The move to a risk-based approach to PCI-DSS rather than a compliance-based approach would enable the transformation of PCI-DSS from a compliance standard to a security standard. On the other hand, the PCI-SSC avoids conflict with other industry security standards, guidance, and recommended best practices by NOT trying to be a security standard. That much is true up to now.
For example, in the case of annual key rotation requirements in section 3.6, there is little ambiguity in v1.2.1, where an annual key rotation is required. If an entity feels that quarterly or monthly encryption key rotations are appropriate, then they have met and exceeded that standard. If the cryptographic cycle is longer than one year, then that organization has not met the standard.
In most cases, the real risk of compromise to otherwise protected data lies not in the age of the encryption key, but rather in the balance of section 3.6 requirements that are NOT addressed by key rotation – specifically the key generation, storage, distribution, and revocation requirements. Generate weak encryption keys, implement weak cipher strength, get sloppy with storage and distribution and allow anyone to arbitrarily change keys at whim – and the frequency at which you rotate keys matters little, even if you change them daily.
But is a QSA empowered to make risk-based decisions regarding the suitability of a client’s key rotation interval? Version 2.0 suggests this: conceivably a QSA may reject the practice of annual key rotation on the grounds that risk factors suggest a more frequent key rotation schedule, perhaps quarterly. If the organization does not meet the schedule mandated by the QSA, then that organization may fail the audit until such time that it meets the “QSA requirement.” The target organization may in turn argue that it has met the standard of PCI-DSS by implementing (and demonstrating) annual key rotation. They will cite “contempt of QSA” as the reason for their failure to comply with PCI-DSS. Who will referee this dispute? What recourse does either the target organization or the QSA have available to them, and what actions might they take to address the conflict?
Similarly, a QSA may determine that an interval of less than one year is appropriate, and that the cryptographic cycle should be five years. How has this met the standard? By the arbitrary judgment of the same QSA who insisted on quarterly key rotations for that (other) organization? If the QSA can demonstrate the risk-based approach used to determine the cryptographic cycle, would this be acceptable? How can this be demonstrated with a high degree of confidence? That is, how do we know that the QSA did not fudge some “voodoo” numbers to support his or her “risk-based” analysis? How will this be communicated to the Acquirers and/or Card Brands?
The only vehicle currently available to communicate deviations from the standard is the Compensating Control worksheet. In its current form, one can well imagine what such a worksheet would look like. But one would be hard-pressed to imagine that such a Compensating Control would convey a strong and convincing argument supporting a lengthy cryptographic cycle well below the minimums established in the PCI-DSS.
Many years ago, I consulted with a non-profit agency that needed firewall remediation. They had just purchased an upgrade to the vendor’s latest and greatest firewall, and needed to build a policy that met their needs. One of these was the need to control the use of instant-messaging throughout the environment. Indeed, the Security Director was obsessed with stamping it out completely. Instant-messaging clients were notorious for finding egress paths out of the environment, and could find an open port in the firewall. Therefore, it stood to reason that all unused ports would be plugged, sources requesting to use these ports would be checked against the policy, traffic would be thoroughly inspected, and known destinations hosting instant-messaging servers would be blocked. This resulted in no less than 39 firewall rules dedicated just to blocking all instant-messaging traffic that could possibly exist.
In many ways this “war” against instant-messaging clients was a success – the traffic was locked down airtight. But much time had been expended in an exhaustive effort to find every possible source and path of this traffic, as well as in designing, implementing and testing the effectiveness of the controls to stop it. No doubt another vendor would have come along with a product that could handle it in ways that no firewall ever could – just plug it in, send the traffic our way, and we handle the rest?
From a much broader perspective, we spend time fighting to reduce risk – increasing the effectiveness of security controls – this is our role as the Information Security professionals. We understand that a security control that is 90% effective is better than a control that is 80% effective. But we also understand that there is a cost differential between the two – and 90% is probably not good enough. What will it take to get to 100% (e.g., stamp out all instant-messaging traffic) – and can we afford it?
