Network Security Blog

Cisco recently released the 2010 Midyear Security Report and I caught up with one of the principal authors, Mary Landesman, Senior Security Researcher at Cisco.  Mary talks about the outcomes of the report and how the security landscape is changing.

NSP-BHDC2010-MaryLandesman.mp3

Cisco recently released the 2010 Midyear Security Report and I caught up with one of the principal authors, Mary Landesman, Senior Security Researcher at Cisco.  Mary talks about the outcomes of the report and how the security landscape is changing.

NSP-BHDC2010-MaryLandesman.mp3

Well, not quite; I have a few more hours of getting packed and work before I head to the airport, but close enough.  But around lunch, I’ll be throwing all my stuff in the trunk of the car and heading for Las Vegas, Black Hat, Defcon and BSides!  I find this trio of events to be my favorite get together of security professionals.  Black Hat has the slightly more serious, business oriented presentations, Defcon tends to be a bit outrages and inflammatory, while BSides is the new kid who’s experimenting with different formats and venues.  If you’re a security professional of almost any stripe and you’re not at least petitioning to attend these events, you need to start.  The networking opportunities alone are worth the cost and when you throw what you learn about current threats, it’s not that difficult to justify, especially BSides and Defcon.  Tell your boss you heard about an amazing panel going on Sunday at noon called PCI, Compromising Controls and Compromising Security.

Whether you’re going or not, Rob McMillan over at IDG has done a good job of summarizing some of the key stories you should be watching come out  of Vegas this week.  I should be able to get interviews with at least a few of the people giving these talks, so keep an eye out here and the podcast page for this year’s series of microcasts.  Or if you hate those, you might just want to unsubscribe until next week.  In fact, if you don’t want to hear about the events going on in Vegas this week, you just might want to stop reading most security blogs, Twitter, Facebook, blogs and most other social media outlets security folks use for a little while. 

Following the twitter stream, it’s easy to see that there are a lot of security professionals eager to get to Las Vegas, meet with old friends, make new ones and get the party started.  And the parties really are an integral part of the the whole experience.  If nothing else, try making it to the IOActive Freakshow Saturday night; if last year is any example of what they have planned for this year, it’ll be worth it if only so you can say you saw it.  Just be careful how much you drink and what you say, you don’t want to be this year’s example of someone who ignored that cardinal rule.

So much for seeing eight hours of sleep a night for at least a week.

Like many people in the security blogger community, Tyler Reguly pays for his blog and other community efforts out of his own pocket.  For the most part, that’s not a big issue, since there are many options for blogs that are free or cheap.  But Tyler does more than just blog, he also hosts Damn Vulnerable Linux on his servers.  Again, usually not a problem, except he got SlashDotted and now has a bill of several thousand dollars to pay!  You can read the whole story and help by donating a few dollars to his cause.  I’ve had a few brushes with the same experience myself, so I can fully understand the panic he’s probably going through.  And on the off chance that he get’s more than the bill costs, he’ll be donating the overage to Hackers for Charity.

Zach couldn’t make it tonight, but Rich and Martin open the show with a call to our listeners for more email questions and topic suggestions. After answering a listener question last week, we realized it would be nice to engage with all of you a little bit more. But not too much… I mean we don’t want to touch you or anything.

We also spend a little time talking about how we handle our connectivity and security while at Black Hat and Defcon, which happen to be next week.

Network Security Podcast, Episode 206, July 20, 2010
Time: 42:38

Show Notes:s

• Millions of Home Routers Vulnerable to Web Attack.
• Visa issues guidance on tokenization.
• Visa pushes acquiring banks to stop forcing merchants to store credit card numbers.
• Wikileaks founder skips HOPE conference to avoid feds.
• NPR story on shortage of US cyberwarriors.
• Alex Hutton proposes Evidence Based Risk Management for security.
• Tonight’s Music:  Brian Bergeron and the Late Greats with Avalanche
  

I really wish I had the time to fully explore the idea, but there’s a certain amount of resonance between the criticisms Adrian Lane at Securosis levels against Visa’s guidance on  tokenization and criticism of the PCI security standards in general.  I believe we’re to the stage as an industry that we mainly agree that the PCI standards are a good starting point but there’s so much more the PCI Council could be requiring merchants and service providers to do for security.  Visa’s guidance is much the same way, it’s a good start, but it could have been so much more.  And in both cases, I believe the reasons for the compromises can be boiled down to not wanting to require too much of the community and not wanting to limit the flexibility of the standards too much.

