Can PCI DSS compliance protect you from hackers? If recent news stories are true, the answer is a resounding "no."
Take the recent case of Albert Gonzalez (aka "Segvec") as evidence. A federal grand jury indicted Gonzalez on charges that the 28-year-old Floridian was the mastermind behind the theft of account information on 130 million credit card users from Heartland Payment Systems.
If that name sounds familiar, it should. Gonzalez, along with unnamed Russian co-conspirators, is already in police custody, charged with hacking into the network of retailer TJX -- all the while working as an informant for the U.S. Secret Service. The new indictment reveals that TJX and Heartland were not his only targets. The networks of 7-Eleven, Hannaford Bros. Supermarkets and two unnamed retailers are also believed to have been hacked by Segvec and company, with credit card and personal information on untold numbers of American consumers pilfered.
Heartland Payment Systems has confirmed that it had conducted and passed a Payment Card Industry (PCI) audit during the time that Gonzalez had access to its network and that batches of credit card information were siphoned off the company's systems after the company's PCI DSS compliance audit was complete.
For IT pros who are on the front lines in the fight against sophisticated hackers, the question is whether efforts toward PCI DSS compliance give companies an edge against criminals like Gonzalez or just create a false sense of security while failing to raise the bar on financial fraud.
That very question was being asked by some of the world's top security experts, who came together in August for the annual Black Hat Conference in Las Vegas. In a presentation dubbed "Mo' Money, Mo' Problems," Jeremiah Grossman and Trey Ford of Web application testing firm WhiteHat Security dug into the ways that Web hacking can be used to generate outsized profits for online fraudsters.
Whereas regulations tend to look at security monolithically, Grossman and Ford pointed out that Web attacks span a spectrum from low-level, automated attacks that can net attackers thousands of dollars to sophisticated application attacks against banks, affiliate networks or e-commerce Web pages that can bring in hundreds of thousands or millions of dollars.
Exploiting Web applications can be quite profitable even for attackers with few skills -- and scarily profitable for the top tier of Web hackers. Grossman and Ford also worried over the low bar set by PCI DSS and other industry standards, which do a poor job of testing for sophisticated Web hacks that exploit holes in Web applications or take advantage of loose business logic. The message from WhiteHat: Both testing and compliance need to be flexible, rather than rigid. Both must be risk-based rather than just threat-based. Flexible, risk-based testing and compliance strategies will address the challenge posed by a broad spectrum of smart (and dumb) attacks.
Security researcher and Black Hat speaker Peter Guerra took the argument a step further, suggesting in a paper that the U.S. government's CAN-SPAM Act of 2003 may have contributed to the explosion in malware. Far from stopping spam, CAN-SPAM merely pushed spam operators underground to botnets to distribute their illegal solicitations. That, in turn, pumped R&D resources into creating malware and Trojans to keep the botnets operating, Guerra argued.
Cybercrime, the argument goes, is just another form of economic activity. As such, it obeys many of the same rules as legitimate business activity: scarcity and demand, cost vs. benefit. Poorly crafted or myopic regulations do little to stem the problem but can change the incentives around specific types of behavior.
What's to be done? Here are some suggestions culled from the experts at Black Hat (and elsewhere):
- Prioritize. Focus less on filling check boxes and compliance as a goal in and of itself (though, of course, passing audits is still important). Instead, IT administrators need to do more to understand their employer's risk and exposure, then use that information to prioritize security resources and investment.
- Plan ahead. Organizations continue to fight the last war when it comes to security -- focusing resources on defending against attacks on their network perimeter and mass distributed attacks against common targets like Microsoft Windows and other commercial software. But the most dangerous attacks are likely to be tailored and focused on custom or high-value applications. More investment is needed in areas like penetration testing to identify vulnerabilities in networks and applications. Beyond that, companies need to develop (and budget for) robust secure development and testing procedures internally, and they must hold business partners and ISVs to similarly high standards.
- Share information. As the Gonzalez case illustrates, organizations are loath to admit when they have been hacked. While that's understandable, it also plays into the hands of cyber criminals, who can often move from victim to victim with nary an alarm being sounded. Moreover, the absence of real data on hacks leaves a black hole that is filled by security technology vendors -- hardly a disinterested group. Vendor hype that distorts the dimensions of problems can result in misdirected investments. In a Black Hat talk with colleague Dinei Florencio, Microsoft researcher Cormac Herley argued that organizations that are victims or targets of cybercrime need to share more and better information about attacks and threats with their peers, and that government should play a role in fostering such sharing. "In the absence of data, all we have is speculation," said Herley. "And that underpins a lot of the problems you see in security."