Rather than expending much effort and expense to get to 100% effectiveness, we can combine multiple layers of security, each layer significantly less than 100% effective, but with the right combination we can approach 100% effectiveness through synergy between the controls.
Let us suppose we have a security control that is 80% effective at protecting our resource. Perhaps this is an Administrative control – a policy or procedure that controls personnel behavior. In this example, this particular control alone is 80% effective.
A clear target for improvement – replacing this control with another that is closer to 100% effective. But again, how close to 100% can we come and how costly is this stronger control?
Another option is to add a second control to bolster the first control, perhaps a Technical control that controls logical access at the network layer. Let us assume this control is also 80% effective. If the first control eliminated 80% of risk, and the second control eliminates 80% of the remaining 20% not addressed by the first control, we have now increased our effectiveness to 96%.
Effectiveness may be calculated as:
E total = 1 – ((1-E1)*(1-E2)*(1-E3)…)
Where E total is the total effectiveness of the security controls, and En is the effectiveness of any one control in the system.
So in this case, the effectiveness is:
E total = 1 – (1-80%) * (1-80%) = 96%
In other words, by combining two security controls whose effectiveness is each 80%, we have built a solution that is 96% effective.
Let us take this a step further and add another 80% effective control: this time at the system-level:
E total = 1 – (1-80%) * (1-80%) * (1-80%)= 99.2%
At this point, we have increased our effectiveness to over 99% by combining three controls whose individual effectiveness is 80%. We could stop here, but for the purposes of this exercise, we will add another control. Imagine adding an application layer control:
E total = 1 – ((1-80%)*(1-80%)*(1-80%)*(1-80%)) = 99.84%
If we continued to be obsessive about reaching 100% effectiveness, and the cost wasn’t prohibitive, we might include a fifth security control, this time a Physical control:
E total = 1 – ((1-80%)*(1-80%)*(1-80%)*(1-80%)*(1-80%)) = 99.97%
What we conclude from this exercise is that individual security controls do not need a high rate of effectiveness to be part of an overall security system that is effective by leveraging synergies of adjacent controls. We also note that as each additional control is added, security effectiveness improves, but at a declining rate: Adding a second control increased our effectiveness by 16% — adding a third control increased effectiveness barely more than 3%, and by the time we discussed adding a fifth control it yielded an increase of 1.3% effectiveness.
As with all security controls, we must first understand not only the level of risk facing an asset, but must also understand the level of risk that is acceptable. Our goal is not to eliminate all risk completely, but to reduce level of risk to an acceptable level. The selection of security controls must be appropriate to meet or exceed that level risk reduction through adequate control effectiveness. When we find that we encounter diminishing returns in increase of security effectiveness, it is time to consider concentrating our efforts in other areas where security improvement is needed – and where we may realize greater return.
Let us turn to “Social Engineering” for a moment. The first thought for many of us is the writings of Kevin Mitnick (The Art of Deception and The Art of Intrusion, co-authored with William L. Simon) that used real-life and hypothetical stories to demonstrate how social engineering can be combined with hacking to bypass technical security controls. We think of the call to the help desk in the middle of the night to unlock the executive account, and the psychological pressure exerted by the attacker implying retribution if the task is not carried out immediately. Or perhaps a rogue website that is accessed through a series of phishing emails that in turn collect sensitive information.
But what about an attack on a security system that affects the availability of the action of the security controls and/or the availability of the resource that the control is intended to protect? Compromise of data then simply becomes a waiting game for the would-be attacker. This “un-social” engineering attack may include little or no interaction between the attacker and the target. Let us dub it “pressure engineering” or a subset of social engineering.