I believe that the Visa best practice papers for tokenization and truncation are just like the PCI standards themselves; they’re a good place to start your journey, but these requirements aren’t enough to build your entire security stance from.  It’s up to you to continue from here to determine how the particular technologies are going to impact and secure your environment.  I think the difference between providing guidance and issuing edicts is something we’ll be talking about next Sunday at Defcon, so this is good timing.

I agree with many of Adrian’s criticisms, including that Visa could have just given more specific guidance overall.  But I also understand Visa’s need to keep the guidance vague enough so as not to provide undue direction to what is basically a fledgling market space.   Which is exactly where I see the tie in with Josh Corman’s primary argument about the PCI Council; intentionally or not, they are steering the security market space through the PCI standards.  Visa could be a force for good in the tokenization and truncation markets if they predict correctly and back solutions that are for the best over the long term.  Or they could be seen as stifling innovation if they issue poor guidance.  Much like the PCI Council.

Earlier today I heard someone make the statement that the majority of companies who are compromised are using encryption in some form, but they still got compromised.  He was reminding me that none of the other silver bullet’s we’ve thought would save us from the bad guys have worked, so use truncation and tokenization, but know they won’t solve all our security issues.  As is so often the case, they’ll just move the attack to other targets and use other vectors.

If you’ve been thinking about using tokenization or truncation to limit the scope of your PCI environment, you need take a few minutes to read the two documents Visa just released, Visa Best Practices: Tokenization and Visa Best Practices for Primary Account Number Storage and Truncation.  Neither of these documents are more than four pages in length, so they only take a few minutes to read, but they give you a good starting place for asking questions about both of these market spaces.  There’s nothing exciting or unexpected in either of these documents and you’ll need to do a lot more research to understand the more complex elements of both solutions, especially as they relate to your specific environment. 

If you’re part of a merchant organization or somehow dealing with credit card numbers and you’re not considering tokenization or truncation, why not?  Is it lack of time, lack of resources, lack of management backing or something else?  Have these technologies simply not risen to the level where you felt the need to take them seriously?  I’m curious as to why you might not be looking at a technology that could limit the amount of sensitive information on your network.  I’ve talked to a number of merchants over the last year and there’s been plenty of interest in the ideas of tokenization and truncation, but I’ve only seen a few merchants actually making a move towards implementation.

I hope the next guidance we’ll see comes from the PCI Council, giving instructions on how both of these technologies can be used to reduce the scope of a PCI assessment.  What can you take out of scope?  What common mistakes might bring systems back into scope?  What should we be looking for in an implementation?  These are still relatively new technologies, the implementations differ significantly enough that greater direction and care are going to be needed in their assessment and validation.  There are some things that are laid out in the Visa documents, but I think we need to look for more specific guidance from the Council.

Rich and Zach are still sweltering in their perspective heat waves, but Martin managed to nab an interview with Bob Russo, the head of the PCI Security Standards Council. We also cover a couple of stories and some honest to goodness listener mail!

Network Security Podcast, Episode 205, July 13, 2010
Time:  44:44

Show Notes:

• Listener Mail
• Interview with Bob Russo
• FBI Raids ‘Electronik Tribulation Army’ Over Witness Intimidation.
• Letter to the client.
• Tonight’s Music:  Missing You by Blue Matters

Last week another assessor friend of mine started a new blog, Fear Not the Assessor.  She started it off with an excellent post, Letter to the Client.  Almost every QSA goes into a new client with a certain sense of trepidation due to client’s preconceived notions and most merchants going into an assessment for the first time are nervous because they don’t know what to expect, all they know is what they’ve read online.  That first phone call with the client is always so much fun for everyone involved.  The Letter attacks some of those notions and list some of the steps a client should be taking before the QSA ever comes on site.  As a way of introduction, a letter like this really helps put many clients at ease, letting them know that you’re there to help and not simply pass judgment on them. 

