bob work for the same company. Lawyers ask if Alice was conspiring with Bob to sell IDS and rubber-stamp assessments, without regard to actual compliance requirements.

Companies have internal auditors test internal controls all the time, so it’s not impossible or improbable to have a single authority sit above and manage both roles. Independence is best served transparently. However, one of the primary benefits of bringing in a 3rd party independent assessment is the most clear form of independence from any operational influences.

Bottom-line is Trustwave was known for selling services and assessing those services in order to maximize income opportunities and grow their practice size; they found a more lucrative but far less clean business model that now begs the question of adequate separations. If the Target investigations question the model then it could change the industry.

Update March 29: Trustwave’s CEO Robert McCullen has posted an announcement, specifically mentioning the conflict-of-interest issue.

In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.

Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.

As I said, this is a key issue to watch in the dispute.

Posted in Security.

One Response

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

  1. Arshad Noor says

    Since PCI-DSS first came out, at StrongAuth we have held the position that we do not pay QSA’s referral fees for recommending our products to their clients, Davi. This was based on a very simple tenet: anyone hired to test controls should not be selling products or services to customers implementing those controls to avoid the obvious conflict-of-interest. I don’t see anything wrong with a QSA specifying a list of vendors (3 to 5) that the customer may look at for a potential solution, but smart customers ought not to ask their QSAs for such information in the first place – theirs is to research, buy and implement while the QSA’s is to test.

    We have lost quite many deals because we refused to pay referral commissions; but after the Enron debacle, it was obvious to anyone with half-a-brain that QSAs had no business selling products/services – unless they wanted to get sued. So, I’m the least surprised that Target has chosen to sue Trustwave. Its been long overdue.

Some HTML is OK

or, reply to this post via trackback.