A Q&A with Christopher Pogue of Trustwave
The Payment Card Industry’s Data Security Standard (PCI DSS) has been in place for a long time. Yet we keep hearing about breaches at PCI-compliant organizations. To learn why that is and what companies can do to better protect themselves, we spoke to Christopher Pogue, CISSP, CEH, CREA, GCFA, QSA, a director at Trustwave’s SpiderLabs.
Where are most companies falling short for PCI compliance?
I would like to say that the shortcomings in PCI compliance are due to technical complexity introduced by the requirements of the PCI DSS. But they’re not. They are mainly a collection of minor, simple steps that for whatever reason are not taken.
Having worked thousands of data breaches over the last five years, the experts at Trustwave have developed a solid understanding of what shortcomings lead to a data breach. While there can be multiple contributing factors based on the type of organization, the most common are open remote access, weak passwords, and the lack of a properly configured firewall.
According to the 2013 Trustwave Global Security Report, open remote access was used as the initial point of entry 47% of the time. When organizations use a remotely located corporate IT team, or third party service provider to perform administrative functions on their payment systems, remote access applications are logically used. The issue does not lie with the simple fact that they are in use, but rather they are not configured in such a way that access is restricted to only those individuals that have a legitimate business need. Rather, they are wide open for anyone to connect, including cyber criminals.
The second weakness, which is tied in directly with open remote access, is the usage of weak passwords. Surprisingly, even in today’s world where cyber breaches and GRC (Governance, Risk, and Compliance) are part of corporate vernacular, the most commonly used password Trustwave identified after analyzing more than three million samples was “Password1”. While certain passwords like this adhere to the PCI DSS requirements outlined in sections 8.5.10 and 8.5.11, they can easily be brute forced by an attacker in a matter of seconds.
When weak and/or vendor supplied default passwords (PCI DSS section 2.1) are present, in conjunction with open remote access, attackers can identify, target, and breach such a location in very short order.
The third weakness that is most common is the lack of a properly configured firewall. The term “properly configured” is very important in this context, because according to the PCI DSS, a control is either in place in a 100% compliant manner, or it’s not. There is no “sort-of” or “almost”; it either is, or is not. During our tenure as a PFI (PCI Forensic Investigator), we have seen literally hundreds of instances where the victim indicates, “I have a firewall in place…see…it’s right there!” However, when we examine the Access Control Lists (ACLs) we discover that they are set to the vendor defaults, which allow all traffic and deny nothing. This obviously does them no good.
A firewall must be properly configured with both Stateful Packet Inspection (which basically means that the firewall will check to determine if a TCP conversation was initiated from behind the firewall) and multi-directional traffic filtering. This means that network traffic flowing into and out of the PCI network has security controls in place to ensure that only business critical data is flowing to and from the correct source and destination.
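The interview notes that a password such as “Password1” can satisfy PCI DSS v2.0 requirements 8.5.10 (minimum length of seven) and 8.5.11 (both numeric and alphabetic characters) and still be guessed in seconds. The check below is an added example, not Trustwave’s code or data; the common-password list is a small constructed sample standing in for a full breach-derived wordlist.

```python
import re

# Added example, not from the interview. Requirement numbers are PCI DSS v2.0,
# the version in force when the interview was given:
#   8.5.10 = minimum password length of 7
#   8.5.11 = password contains both numeric and alphabetic characters
PCI_MIN_LENGTH = 7

# Constructed sample wordlist (assumption: a defender would load a full
# breach-derived list here; Trustwave's three-million-sample data is not used).
COMMON_PASSWORDS = {"password1", "welcome1", "letmein1", "qwerty123", "abc123"}

# Dictionary word followed by a short digit suffix, the "Password1" shape.
WORD_PLUS_DIGITS = re.compile(r"[A-Za-z]{3,}\d{1,4}")


def meets_pci_8_5_10_and_8_5_11(pw: str) -> bool:
    """Letter-of-the-standard check: length >= 7 and at least one letter and one digit."""
    return (len(pw) >= PCI_MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def weakness_reasons(pw: str) -> list:
    """Reasons the password is guessable regardless of whether it is compliant."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if WORD_PLUS_DIGITS.fullmatch(pw):
        reasons.append("single word followed by a short digit suffix")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def assess(pw: str) -> dict:
    """Report compliance and strength side by side so the gap between them is visible."""
    reasons = weakness_reasons(pw)
    return {
        "password": pw,
        "pci_compliant": meets_pci_8_5_10_and_8_5_11(pw),
        "weak": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for candidate in ["Password1", "abc123", "correct horse battery staple 42"]:
        print(assess(candidate))
```

Running it shows “Password1” reported as compliant and weak at the same time, which is the point the interview makes about brute force.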
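To make the firewall point concrete, the audit below is an added example (not Trustwave’s tooling) that reads a constructed, simplified ACL format (one rule per line: action, protocol, source, destination, optional port, optional state keyword) and flags the three failure modes the answer describes: a vendor-default allow-all rule, no stateful rule tying inbound traffic to connections initiated from inside, and no egress restriction from the cardholder network. The cardholder network range and the two rule sets are constructed.

```python
# Added example, not from the interview. The ACL syntax is a constructed
# simplification, not any vendor's real configuration language.
CDE = "10.10.0.0/16"  # assumed cardholder data environment range (constructed)

# Vendor default as described in the interview: allow everything, deny nothing.
VENDOR_DEFAULT_ACL = """
permit ip any any
"""

# Hardened version: return traffic only for established sessions, one outbound
# path to the (constructed) payment processor, explicit egress deny, default deny.
HARDENED_ACL = """
permit tcp any 10.10.0.0/16 any established
permit tcp 10.10.0.0/16 203.0.113.10/32 443
deny ip 10.10.0.0/16 any
deny ip any any
"""


def parse_acl(text: str) -> list:
    """Turn the simplified ACL text into a list of rule dicts, in order."""
    rules = []
    for line in text.strip().splitlines():
        p = line.split()
        rules.append({"action": p[0], "proto": p[1], "src": p[2], "dst": p[3],
                      "port": p[4] if len(p) > 4 else "any",
                      "state": p[5] if len(p) > 5 else None})
    return rules


def audit_acl(text: str) -> list:
    """Return human-readable findings; an empty list means none of the three checks fired."""
    rules = parse_acl(text)
    findings = []
    if any(r["action"] == "permit" and r["src"] == "any" and r["dst"] == "any"
           and r["port"] == "any" for r in rules):
        findings.append("allow-all rule: any source may reach any destination on any port")
    if not any(r["state"] == "established" for r in rules):
        findings.append("no stateful rule: inbound traffic is not limited to replies to inside-initiated sessions")
    if not any(r["action"] == "deny" and r["src"] == CDE and r["dst"] == "any" for r in rules):
        findings.append("no egress deny: cardholder network may send traffic to any destination")
    if not rules or rules[-1]["action"] != "deny":
        findings.append("no final default deny")
    return findings


if __name__ == "__main__":
    print("vendor default:", audit_acl(VENDOR_DEFAULT_ACL))
    print("hardened:", audit_acl(HARDENED_ACL))
```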
What can companies do to improve their posture?
The first thing organizations can do to better their posture is read the PCI DSS. The current version is only 75 pages, and provides detailed tables outlining what controls are required, and their requisite testing procedures. Once the requirements are understood, a plan can be made to meet those requirements.
The next recommendation we have is to understand your PCI data flow. Simply put, this is the path the PCI data takes from the time a customer enters in their payment card information (swipe, tap & pay, website, RFI, doesn’t matter) to the point of authorization by the merchant bank, and back to the merchant. Have a firm grasp on what happens with this data, which systems it touches, where it goes, how it gets there, and what happens to it post authorization. Having this understanding will help you determine which areas need to be most heavily guarded.
Third, we recommend partnering with an organization like Trustwave who has a core competency in PCI compliance. Businesses can have many facets to the goods and services they provide. Some make electronics, others provide clothing, while others sell art work. Whatever the case may be, they have a core competency (what is it that they do best – what makes them THEM) that is likely not data security. Therefore, it becomes an afterthought. Something that they know has to be done, but there are other, more important things that directly contribute to top line growth that need to be handled first. While this makes sense from a business perspective, from a GRC and PCI perspective, it’s what is known as a “Bad Idea”.
Organizations like Trustwave have been specializing in GRC and PCI since their inception, and know the nuances of the PCI DSS (or whatever control mechanism is being used) better than anyone. While compliance is likely not your core competency, it is ours. Let us do what we do best, so that you can focus on what you do best.
What are some of the main causes of loss for a PCI breach?
The main cause of loss in a PCI data breach is the theft and subsequent monetization of cardholder data. There is a robust and thriving black market that buys and sells stolen cardholder data like a commodity. Once a breach takes place, cardholder data is harvested and transferred from the victim’s system to a system controlled by the attackers. From here, the data is parsed by card brand, issuing bank, geographic location, and even card sub category (such as Visa Gold, or American Express Platinum). These cards are then sold on “Dump Sites” to criminals who buy them in bulk, and subsequently use them to make fraudulent purchases.
Depending on the size of the organization, the number of cards they process, and the length of time the attackers are present on the network (the 2012 average was 210 days) losses can range from a few hundred cards to several million. The more cards that are present, the more attractive the target is to attackers.
In addition to the losses incurred by fraud, organizations may also face fines imposed by the card brands for non-compliance, and card replacement. Whatever the case may be, when you are breached it can be an extraordinarily costly experience, both in terms of financial loss as well as losses in customer confidence and market share.
I would say that Christopher Pogue of Trustwave did a nice job in laying out the issues commonly raised by organizations that need to comply with PCI and that may be impacted by a credit card data breach incident. PCI DSS is now seen by plaintiff lawyers as a national standard of care. So if an organization’s practices fall short of PCI requirements, that can serve to increase civil liability.