
Monday, September 14, 2009

What We Can Learn From Albert Gonzalez: PCI DSS

by Sushila Nair

When Albert Gonzalez was indicted by the Justice Department in August for the largest and most brazen theft of credit card numbers, it was estimated that he was responsible for breaches that resulted in the theft of more than 130 million credit and debit card numbers from late 2006 to early 2008. The best-known card heists in history, from TJX to Hannaford, all seem to lead back to Gonzalez.

According to the new indictment, Mr. Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations would be suitable targets. According to the charge sheet, Gonzalez, along with two others who ‘resided in or near Russia’, injected ‘structured query language’ (SQL), a computer programming language designed to retrieve and manage data, into the computers of companies such as Heartland, one of the world’s biggest credit and debit card payment processing companies.

Despite all the damage caused by Albert Gonzalez and his co-conspirators, there is one small silver lining: their actions have had one of the biggest impacts on the Payment Card Industry Data Security Standard (PCI DSS) and have made the standard more robust. PCI DSS was updated based on the forensics of past breaches, and version 1.2 introduced the requirement for stronger wireless security, removing WEP as an option for encrypting wireless networks and requiring a wireless IDS. In particular, given that many of the attacks perpetrated by Gonzalez relied on SQL injection, the introduction of web application firewalls should help prevent this kind of attack. Gonzalez’s actions and the PCI’s response to them also plainly indicate to businesses that, in an economy where budgets are tight but the risk of breaches is high, it makes sense to place controls at the points of greatest risk.

Gonzalez and his conspirators aimed to retrieve card data out of the databases where it was stored because they got the most bang for the buck by going straight to the source. Databases are always going to be the prime avenue of attack, and it makes sense to strengthen the controls surrounding them. Since applications will never be bulletproof, monitoring is absolutely crucial. In the case of targeted attacks, anomaly detection in particular becomes crucial. For example, the TJX attack occurred slowly and ostensibly silently over an 18-month period. The depth and breadth of the breach would, however, have been significantly less if TJX had been monitoring access to the data and had rationalized the data it was storing.
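The kind of monitoring the paragraph above argues for, as an added example that is not part of the original post: each database account gets a baseline of its daily reads from the card table, and later days are flagged when an account reads far more than its norm or when an account with no baseline touches the table at all. The audit-log format, table name and account names are constructed for the example.

```python
# Added example (not from the original post): baseline each database account's
# daily reads from the card table and flag deviations; log and names are constructed.
from collections import defaultdict
from statistics import median

# Constructed audit log: date, database account, table, rows returned.
# Days 1-2 are normal; on day 3 report_svc pulls far more than its usual
# handful, and on day 4 an account never seen on the card table appears.
AUDIT_LOG = """\
2007-01-01 pos_app card_data 120
2007-01-01 report_svc card_data 3
2007-01-02 pos_app card_data 115
2007-01-02 report_svc card_data 5
2007-01-03 pos_app card_data 130
2007-01-03 report_svc card_data 900
2007-01-04 pos_app card_data 118
2007-01-04 svc_backup card_data 50000
"""
TRAIN_DAYS = {"2007-01-01", "2007-01-02"}

def parse_log(text):
    # Yield (date, account, table, rows); malformed lines are skipped.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3])

def daily_reads(events, table):
    # Sum rows read from `table` per (date, account).
    totals = defaultdict(int)
    for date, acct, tbl, rows in events:
        if tbl == table:
            totals[(date, acct)] += rows
    return totals

def detect(text, train_days=TRAIN_DAYS, factor=10, table="card_data"):
    """Return (date, account, reason) alerts for days outside the training window."""
    totals = daily_reads(parse_log(text), table)
    history = defaultdict(list)
    for (date, acct), rows in totals.items():
        if date in train_days:
            history[acct].append(rows)
    baseline = {acct: median(v) for acct, v in history.items()}
    alerts = []
    for (date, acct), rows in sorted(totals.items()):
        if date in train_days:
            continue
        if acct not in baseline:
            alerts.append((date, acct, "no baseline for this account"))
        elif rows > factor * baseline[acct]:
            alerts.append((date, acct, f"{rows} rows vs median {baseline[acct]:g}"))
    return alerts
```

On the constructed log, `detect(AUDIT_LOG)` flags report_svc on day 3 and svc_backup on day 4 while the point-of-sale account's steady volume stays quiet; a real deployment would feed the same logic from the database's own audit trail and tune `factor` per account.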

Given the endless tales of breaches, it would seem that without requirements such as those imposed by PCI DSS, many organizations would rather ride with the risk and pay fines than make the investments in even rudimentary security. Before PCI DSS, most retail organizations had flat networks, and credit card data was unencrypted and stored in multiple places. Many retail organizations did not even have basic security detection devices like IDS/IPS. I personally have been involved in several discussions at large-scale retail organizations where the IT staff were still arguing about the price of A/V software, let alone delving into more sophisticated discussions about network security. The good news, though, is that several U.S. states, including Massachusetts and Nevada, are codifying PCI DSS-like standards and are bolstering annoying fines with legal consequences.

So, while the costs of enhancing network security with IDS/IPS units and monitoring are arguably still larger than the penalties imposed by the credit card companies, the consequences of being liable under U.S. state disclosure laws are forcing companies to smarten up. For example, the full cost of the TJX breach is approaching $1 billion in the US, because of consumer protections through disclosure laws. However, if a similar breach occurred in Europe or Asia where there are currently no disclosure laws, then the company would only be liable for the costs of penalties from the credit card companies.

Gonzalez and his associates did not use rocket science to carry out these attacks: SQL injection attacks have been around since shortly after the introduction of SQL databases. Rather, their great fortune was that most companies had neither a strong understanding of the weak spots on their network nor a good grasp of how to implement rudimentary controls around sensitive data. While PCI DSS does not provide a panacea for security breaches, it has certainly raised the bar and provided some more tangible steps for companies to make improvements. There is no doubt in my mind that in the years to come, tokenization and end-to-end encryption will become the standard for confidential information. We need to move the security control to where the asset really is. There is, however, a battle brewing over standards for accomplishing just this, and the technology is expensive. Whilst we are waiting for better technical innovation around securing information at the data level, we need to strengthen our network access controls and monitor, monitor and MONITOR.
