Full Disclosure mailing list archives

Re: Compliance Is Wasted Money, Study Finds


From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Sat, 10 Apr 2010 18:00:23 +0000

Not the fault of PCI. Perhaps you should consider a better auditor.

Ummmmm -- isn't the point that PCI is set up such that lowest (common
denominator amongst) auditors are actually the ones that define what "PCI
compliance" really is?

As an earlier poster already pointed out, all the vaguely recent major credit
card data theft cases have involved "fully PCI compliant" (as defined by that
perpetrator's PCI auditors) card processors, etc...

While I have heard the same thing repeated many times, I've never found a credible source for the claim that "all 
breaches involved fully PCI compliant processors." 

According to the 2009 Verizon Business Breach Report, 81% of the attack victims were not PCI compliant:

http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

I trust the accuracy of a report compiled in a professional manner from actual breach data far more than I do random 
posts from anonymous users on the subject matter (not saying YOU are a random poster, Nick - I've developed respect for 
your opinions over the years).

While PCI compliance does not directly equate to the secure implementation of a system (or should I say "applicably 
secure" implementation) the existence of a standard has obviously contributed to end-of-the-day security.  As 
technologists, we will always find a way around controls, and will always be able to point out weaknesses in a system.  
For example, the "firewall" requirement to physically separate PCI assets from other assets:  One can "pass" this 
requirement by placing any qualifying firewall unit in between assets, even if all traffic is allowed through the 
firewall.  The hope of course is that this is NOT done, but analysis of every firewall's ruleset is out of scope for 
PCI audits.  It's the credit card industry's game, and if you want to play it, you have to follow their rules.

Far too often security is positioned in this highly technical, difficult to understand, "anything can be broken so why 
bother" approach.   And while that is true at the detail level, starting off with the basics of least privilege and 
security in depth has proved to be the most successful method.  I have made this statement about a million times.    
And the data seems to support this:

81% of victims were not PCI compliant.
83% of attacks were not highly difficult. 
87% were considered avoidable through simple or intermediate controls.
99.9% of records were compromised from servers and applications (meaning, not clients).  

It is one of the reasons I speak out so strongly against SOSs (snake oil salesmen) when they try to push short-cut 
methods or "magic formulas" or use pseudo-intellectual theory to postulate best practices.  One such example is some 
Berkeley guy SANS always used to get "expert" contributions from (Schmidt or Schultz or something - I can't remember 
and I'm actually happy about that) who repeatedly said that inside attacks were where all the risk was, and that they 
accounted for the most or all breaches.  Those who trusted that advice made bad decisions on their security (74% of 
attacks are external).  Analysis of over 600 breaches spanning 5 years proves that - not armchair pontification.    

And thus one sees the inherent danger in perpetuating rumors that "all assets were fully PCI compliant" in the absence 
of fact - people may very well "act" on that assertion.  We could certainly spin it up nicely and add some flair to it 
by saying something like "the Verizon report shows that amazingly, a stunning 19% of all victims were *FULLY* PCI 
compliant and certified to process highly sensitive financial and personal information by auditors who do NOTHING 
ELSE but deliver PCI compliance services, yet over 57 MILLION innocent lives were potentially exposed to identity 
theft, information disclosure, as well as a raging case of herpes."  

So we can sit around and say "compliance is a waste of money" or we can say "if we want to make money by accepting 
credit cards, we have to comply with the industry's requirements.  This will cost money in implementation, compliance, 
and certification.   While doing this, we should focus on cost centers and expenses while ensuring that we take full 
advantage of the security benefits such a compliance framework offers."  

t
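The firewall case described in the message above (a unit sitting between the card-data segment and everything else, but passing all traffic), as an added example that is not part of the original post: a small Python checker that probes a ruleset to tell a real segmentation boundary from a pass-through that would still satisfy a checkbox audit. The rule format is a simplified, assumed first-match syntax (not real iptables syntax) and the subnets are constructed.

```python
import ipaddress

# Constructed rulesets in a simplified first-match format:
# "ACTION src_cidr dst_cidr proto dport", with "any" as a wildcard.
# This is an assumed toy syntax, not iptables or any vendor's format.
PERMIT_ALL = """
ACCEPT any any any any
"""

SEGMENTED = """
ACCEPT 10.1.0.0/16 10.9.0.0/24 tcp 443
ACCEPT 10.1.0.0/16 10.9.0.0/24 tcp 8443
DROP any any any any
"""

def parse_rules(text):
    """Parse the toy format into (action, src, dst, proto, dport) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]

def _net_match(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def decide(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation; implicit DROP when nothing matches."""
    for action, src, dst, rproto, rport in rules:
        if (_net_match(src, src_ip) and _net_match(dst, dst_ip)
                and rproto in ("any", proto) and rport in ("any", str(dport))):
            return action
    return "DROP"

def segmentation_gap(rules, outside_ip, cde_ip, probe_ports=range(1, 1025)):
    """Fraction of probed TCP/UDP flows from a non-CDE host into a CDE host that
    the ruleset accepts. 1.0 means the 'firewall' is a pass-through."""
    flows = [(p, port) for p in ("tcp", "udp") for port in probe_ports]
    allowed = sum(decide(rules, outside_ip, cde_ip, p, port) == "ACCEPT"
                  for p, port in flows)
    return allowed / len(flows)

def is_paper_segmentation(rules, outside_ip, cde_ip):
    """True when every probed flow crosses the boundary: the box is ticked,
    but no separation actually exists."""
    return segmentation_gap(rules, outside_ip, cde_ip) == 1.0
```

Run against a real export by writing a parser for the device's own syntax in place of parse_rules; the probe logic stays the same.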


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