Imagine a Mr. Mugglesworth working under a tight deadline. At the completion of the work, it must be submitted, transmitted and/or stored in a secure manner. Mugglesworth is as good about following the security procedures as he is about getting his work done on time. Indeed, Mugglesworth is trusted with some of the most sensitive information in the company. But when he tries to submit his work, something is wrong. The security control is not allowing him to proceed. Or the system is not able to accept the work in a secure format. The pressure mounts as the deadline approaches. Mugglesworth is counted upon to complete his work on time, and a missed deadline with “security” as an excuse simply will not do. The temptation to bypass the normal security procedures in order to complete the task is great – especially since the technical or managerial resources are not responsive. (It is after-hours and no one is available to assist.) When the right personnel are available to assist, the deadline will have long passed.
Will Mugglesworth or his superior make an “executive decision” to handle the sensitive information in an insecure manner? Or will they wait it out? The pressure mounts… pressure engineering has been applied.
The answer to this question will depend on the security culture at Mugglesworth’s organization. It may depend on the type of security training and the expected employee response that is cultivated. It may also depend on how the technical issue is escalated and the organizational response.
Where do “Da Rules” fit in at your organization? What would Mr. Mugglesworth do if he worked for you? How would you and your organization address this scenario?
A dichotomy exists between information and data – and the way that information and data are discussed, stored, protected, and used. Any number of people reading this might identify themselves as working with “Information Systems” in the field of “Information Technology,” and some of them work with “Information Security.” Sometimes they attend meetings and talk about “Information” and “Information Sharing.” But most often they are talking about “data” – data flows, data stores, data shares, data systems, data access, data security, and so on.
There is no need for a primer on the difference between data and information. It is clear to the users of information that what they want is information. They may ask for data, they may seek so-called data points, but what they are really asking for is information. After all, information is useful; it makes the difference between decisions and informed decisions. And at the end of the day, the information systems people deliver information to decision makers. They store this information in their information bases. No, wait a minute – it is stored in databases. So what they are really working with is data?
Data becomes information when it delivers something meaningful to someone. We can take any block of data and extract from it an endless stream of meaningless information. An example is baseball. From data recorded from each game, we can extract the number of runs scored, the number of bases stolen, the number of games won at home, the number of games won away, the number of errors made in the last ten years… the list goes on to infinity. Who cares? Well someone at some point may care. Perhaps the real question is “Which was the best team last season?” Or perhaps “Who is the best player of all time?” Or any other question you could dream up. Regardless of the question, the fact remains that the person recording the plays and the scores at each game does not seek to answer these questions. He/she is simply collecting data and storing it for later use. What will it be used for – 50 years from now? Who knows? Who cares? For some just simply knowing that the players will be back on that field next season is good enough. In the meantime, just let our information people hold on to that data in a safe place so that it’s there when we need it, for whatever reason we might need it .
Now let’s say that some of that data is sensitive. Well, we should protect the sensitive data. Which data is sensitive? (I don’t know – it’s your database, you tell me) The sensitivity of the data will be determined by the sensitivity of the information that will be conveyed when it is accessed. Meanwhile, are you keeping your eye on the ball like a good player? Good – I just stole second base. Are you keeping your eye on second base like a good fan? Good – I just stole your hot dog from under your nose.
Regulation guides us to identify what data is sensitive. PCI DSS tells us to protect cardholder data. HIPAA directs us to protect health and medical information. Upper management decided that your customer list is private and must be protected from the competition. Everything else is not sensitive and need not be protected the same way.
Yet I know of a web-based charity that boasted of impenetrable cardholder data security. Indeed it was. But when credit card accounts were stolen from donors who made charitable contributions to the organization’s website, it was the customer contact list that was stolen, not the credit card database. Why go through all the trouble of hacking a secure database when you can simply telephone the donor and ask for it? They were just as willing to give it out over the phone as they were online.
Information is pulled from an information system. When we know WHAT information will be pulled, and when we know HOW that information is sensitive, then we know the sensitivity of the data from which that information came. If we don’t know the sensitivity of the information or how it might be used, then we don’t know the data. Since it is the job of information systems professionals to store all data holistically, then it is their job of securing all data holistically – not selectively.
