Saturday, October 4, 2014

"What Keeps You Up at Night?"

Recently I was asked by SecureWorld to write an article responding to the question, "What keeps you up at night?" Like most security professionals, I get asked that question quite a bit in various contexts.  

My answer to this question tends to be somewhat unorthodox, but it brings a perspective to the problem that I believe we Warriors of the Light should contemplate and consider.  My full response can be found here on the SecureWorld site.  Give it a read and let me know what you think!

Thursday, September 11, 2014

It Is Still All About The Business

Two weeks ago, Baseline Magazine published the results of a survey regarding executives' views toward the CISO position.  The results were less than encouraging:
  • 74% of the C-Level executives surveyed believe that CISOs should not be a part of organizational leadership teams
  • 44% view the primary role of the CISO as "being accountable for any organizational data breaches."
These results are not surprising to most practitioners.  In many companies, the title ‘CSO’ stands for “chief scapegoat officer” even to this day.  CSOs and CISOs live in fear of the inevitable breach, because such an event will lead to accusations and recriminations versus investigation and remediation.    Ironically, this attitude by the organization's executives actually reduces the efficacy of the security team.  In addition to creating an undertone of survival and us-against-the-world within the CISO organization, the senior security executive now feels compelled to spend a goodly portion of their time covering themselves (i.e., "creating the paper trail") and focusing on tactical issues versus strategically driving the security program.

While many of my brethren will focus on the aforementioned results, this survey reveals a more telling statistic: 68% of the executives surveyed feel CISOs lack broad awareness of organizational objectives and business needs. Despite our best efforts, and despite certifications that preach otherwise, we are clearly failing to adequately link ourselves to the businesses we support.  While there are no silver bullet answers out there, here are a couple of tips and pointers that I've found effective in bridging the "business gap" over the years:
  • Ask The Key Question.  When I assume the role of CSO/CISO in any organization, I make it a point to meet every business line leader and their direct reports within the first two weeks of my arrival.  The first question that I pose to each of them is always the same:  "How do you make money?"  Not "what do you do for a living," but how does that business unit generate revenue for the organization?  When they answer me, I keep probing and asking questions until I truly have at least a high-level understanding of the services and products offered and how they contribute to the company's bottom line.  Once you understand how the business makes money, it becomes exponentially easier to understand where security controls are appropriate -- and, more importantly, the potentially negative impact a specific control can have on the revenue picture.  
Note that I used the terms "money" and "revenue" instead of "profit."  Even non-profit and not-for-profit organizations generate revenue to pay the bills.  While the mission/purpose of any organization is critical, that mission must generate some level of revenue in order to succeed at its efforts.

  • Have A Strategy.  Sounds simple, right?  Yet to this day a significant portion of CSOs do not have a documented strategy.  Those who have documented their strategies tend to link their objectives solely toward risk reduction and mitigation versus achieving the business' objectives -- which leaves an impression with executives that security is something that they "have to do" that is diverting expenditures away from revenue-generating efforts.
I'm an old Common Criteria (CC) tester and evaluator.  The one thing that I loved about the CC was its structured approach regarding requirements.  Functional requirements led to technical functional requirements, which in turn logically led to security functional requirements.  I take a similar approach when structuring my strategic imperatives.  The business wants to do something; that "something" will require specific operational and technical capabilities.  Creating those capabilities while staying at a risk level consistent with the current one requires us to enable/enhance/create these specific security capabilities.  This linkage helps intrinsically tie your security endeavors to the business.  

Understand that there are times that you will need to drive compliance and/or risk reduction activities purely for the sake of compliance/risk reduction;  but never forget that being compliant is a business requirement and that you are reducing risk to a level acceptable to the business.  Say those things in your strategy.
  • Educate Your Teams.  You can't be the only one that understands the business;  every member of your team needs this level of understanding as well.  Not only will it change the optics re: your team as they interface with the business, but it will also enable them to bring more business-appropriate solutions to the table as they problem solve in the security space.  
It would be easy for us to make a bit of a chicken-and-egg argument here and claim that we security warriors can't start thinking strategically and better integrate security with the business because we fear recriminations when something goes wrong. If this survey is any indication, though, we are collectively limiting -- if not damaging -- the profession by not aggressively focusing on relating our activities to our organizations' strategic imperatives.  If we are living in an era where massive breaches are becoming commonplace and we cannot guarantee that a breach will not occur, then a lack of a strategically-driven security program that is intrinsically linked to business objectives only justifies the opinions listed above.

My two cents...   

Saturday, August 23, 2014

The Impact of Situational Privacy

Pop quiz today!  Which of the following situations is a violation of privacy:

  • A national retailer utilizes purchases you make with them to send you advertisements about products you might enjoy or need
  • A reputable search engine utilizes data about you from previous searches and other products to better tailor its content to your needs
  • A government entity utilizes data in the public domain to home in on potential criminals.

If you answered anything but "it depends" on this quiz, you haven't been following the nuances of the privacy debate lately :)

Let's get a little deeper into each of these examples for just a moment:

  • In 2012, Target came under media scrutiny for using data analytics to predict which of its shoppers might be pregnant.  The retailer then began sending coupons to those shoppers for things like baby clothes, strollers, etc.  The story made news when one Minnesota father noticed that his teenage daughter was receiving these materials.  The irate father marched into a local Target, demanding to see a manager, and accused the retailer of attempting to encourage his daughter to get pregnant…only to find out from his daughter that she was, indeed, already pregnant.  Target's analytics had identified her pregnancy before her own father had known. 
  • Just last month, Amazon.com celebrated its 20th birthday.  One of the features this massive online retailer is known for is utilizing knowledge of your shopping habits to send you advertisements about products and services which you might enjoy.  As of this year, Amazon is exploring pushing the envelope around this concept and has taken a patent out on what it is describing as "anticipatory shipping."  Utilizing the data it already has about you, the mega-retailer intends to just start sending you items which it believes you want before you purchase them, arguing that the success rate of its algorithms is such that the number of returns would not exceed the benefits reaped by this level of customer service. 
  • Several years ago, people started noticing that their search engines -- in particular, Google -- were displaying different sets of results for the same question.  Upon further exploration, people discovered that most search engines utilize data from your location and your browser history to better customize answers for you.  Providing such customization makes it easier to retrieve more meaningful results for the consumer, which shortens search time…and also makes it easier to tailor advertisements to the consumer that s/he might be interested in.  The downside, of course, is that it may also be masking important yet contradictory information that is relevant to the individual's search -- thus reinforcing research bias.  (Note:  you can turn off "search customization" (as Google refers to it), but it's difficult to find out how if you go onto their support site. The link above also provides information on how to disable search customization relatively easily.)
  • In June 2013 Edward Snowden exposed the NSA's domestic cellular collection program.  The general public was outraged that the government would utilize cellular metadata (such as location information) to spy on its citizens; however, these same citizens exhibited no qualms about carrying a device which regularly broadcasts location, or about the use of that location data by other governmental entities and agencies.

The examples above are illustrative of the complexity around privacy.  Gone are the days when we could simply state that "<x> data is private"; indeed, we are moving more to an environment of "situational privacy" where the data itself isn't as much an issue as how the data is used.  Consumers freely and openly volunteer exabytes of data on a daily basis for seemingly innocuous transactions…yet they are regularly shocked and angered as this data is combined with other seemingly innocuous (and freely given) pieces of data to provide predictive intelligence to marketers, corporations…and yes, to government entities.

As security professionals, we are becoming more embroiled in the debate around privacy.  Remembering that privacy itself is impossible without appropriate security controls, the situational nature of data mining and appropriate data usage makes the protection equation daunting.  Do we wrap a cocoon of Pentagon-level protection around the data lake, even though 99% of the data within it is considered publicly available?  Do we inject ourselves into the data analytics process and become part of the arbitration question re: should we use the data in a certain fashion?  Can we monitor and limit/restrict data combination similar to the way in which systems can monitor separation of duties access control issues? 

Let's take it a step further.  Remembering that corporate data analytics seeks to (among other things) improve the sales cycle and make marketing campaigns more efficient, imagine the implications if the bad guys choose to take such an approach.  Consider:  your systems are penetrated and data is stolen…but none of the data is regulated by current privacy law or regulation.  Six months later, the bad guys run data analytics against the acquired data and determine the best targets for fraud or scam.  You protected the data and your borders reasonably and can show a tiered approach to your controls…and those controls were appropriate for your environment…you even prevented the breach from reaching the most sensitive data stores…yet data stolen from you was used to target your customers in the same manner that your marketing and sales team target prospects.  Imagine the liability issues that will circulate through the courts.


As your organization recognizes the value of the data it holds, it is important that we as security professionals remind people of the larger risk & privacy landscapes out there.  We cannot rely solely on the legal/regulatory framework to guide us, as the potential brand risks go beyond what the hodgepodge of privacy regulations currently address.  In most cases, you as the security professional will be the first person to bring these concerns to light and as such will risk the possibility of being initially portrayed as a naysayer…but more often the security warrior ends up prognosticating future risks and challenges looming on the horizon.  As we continue to enable our businesses we must ensure that the aforementioned questions -- and dozens more -- are acknowledged and addressed by our business leaders.

My two cents…

Thursday, August 7, 2014

Password Redux

Given the spate of security compromises that have occurred this past year, many of my posts have emphasized the need for aggressive password management.  Unfortunately, aggressively managing passwords comes with its own set of problems and challenges.  Here are a few tips and pointers to help:

  • How Can I Tell If My Password Is Strong?  As a general rule, passwords are considered strong if they contain a combination of upper- and lower-case letters, numbers, and special characters.  Passwords should be at least 8 characters in length, as shorter passwords are exponentially easier to break.
If you want to get a sense of how strong your password might be, take a gander at howsecureismypassword.net.  The site doesn't capture your password, but it'll give you a readout of how long it will take a standard modern PC to crack your password.  It's not mathematically perfect, but it can easily show you the difference that just adding one special character or lengthening your password makes.
  • How Do I Keep Track of All My Passwords?  Remembering all those complex passwords is the biggest reason people reuse passwords or choose weaker passwords.   There are a handful of different things you can do to help with this problem:
    • There are ways to construct complex passwords that make them less random and thus easier to remember.  There are several articles which lay out different schema.  Here's a link to one of the better ones.
    • Place your passwords inside of a spreadsheet or document, then save that document in password-protected mode.  Then compress/zip that file using software which allows you to encrypt the file and password protect it (e.g.:  WinZip)
    • There are a variety of password management tools out there which will store and protect your passwords for you on your computers and mobile phones.  If you go this route, though, ensure that your tool is reputable -- since bad guys will throw up faux "password management" apps as a method of stealing your passwords.  The reputable password management tools all have advantages and disadvantages;  this recent article reviews and compares them all.  For free applications I like KeePass...but LastPass Premium ($12/year) is truly the gold standard for password management tools.
A reminder:  if you use a password management system ensure that the password for this system is as strong as you can make it.  That password is, quite literally, the key to your online kingdom.
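As an added illustration of the strength rule of thumb earlier in this list (this is example code written for this page, not something from the original post or from howsecureismypassword.net), the script below infers which character classes a password draws from, computes the resulting brute-force search space, and converts it to an exhaustion time at an assumed guess rate.  The guess rate (1e10 guesses/second) and the class sizes are my assumptions; the estimate is pure keyspace arithmetic and deliberately ignores dictionary attacks, so a common pattern like "Password1!" still scores as a full 94-symbol search.

```python
import math

# Each character class: (number of symbols in the class, membership test).
# Class sizes are for printable ASCII (33 = punctuation plus space); assumption.
CLASSES = {
    "lower": (26, str.islower),
    "upper": (26, str.isupper),
    "digit": (10, str.isdigit),
    "symbol": (33, lambda c: c.isprintable() and not c.isalnum()),
}

GUESS_RATE = 1e10  # guesses per second an attacker can try; assumption


def classes_present(password):
    """Names of the character classes that actually appear in the password."""
    return [name for name, (_, test) in CLASSES.items()
            if any(test(c) for c in password)]


def alphabet_size(password):
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    return sum(CLASSES[name][0] for name in classes_present(password))


def keyspace(password):
    """Number of candidate strings of the same length over that alphabet."""
    return alphabet_size(password) ** len(password)


def meets_rule_of_thumb(password):
    """The post's rule: at least 8 characters and all four classes present."""
    return len(password) >= 8 and len(classes_present(password)) == len(CLASSES)


def seconds_to_exhaust(password, rate=GUESS_RATE):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / rate


def human_duration(seconds):
    """Rough human-readable duration for a number of seconds."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.1f} {name}"


def compare(base, variant):
    """How many times larger the variant's keyspace is than the base's."""
    return keyspace(variant) / keyspace(base)


if __name__ == "__main__":
    # Constructed sample passwords: each row adds one character or one class.
    for pw in ["password", "password!", "Password!", "Password1!", "Password1!xyz"]:
        print(f"{pw:16} alphabet={alphabet_size(pw):3} "
              f"keyspace=2^{math.log2(keyspace(pw)):.1f} "
              f"rule={'ok' if meets_rule_of_thumb(pw) else 'no':3} "
              f"exhaust={human_duration(seconds_to_exhaust(pw))}")
```

Note how appending a single "!" to "password" moves the alphabet from 26 to 59 symbols and the length from 8 to 9, multiplying the search space by roughly forty thousand.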

Hope this helps!

Wednesday, August 6, 2014

Russian Hackers Amass Over 1 Billion Passwords

Many of you may have seen the recent announcement about a Russian hacking group amassing over a billion internet passwords from internet-facing applications.  If you haven't, here's a link to the recent New York Times article.

This hasn't generated a tsunami of chatter just yet but I am certain that many of you will have/face questions.  Based upon what little we know right now, here are some random thoughts and opinions.

  • When In Doubt, Change Your Passwords.  Seems simple enough, but many people still do not do this with regularity.  Worse, many people use the same weak password for multiple accounts.  Changing your password to a strong, complex password that you haven't used elsewhere will eliminate the threat of compromised passwords.  Corporately, enforcement of password policies regarding complexity and periodicity of change will have the same positive impact.
  • The Announcement Timing Is Suspect.  Hold Security (the company that announced this finding) may be doing this for publicity.  Less than scrupulous security firms have often kickstarted their initiatives with a huge announcement like this as an entry into gaining traction in the market.  Add to that the fact that the Blackhat and Defcon Security Conferences are currently underway, and my suspicions become exacerbated.  Indeed, Forbes announced this morning that Hold is now offering a service "for as low as $120" to help you determine whether your password is on the list.
  • We Don't Know The Important Stuff.  Yet.  Until we have more data (who/what/when/where/why) about this announcement, there's little anyone can do corporately/organizationally to protect themselves beyond changing passwords.  Indeed, this is little more than a "the sky is falling" announcement as it is currently crafted.  What would be more interesting is an understanding of what servers in what corporate entities were compromised to get this data.  If Hold Security chooses to release that information (and early indications are that they will not), then the impacted organizations will come under increased scrutiny, which may trigger a need for security professionals to reassess their overall protection profiles.
Bottom line for this one -- for now -- is password management.  Only time will tell if we need to take a deeper look at the potential ramifications of this revelation.

My two cents...

Wednesday, April 9, 2014

Tips and Tricks on Surviving the Heartbleed Bug

As many of you have heard this week, a significant vulnerability was recently discovered within OpenSSL -- a popular open-source implementation of the SSL/TLS protocols used to encrypt vast portions of the web -- to include authentication data such as user names and passwords.  The bug has been dubbed the "Heartbleed" bug as it exploits a flaw in the handling of the TLS heartbeat extension within the protocol.  

This particular bug is actually worthy of the attention that it is getting.  That being said, the sky isn't falling and the Internet isn't collapsing :)   Here are a few things that you can do to protect yourself while Heartbleed is being remedied:

  1. Password Management.  There is some debate around whether you should consider changing your passwords now or changing your passwords after verifying that the patch has been deployed.  My practical answer is to wait.  Changing your password on an already-compromised website still results in a compromised password, so waiting to change until sites are patched makes better sense.  My one exception to this is in situations where you are using the same password for multiple accounts.   Immediately changing the password that you use for your 4 email accounts, 3 banking applications, 2 social media sites, and 1 online shopping service to 10 separate passwords is one way of minimizing any potential damage from a compromised account.  Of course, managing and securing so many passwords can be painful;  I recommend utilizing a secure password management tool to assist.  My favorite?  MiniKeePass.
  2. Financial Scrutiny.  It's an old saw, but it still rings true:  keep an eye on financial transactions and financial statements for potential fraudulent activity.  Call your financial institution immediately if you see something that doesn't make sense.
  3. When in Doubt, ASK.  So how do you know if websites you do business with are vulnerable to this flaw?  If you like to get your geek on you can test a website yourself (though the results aren't necessarily conclusive);  you can also consult the latest list of Heartbleed test results for popular sites that is circulating the web right now.  The easiest way to find out, though, is to ask the question of those sites which you frequent.  Knowledge is power, and getting straight answers from the online entities which you frequent will help you better protect yourself as you move forward.
Hope this helps.  Spread the word!!

Sunday, March 16, 2014

Intelligence Redux

Anybody who was at the RSA Conference a few weeks ago can attest to the fact that "threat intelligence" has become the catchphrase du jour. As was the case with "cloud" a few years ago and "data analytics" last year, every vendor on the show floor was hawking a product or service which claimed to increase my understanding of the bad guy and thus improve my ability to better defend my enterprise.

As I began to dig into these products and query my fellow practitioners, I became concerned about what the vendors were calling intelligence and the real value this latest array of tools and services would (or would not) provide. Many of my discussions quickly focused on the concepts of intelligence and intelligence collection and how to apply these concepts practically. While it's been years since I worked in Army Intelligence, some lessons certainly spill over into the corporate world. Allow me to share some of my thoughts on these concepts for your consideration...

Intelligence Defined.  With the term threat intelligence being widely (overly?) used these days, it's worth stepping back and understanding the difference between data, information, and intelligence. Data are facts; they are immutable and unchangeable. Information, simply put, is data in context. Intelligence is information that is extracted and revealed from an analysis of given data and information.

Confused?  Let me give you an example. Take the number 3015178088. This number is a piece of data, devoid of any context. We can attempt to provide some context to this data in an attempt to provide some level of information to the reader. Examples:
  • 3,015,178,088 -- a number in excess of three billion
  • 30151-70808 -- an overseas telephone number, most likely European
  • (301) 517-8088 -- a North American phone number
As you can see, adding context to the data provides different information to the consumer.

In this particular example, the North American telephone number is the correct context. Now let's provide additional data/information to the reader:
  • 301 is one of the area codes for Maryland
  • I lived in Maryland from 1995 to 2003
Given these pieces of data and information, you might be able to extract the intelligence that the phone number listed was one of my old phone numbers. That piece of information is not stated anywhere within the provided data/information, but through simple analysis and some deductive reasoning, it can be extracted with a reasonably high level of confidence. Consumer organizations regularly extract "business intelligence" from data collected with member loyalty programs in an attempt to focus their marketing and sales efforts with laser-like precision -- occasionally to the point of becoming quite intrusive.

Actionable Intelligence Collection. In order for intelligence to be actionable (i.e., result in the ability for me to do something better/smarter/differently/more effectively than I am at the moment), the intelligence collection effort within the enterprise must be organized and deliberate. Intelligence collection is more than information gathering/information consumption; it requires the enterprise to remain focused on fanatically answering three seemingly simple questions:

  • What do I need to know? What are the most important questions for you to get answered? In the military we referred to these questions as priority intelligence requirements (PIRs). Intelligence collection efforts should be focused on answering these questions first and foremost. Note that determining these questions may be simpler than you think. I remember an intelligence exercise from my GI days involving the transport of relief supplies into a fictional European country via military convoy. As the exercise assumed a hostile force which occasionally disrupted transports along the one major highway into the area, the #1 PIR was always "Is the road open for travel?" I would imagine that some of the PIRs for most enterprises would be equally straightforward. Some examples:
    • Are bad guys in my environment right now?
    • Is sensitive data leaving my environment in an unauthorized fashion?
    • Which bad guys are trying to get into my enterprise? 
    • Where are the most likely/most vulnerable attack points?
  • What is the best way to get the answers I need? Folks, PIRs can (and should) be answered by a multitude of sources. These include (but are not limited to):
    • News reports
    • Existing enterprise tools 
    • Communications via professional organizations
    • Organizations which monitor threat activity regularly (CERTs, ISACs)
While a "threat intelligence" platform or service, properly constructed, might provide indications and warning about an iminent attack it may be argued that existing sources of data from within the enterprise are better suited to determining the current state of attack if properly monitored and utilized. Indeed, focused monitoring and analysis of open-source information providers may provide reasonbly accurate and timely indications and warning of threats and attacks against the enterprise.

  • What do I intend to do with the intelligence gathered?  Intelligence collection should not be an academic exercise. Answering your PIRs should drive action within your environment. If fulfilling a PIR does not drive even a minimal course correction on the actions and activities of the enterprise, then you need to consider whether or not you are answering the right questions...or whether or not you need to adjust your efforts down to that which is actionable within your current culture. This last phrase may seem anathema to the security professional, but given limited resources we must constantly balance our collection efforts against our execution priorities lest security become simply an academic exercise.
* * * * * 

Given the aforementioned definitions, many of the "threat intelligence" products and services being advertised today provide threat information versus threat intelligence -- i.e., they are providing yet another credible data/information source to the enterprise defenders versus true intelligence. While this data source may be more focused and more useful than other data sources available, without an understanding of organizational PIRs this data source becomes yet another firehose of "stuff" which the security team must consume lest it drown. Worse, without an ability to guide and focus collection efforts across the enterprise, the security team may be looking for indications & warning regarding attacks from largely ineffective (and probably expensive) sources.  

Threat "intelligence" products and services do have a place within the enterprise...but only if the enterprise is prepared to utilize and absorb the information provided in a cogent and thoughtful manner. While the temptation to garner information from closer to the bad guys is appealling, having yet another firehose to drink from will only hasten the drowning if you're not careful.

My two cents...


Saturday, March 1, 2014

A Three-Pronged Approach to Protection

In the wake of recent merchant breaches, I have found myself on an increasing number of calls with customers, reporters, and business leaders from various industries.  Invariably, the questions asked all boil down to one overarching interrogative:  "How do we avoid becoming the next breach victim?"  After I attempt to calm nerves and reiterate that there are no silver bullets out there, my answers tend to center around three fundamental areas that I offer up to you for criticism or comment.  Here goes...

1.  Be Harder Than The Other Guy.  Folks often ask me whether or not they should put the alarm sign in front of their house when they buy an alarm service.  My answer to them is "yes, absolutely!" Most burglaries and break-ins are by amateurs looking for easy targets and/or targets of opportunity.  While the alarm sign will alert the 1% who are specifically aiming to break into your house to cut the phone lines, it will also steer the remaining 99% to your neighbor's house if your neighbor doesn't have an alarm sign posted.  No alarm equals an easier target, so becoming a harder target than your neighbor is an attack deterrent.  The same principle applies in cyberspace.  If your protections and controls are perceived to be more durable and more resilient than your competition's, it stands to reason that the bad guys will attempt to acquire data from the weaker target instead of attempting to breach the harder target.  We can see this occurring in a strategic fashion if we step back and observe the class of businesses that hackers are attacking;  instead of focusing predominantly on financial institutions and payment processors, we have seen concerted efforts against merchants, contact centers, and other potential 3rd party "aggregation points" for data.  Even within certain classes of targets, there is value in informing your adversary -- in general (but not opaque) terms -- of the strength of your protections in order to discourage attack.  (Note:  Those of you reading this post who have some military experience will recognize this approach from your unconventional warfare training;  if you think about it for a bit, you'll see that the same principles apply when facing off against the hacker community :o)  )

2. Be Best-In-Class At Incident Response.  If you accept the premise that even the most prepared defenses will be breached -- and they will, believe me :) -- then the ability to identify, contain, and eradicate the threat as early as possible becomes critical.  There are statistics out there which state that the average time between infection by a sophisticated attacker and its detection in the network can be measured in months if not years.  Investing in the technologies and the personnel needed to shrink this window is a critical step in breach avoidance.  Note that investing in personnel does not just mean headcount; more importantly, it means training and education to improve general security knowledge, an understanding of the threat, and critical thinking skills.  This training needs to go beyond just those within the security team to all members of the extended incident response team.  

3.  Add Threat Intelligence To The Mix.  If this year's RSA Conference is any indication, the importance of understanding one's adversary has come back into the forefront of the security discussion.  This will be considered good news by those who have long stated that we have become so process- and business-focused that we have diluted our understanding of hard-core security.  Still, I wonder how many people understand the difference between threat information and threat intelligence.  True threat intelligence, in order to be useful to the enterprise, requires an understanding of what knowledge is of paramount use (priority intelligence requirements); what the best sources are for obtaining that knowledge (collection management); and what actions need to be taken based upon the information obtained (risk management planning).  In the absence of these key components, threat information becomes yet one more firehose from which the security team must drink whilst attempting not to drown.

While these answers may provide small comfort to organizations looking for quick-fix solutions, they represent the basic building blocks for moving toward a risk-based security program.  Consider using these concepts when discussing security needs with your business leaders.  Enjoy!

Wednesday, February 19, 2014

Eulogy to Windows XP

(The following eulogy was written by Sam Marshall from Treca Educational Solutions.  Enjoy!  -K)

Many of you may have heard that Windows XP will soon see retirement and no longer receive updates or support from Microsoft.  So let’s take a moment to remember Windows XP:

  • When Windows XP was released on October 25th, 2001, President George W. Bush had not yet completed his first year in office.
  • The minimum amount of RAM to run it was 64MB; the iPhone 5s comes standard with 1GB, which is 16x more powerful.
  • When Windows XP was launched there was no Facebook, Twitter, or Pinterest
  • Businesses wanting to install Windows XP could prepare 6 FLOPPY DISKS to install the operating system on systems that did not have a CD-ROM drive.
  • By January 2006 over 400 Million copies had been sold.
  • Microsoft Officially ended sales of Windows XP on June 30th 2008 -- over 5 and a half years ago!
  • Microsoft has released 3 newer Operating Systems after Windows XP
  • Even in 2014 Windows XP is being used on nearly 30% of the world’s computers.  Many of these systems are ATMs and Point-of-Sale devices.
  • Microsoft will end support of Windows XP on April 8, 2014 (Less than 60 days away)

Why should you care?

If you, your friends, or your family run Windows XP, know that after April 8th these systems should no longer be considered secure. Microsoft will no longer release security patches or updates for Windows XP.  These updates are like vaccines, and Microsoft ending support means no more vaccines will be made to keep your system healthy. (Note:  Microsoft is offering some level of continued patching support for businesses, but the price points are punitive.  No such support has been planned for individual consumers to my knowledge.)

Sadly, there are no easy solutions.  The only options available are to update to a new operating system or purchase a new computer if your current one cannot run a newer version.

Sunday, February 16, 2014

Blinded (and Bitten) by Compliance

I have remained silent on issues of security as we entered the new year, and many of my readers have asked me why. With the plethora of merchant breaches that hit the news during the holiday season, surely I had an opinion (or six) on the topic...so why not share them?  The reason was simple: there were already so many "experts" and pundits providing comment with minimal information that adding one more voice to the fray would most likely be counterproductive.  The merchants who were breached have been vilified in the press and had their collective competence unfairly questioned by far too many people in far too many venues; anything I had to say (and much of it would be favorable to my security brethren) would merely add to the noise...and might be subject to misinterpretation by folks hungering for a story.  Still, now that the media drama has subsided and we're into the "what must be done" phase of the crisis, I think it's time for me to come up for air.  While I don't wish to continue "making glue" out of well-flogged security issues, there is one area that I believe bears a tad more exploration:  the PCI-DSS and its role within payment security.   

Earlier this month, Bob Russo of the PCI Council formally responded to criticisms of the PCI-DSS standard in the wake of recent breaches.  Mr. Russo reminded nay-sayers that (a) there is no such thing as a silver bullet; (b) the PCI standard represents an "excellent line of defense" in terms of security; and (c) it is not the job of the PCI Council to enforce merchant or banking institution security.  In short:  the recent merchant breaches do not represent a failure in the PCI-DSS but rather a breakdown in security controls within the respective institutions.

Hmmm....

I remember working as a CISO in the mid 2000s during the early days of credit card breaches.  I remember watching a couple of television commercials sponsored by all five major credit card brands touting the safety and sanctity of credit card payments.  Every time I saw one of these commercials I noted to my colleagues that I felt the credit card companies were "running scared" from regulation in light of the then-current state of breaches; I was curious as to what the card brands would propose to fend off the spectre of further regulatory oversight.  The very next year, PCI-DSS came into being.  More prescriptive and detailed than HIPAA, the PCI-DSS had more teeth than existing federal mandates given the ever-looming possibility of losing the ability to process electronic payment transactions.  During this time, the card brands feverishly campaigned to anyone who would listen about how PCI-DSS would collectively raise the bar in how credit card processes were secured and inject peace of mind back into transactions.

The security community willingly and eagerly jumped onto the compliance bandwagon, touting HIPAA, PCI, and GLBA whenever possible.  "At last," the community said, "we have a useful arrow in our quiver."  Security was either the law of the land or a regulatory requirement for business.  We hitched our programs onto these regulations and laws with reckless abandon, eschewing the nay-sayers (yes, I was one of them) who touted the regulations yet cautioned that they could become yet another brand of FUD (fear, uncertainty, and doubt) if we linked our programs too closely to them.  Years would pass before we would come to realize that by equating security to compliance we risked watering down our programs to the minimum necessary controls required to obtain a compliant state.  It would be even more years before we recognized that the final determination of legal and/or regulatory sufficiency often did not reside within security but with the offices of the corporate attorney.

At the end of the day, any security professional has to agree with the statements made by Mr. Russo.  Any assessment against regulation is a point-in-time view of an organization, and while the DSS is an excellent standard it might not be sufficient to ensure security of all critical assets within the environment.  Worse, if security controls are not monitored and appropriately enforced then even the most robust ecosystems will become vulnerable.  In defending the PCI-DSS and its viability, Mr. Russo has merely restated a tenet that security professionals started saying en masse several years ago:  compliance does not equal security. My minor umbrage, if you will, to Mr. Russo's comments stems from the fact that the security community's late realization of the aforementioned tenet was one of the contributors to the successful marketing of the PCI-DSS as a standard of excellence for security.   

One cannot help, as a community, feeling partially thrown under the "blame bus" by an ally.  

Mr. Russo's interview should hopefully represent a wake-up call for those still focused on compliance instead of security.   Anyone struggling with their leadership to focus on holistic, risk-based security versus compliance should use Mr. Russo's interview as a reminder of the role -- and limits -- of compliance within one's security program.

My two cents...