The Source of PCI DSS “Failure”


This is somewhat of a follow-up to my post on changing our attitude towards how we might best protect consumers who use credit cards.

In FAIR, there are three types of contact that drive the probable frequency of attacks:

• Random - The attacker stumbles across some treasure.
• Regular - The attacker is in regular contact with an asset and finds the probability-of-action factors (value, level of effort, risk of getting caught) in a state that compels them to attack.
• Intentional - The attacker is actively seeking to cause harm.

But the factors that drive contact frequency are only half of what enables a threat to act against us. The other half is the set of factors that drive the Probability of Action:

• Level of Effort - Does the attacker believe they have the skills and resources to carry out an attack?
• Value - Does the attacker believe it is worth their effort to attack?
• Risk - Does the attacker believe that the probability of getting caught, and the impact of getting caught, are low enough to attack?

Here’s a nice visual aid:

SECURITY, OBSCURITY, OBFUSCATION

When people argue about security through obscurity, the crux of their argument is that obfuscation is generally ineffective against a determined attacker (1). I think we can explain why using FAIR: the probability of action is high and the contact is intentional (in other words, they are motivated).

WHAT DOES THIS HAVE TO DO WITH PCI DSS?

I’m going to state that PCI DSS is not necessarily concerned with Detection and Response. Once an organization that processes credit cards has failed to prevent illicit access, it is in some sort of trouble with somebody. This is because PCI DSS is philosophically about preventing illicit access to credit card numbers. As such, I think we can call it security through obscurity on a grand, grand scale. The controls we put in place and the compliance dances we perform with QSAs are primarily designed (2) to show how “secure” we are, that is, our ability to prevent loss events.

IF PCI DSS IS SECURITY THROUGH OBSCURITY, THEN…

I’ll allow you to draw your own conclusions about its viability. But before you do, let me offer this: with retailers, banks, and processors all being involved, we might say that PCI DSS is the first significant attempt to secure a semi-private cloud.

======================

(1) I think we could offer that obscurity, as a means of resistance, does have some value against random and regular types of contact.

(2) Sure, there are detect and respond aspects to the DSS, but it is not clear how they help mitigate the actions of the most significant of secondary threat communities, the PCI itself.


5 comments

1. Mike Jan 24

Alex, did you say something about drinking the Kool-Aid? PCI DSS is about preventing the paper and electronic theft of payment card data. I can show you a few times where it talks about detection and response, including audit logging, IDS, FIM, etc.

I do find it totally self-serving that you wrote all about your risk structures and then threw in “PCI fail” at the end. Why are you not promoting positive security and clarification in the industry instead of just regulation bashing? Next time, try suggesting solutions and positive change.

2. Alex Jan 24

Mike,

Take a deep breath and read the following out loud; it was written by a smart guy who should know better:

“PCI DSS is about preventing the paper and electronic theft of payment card data.”

Now say it again.

One more time….

OK. I acknowledged that PCI DSS has some D & R clauses in my footnotes there. But what you’re saying is true - the DSS is primarily concerned with Prevention. What is it trying to prevent?

Ed Bellis said it this way: CC#s are the world’s biggest shared secret. We’re trying to prevent the world’s biggest “secret” from getting out. And it’s prevention through obscurity within the networks of people who may not have the skills, resources, or motivation to keep that secret safe.

The only way we’ll really protect the consumer is by ignoring prevention and focusing on detection and response to act as second-level prevention at a localized level. In other words, make it so that I can post my CC# right here on my blog for everyone to see *and it wouldn’t matter*.

3. Kevin Peuhkurinen Jan 30

I’d say that CC#s are the second best secret after social insurance numbers, but whether it is PII or PANs, I think you are on the right track. Trying to secure the confidentiality of such an enormous amount of data located in such a diverse number of locations is eventually going to be shown to be far more costly and far less efficient than finding a way to lower the value of the information instead.

1. PCI-DSS Is Not About “Security by Obscurity” « Risktical Ramblings
2. Interesting Information Security Bits for 01/26/2009 | Infosec Ramblings
