
PCI: Pretty Cruddy InfoSec?


I guess when your logo is a bulls-eye, you can’t be too surprised when people take aim.

KJR has refrained from commenting on the Target situation on the grounds that (1) it’s received plenty of coverage elsewhere; (2) we don’t play dog pile on the rabbit around here (but we do occasionally refer to ourselves with the Royal We); and (3) when it comes to information security, what we know is that it takes people who know a lot more than we do.

But really, who could resist, especially when the single most notable and important aspect of this mess — the complete and utter failure of PCI-DSS certification (Payment Card Industry Data Security Standard) to prevent such a massive theft — has received little attention from the trade press and just about none at all from mainstream media accounts?

Keep in mind that PCI certification is 100% private-industry designed, funded, and practiced. It came from the payment processing industry, with no government intervention anywhere in sight, and few or no “perverse incentives” to maim the marketplace either.

It’s the industry’s attempt at self-regulation, and it’s failed dismally. How can that be, given how much money is at stake?

Answer #1: It doesn’t matter how much money is at stake. We’re talking about an industry standard, and all industry standards share the same fundamental challenge: the process of developing and ratifying them is, at its core, legislative. There are lots of stakeholders, who eventually group into disagreeing (and often disagreeable) factions, resulting in a design that’s chock-full of political compromises.

Which isn’t a criticism of standards-creators. Creating even a mediocre standard is hard, painstaking, time-consuming work. As with any large-scale consensus, the problems are intrinsic to the process, not the participants.

Answer #2: Standards-driven certifications are yet another example of Metrics Gone Bad, which is what happens whenever a metric becomes the point of the exercise, instead of actual success.

Certifications are metrics, which is to say they’re supposed to be a way of telling whether or not someone has achieved the results they’re supposed to achieve. What, you thought a metric had to be a number?

And every time the metric becomes the point, whether it’s a college student wanting a diploma instead of an education; a supplier wanting ISO-9000 certification instead of wanting top-notch internal processes; or a retailer seeking PCI compliance instead of well-protected customer data … every time the metric becomes the point it prevents something good from happening.

And once you have a metric, it’s rare that it doesn’t become the point.

Boiled down to basics, certification means passing a test. So far, so good — tests are designed to gauge knowledge and competence. But (and you knew “but” was hanging over that sentence like the Sword of Damocles) …

Those taking the test have a personal stake in passing that exceeds their personal stake in acquiring knowledge and becoming competent. If they’re job-seekers, their careers depend on it; if they’re retailers, their ability to receive payments with something other than cash depends on it; if they’re cramming for the SAT, their college entrance and future careers depend on it.

Those who seek certifications are incented to pass the test. Achieving actual competence becomes the byproduct, not the point.

Answer #3: What PCI provides is a manual for data thieves. By spelling out what is protected, and how, it spells out what isn’t protected and is vulnerable. Call me naïve; this doesn’t strike me as the best idea anyone ever had.

Which brings us to Target, which can certainly afford the best information-security money can buy (okay, the second-best after the NSA, but let’s not quibble) and is undoubtedly PCI certified. And yet …

Here’s what I don’t get. I’m imagining myself sitting inside Target’s firewall. Its head of information security isn’t even trying to keep me out. Quite the opposite, he’s giving me every credential I ask for. I’m trying to track down where the POS modules reside so I can attach malware to them … without showing up in any server logs … then to figure out the protocols for propagating POS software updates to the stores.

But a company the size of Target has thousands of servers and hundreds, maybe thousands of applications in its portfolio, none named POS_SourceCode_ComeAndGetMe.cxx.

Without documentation or colleagues to consult, I wouldn’t know where to start.

Would you?

* * *

Fifteen years ago in the IS Survival Guide: a simple formula for predicting which software products will succeed and which ones will fail. It works!

Comments (11)

  • Bob,

    That’s not the right question. Would you or I know how to start, if we wanted to steal from Target? No we wouldn’t.

    But I think what happened here is that someone who worked for Target in building these very systems realized that they could use that knowledge to steal from Target.

    So the question then becomes, how can you create a standard to defend you from an internal attack from a knowledgeable stakeholder. There are answers to this, but none of them revolve around the current fad of “run your companies with as few employees as possible.”

    • I didn’t want to speculate about this being an inside job in print … but I wasn’t above hinting at it. I agree with you – this certainly smells like an insider was involved, doesn’t it? Surprising this aspect of things has received so little mention.

      • It’s been mentioned elsewhere on the ‘net that the Target breach was likely the work of an insider. I think Target has probably worked hard to keep that aspect of the situation very, very quiet.

  • I work as a freelance IT security consultant, helping organisations prepare for security assessments against ISO27001 (the international standard for IT security) and PCI-DSS. Although PCI-DSS is closely based on the controls identified in 27001, they are very different. 27001 requires you to establish an Information Security Management System. It doesn’t mandate any particular security actions (although it provides a very helpful checklist of 130+ security controls that should be considered), but it does require a formal risk assessment, together with the adoption of controls to mitigate the risk (and appropriate monitoring measurements) and acceptance of the residual risk by senior management.

    PCI-DSS (IMHO) falls into the trap identified by Bruce Schneier: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” It mandates a long series of technical controls (insert firewalls here and here, implement rules thus and such, encrypt these fields using these technologies) and assumes that if you follow these rules implicitly, you’ll be secure. The danger is that organisations follow these rules and believe they’re secure – they’re not (necessarily), as Target have just demonstrated.

  • Banking in general (with the government regulations and all) has the same problem. You can follow all the procedures, and be completely insecure.

    If you think security is about having the correct policy and procedures in place, and nothing else, then the attackers have already won.

    And this is where the process of PCI is at its weakest – it is too slow to adapt to new threats.

  • If you want to know HOW the attack occurred, may I suggest you read about it at KrebsOnSecurity.com. One thing is clear. The sophistication and skill needed to pull off this heist is impressive. The attackers were very well funded and knew exactly what they were doing. And interestingly, NOT being PCI-compliant did them in. Read Krebs and see if you agree.

  • Two good articles for the price of one. It was fun to read the article from 15 years ago; when something still works after a decade or more, then you know you’re not just sharing information, it’s wisdom. Thanks!

  • “…the complete and utter failure of PCI-DSS certification (Payment Card Industry Data Security Standard) to prevent such a massive theft…”

    Except that’s not what PCI-DSS is for. Nor is it industry self-regulation in any meaningful sense. It was devised by Visa and MasterCard as an attempt to force retailers to implement SOME sort of security (and squeeze more money out of them if they refused). Retailers and card-transaction processors are on the receiving end of these dictates.

    Sure, the PCI marketing blather says things like “Compliance with the PCI DSS means that your systems are secure,” but that’s mainly because the actual requirements at the highest level are things like “Requirement 3: Protect stored cardholder data.” Translation: If thieves steal cardholder data, you failed this requirement. That’s not an industry standard, any more than “don’t get robbed” is a security best practice.

    In Target’s case, the chain reportedly gave a third party (the HVAC contractor) the run of its network. If true, that’s a massive failure of good security practices. And if that’s how thieves stole card data…well, they stole card data, so see Requirement 3 above.

    Every big retailer hates PCI-DSS, and many of them try to get the tamest group of QSAs (the people who certify them for PCI) they can, so when the retailer’s systems fail a test, the QSA will agree they have “compensating controls” that are good enough to waive whatever that PCI-DSS requirement specifies.

    You can argue that it’s a scam and a sham — lots of retailers do. But don’t imagine that it’s industry-developed self-regulation.

    After all, every big retailer knows that payment-card fraud and even big fines from Visa and MasterCard in the event of a security breach are just a cost of doing business. Customers will forgive and forget as soon as somebody else makes headlines for getting hit (just ask TJX, Barnes & Noble, Aldi and other chains who have been breached in the past). Real security — actually “preventing such a massive theft” — is almost always a lot more expensive than what a retailer actually has to pay in the event of a security breach.

    Just imagine what sort of “regulation” they’d come up with if it weren’t being forced down their throats by Visa.

  • I have no first-hand knowledge of the exact mechanics of the breach. I do have decent knowledge of the PCI-DSS standard, having been my company’s PCI PM and compliance manager for four years.

    From what I’ve read, the Target breach included an upload from a server in the cardholder data environment (CDE) to a server operated by the thieves. If this is correct, it points to a violation of PCI-DSS requirements 1.2.1 and 1.2.3, which require a firewall between the CDE and either the Internet or another network, and which require that inbound _and_ outbound traffic be restricted “to that which is necessary.” (We document our allowed target and source systems by address, port, and purpose.) If inbound and outbound connections are restricted properly, alarms should go off when systems try to initiate unauthorized connections. I’m guessing Target didn’t need to be allowing outbound traffic to the thieves’ servers. If the report of how this data was exfiltrated is correct, then this suggests that PCI-DSS wasn’t being followed.

    The only thing worse than a buggy standard is one that’s not being adhered to.

    I agree entirely with criticisms of PCI-DSS expressed so far, especially the quote from Bruce Schneier, which is exactly on point. But compliance is a useful hammer for getting better practices in-house – such as isolating your CDE into tightly controlled networks that are aggressively managed, and not allowing outbound traffic you don’t know about.

    • Well, this gets to the point I was trying to make. I’m quite confident Target passed the PCI cert test every year, for reasons too obvious to bother explaining.

      So Target got its certification. Whether or not it followed the rules is a different matter. Which paints quite a picture, doesn’t it?
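The comment above describes PCI-DSS requirements 1.2.1 and 1.2.3 in practice: a documented allowlist of source, destination, port and purpose, and an alarm whenever a system in the cardholder data environment (CDE) initiates a connection that is not on it. The Python below is an added illustration of that check, not code from the commenter, Target, or the PCI Council. The CDE address range (10.20.0.0/16), the allowlist entries, the flow-log line format and the sample log lines are all constructed for the example.

```python
"""Audit outbound flows from a cardholder data environment (CDE) against
a documented egress allowlist (address, port, purpose).

Added example, not the commenter's or any vendor's code. The CDE range,
allowlist, log format ("timestamp src dst dport bytes") and sample log
lines below are all constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One documented egress permission: who may talk to whom, on which port, and why."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    purpose: str


@dataclass(frozen=True)
class Flow:
    """One outbound connection record parsed from a constructed flow log."""
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    nbytes: int


# Assumed CDE address range (constructed).
CDE = ipaddress.ip_network("10.20.0.0/16")

# Constructed allowlist, documented by source, destination, port and purpose,
# in the spirit of the commenter's "address, port, and purpose" register.
ALLOWLIST = [
    Rule(CDE, ipaddress.ip_network("10.30.1.10/32"), 443, "payment processor gateway"),
    Rule(CDE, ipaddress.ip_network("10.30.2.5/32"), 514, "syslog collector"),
    Rule(CDE, ipaddress.ip_network("10.30.3.0/24"), 123, "internal NTP"),
]

# Constructed flow-log lines: "timestamp src dst dport bytes".
# 203.0.113.0/24 is a documentation range standing in for an external host.
SAMPLE_FLOWS = [
    "2013-12-02T03:14:07Z 10.20.5.17 10.30.1.10 443 2048",      # gateway, allowed
    "2013-12-02T03:14:09Z 10.20.5.17 10.30.2.5 514 300",        # syslog, allowed
    "2013-12-02T03:15:00Z 10.20.5.17 10.30.3.7 123 76",         # NTP, allowed
    "2013-12-02T03:16:22Z 10.20.5.17 203.0.113.45 21 18000000", # FTP to external host: undocumented
    "2013-12-02T03:16:40Z 10.20.5.17 10.30.1.10 80 500",        # allowed host, undocumented port
    "2013-12-02T03:17:01Z 10.40.9.3 203.0.113.45 443 1200",     # non-CDE source: out of scope here
    "2013-12-02T03:17:30Z 10.20.5.17 10.20.5.18 445 900",       # intra-CDE: governed by other rules
]


def parse_flow(line):
    """Parse one constructed flow-log line into a Flow."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), int(nbytes))


def is_allowed(flow, rules=ALLOWLIST):
    """True if some documented rule covers this flow's source, destination and port."""
    return any(flow.src in r.src and flow.dst in r.dst and flow.dport == r.port for r in rules)


def audit(lines, rules=ALLOWLIST, cde=CDE):
    """Return CDE-originated flows leaving the CDE that match no documented rule.

    Each returned Flow is one "alarm": a connection the documentation says
    should not exist, whether the destination is external or internal.
    """
    violations = []
    for line in lines:
        f = parse_flow(line)
        if f.src not in cde or f.dst in cde:
            continue  # not an egress from the CDE; out of scope for this check
        if not is_allowed(f, rules):
            violations.append(f)
    return violations


def bytes_by_destination(flows):
    """Total bytes per destination, to rank undocumented flows by exfiltration volume."""
    totals = defaultdict(int)
    for f in flows:
        totals[str(f.dst)] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    hits = audit(SAMPLE_FLOWS)
    for f in hits:
        print(f"ALARM {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes): no documented purpose")
    for dst, total in sorted(bytes_by_destination(hits).items(), key=lambda kv: -kv[1]):
        print(f"  {dst}: {total} bytes undocumented egress")
```

Two design points: the check is a pure allowlist, so an "allowed host on an undocumented port" is an alarm, not a pass, and every flow that fails the check is reported regardless of size, with byte totals used only to rank what to look at first. In a real deployment the same logic would run against the firewall's own deny and accept logs rather than a constructed list.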

  • I work in card processing, and while I am not defending Target, I think you might have trivialized how difficult their challenge is. This was not a case of Target leaving a file called “CreditCardDetails.txt” on a server somewhere; this was a highly sophisticated, targeted (no pun intended) attack. I’ll echo the recommendation to read krebsonsecurity.com for more of the details.
    It is very unlikely that Target Security just aimed for PCI certification and then called it a day once they passed their audit. Certification is a milestone, but security is a never-ending job. I suspect that Target Security knows full well that PCI certification is not sufficient for such a visible enterprise.
    Like the Snowden disclosures, this demonstrates just how effective a targeted attack can be, and how helpless we are to defend against one.