In the realm of PCI, the network of independent agents might not be so independent after all. When one thinks of agents, one thinks of real estate, insurance and travel. They all provide a service, they all take information, and they all accept payments. Some of these are independent agents who own their own agency and are affiliated with a larger organization. The larger organization may or may not also have company-owned branches of its own. At the branches, the agents are generally company employees. At the agencies, they are employees of the agency. Indeed the agency itself is a separate entity from the company. It may be a franchise, or a completely independent business that licenses the company’s name. In addition to Realtors and insurance agents, a number of other companies come to mind – cleaning/maintenance, pest control, and pack-and-ship agents that resell courier services. Indeed it is easy to find many of these agencies in our communities. What are the broader consequences on payment card security, from a corporate, agency and consumer perspective? What would happen if a breach of cardholder data were to occur at one of these agencies? Who would be responsible?
Several architectural models exist for integrating agents into the provider network. An agency may be treated as a virtual branch office, identical to any of the company-owned offices even though the facility, its employees, and its operations are not the company’s own. The company’s IT department might deploy company systems in these agent offices, with full connectivity back to the corporate offices. Each agency employee is treated like a company employee and enjoys similar information access. The independent agency may have operational practices that differ considerably from that of the company’s corporate environment, and these practices may vary greatly from one agency to another.
For example, the company might have adopted a cardholder data retention policy that is strictly enforced in the corporate office, but unheard of at the agency. The corporate office avoids storing hardcopy containing cardholder data while the agency may make their customers fill out paperwork that includes credit card account information. These documents are stored in a file cabinet at the agency. In addition to the agency being unaware of the corporate data retention policy, the same agency is also unaware of a media disposal policy that exists and is practiced at the corporate office – and that calls for shredding of the hardcopy documents when no longer needed. The agency simply throws them in the trash, having never thought about this. Nor should they – they are not the company, they are not in the corporate environment; they are an independent agency, a completely different entity.
Knowing this, part of the contract between the corporation and the agencies might establish specific operational guidelines or might mandate adherence to corporate procedures for all agencies that choose to affiliate with the company. In the face of full corporate responsibility for operations at all of its agencies, this is almost a given for any company with independent contractors, where the lines between home office and agent office blur. When and where a breach occurs might be difficult to sort out, making it difficult to determine where responsibility lies for both parties.
The blurring of operational lines often induces corporations to seek out one of two other models – remote partner model or payment gateway model. In the former, the corporation rolls out its application to the agency using a remote access methodology. This may take the form of a web-based extranet or a client-server model. In the latter, the agency is fully responsible for accepting all payments, but leverages the partner corporation for payment processing.
The advantage of the remote partner model is that the corporation rolls out remote access to its systems to the agents, but retains full control of the operating environment. The line of responsibility between the environments is well defined. For the agency, entering payment information into the “corporate system” frees it from storage, retention, and disposal requirements and obviates the worry for systems operations. For the corporation, there may still be aspects of the agency’s operations that are beyond its control, but its exposure to the risk of data compromise at the agency is limited.
When the corporation-agency relationship uses a payment gateway model for payment acceptance, the agency assumes a greater operational role in the processing of cardholder transactions. The systems are independently owned and operated, as is the agency itself, and payments (of insurance premiums, for example) are made to the agency, not directly to the corporation. In turn, the corporation provides authorization for cardholder transactions to the agency. The transaction belongs to the agency, and it is the agency’s responsibility to secure the cardholder data collected.
Finally, the implication for both parties is this: the corporation (such as the insurance company) may need to be audited as a payment gateway as well as a merchant as part of the PCI process, but the agent environment would be fully out of the corporation’s scope for PCI compliance. The agency as a fully independent organization may need to complete an SAQ or a ROC, depending upon its cardholder transaction volume and its Acquirer. It also means that the agency assumes full responsibility for any breach of cardholder data that occurs at the agency.
