Integrity for PCI
May 3rd, 2007 by Rob Newby Posted in Audit log, PCI DSS, Vendors
It’s not every day you get to see yourself in print; this is why we blog. It takes a special kind of self-interest to maintain a blog, and an almost blind faith in what you are saying. That’s why I always invite feedback from everyone, and try to ask a question in my posts these days to start things off. I’ve been really impressed with the quality of answers we’ve had in the last week or so.
In line with some comments I made about First Data yesterday, we may need to make it easier to comply, either by making the standard more technically comprehensible or by making compliance cheaper. Perhaps both.
I’ve said before that PCI could be split into 2 separate documents, one for techies and one for the business people. I had a couple of comments yesterday saying that PCI is easy to comply with, but the financial burden is too great. Some people seem to think it is hard to comply with at all, and don’t really care about the financial side at this stage. I could take a guess which side of the company each of these types comes from. I think mostly we have security people reading this, however, which is an interesting blend of both. I consider myself more on the business side now, but up until 6 months ago I would have said I was a techie. Interesting how that works.
So my question of the moment: is integrity of your logs and data something that is important to you? Is it something that PCI should cover, or is it a step too far?
If you comment, please let me know if you are business or technical, or, if you are security focused, whether you consider yourself leaning more towards one or the other. I’m interested to find out the different sides of the argument, as I think this is where a lot of problems in PCI stem from, and hence a lot of the headaches for us security guys in the first place.
8 Responses to “Integrity for PCI”
By rybolov on May 3, 2007
How much of a “pie in the sky” question can you throw out there? Rob: “Do you care about integrity?”
The problem with log management is the lesson of SoX: It’s hella expensive to save everything so you have to prioritize.
I know this is going to be a controversial statement, but the vendors who offer log management systems still have some problems. The products and the companies are fairly immature and they are really expensive for what they do. What they do give you is hashes for log events to provide some kind of nonrepudiation.
The biggest problem with log retention is storage. There’s a reason EMC bought out Network Intelligence–if you do it right, the product will literally consume millions of dollars in drive space.
This is entirely my opinion, but right now the log management vendors are fat cats in a world full of mice that have had their hand forced by SoX to buy a product. Last summer we did an informal shootout of products and companies and found that they all suck. =)
People will always complain about PCI. It’s like the grief stages you go through when you have cancer.
http://changingminds.org/disciplines/change_management/kubler_ross/kubler_ross.htm
I know this because I’ve been on the auditing end trying to get commercial service providers DITSCAP-certified. Exactly the same scenario, except that in the government world, you have a contract and you can go back to the government and ask them for more money because they changed the requirements on you. In PCI, it’s more like “these are the rules if you want to play in our world”.
The trick to making PCI work is to increase both the carrot (discounts, indemnity, better rates, monetary rewards/compensation) and the stick (fees, being cut off) and at the same time prove ROI for the merchants and processors–taking a look at what really needs to be in the standard. Will adding integrity controls help or hinder? I’m not sold either way. I do know that if you keep adding controls to the standard, it will implode under its own weight because sometime you’ve reached the tipping point of what the merchants will tolerate.
Where do I lie on the spectrum of business-technical? Well, I’m a security person first and foremost, but I’m a really good Linux administrator and I can play business games pretty well.
By Rob Newby on May 3, 2007
I knew I could rely on you to provide some good insight Mike! I agree with you to some extent on the log management side. I don’t think they all suck however, there are some good technologies out there. Have 1 techie point.
I spoke to the PM at NI recently about this, and he thought it was great to be able to add integrity to data (as opposed to WORM storage). RSA liked it because what we talked about was agent-based. He then took the idea to EMC who said “NO”, because it would mean selling less storage. So your opinion is absolutely correct. Have 1 business point.
Other log management companies use certificates to sign entire databases of log information, so if one piece of information becomes corrupted, the integrity of the whole is lost.
Criticism is also noted. I understand that the question is not as specific as you might like, and this further illustrates my point about techies and business. I’d like to know if it’s important to people; however, I didn’t ask if you care about integrity (it would be odd not to), but whether it is relevant in the scope of PCI, such being the focus of this blog!
Again, maybe that was the wrong question, “do you understand integrity?” might have been a better one. It reveals your techie roots to see that you knock it and then answer it so precisely! Have another techie point!
“Will adding integrity controls help or hinder?” isn’t really a question that needs asking within PCI, the requirements are already there, it’s whether they are already too much that I wanted to consider. Again, you addressed this quite nicely too, thanks. Have another business point.
In my experience, everyone interprets the requirements in different ways at this level, even QSAs have problems, and your comments confirm this again. Thanks for your input again Mike, and let us know some of your Guerrilla games sometime soon. It sounds fun.
2 techie points and 2 business points, you are truly a security man.
By rybolov on May 3, 2007
By suckage, I mean that they all have their weaknesses, and it’s not always technical. Let’s see my very informal scoring:
One couldn’t tell us what kind of support for their appliance we would get if it died in the middle of the night–a recording or a live voice. I have to be able to transfer my outage risk at least partially to the vendor because, as an MSSP, I get penalized by SLAs and that dries up the income stream really quickly. Could be a bad sales rep, but I’m not going to give him the income if he can’t answer the simple question.
One wanted us to pay pro services $5000 for 2 days of development in order to implement a feature today that was on their roadmap in 6 months. They then would sell the feature to all their other customers. Can you say “evolve past bootstrapping a startup” long enough to hear that your customers are asking for something?
One only took windows logs. Game over. Most of what we store is firewall logs in syslog format.
One stored all the log data in a MS Access database. Ack! This is scalable?
Most of them sell appliances that run many $10K to buy, and it’s like potato chips, you can’t have just one. You can easily put in $150K for a basic enterprise log management system without drives and end up with 6U of equipment that still has to be installed, maintained, etc.
Now that I’m done being catty, I’m not going to tell you which one we went with. Suffice it to say that the incumbent vendor was the least suckiest of all of them, but it still leaves a bad taste.
So do I win anything? =)
By Rob Newby on May 3, 2007
Ew, Access based? I think I know who some of these are just from your description, so I hope you went with the good one.
I agree it’s overpriced at present, but this should come down soon as the market is already flooded, and there’s one clear leader who everyone is trying to catch up with.
As for prizes, I’ll autograph a copy of “PCI Compliance Demystified” if you bring your laptop to Barcelona.
By Saso on May 6, 2007
Rob asks: “So my question of the moment: is integrity of your logs and data something that is important to you? Is it something that PCI should cover, or is it a step too far?”
Logs AND data? Logs and DATA? It depends, doesn’t it? Logs that I will use for forensics definitely need to be collected and preserved with integrity as the primary objective. Does that mean you should do it at the message level? Or at the system level? Or even at the storage level? It depends on - wait for it - integrity of your systems and networks.
Logs that I use to keep a tab on network performance don’t need bulletproof integrity. On the other hand, logs that may uncover internal fraud, such as system access logs, application access logs, data access logs, should be generated, collected, and preserved with integrity in mind.
PCI DSS doesn’t need to, nor should it, require integrity. For public companies, there is an ample set of rules and regulatory requirements that they need to comply with in regards to fraud. For privately held companies, they either realised that without integrity they can’t survive, or will realise it soon, or will go bust because they haven’t realised it in time.
Adding more requirements to the PCI DSS will not enamour it to anyone. It is already everyone’s favourite punching bag, a ‘toothless SOx’ so to speak. Adding more, and in some ways duplicating, requirements will not add to the strength of the standard. Besides, how can you sincerely audit integrity?
As for data, I think a short and sweet answer is “Yes”. Integrity generally trumps availability trumps confidentiality.
Fred Cohen wrote a seminal rant on integrity here: http://all.net/journal/netsec/1997-01.html
Am I security, technical, or business focused? Yes.
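The two approaches contrasted above (Rob’s per-event hashes versus a single signature over an entire log database, and Saso’s message-level versus storage-level integrity) can be shown side by side in code. The following is an added example, not code from the original post or from any vendor mentioned here; the log lines, the key and the function names are all constructed for illustration. It keeps a message-level MAC chain next to a single store-level MAC, then tampers with one event and deletes another to show what each approach can and cannot tell you.

```python
import hashlib
import hmac

# Constructed sample events (not from the original post or any real system).
SAMPLE_EVENTS = [
    "2007-05-03T10:00:01 fw01 ACCEPT tcp 10.0.0.5:51234 -> 10.0.0.9:443",
    "2007-05-03T10:00:04 app01 login user=alice result=ok",
    "2007-05-03T10:00:09 db01 SELECT card_table by user=alice rows=1",
    "2007-05-03T10:00:15 fw01 DENY tcp 192.0.2.7:4444 -> 10.0.0.9:22",
]

# Hypothetical MAC key. It would be held by the collector, not by the host that
# writes the events, so a compromised host cannot re-tag its own history.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = b"\x00" * 32  # fixed starting link for the chain


def tag_whole_store(events, key):
    """Store-level integrity: one MAC over the concatenated events."""
    blob = "\n".join(events).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_whole_store(events, key, tag):
    """True only if every byte of the store is unchanged; says nothing about where."""
    return hmac.compare_digest(tag_whole_store(events, key), tag)


def _link(key, prev, event):
    """MAC over the previous tag plus this event: the chain link."""
    return hmac.new(key, prev + event.encode(), hashlib.sha256).digest()


def tag_each_event(events, key):
    """Message-level integrity: one MAC per event, each covering the previous tag.

    Chaining means an event cannot be deleted or reordered without breaking
    the tag of the event that follows it.
    """
    tags = []
    prev = GENESIS
    for event in events:
        prev = _link(key, prev, event)
        tags.append(prev.hex())
    return tags


def verify_each_event(events, key, tags):
    """Return -1 if the whole chain verifies, else the index of the first
    event that fails. Events before that index are still trustworthy."""
    prev = GENESIS
    for i, (event, tag) in enumerate(zip(events, tags)):
        expected = _link(key, prev, event)
        if not hmac.compare_digest(expected.hex(), tag):
            return i
        prev = expected
    if len(events) != len(tags):
        # Truncated store, or events appended without tags: divergence at the shorter length.
        return min(len(events), len(tags))
    return -1


def demo():
    """Verify a clean store, then one tampered event and one deleted event."""
    whole = tag_whole_store(SAMPLE_EVENTS, SAMPLE_KEY)
    chain = tag_each_event(SAMPLE_EVENTS, SAMPLE_KEY)

    tampered = list(SAMPLE_EVENTS)
    tampered[2] = tampered[2].replace("rows=1", "rows=500")
    deleted = SAMPLE_EVENTS[:1] + SAMPLE_EVENTS[2:]

    return {
        "clean_whole": verify_whole_store(SAMPLE_EVENTS, SAMPLE_KEY, whole),
        "clean_chain": verify_each_event(SAMPLE_EVENTS, SAMPLE_KEY, chain),
        "tampered_whole": verify_whole_store(tampered, SAMPLE_KEY, whole),
        "tampered_chain": verify_each_event(tampered, SAMPLE_KEY, chain),
        "deleted_chain": verify_each_event(deleted, SAMPLE_KEY, chain),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the single store-level tag, the tampered store simply fails and every event in it is now suspect. With the chain, verification fails at index 2, so events 0 and 1 remain usable as evidence, and removing event 1 is caught at index 1 because the next link no longer matches. Which level is right depends, as Saso says, on what the logs are for: a whole-store tag is enough for a performance archive, while forensic or access logs benefit from the per-event form.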
By Rob Newby on May 6, 2007
It’s interesting that you say PCI DSS doesn’t need to require integrity and yet private companies should know better. I think this is something which could be talked about more. You are quite correct to say that privately held companies cannot survive indefinitely without integrity, and yet there are still so many of them not getting anywhere near it.
This is at the heart of what I am interested in, hence my questions about whether people were techie or business based.
PCI as it is seems a bit half-hearted on integrity with a foot in both camps. It doesn’t really address it fully and only goes into detail on protecting logs, not mentioning the data which should be of far more importance.
Great comments, thanks for your input.
By Michael Dahn on Dec 14, 2007
@Gerald, this is very true and holistic risk management examines all attack vectors, but strict PCI DSS compliance is meant to protect against the electronic and paper theft of credit card data. It does not expose to eliminate skimming or copying of numbers onto post-it notes.