Here’s a letter of my own with several more points to ponder.

Dear Client,

We’re about to start on an effort of many months of work that both of us hope will culminate in the issuance of a compliant Report on Compliance.  There will be surprises and setbacks along the way, but I’m sure that we can work together to overcome them.  My job is to help assess the security of your cardholder environment and provide you with honest feedback about your compliance with the PCI standards.  Your job is to provide me with the information I need to make that assessment.  Together we will document your environment and show that it is both secure and compliant.

Several things you should know:

1. Securing your data and your network should be the goal and PCI is just a signpost along the way.  Please, please, please don’t make the mistake of thinking once you pass your assessment that you’re secure and you have no more work to do until next year.  PCI is a good starting point for securing your environment, but each company is so unique that there are innumerable holes it leaves open to exploitation.  And the assessment only covers your cardholder data environment: what about the rest of your network?
2. I am judge, but I am not jury nor executioner.  I will make judgment calls on the state of your environment and I may find things I do not believe are compliant.  You may agree or you may think your controls and safeguards are sufficient.  Make your case to me, and if we still don’t agree, we can bring in other QSA’s within my company to review the situation, starting with my manager.  Sometimes they’ll see something I didn’t. 
3. I will never leave you wondering if I found something wrong.   I will always try to let you know at the end of the day, if not at the end of each meeting, if I have any questions or concerns.  It’s in both of our best interests for me to be as transparent as possible.  The sooner you know of an issue, the sooner you can begin investigating and getting it resolved.
4. You are my client and it is my job to help you receive a compliant RoC.  I will give you the best advice I can to help you achieve compliance.  But it is up to you to establish the policies, procedures and controls needed to reach this goal.  If I identify a requirement that is not being met, I will bring it to your attention and help you address the issue in a timely and cost conscious manner.

Clear communication is a good salve for many of the pains an annual PCI assessment brings.  I look forward to learning about your company, your network and your people.  And I hope that the lessons I’ve learned helping dozens of companies become compliant can be used to help you avoid some of the pitfalls and false starts of compliance.

Once again we have a wandering host; Rich has wandered off into the hinterlands of Denver (Boulder, I think) and is too busy to call in for the podcast.  Left to their own devices, Zach and Martin muddle through tonight’s podcast without major mishap.  We’ve got a little PCI, a little disclosure and some potential cracks in the Apple Store armor. 

Network Security Podcast, Episode 204, July 6, 2010
Time:  30:28

Show Notes:

• PCI Standards to be updated every 3 years
• US Largely ruling out North Korea in 2009 cyberattacks
• Apple’s app store filled with app farms
• Employees crack Facebook security
• Full Disclosure and no disclosure
• Tonight’s Music:  Missing You by Blue Matters

New show. Zach late. Show still good. Martin’s birthday. Mongo like.

Network Security Podcast, Episode 203, June 29, 2010
Time: 32:57

Show Notes:

• The National Strategy for Trusted Identities in Cyberspace.
• Sen. Bond says DHS shouldn’t oversee cybersecurity.
• Why the disclosure debate doesn’t matter.
• Disclosure via court.
• Tonight’s music: All India Radio with Endless Night

I got to talk to a number of very interesting people while work with the FIRST conference.  Steve Adair was one of the people I found very interesting because every time I did research on him, I found something new I’d missed before.  Steve’s talk was about the large number of compromises he’s seen working as part of the Shadowserver Foundation, with an emphasis on how we need to realize that attacks like the one on Google aren’t commonplace, but they aren’t rare either.  The chances are, you’re doing business with someone who’s targeted right now. 

I interviewed Steve shortly after his talk.  You can find this talk and the series of interviews I did for FIRST on their podcast page.  I’ve been told there’s a redesign of the FIRST site coming, I’ll fix the links afterward if there are any problems.

