Compliance != Security
March 26th, 2007 by chitchcock Posted in Approved Scanning Vendor, Compliance, PCI DSS

Compliance standards, PCI included, are intended to foster interest in and improvement of data security. While in theory this seems like a fine idea, in practice the two concepts are continually at odds. Because security is a negative deliverable (its success is the absence of incidents), it is little more than an afterthought for many organizations. Unfortunately, this also means that with the constant tightening and broadening of the PCI standards, compliance-centric merchants are being forced into the information security world, and many are experiencing growing pains. Working for a major ASV, I've had ample exposure to these realities.
Perhaps the most illustrative (and disturbing) behavior that I've seen from compliance-centric merchants has to do with competitive evaluations between ASVs. Under normal circumstances, the vulnerability assessment that finds the most vulnerabilities with the lowest rate of false positives and false negatives would be the clear winner. With compliance, however, the win often goes to the path to certification that offers the least resistance. The concern is passing PCI without being fined, not actual security. In one evaluation that I witnessed, ASV#1 missed that SSLv2 was enabled on a number of web servers in a level-4 merchant's network, whereas ASV#2 caught it. Even though the PCI DSS clearly dictates that strong encryption must be used, the false negative from ASV#1 meant, to the merchant anyway, that PCI certification could be had for far less effort by going with ASV#1 over ASV#2: compliance over security. Though situations like this may not be the norm, they're certainly prevalent enough. Would the merchant in this case be compliant? The acquiring bank may be fooled into thinking so, but cardholder data wouldn't be any safer.
PCI isn't an automatic validation of an organization's security posture. In fact, ignoring the intention behind PCI can turn it into a detriment. Compliance is not security.
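A small scorer for the kind of ASV bake-off described above, added here as an example (it is not code from the original post or from any ASV): each ASV's report is compared against a reference set of findings known to be real, false positives and false negatives are counted, and the two ranking rules show why ranking by fewest findings picks ASV#1 while ranking by accuracy picks ASV#2. Hosts, issue ids and reports are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A finding is (host, issue id); all hosts, issues and reports below are constructed.
Finding = Tuple[str, str]
# Reference set: what is really present on the merchant's hosts.
REFERENCE: Set[Finding] = {
    ("web1.example", "sslv2-enabled"), ("web2.example", "sslv2-enabled"),
    ("web2.example", "weak-ciphers"), ("mail1.example", "outdated-smtp"),
}

# What each competing ASV reported during the evaluation.
REPORTS: Dict[str, Set[Finding]] = {
    # ASV#1 never noticed SSLv2 on either web server: two false negatives.
    "ASV#1": {("web2.example", "weak-ciphers"), ("mail1.example", "outdated-smtp")},
    # ASV#2 caught everything real but also raised one spurious finding.
    "ASV#2": REFERENCE | {("web1.example", "dir-listing")},
}

@dataclass(frozen=True)
class Score:
    asv: str
    reported: int   # findings listed, i.e. what the merchant must fix to pass
    true_pos: int
    false_pos: int
    false_neg: int  # real problems the scan missed

    @property
    def recall(self) -> float:
        return self.true_pos / (self.true_pos + self.false_neg)

    @property
    def precision(self) -> float:
        return self.true_pos / self.reported if self.reported else 0.0

def score(asv: str, report: Set[Finding], reference: Set[Finding]) -> Score:
    """Compare one ASV's report against the reference set of real findings."""
    return Score(asv, len(report), len(report & reference),
                 len(report - reference), len(reference - report))

def scores() -> List[Score]:
    return [score(asv, report, REFERENCE) for asv, report in REPORTS.items()]

def rank_by_fewest_findings() -> List[str]:
    """The compliance-centric pick: least resistance on the way to a pass."""
    return [s.asv for s in sorted(scores(), key=lambda s: s.reported)]

def rank_by_accuracy() -> List[str]:
    """The security pick: highest recall first, then highest precision."""
    return [s.asv for s in sorted(scores(), key=lambda s: (-s.recall, -s.precision))]
```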
22 Responses to “Compliance != Security”
By APM on Mar 26, 2007
Very true.
I saw on a site somewhere (may even have been this one) similar comments regarding “security at a price”. My experience is that the people who make the decisions are the people who are least suited to, normally the bean counters. That means the cheapest option is usually the “best” in their eyes.
I had a situation where ASV #1 quoted £n for the quarterly scans and ASV #2 quoted £n x 4. Guess who got the deal. This was despite it being fairly obvious that ASV #2 carried out manual (i.e. human powered) scans whereas ASV #1’s scans were totally automated.
Needless to say, when I got both to perform a “test” scan, ASV #2 found more “real” issues. The company still opted for ASV 1 and the “lower number of problems to fix” was a contributing factor.
I’ve been using the “compliance != security” phrase for a while now, few people listen.
I’ve also been using the “compliance is the minimum that should be done” and that falls on deaf ears as well.
In this environment, real security is like building a brick wall from gravel. Slowly, no, actually, verrrrrry slowly I am increasing the education level and therefore improving the security environment. But trying to build a 10 meter high brick wall using gravel is a little disheartening at times!!!
By datasecurity on Mar 27, 2007
Ok, so let’s assume we know and accept this. How does one change it? PCI SSC (via MasterCard) manages the ASV program. But how can the lay person tell how good one ASV is over another?
I would like to see one of the security news outlets do a “bake off” comparing several of the ASVs. It would be nice to see how they stand up to public scrutiny. This is commonplace for electronics (via CNet), but what about for service vendors such as ASVs?
By APM on Mar 27, 2007
I like this idea but who would organise it? Are there any mainstream “security news outlets” actually championing PCI DSS apart from sites such as this?
At the moment, I don’t think there is enough public interest to make it worthwhile for the news outlet itself. Just look at the number of registered forum members on sites such as this, the PCI Standard Yahoo group, PCIFile etc. Where is the demand, from the new outlets view point?
Also, as previously commented, it’s a compliance programme and not a security programme. Therefore, as far as the card schemes are concerned, as long as the ASV has taken the training course and passed the exam, they are certified. Therefore, the card schemes have done their bit in providing a vendor that can service the industry. Whether they are interested in quality of service thereafter is debatable, in my opinion.
By auxillary power unit on Mar 27, 2007
In your case mentioned above, ASV#1 is not offering true compliance. They are offering compliance to their own half-assed version of the standard.
TRUE compliance to the standard will provide security and proper risk management whereas half-assed compliance to the standard (as shown with ASV#1) will not.
By apm on Mar 27, 2007
Yep, correct. ASV#1 are doing the least they can / the most they need to do to make the sale. The less enlightened companies buy it and think they are covered both for compliance AND security.
I’m not sure that even TRUE PCI DSS compliance will provide security as for me, the PCI DSS Standard is not a true security standard, it is a compliance programme. That said, PCI DSS compliance will HELP companies become more secure but it is not enough in itself.
By deincognito on Mar 27, 2007
Greetings from Spain.
Compliance, like security, is not a static concept. For instance, legal or contractual duties could be prosecuted by implementing organizational and technological controls, but there are people on the bottom line who could be incentivized to commit information leakages in order to start up their own company or for a bunch of dollars. Risk equal to 0 is not reachable unless you eliminate its focus. Compliance and security are objectives to look out for but they are never reached even for a second. That is why all security standards oblige periodic audits.
Regards
By Rob Newby on Mar 28, 2007
Wow, is everyone in here living in Spain today? Buenas tardes!
PCI is alive and well here then!
This is THE eternal PCI debate, and I think one thing we have to accept is that security is driven by the bottom line. No-one installs a firewall because it’s fun, they do it to protect assets, to stop their network going funny and losing man-hours. So it will necessarily always be driven by the bean-counters.
Thus the regulations will always be driven by the least cost solution, which is why they are so slow to move. The fact that there are so many workarounds for PCI regulations is a bit weak, but the fact is, the technology isn’t available, or far too expensive for many merchants.
PCI does have to be challenged, but by the vendors, integrators, QSAs, consultants and the people involved in the rollouts themselves. I am a vendor, I was speaking with a client today who had seen a hole in one of their solutions and asked for help from a partner. This is the right attitude. Now to drive MY business I will be lobbying the PCI SCC for a change in the rules. If the technology is available, the regulations should rise to meet it in my opinion. Now all we have to decide is how much is too much.
Rob.
By Alex on Mar 29, 2007
“compliance to the standard will provide security and proper risk management…”
I’ve seen nothing in PCI to suggest that it has anything to do with risk management, more or less proper risk management.
By datasecurity on Mar 29, 2007
Alex,
Straight from the requirements.
“12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment”
Also, all QSAs (qualified security assessors) globally starting in 2006 have been trained to the understanding that PCI compliance should include a risk based approach.
By Alex on Mar 29, 2007
Right. It’s an absurdly high level treatment of an otherwise important subject. Not unlike saying, “People should focus on an ingestion-based approach in order to obtain nourishment” is a valid perspective on nutrition science.
There’s nothing there that has anything to do with risk or risk management. In fact, real arguments can be made that the compliance approach is antagonistic to risk management.
By APM on Mar 29, 2007
Alex,
I can see what you are saying and for me this aspect is one of the things that lessens the worth of PCI DSS. It says you need to do something but does not go far enough in explaining what is an acceptable approach to that “something”.
I think this comes down to something that I think I found on the UK FSA web site which read:-
“Compliance consists of ensuring that the activities undertaken agree with both the letter and the spirit of the standards.”
The “both the letter and the spirit…” aspect is what I mean. Very few non-regulated compliance standards are prescriptive enough to be used “out of the box”. Most have to be interpreted. However, the spirit of the PCI DSS standard and points such as 12.1.2 is that you interpret what is written on the paper and invoke something that is fit for purpose as far as the spirit of the requirement goes.
This is a tough topic and one that I am struggling to get my IT bods to understand.
By datasecurity on Mar 30, 2007
I agree that there should be more clarity, but please be aware that while you are demanding more details there are others who want less detail. Half the room wants it one way and the other half wants it another way.
Which is better, to have more details to explain the details? Or to be vague like SOX and HIPAA? GLBA says to “safeguard customer information”. This is the intent of any and every program.
If you are protecting the data from compromise then you are OK. Make sure you do that and you should have no worries.
The thing that bugs me is that companies say, “I want to accept the risk to my systems instead of securing them.” That is like a building owner saying they don’t want to fix the building and will, “accept the risk of it falling down.” It is not their risk to accept if the data belongs to their customers.
I have no doubt that most people who post here are running a secure network. What worries me are the implications of these comments on people who want to evade the compliance process by simply ‘accepting the risk’.
By APM on Apr 1, 2007
datasecurity,
“What worries me are the implications of these comments on people who want to evade the compliance process by simply ‘accepting the risk’.”
Totally agree. As per my comment in the “Is PCI half empty or half full” thread, if the consumer were better educated so that they asked “awkward questions”, more companies would take notice of the compliance requirements. When your customer says “I’m not doing business with you until you show me you are secure”, they will make the effort.
It is absolutely right to say that a company’s approach of “I’ll take the risk because my stock price won’t be affected that much” is totally wrong. But until the company’s sales are impacted because of that statement, they will continue to make it.
By Alex on Apr 2, 2007
‘It is absolutely right to say that a company’s approach of “I’ll take the risk because my stock price won’t be affected that much” is totally wrong.’
Really? I don’t think anyone can be dogmatic about it being “totally wrong” - that’s a business decision, and not one some network engineer or even VISA should be making.
It seems to me that the real crime how we’re now holding a PCI gun to the business decision maker’s head. Compliance and thinking like that causes us to appear to be on the “them” side of an us vs. them mentality. We threaten to pull the trigger instead of doing our job and helping them understand their risk.
But I suppose some folks would rather just be paternalistic about it - kick and scream as if PCI == Risk Management and then are amazed when things like this:
“The company still opted for ASV 1 and the “lower number of problems to fix” was a contributing factor”
happen.
You guys can’t have it both ways. You can’t reject Risk Management for the PCI standard and then cry and moan when businesses (rightly, IMHO) brush it off - and then at the same time write articles like this. Be consistent. Either acknowledge that PCI is subservient to a real Risk Management program or completely subscribe to it and assume a Donn Parker “best practices” approach, with PCI being your standard du jour.
By APM on Apr 2, 2007
Alex,
OK, to clarify, I should have said, it is “totally wrong” from the _real_ security perspective (it’s morally wrong from the customers perspective but then that’s a different argument).
“But I suppose some folks would rather just be paternalistic about it - kick and scream as if PCI == Risk Management…”
PCI != Risk Management, anyone who says it does does not understand either PCI DSS or Risk Management properly. That said, the proper approach to the ‘intent’ of PCI DSS and what it is trying to achieve should lead to the identification of the need for proper Risk Management.
However, the real killer point is what ‘risk’ is the Risk Management process trying to address, the company’s risk, the customer’s risk? From the company perspective, with an absence of any external influence, they will look purely inwards to see what’s best for them. Short term view will be stock price, long term view will be what makes more customers spend their money. It’s a slightly different perspective but important all the same.
To take an isolationist Risk Management approach of saying, as some companies are, “the cost of the fines is less than the cost of implementation therefore we’ll just pay the bill, IF the worst happens” is very poor.
To take an enlightened Risk Management approach of considering all of the short AND long term implications of the argument is better.
All in my opinion, of course.
By Dave R on Apr 20, 2007
Interesting discussion. I came here in a search for the bakeoff mentioned above. I’m with a level 2 merchant trying like heck to get a decent scan completed. Every time we fix the identified problems, we continue to fail. We’re not looking for an easy out, but this scan is ridiculous - I have my hardened VPN boxes failing where I have no ability to modify the O/S config by design and my Exchange server failing because my firewall detects the scan as a DOS attack! It appears that my only option is to seek an ‘exemption’ from the scan vendor.
By rybolov on Jun 1, 2007
Wow, I missed out on my chance to comment on this? Where was I that week?
By datasecurity on Jun 3, 2007
doesn’t mean you can’t comment on it now