... aka “Teachings of Don PCI”
Presentation title: What PCI DSS Taught Us About Security
Brief abstract: This presentation derives some useful lessons from our industry experience with PCI DSS. Organizations can use these lessons to improve their security programs and reduce risk as well.
What PCI DSS Taught Us About Security by Dr. Anton Chuvakin
1. What PCI DSS Taught Us About Security Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com September 2010
2. Why Are We Here? Risk of DEATH vs Risk of $40 fine?
3. Outline PCI DSS Refresher PCI Helps! PCI Hurts? Lessons from PCI DSS Will compliance break security? Conclusions and Action Items
4. Inspiration…. “Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it.” PCI Knowledge Base, by the late David Taylor
5. What is PCI DSS or PCI? Payment Card Industry Data Security Standard, built up term by term: Payment Card; Payment Card Industry; Data Security; Data Security Standard.
6. PCI Regime vs DSS Guidance. PCI DSS has been published since 2004 (by the card brands at first, by the PCI Security Standards Council since its formation in 2006). It outlines the minimum data security protection measures for payment card data. It defines Merchant and Service Provider levels, and compliance validation requirements. Enforcement is left to the card brands (the Council doesn’t fine anybody!). Key point: PCI DSS (the document) vs PCI (the validation regime).
14. So, PCI Helps! MANY more organizations KNOW about security now, due to PCI DSS. The DSS gave many a starting point. PCI DSS has motivating “teeth”. Blatant card data abuses SEEM to have decreased. More people vulnerability scan due to PCI.
15. But Also: PCI Hurts! Anti-auditor measures “suck” resources from anti-hacker measures Now we have “checkbox compliance” Security vendors fund compliance-feature development
19. PCI Teachings: Awareness =/= Action PCI DSS raised awareness of web security "82% of websites have had at least one security issue, with 63% still having issues of HIGH severity.” (WhiteHat) Now…everybody knows that >80% of sites have XSS. So what?
20. PCI Teachings: The Floor CAN Be The Ceiling Compliance is the “floor” of security And a motivator to DO IT! However, many prefer to treat it as a “ceiling” Result: breaches, 0wnage, mayhem!
21. PCI Teachings: We Cannot Mandate “Caring” Q: Can we mandate caring about security? A: No We can mandate controls, approaches, tools, but we cannot mandate “doing a good job” Thus: mandatory = minimum only!
23. PCI Teachings: Many Would Rather Whine Than Do W1: Why don’t the brands “fix the system?” A1: They will. W2: Can we have “a risk based” standard? A2: No. 91% of people can’t spell “risk” W3: Can we do something simpler? A3: Yes! Cash.
26. PCI Teaching: $40 > Your Life. Risk of DEATH vs Risk of $40 fine? DOT study on seatbelts: Compliance = (Awareness + Enforcement) / Security Benefit
27. PCI Teachings: Compliance and Risk … have nothing to do with each other. But you KNOW compliance and you DO NOT KNOW risk! Which one will you act on?
28. PCI Teachings: People Will Fear THE KNOWN. [Pictures: the hacker <- This is the enemy! This is NOT the enemy! -> the QSA] Sadly, many organizations will fear the QSA more than an attacker!
29. PCI Teachings: Dead Data = Secure Data. Many organizations cannot be taught to secure the data … but they can be taught to delete it!
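As an added illustration of “kill the data” (this is editor-supplied example code, not code from the presentation or from Security Warrior Consulting): a small Python tool that finds primary account numbers in text such as logs or exports, confirms each candidate with the Luhn check so that order numbers and timestamps are not mistaken for cards, masks confirmed PANs to the first six and last four digits (the most PCI DSS permits to be displayed), and deletes CVV-style fields outright, since sensitive authentication data must not be stored after authorization at all. The sample log lines and the field names (pan=, cvv=, cvc=, cid=) are constructed for the example and are an assumption about the log format, not anything from the deck.

```python
"""Find and kill stored cardholder data in text (logs, exports, config dumps).

Added illustration of "Dead Data = Secure Data": discover primary account
numbers (PANs) with a regex plus Luhn check, mask them to first-six/last-four
(the display limit PCI DSS allows), and strip CVV-style fields outright.
The log lines and field names at the bottom are constructed, not real.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits (so the middle of a longer number is not matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorization.
# The key names are an assumption about the log format.
SAD_RE = re.compile(r"\b(cvv2?|cvc|cid)=\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812-1): True when the check digit matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    """Strip the space/dash separators a human-formatted PAN may carry."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str):
    """Return (offset, raw_match, digits) for every Luhn-valid candidate."""
    hits = []
    for m in PAN_RE.finditer(text):
        d = _digits(m.group())
        if luhn_ok(d):
            hits.append((m.start(), m.group(), d))
    return hits


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def kill_cardholder_data(text: str):
    """Mask every Luhn-valid PAN and delete CVV-style fields.

    Returns (cleaned_text, pans_masked, sad_fields_removed).
    """
    pans = 0

    def _mask(m):
        nonlocal pans
        d = _digits(m.group())
        if not luhn_ok(d):
            return m.group()    # leave order numbers, timestamps etc. alone
        pans += 1
        return mask_pan(d)

    cleaned = PAN_RE.sub(_mask, text)
    cleaned, sad = SAD_RE.subn(lambda m: m.group(1) + "=[removed]", cleaned)
    return cleaned, pans, sad


# Constructed sample: the Visa/Mastercard test numbers are Luhn-valid,
# the "ref=" value on line 3 is one digit off and must be left untouched.
SAMPLE_LOG = """\
2010-09-15 12:00:01 order=1001 pan=4111111111111111 cvv=123 amt=19.99
2010-09-15 12:00:02 order=1002 pan=5500 0000 0000 0004 amt=42.00
2010-09-15 12:00:03 order=1003 ref=4111111111111112 note=not a card
2010-09-15 12:00:04 order=1004 pan=4111-1111-1111-1111 cvc=4321
"""

if __name__ == "__main__":
    cleaned, pans, sad = kill_cardholder_data(SAMPLE_LOG)
    print(cleaned)
    print(f"masked {pans} PANs, removed {sad} CVV fields")
```

Run as a script it prints the cleaned sample log with the counts; pointed at real files, `find_pans` is the discovery step and `kill_cardholder_data` the remediation step. The Luhn check is what keeps false positives down, but it is not proof of a card: treat a hit as “go look”, then decide whether the data should be deleted (preferred), tokenized, or encrypted.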
31. How To “Profit” From Compliance? Everything you do for compliance, MUST have security benefit for your organization! Examples: log management, IDS/IPS, IdM, application security , etc
32. In Other Words… Every time you think “PCI DSS OR security,” god kills a kitten!
33. What Does the Future Hold? More regulation to compel the laggards. More threats to challenge the leaders. New approaches to compliance: mandating care? More organizations understanding and measuring security. Longer term: a slow trend toward a more secure world.
34. Conclusions and Action Items Kill the data– whenever you can PCI is basic security; stop whining about it - start doing it! Develop “security and risk” mindset, not “compliance and audit” mindset. Use compliance to drive security If you are doing PCI DSS and not getting a security benefit, please STOP!
36. Questions? Dr. Anton Chuvakin, Security Warrior Consulting. Email: anton@chuvakin.org Site: http://www.chuvakin.org Blog: http://www.securitywarrior.org Twitter: @anton_chuvakin Consulting: http://www.securitywarriorconsulting.com
37. Want a PCI DSS Book? “PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else Released December 2009!
38. More on Anton. Now: independent consultant. Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc. Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide. Standard developer: CEE, CVSS, OVAL, etc. Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others. Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager.
Editor’s notes (speaker notes)
First: we are not here to learn how to become PCI compliant!! Keynote = THINK about security and HAVE FUN, not get trained.
TODO: Netherlands fine for not wearing a seat belt in a car (bicycle?).
NHTSA study: no law - no belt; enforcement + education; belief in likely enforcement.
Idiosyncrasy (idiocy?): seatbelts - chance of DEATH vs likelihood of a $50 fine.
“Dumb management”: PCI instead of security; PCI DSS over IH to a live incident; people like to accept the risk - of OTHERS.
Source: http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0
“As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent.”
Damn “PCI industry”
Some folks are OK with organizations doing security ONLY because of compliance fines!!!
Philosophy: Do you agree with “laws against stupid”? Tenuous connection of controls/practices vs outcomes. Compliance is “easy”, security is hard. If you lose my SSN, I WANT your business to FAIL! Compliance vs risk. Or is it FOR risk? “We might get hacked, but we will get audited.” Age of irresponsibility / entitlement.
ANTI-COMPLIANCE: “Checklist mentality”; “Teaching for the test”; “Whack-an-auditor” game; induction of “mandate = ceiling” thinking; narrow focus on mandated controls; no focus on controls effective for you!; lack of innovation; slow speed of mandate changes; difference in assessment quality; extra diligence of post-breach assessment; total disconnection of compliance from security; $0.71/month scans; compliance spending misaligned with risk; unhappy with compliance? Never did ANY security. “PCI compliance has not been ‘operationalized’ by 95 percent of merchants.”
While many hope for a Gaussian distribution, in security, counter to intuition, most people are below average!
CSR reference!! Thus: mandatory = minimum only. You can drag the horse to water … but you cannot stop her from a) drowning, b) abusing the water - <whatever>.
As someone closely involved with PCI DSS, I observed this peculiarity more than a few times.
Myth: PCI is too hard … “too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable.”
Myth: PCI is easy: we just have to “say Yes” on the SAQ and “get scanned.” “What do we need to do - get a scan and answer some questions?”
Reality: Not exactly. You need to: a) get a scan, and then resolve the vulnerabilities found; b) do all the things that the questions refer to, and prove it; c) keep doing a) and b) forever!
A1: a) in 5-10 years, when you will be ready. Replacing the system has a bigger impact than PCI DSS!! (see interview)
A2: Today, if you follow your own risk assessment of custodial data while being mindful of PCI requirements, you will likely arrive at something similar to PCI DSS.
A3: “It is not necessary to change; survival is not mandatory.”
2/3 of value is in OWN data, ½ is spent protecting it!
Forrester report: “Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes ‘toxic’ and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.”
+ infrastructure to handle either kind of data, business critical processes, etc!!!
Consequences: “PCI technology” or “PCI industry”. Custodian vs owner of data. Laws made you secure 3rd party data; you are free to screw yourself by losing your own data. PCI vs “your risk”: you might be protecting CC > your key data!
+ not having OWN DATA
+ not having CUSTODIAN DATA
+ removing CUSTODIAN DATA = protecting CUSTODIAN DATA!
+ protects key business processes
Best insight into compliance. Link IS established: belt -> less chance of death. Still, only EDUCATION + ENFORCEMENT works. “Click it - or ticket!” <= works! “Click it - don’t risk it!” <= FAILS! (NHTSA seatbelt study, as in the notes above.)
http://www.visa.com/dropthedata/ - Drop the Data is a nationwide tour between the U.S. Chamber of Commerce and Visa, Inc. along with participating local Chambers of Commerce. The multi-city campaign is designed to make businesses aware of the risks of retaining prohibited cardholder data and to educate them on actionable steps they can take to avoid storing such data.
OR: Every time you think “Compliance OR security,” god kills a kitten!
Profit = not an ROI scam, but how to benefit from the fact that PCI exists.
HACKER <- This is the enemy! This is NOT the enemy! -> QSA
Security first, compliance as a result. Compliance as motivation, security as action.
Longer term: slow trend toward chasm closure. Some from the 1st camp will call it “aligning security and business”, but it is not. 2020: http://chuvakin.blogspot.com/search/label/2020
+ After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit.”
Trends: Outsource!!! Outsource!!! You DO outsource cash storage to banks? Avoid toxic shit! E2EE. Tokenization. Deletion before encryption!