Truth can be stranger than fiction sometimes; I’ll be speaking on a panel on compliance with Jack Daniels and Josh Corman at Defcon next month.  There’s a couple other people on the panel, who I’ll add once they’ve been confirmed.  This should be a fun panel, since we won’t be as interested in keeping it completely civil as we would at someplace like RSA or BSides.  We’ll laugh and shake hands afterward, but don’t be surprised by anything you hear during the panel.  And this is an interesting crowd to give this talk to, much more technical and focused than more managerial conventions like Black Hat.

I talk to Jack, Josh and a lot of other people about PCI fairly regularly.  I’m fairly confident I know their positions on compliance and they have a good idea of mine as well.  Jack’s a good moderate who sees both the good and bad, while Josh sees it as a tidal force in the security market space, and not one he likes.  Where PCI points, the money goes, like it or not.  But this talk won’t just be about PCI, we’ll talk about compliance in general, the good, the bad and the ugly. 

If you, by some chance, are around at Noon on Sunday, come see the discussion.  The question I have for the audience is simple, “How has compliance affected you and/or your company?”  Has it’s affect been positive or negative? Given the crowd we’re drawing our audience from, it could generate some very interesting responses.  I’m curious to see how a group that collectively thinks of themselves as hackers feels business attempts at compliance frameworks really affect the work they do.  I expect to hear more annoyance with compliance getting in the way of real work than anything else.

This should be a fun way to end Black Hat and Defcon.  Josh and I really haven’t had it out over whether compliance being a market force is a good thing or a bad thing and this is a good venue to draw him out on the subject.  I’m looking forward to it.

We have an interview with Akamai CSO Andy Ellis this week, so we cut our coverage of the news a little short. Which is okay, since Zach was dialed in from Denver and Rich managed to catch some sort of virus (turns out macs may not get them, but Mac users sure do).  Martin started to just about his new iPad, but, of all people, Rich cut him off. 

Network Security Podcast, Episode 199, June 1, 2010
Time: 37:05

Show Notes:

• 44 million stolen gaming credentials discovered.
• Google ditches Windows on security concerns.
• Microsoft Spokesman Mocks FT Over Google-Dumps-Windows Story.
• Martin’s Interview with Andy Ellis.
• Tonight’s music:  George Fletcher’s Bourbon Renewal/The Tequila Mockingbirds singing Messing with the kid, Live

It can be downright disheartening to be a QSA.  If you do your job and identify holes in a merchant or service provider’s systems, they’re upset.  If you try to help them adapt their current systems to meet with PCI, they think you’re letting them off the hook.  If you send them a packet of documents about what to expect during the assessment and what they’ll need to gather, more often than not the client will ignore it and claim you never told them what you needed.  If their due date for compliance is coming up quick, it won’t matter how long you told them the writing and quality control process would take, they want their Report on Compliance turned around overnight.  And then there’s the whole ‘check list’ mentality that has many people responding to the letter of the PCI DSS, completely ignoring that with a little more effort they could have increased their security instead of just marking off a box.  Yes, being a PCI can be frustrating, annoying as hell and will burn you out if you’re not careful.  Just ask my friend Michelle, she’ll tell you exactly how hard it is to be a Qualified Security Assessor.

She’s got a number of good points; we see all too many clients who just want to have their PCI assessment and then ignore the whole thing for the next 8-10 months, until the whole process starts over again.  They don’t want to think about PCI at all during that time, they don’t realize that there are a number of requirements that mandate continuing effort on a daily basis, not just when the assessor is on site.  And we never, ever see clients putting lipstick on the pig just to cover up a deficiency until the assessor is gone.  Oh no, never that.

But there is an upside to being a QSA.  Some security departments have learned to do an awful lot with very limited budgets.  Some clients understand that attaining compliance as a side effect of security is actually cheaper and easier than trying to do it the other way around.  Some clients actually want an honest review of their environment that identifies potential weaknesses outside of a strict interpretation of PCI.  And every so often you run into a client who’s doing something unique and unusual that doesn’t meet the letter of the law of PCI but still manages to exceed the intent of the requirements, sometimes by quite a bit.

