Network Security Podcast host Martin McKeay and I recently teamed up for a two-part debate on the pros and cons of the PCI Data Security Standard, with an all-star cast of IT security and compliance professionals. We got the idea for this face-off after 451 Group analyst Josh Corman gave a presentation in which he questioned the effectiveness of the PCI security standard and several IT security practitioners took exception to his description of it as being like "No Child Left Behind."
Along with Corman and the two of us, participants in this roundtable are Jack Daniel, a member of the National Information Security Group (NAISG) and one of the industry's leading activists, Ben Rothke, senior security consultant for BT Global Services, Dr. Anton Chuvakin (Ben and Anton are leading voices on PCI DSS and the authors of several books on IT security), Seattle-based security consultant Ward Spangenberg, and Michael Dahn, a PCI QA manager and director for the InfraGard National Members Alliance (INMA).
What follows is a partial transcript of the debate -- something to stimulate the appetite for more. If it works and you decide to catch the debate in full, you can listen to The Great PCI Security Debate of 2010: Part 1, and Part 2 at both CSOonline and via the Network Security blog.
We begin here:
After McKeay suggests that Corman's position on PCI DSS is "BS," Bill Brenner asks Corman to respond.
Josh Corman: I'm still not sure what we're crying "BS" on, so I'll try to re-articulate here: If you look at a normal bell curve for anything, whether it's No Child Left Behind or how mature a risk program is, there are under-achievers, the bulk in the middle and then there are people who do an excellent job. I've had the privilege to work with a lot of financial services, a lot of DOD [Department of Defense] contractors and the pharmaceuticals and they do a fantastic job. So, it would be a mistake for me to design a universal security program for the security elite. But it would also be a mistake for me to design a fairly expensive and time-consuming process for the neglectful.
I think it was Mike Rothman (of Security Incite) who said this is a Darwinist thing. There are certain people who will never do good security where you can beat them with a stick and they'll do exactly what you told them to do and they'll still have piss-poor security. You guys talk about how, as QSAs, you deal with laggards who can't even spell firewall but I've often dealt with people who do a decent risk program and understand that if there's a new attack vector or technology they need to take new measures to do something about it. What I see, instead of talking about the communities of the laggards and the elite, is something else.
Let's just look at the security market: I did a market survey when I was at IBM and there were about 70 different security product technologies, not even counting services. How many of those are required by PCI? It's a tiny subset. No one invests in all 70. But the truth is, when someone determined they had to do something about targeted attacks or data loss prevention for intellectual property, they had a pilot and a budget but their bosses told them to cut it. The reason was, "I might get hacked, but I will get fined." That's a direct quote from a CIO and it's very logical and business focused. But instead of securing their highest-risk priority they're doing the thing that they'll get fined for not doing. So if you take those 70 markets, the ones that got a lot of spend in 2009 were the Web app firewalls or things that directly aligned with the PCI mandate. The ones that were very useful and had a pilot and budget but got canceled were things like DLP that didn't have a mandate and therefore were discretionary.
Anton Chuvakin: [To Corman] You just invalidated your own argument because the highest-risk priority for them is the risk of a fine. If you follow the risk management paradigm, the highest-risk priority for them is the risk of a fine!
Corman: You're correct, and that's the perversion, that we now fear the auditor more than we fear the external threat.
Jack Daniel: Let me jump in here a minute. You're both right, but the problem is that the PCI threat is an artificial one that's been imposed on us. It's very real, but it's like jumping the fence at the zoo to get a closer look at the lions. If you stay on the right side of the fence, if there isn't something stupid happening, that shouldn't be your greatest threat. That's something a lot of people don't face. You can complain all you want but we have to be PCI compliant, and then we can resume complaining.
Martin McKeay: This kind of goes back to one of my original points, which is that spending and security has historically been bad. Yeah, there's a bell curve, but unluckily 90 percent of the companies are below what we would consider an acceptable level of security, and PCI is one of the few things that's pushing them to spend the money to get to that baseline level. That's why I appreciate PCI. I've done security before PCI. I've seen that most companies, even large ones, will look at security and say it's something they can worry about later, something that's not a big deal. They've historically under-spent to a tragic amount, and PCI is forcing them to step up and do the things they need to do.
Chuvakin: It [PCI DSS] is a much-needed artificial threat.
Corman: Let's talk about the specifics instead of the broad strokes. PCI does not give you a budget for security. It gives you a budget for the specific controls within PCI. One argument you consistently hear is that before PCI we did nothing, but now we've raised the bar. If the wall around the building was zero feet tall and now it's been raised to 2 feet tall, an amateur attacker can scale a 10-foot wall. So you've wasted two feet of wall cost.
Michael Dahn: I think we have to clarify what we're talking about here. To say an amateur attacker can circumvent controls that are properly implemented and maintained under PCI DSS is a bit far-fetched. Of those organizations that are suffering data breaches, the question is whether they were implementing each of these controls consistently. One of the things I see within organizations is that there's a hurry-up-and-wait mentality. An organization will push really hard to get compliant. Then, the day the auditor walks out the door they say, "Thank goodness. Now I can wait until next year." So when we talk about compliance driving the wrong mindset, I think the wrong mindset was there to begin with.
It's a difficult proposition to say we're doing compliance instead of security when what I see is they're doing compliance because someone told them to, whereas if no one told them to they'd do nothing. It's like telling your kids to do their homework. If you don't tell them to do the homework they're going to play outside all day.
Brenner: Let's get Ben and Ward in on this. Ben, you first.
Ben Rothke: Dan Geer is the Shakespeare of information security, but at the end of the day people are reading Danielle Steel, not Shakespeare. The Level 1 merchants do a decent job. The bulk of our clients that are Level 2 or 3 or 4 are oblivious to security. They don't know what it takes and they're pretty much clueless. PCI gives them a start. Dan Geer is great, but in the real world, in the trenches, people will read more Danielle Steel in one day than Dan Geer will be read in a lifetime. We live in an imperfect world. PCI is the best thing we have, and while it may be a distraction to a few, I'd say that as a whole it's far better than anything created to date.
Brenner: Do you agree with that, Ward?
Ward Spangenberg: Unfortunately, yes. At the end of the day it's a relatively easy baseline. It's common sense. It's not rocket science. It's typical good security practices. Up until the stick came along, companies were stranded. PCI is not the be-all, end-all. But I think we agree this is just a base medium to follow. There is security outside of PCI and if we as security counselors aren't encouraging customers to look outside PCI then we ourselves are failing the industry because we're not encouraging them to look to good security as opposed to just good PCI compliance. The idea that they fear the auditor and not the attacker really bothers me. At the end of the day, I much prefer that you protect my PII from the attacker and I'm less worried about whether you passed your last PCI assessment. Your QSA [probably] couldn't understand what the hell you were doing, even if it was good security at the end of the day.