As I discussed in my last post, the Verizon RISK Team 2010 Data Breach Investigations Report ties poor rates of compliance with PCI DSS to data breaches. Specifically, 79% of the organizations that suffered breaches and were subject to PCI DSS were not in compliance as of their last assessment. The report gives the impression that PCI DSS compliance does indeed help reduce the risk of data breaches. However, the authors of the report rightly point out that the more interesting segment of breach sufferers is “the 21% that had validated as compliant during their last PCI DSS assessment.” They suggest that this may be less of a failure of the guidance provided by PCI DSS and more due to the fact that compliance validations are performed at points in time. In other words, validations do not ensure that compliance (and security) is maintained over time. Specifically, they state (page 53):
Due to the point-in-time nature of assessments, it is entirely possible (even probable) for an organization to validate their compliance at time A but not be in a compliant state at the time of the breach. This may reflect a desire within organizations to achieve compliance with the standard for the purposes of validation but a lesser commitment to maintaining that state over the long-term.
I believe this bears more analysis, which I’ll do here, briefly:
To use the lessons from the Verizon report to evaluate the strength of the PCI DSS guidance for protecting cardholder data, we need to look at the most common methods of data breach. These methods are what the Verizon authors call “threat actions.” They range from malware to hacking to physical compromise and so on (see page 20 of the report). From their analysis, it is quite clear that the two most damaging threat actions are malware and hacking. They were involved in the compromise of 94% and 96% (respectively) of data records. If we could eliminate the threat of malware and hacking, we would greatly improve our data protection (at least for a time).
So how well does PCI DSS compliance protect against malware and hacking? In my view, PCI DSS provides some excellent guidance for protecting against these threats, but is undermined by an over-reliance on AntiVirus software. PCI DSS dedicates one full requirement (of twelve) to AntiVirus software. In doing so, it encourages security professionals to invest considerable money and time in a control that has proven ineffective against the two greatest threat actions. Let me explain.
Malware, or malicious software, comes in various forms and functions. Once a system is infected with malware, it provides a backdoor to the system, logs keystrokes of users, skims data from the system and sends it to a remote site, or provides other useful functions for the attacker. According to the report, malware infections are often spread through SQL injection or after the attacker has gained access, methods that “have the troublesome ability to evade AntiVirus software and other traditional detection methods” (page 22). Another factor makes AntiVirus less effective in protecting against malware: malware customization. Since most AntiVirus products are built to detect “known bad” software, they often fail to detect customized malware that is designed to evade detection.
Hacking includes a variety of techniques. According to the report, the use of stolen credentials and SQL injection are by far the most damaging (i.e., involved in the theft of 86% and 89% of data records). Unfortunately, AntiVirus provides little or no protection against either method of hacking.
What does PCI DSS mandate that helps protect against malware and hacking? There are several good requirements for this. First and foremost is Requirement 2 (“Do not use vendor-supplied defaults for system passwords and other security parameters”). This requirement helps protect against the theft of credentials (such as accounts with default passwords) but also applies best-practice security configuration standards to systems, making them less vulnerable to hacking and some malware. Requirement 6 (“Develop and maintain secure systems and applications”) is designed to ensure systems are patched and that vulnerabilities (including web app vulnerabilities) are mitigated, also helping protect against hacking (including SQL injection attacks). The poorly named Requirement 8 (“Assign a unique ID to each person with computer access”) helps protect against stolen credentials by improving controls over passwords and logins.
Requirement 11 is especially useful in protecting against malware. It mandates the use of file integrity monitoring (or change detection) software to “alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” This is a very effective means of detecting malware, which almost always involves changes to system files or configuration. Requirement 10 (“Track and monitor all access to network resources and cardholder data”), which mandates logging and log reviews, can also help detect breaches, sometimes before they cause significant harm to the victim. As noted in the Verizon report, logs often contain evidence of a breach long before the breach is discovered. Strong compliance with Requirement 10 arguably could help minimize the impact of data breaches.
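To make the Requirement 11 control concrete, here is a minimal file integrity check of the kind the requirement describes: take a baseline of content digests and permission bits for every file under a directory, then compare a later snapshot against it and report what was added, removed or modified. This is an added illustration, not code from the post or from any FIM product; the directory tree in `demo()` is constructed for the example and the file names in it are made up.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline of every regular file under root: content digest plus permission bits.
    Keys are relative paths so the baseline can be stored off-host and reused."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.stat().st_mode & 0o7777
            result[str(p.relative_to(root))] = {"sha256": file_digest(p), "mode": mode}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """The 'unauthorized modification' report Requirement 11 asks for: files added,
    removed, or changed in content or permissions since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current)
        if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample tree, baselined, then altered between two checks."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")  # constructed
    (root / "bin" / "service").write_bytes(b"\x7fELF-original")  # constructed
    baseline = snapshot(root)
    (root / "bin" / "service").write_bytes(b"\x7fELF-changed")  # content changed
    (root / "etc" / "app.conf").unlink()  # removed
    (root / "bin" / "helper").write_bytes(b"new")  # added
    return compare(baseline, snapshot(root))
```

In practice the baseline must be kept where a compromised host cannot rewrite it, and the comparison should feed the Requirement 10 log review rather than a report nobody reads.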
Some of you may argue that the AntiVirus requirement is not a distraction (of time and money) from the other requirements. If that were the case, then I believe the compliance rate of those that suffered breaches would be higher than the 53% disclosed in the Verizon report. If it were easy and cheap, compliance would be much higher (even encryption fared much better, at 90%). Furthermore, I often hear complaints from IT and security professionals about AntiVirus software consuming precious server resources (CPU, memory, etc.) and sometimes competing for resources with other security software. Running AntiVirus software on servers is not as easy as one might think.
I’m not advocating that organizations abandon AntiVirus software. In my view, AntiVirus software helps protect system availability and integrity against a very common threat, especially in client environments. But it does a poor job in protecting the confidentiality of data against a very sophisticated threat. For that, organizations should focus more on other requirements of PCI DSS. More importantly, they should apply sound judgment in the application of security controls to protect their data. A mandate such as PCI DSS is no substitute for strong security practices applied by a skilled team of experienced security professionals.
Posted Aug 23 2010, 12:49 PM by Todd Tucker