These are the clients who keep me from pulling my hair out.  I find it rejuvenating to talk to a client about the security impacts of changes to their environment honestly, rather than trying to argue an interpretation of PCI that doesn’t require them to make any changes or worse, leaves them less secure if implemented.  When a client understands their own environment and knows why their data is where it is, it makes my job, and theirs, so much easier than when clients are doing their discovery while I’m on-site.  And sometimes I’m actually working with a client to secure their environment, rather than fighting to get them to implement basic security controls.

I recognize that being a PCI QSA and consulting with clients on meeting the DSS requirements is a balancing act; we try to balance security against the DSS against budgetary and manpower constraints.  And since we only have two hands, balancing three competing limitations is hard, very hard.  If you’re in this field and you don’t feel burnt out from time to time, it means you don’t care.  And that is probably a bigger vulnerability than most of the technical requirements in any compliance framework.

It’s the clients who view the security of their company as a calling that keep me coming back.  It’s easy to check off a box, go home at night and ignore what’s happening to your business while you’re away.  But some security professionals are intensely passionate about what they do and how well they’re protecting their enterprise.  These are the people who make being an assessor worthwhile.  Because even if you’re arguing with them about an interpretation or commiserating about a requirement that sounds stupid on the surface, you know these people care and at the end of the day, they don’t just walk away thinking their job is done, they worry about bettering their company’s security the next day.

Next post I’ll address Branden William’s post “Why ISA’s are qood for QSA’s“  Can you say “arm chair quarterbacks”?  I knew you could.

It may not quite be VPN for Dummies, but Astaro RED sounds pretty close if you ask me.  I talked to Jan Hichert at Astaro about RED (Remote Ethernet Device) at RSA earlier this year and the way he talked about this new product, it seems like it’s an easy way for companies to add a remote office without many of the headaches this often entails.  I haven’t played with it myself and haven’t talked to anyone who has yet, but at least in theory it sounds like a good product.  Basically, you run Astaro Security Gateway at your central office, when you bring the remote RED box online, it phones home to Astaro, where it receives instructions on how to connect to your central office server.  There is configuration, but it’s mostly handled by Astaro before it ever gets to your office.  I’m sure Jack Daniel can tell you more if you’re interested, but in the mean time, the press release follows after the break.

Astaro RED Simplifies Branch Office
Security

Remote Ethernet Device offers comprehensive
security for branch offices while cutting the total cost of ownership by
more
than 80%

May,
26 2010 (Wilmington,
MA)– Astaro Corporation (http://www.astaro.com), a leading Unified
Threat Management
vendor, today announced that Astaro RED, (Remote Ethernet
Device) is now available. Astaro RED combines VPN functionality and
complete IT security for branch offices by automatically connecting with
a
central Astaro Security Gateway. The devices can cut the cost of
securing and
administering a branch office’s security by up to 80% by eliminating the
need for IT staff and additional security products at the remote office.

Astaro RED is designed to
secure remote offices of all sizes. Because the devices are managed
through the
central office using an Astaro Security Gateway, no training, licensing
or
technical expertise is required at the remote location in order to
secure the
branch office. Additionally, security policy and configuration changes
made at
the central office can be pushed to the remote sites without any
technical
involvement at the branch office. This means organizations can
affordably
secure and manage the security for even the smallest branch office.

“Astaro RED eliminates
the need for having a technical person in all offices. You just ship a
device
to the site, and it works”, said Paul Smith, Senior Network Engineer at
Metafore Technologies Inc., who participated in the BETA testing of
Astaro RED.
“It saved me at least two hours per branch office, where I would
normally
have to pre-configure a device and ship it, and then work with someone
onsite
to get it online. This is a totally unique approach to branch office
connectivity.”

Upon viewing Astaro RED during
a security conference, security industry expert Richard Stiennon stated:
“Astaro’s RED box is the single most innovative product I saw [At
RSA 2010]. It leverages the investment in security at one location by
extending
it to many. It is simple and inexpensive.”

Setting up the Astaro RED is
completed within minutes. Once the device is connected to the Internet
it
automatically registers with the central Astaro Security Gateway and
receives
its IP address via Dynamic Host Configuration Protocol. The remote
office is
then connected with the headquarters via an Astaro VPN tunnel and is
immediately protected as the web traffic is filtered through the central
gateway. Additional configurations and policy changes are also done
centrally,
therefore Astaro RED requires no GUI. With Astaro RED, it is possible to
connect approximately 100 branch offices in one day.

