Compliance Humor

Or, at least an attempt…

A lawyer runs a stop sign and gets pulled over by a sheriff’s deputy. The lawyer thinks that he is smarter than the deputy because he is from New York and is certain that he has a better education than any cop from Houston. He decides to prove this to himself and have some fun at the deputy’s expense.

Deputy “License and registration, please.”
Lawyer “What for?”
Deputy “You didn’t come to a complete stop at the stop sign.”
Lawyer “I slowed down, and no one was coming.”
Deputy “You still didn’t come to a complete stop. License and registration, please.”
Lawyer “What’s the difference?”
Deputy “The difference is, you have to come to a complete stop, that’s the law. License and registration, please!”
Lawyer “If you can show me the difference between slow down and stop, I’ll give you my license and registration; and you give me the ticket. If not, you let me go and don’t give me the ticket.”
Deputy “Sounds fair. Exit your vehicle, sir.”
The deputy takes out his nightstick and starts beating the ever-loving crap out of the lawyer and asks, “Stop or just slow down?”

Not sure who the joke makes more fun of, annoying lawyers or brutal police.

Time to encrypt internal traffic?

The article in the WSJ seems to accuse the PCI standard of not requiring sufficient security.

In both the Hannaford and Okemo heists, hackers attacked an area that previously had been thought impenetrable — a company’s private internal computer network. Many previous breaches involved wireless network systems.

PCI mandates that all transaction data sent over networks that are publicly accessible — such as in coffee shops — be encrypted, but it doesn’t require that for transmissions over internal private lines.

At Hannaford and Okemo, hackers managed to install malicious software into the companies’ private networks to steal credit-card information being transmitted to processors for approval.

Previously thought impenetrable? By whom? Everyone I know who is familiar with PCI, or even general security audits for that matter, has been talking about the perimeter fallacy for more than a decade.

More to the point, why does the PCI specify public networks only? It is hard to guess motive without speaking to the authors, but the reality is that you have to start somewhere. The authors made many omissions and mistakes, but the standard is a starting point and it has unquestionably had a positive impact in many areas of security.

Don’t try to boil the ocean.

Beyond the slow pace of security progress in the world of credit-card commerce, there is a second point: compliance success should not be an end but rather a starting point. Every time I drive my car I wonder who on earth gave the other drivers their license. Similarly, each time we shop at a store we place ourselves (i.e. our financial identity) in the hands of a management team that we usually cannot see or judge ourselves. A company might have achieved various compliance awards (e.g. technical ability, process maturity, cleanliness, credit-card security), but we should not forget that “compliant” and “well-managed” are not intrinsically the same.

The good news is that the bar is rising.

In January, Visa announced that 77% of its largest U.S. merchants became PCI compliant in 2007, up from 12% in 2006. Compliance among midsize merchants grew to 62% last year from 15% the year before.

This means that “above and beyond” measures such as internal traffic encryption might be worth worrying about, but if 33% of the largest merchants are still not PCI compliant then there are still a whole lot of companies not even reaching baseline measures in multiple areas.

Did you notice the detail in the Hannaford and Okemo cases suggests that internal computers were compromised via malicious software?

At Hannaford and Okemo, hackers managed to install malicious software into the companies’ private networks to steal credit-card information being transmitted to processors for approval.

So here are alternative solutions, perhaps more practical for most retailers: segment sensitive data from systems that have public/Internet access, monitor for malicious/unauthorized software being installed, and block command-and-control communication to non-authorized systems (e.g. proxy the traffic and inspect packets).

Don’t get me wrong, I have long advocated for internal encryption of sensitive data when it is in transit. In fact, I led the design and deployment of exactly such a system for a retailer several years ago. That work led me to the OASIS EKMI project where I work with others on a global standard so the encryption of internal traffic will be made even easier/cheaper.

However, I also understand that there are areas where this is impractical today (e.g. no standards exist yet) or where another control is better suited to solve the same problem.

After reading the WSJ version of events, I find it sad that host-based monitoring was not mentioned at all.

Eventually people may realize that there is no silver bullet to achieving compliance in information security.

Is there a silver bullet for keeping a kitchen clean or being a good driver?

False hope is everywhere, even in the “big name” analysts:

“This kind of attack would not have been possible if the credit-card data had been encrypted,” says Avivah Litan, a security analyst for Gartner Inc. in Stamford, Conn.

Sorry Gartner, that’s not a fair assessment. Why? Because even with encryption, the keys have to be managed properly. And without baselines for good management infrastructure or standards, the probability of a company going “above and beyond” to protect their keys is very low. So this kind of attack would only have needed one or two additional steps to succeed along the same vector.

The real problem, IMHO, is that a system was compromised within the company and no one noticed in time to stop it from reaching sensitive data. Event monitoring and correlation, as well as the host and network-based controls mentioned above, need to be in the picture.
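As an added illustration of the host-based monitoring, egress control and event correlation argued for above (example code, not from the post or from any of the companies named), the following detector runs over constructed host software-inventory events and egress-proxy records from a hypothetical cardholder-data segment. The host names, package names, destinations and allowlists are all assumptions; the point is that an unapproved install followed shortly by a connection to a non-authorized destination from the same POS host is exactly the kind of event a compliant-but-unmonitored network would miss.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real logs): software install events reported
# by a host agent, and egress connections seen at the segment's proxy.
HOST_EVENTS = [
    {"ts": "2008-03-18T02:10:05", "host": "pos-07", "event": "install", "pkg": "pos-agent 4.2"},
    {"ts": "2008-03-18T02:11:40", "host": "pos-07", "event": "install", "pkg": "unlisted-updater"},
    {"ts": "2008-03-18T03:00:00", "host": "pos-12", "event": "install", "pkg": "pos-agent 4.2"},
]
PROXY_LOG = [
    {"ts": "2008-03-18T02:12:31", "src": "pos-07", "dst": "processor.example.net", "port": 443},
    {"ts": "2008-03-18T02:14:02", "src": "pos-07", "dst": "203.0.113.9", "port": 8080},
    {"ts": "2008-03-18T03:05:00", "src": "pos-12", "dst": "processor.example.net", "port": 443},
]

# Hypothetical allowlists: what may run on POS hosts, and where POS hosts
# may talk to (the card processor only). Anything else is a finding.
CDE_HOSTS = {"pos-07", "pos-12"}
APPROVED_PACKAGES = {"pos-agent 4.2"}
AUTHORIZED_DESTS = {"processor.example.net"}
WINDOW = timedelta(minutes=15)


def _t(stamp):
    return datetime.fromisoformat(stamp)


def unauthorized_installs(events):
    """Host-based control: installs on CDE hosts not on the approved list."""
    return [e for e in events
            if e["host"] in CDE_HOSTS and e["event"] == "install"
            and e["pkg"] not in APPROVED_PACKAGES]


def unauthorized_egress(log):
    """Network control: CDE hosts reaching anything other than the processor."""
    return [r for r in log if r["src"] in CDE_HOSTS and r["dst"] not in AUTHORIZED_DESTS]


def correlate(events, log, window=WINDOW):
    """Correlation: an unapproved install followed, within `window`, by
    unauthorized egress from the same host. Returns one alert per pair."""
    alerts = []
    for inst in unauthorized_installs(events):
        for conn in unauthorized_egress(log):
            delta = _t(conn["ts"]) - _t(inst["ts"])
            if conn["src"] == inst["host"] and timedelta(0) <= delta <= window:
                alerts.append({"host": inst["host"], "pkg": inst["pkg"],
                               "dst": conn["dst"], "delta_s": int(delta.total_seconds())})
    return alerts


if __name__ == "__main__":
    for a in correlate(HOST_EVENTS, PROXY_LOG):
        print(a)
```

Either list on its own is worth a ticket; the correlated pair is the one that should page someone, because it is the install-then-exfiltrate sequence the WSJ quote describes.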