“We developed Astaro RED
as we saw an urgent demand on the market for a solution to secure branch
offices that is really easy and reasonably priced”, said Gert Hansen, VP
Product Management at Astaro. “So far, organizations could use low-cost
Firewalls or VPN Gateways or even small UTM appliances, but then had to
cope
with high acquisition costs, high installation and maintenance effort or
lacking security features. Astaro RED ends these dangerous and resource
devouring compromises.”

More information about Astaro
RED can be found here:

http://www.astaro.com/products/astaro-red 

http://www.astaro.com/landingpages/2min-explainer-red

It may not quite be VPN for Dummies, but Astaro RED sounds pretty close if you ask me.  I talked to Jan Hichert at Astaro about RED (Remote Ethernet Device) at RSA earlier this year and the way he talked about this new product, it seems like it’s an easy way for companies to add a remote office without many of the headaches this often entails.  I haven’t played with it myself and haven’t talked to anyone who has yet, but at least in theory it sounds like a good product.  Basically, you run Astaro Security Gateway at your central office, when you bring the remote RED box online, it phones home to Astaro, where it receives instructions on how to connect to your central office server.  There is configuration, but it’s mostly handled by Astaro before it ever gets to your office.  I’m sure Jack Daniel can tell you more if you’re interested, but in the mean time, the press release follows after the break.

Astaro RED Simplifies Branch Office
Security

Remote Ethernet Device offers comprehensive
security for branch offices while cutting the total cost of ownership by
more
than 80%

May,
26 2010 (Wilmington,
MA)– Astaro Corporation (http://www.astaro.com), a leading Unified
Threat Management
vendor, today announced that Astaro RED, (Remote Ethernet
Device) is now available. Astaro RED combines VPN functionality and
complete IT security for branch offices by automatically connecting with
a
central Astaro Security Gateway. The devices can cut the cost of
securing and
administering a branch office’s security by up to 80% by eliminating the
need for IT staff and additional security products at the remote office.

Astaro RED is designed to
secure remote offices of all sizes. Because the devices are managed
through the
central office using an Astaro Security Gateway, no training, licensing
or
technical expertise is required at the remote location in order to
secure the
branch office. Additionally, security policy and configuration changes
made at
the central office can be pushed to the remote sites without any
technical
involvement at the branch office. This means organizations can
affordably
secure and manage the security for even the smallest branch office.

“Astaro RED eliminates
the need for having a technical person in all offices. You just ship a
device
to the site, and it works”, said Paul Smith, Senior Network Engineer at
Metafore Technologies Inc., who participated in the BETA testing of
Astaro RED.
“It saved me at least two hours per branch office, where I would
normally
have to pre-configure a device and ship it, and then work with someone
onsite
to get it online. This is a totally unique approach to branch office
connectivity.”

Upon viewing Astaro RED during
a security conference, security industry expert Richard Stiennon stated:
“Astaro’s RED box is the single most innovative product I saw [At
RSA 2010]. It leverages the investment in security at one location by
extending
it to many. It is simple and inexpensive.”

Setting up the Astaro RED is
completed within minutes. Once the device is connected to the Internet
it
automatically registers with the central Astaro Security Gateway and
receives
its IP address via Dynamic Host Configuration Protocol. The remote
office is
then connected with the headquarters via an Astaro VPN tunnel and is
immediately protected as the web traffic is filtered through the central
gateway. Additional configurations and policy changes are also done
centrally,
therefore Astaro RED requires no GUI. With Astaro RED, it is possible to
connect approximately 100 branch offices in one day.

“We developed Astaro RED
as we saw an urgent demand on the market for a solution to secure branch
offices that is really easy and reasonably priced”, said Gert Hansen, VP
Product Management at Astaro. “So far, organizations could use low-cost
Firewalls or VPN Gateways or even small UTM appliances, but then had to
cope
with high acquisition costs, high installation and maintenance effort or
lacking security features. Astaro RED ends these dangerous and resource
devouring compromises.”

More information about Astaro
RED can be found here:

http://www.astaro.com/products/astaro-red 

http://www.astaro.com/landingpages/2min-explainer-red

This episode is brought to you by the letter “P”. We start with a couple of articles about privacy (yes, mostly about Facebook), with a short segue on random security news, before closing with multiple articles on PCI.  We went a little long tonight, but not nearly as long as we could have if all three hosts had really gotten going on privacy.

Network Security Podcast, Episode 198, May 25, 2010
Time: 41:08

Show Notes:

• My Contrarian Stance on Facebook and Privacy.
• Top 10 Privacy Tweaks You Should Know About. From Lifehacker
• Are Low Standards Better Than No Standards? Nope.
• IBM Unleashes Virus on AusCERT Delegates. Oops.
• I have seen the enemy and it is me. Great post by Dave Shackleford
• Tonight’s music:  Have U Googled Yourself 2day? by the ConSoulTant

I’m a big fan of tokenization and end to end encryption (E2E2).  Never mind the fact that neither technology is fully developed, nor do we even have a real definition of either technology.  The fact that both of these technologies have the potential to take credit card information our of the general merchant environment and gives the bad guys less reason to attack is enough for me.  It won’t stop attacks against merchants all together, but it will cut down on the value of breaking in and therefore cut down on the number of attacks, at least in theory.  It will also cut down on merchants’ responsibility for meeting with the PCI DSS requirements, since much of environment that the QSA’s have to review will now be out of scope.  But without the threat of PCI (and potential fines/fee increases) will merchants keep up the minimum security safeguards that PCI mandated or will they revert to their old ways and ignore security for the most part?

One of the big questions that comes up over and over again is how effective is PCI in securing the merchant environment.  And the answer is, no one really knows.  Breach disclosure laws prior to 2003 were non-existent, and even once California passed SB1386 and got the legal ball rolling, breach disclosures have been spotty at best.  Now that we’ve got some 40 states that have some form of breach disclosure law, the information we’re able to gather is much more consistent.  Unluckily, we still lost the ability to have any real baseline to measure the success of PCI against and anyone who says that PCI is or isn’t effective is mostly going on their own anecdotal evidence, not hard data.  Verizon’s Incident Metrics Framework may help in gathering statistics going forward, but we’ve already lost the data needed to measure the effectiveness of PCI.  (Disclaimer:  I work as a QSA for Verizon Business)

As tokenization and E2E2 take hold, we’re going to have another chance to see how effective PCI is in securing the merchant environment and whether or not merchants are really going to secure their environment without the threat of PCI hanging over their heads.  There’s almost nothing in PCI that a shop with a good security program shouldn’t be doing in the first place.  Firewall reviews, anti-virus, log monitoring, IDS, etc. are all safeguards that are mandated by PCI but are security measures that any good security shop should be putting in place for their organization by default.  The fact that many organizations couldn’t get the funding for some of these tools until PCI came along is a measure of how hard it is to get the budget for security.  And if organizations start losing the funding for these projects because tokenization and E2E2 have taken the majority of their systems out of the scope of PCI, we’ll know that PCI was the real driver for the safeguards, not any real concerns over security.

PCI is expensive.  Security is expensive.  Not necessarily because the tools are expensive, but because merchants ignored security for years and have had to spend a lot of money and time to implement the tools they should have been running in the first place.  If they can reduce the scope of the systems they have to protect through new technologies and no longer have to be assessed on an annual basis, do you think they’re going to keep paying for the tools that they implemented just for compliance or do you think they’re going to let their IDS and log management tools fall by the wayside?  I know that some of the shops I’ve seen will keep the tools and keep using them properly.  But I think the majority of merchants are going to go back to their old ways and do the bare minimum that their security group can fight to keep.  If your company’s marketing department depends on PCI to make sales, I’d be very afraid of tokenization and end-to-end encryption.

It’s only a couple of hours away, but Rich Mogull will be on Science Friday today talking about online privacy and Facebook.  I don’t know how much time he’ll have on the air, but he’s living a geek’s wet dream by getting on NPR and being asked about privacy.  I’m sure the show will be available as a podcast and online later, but I’ll be sure to listen in live.