Presentation given by Nick Selby, Trident Risk Management at SANS WhatWorks in Data Leakage Prevention, New Orleans, 2010

1. Sleeping With The Enemy: Better Living Through Hacking Compliance (budgets) Or Navigating the Corridors of the Compliance Industrial Complex January, 2010

2. In a nutshell Compliance != Security A selection of frothy rants about PCI in particular, then “But Nick? What can I, a mere infosec professional, do?”; A New and Improved Way to Articulate Risk; Scattered throughout: Propaganda, crypto-advertising for TRM (when you engage TRM as a consultant, you and your boss become measurably more attractive to the opposite sex.)

3. Compliance != Security Compliance == Compliance Are you {compliant|secure} like this guy is {compliant|secure} ?

4. Compliance & DLP What the hell does a rant about compliance have to do with DLP? Well, if you’re like most infosec professionals, You’re tasked with reducing data loss; and You’re tasked with increasing compliance tasks and reducing audit dings for, you know, everything I aver these goals are in conflict

5. DLP is not a Technology Issue Ironically, this is being presented at a conference called, WhatWorks in DLP Note, ladies and gentlemen, the Red Square of Death. Image: The 451 Group, Mind The Data Gap, June 2008, http://www.the451group.com

6. Why Rulesets Exist Ruleset writers aren’t evil, but they are reactive SOX, HIPAA, PCI – all were in response to a specific problem All attempt to raise the level of overall “security” How they do so is the problem Some rulesets are less cynical than others

7. PCI on PCI “The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.”

8. “Not worthless.” “I do not believe the PCI Standards are worthless; in the absence of other requirements, they do serve some purpose. But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not, and the credit card companies acknowledge that.” -Rep. Yvette D Clarke (D-N.Y.) chairwoman of the Subcommittee On Emerging Threats, Cybersecurity and Science and Technology, Committee on Homeland Security

9. The PCI Dilemma PCI says it wants to, “Raise the bar” by setting forth some highly specific tasks and standards. Unfortunately they were specific to a paradigm gone by, and those who don’t comply get fined and hassled For offloading risk from card brands, PCI has raised the bar. For data security, not only has PCI not, “raised the floor,” in fact it’s substantially lowered the ceiling Because it is expensive in terms of money and resources, PCI is not the minimum standard, it’s the maximum effort that many organizations make.

10. Why Compliance is InfoSec’s Problem As punishment for making everything so complicated, information security professionals have been saddled with compliance management.

11. OK, here’s really why… Enron. Yelling. SOX. “Oh, crap – who’s going to deal with this? Hey! Information Security!”

12. The CEO should do better The CEO who lets the Security organization become the compliance department has abdicated to the government and Payment Card Industry his responsibility to understand and manage organizational risk. That is a fiduciary breach of his responsibility to shareholders. In addition to firing his ass, this should also be a floggable offense.

13. Here’s why present-day implementations of PCI are not just not good for security, but why they’re antithetical to good security.

14. Setting The Bar … at 1984 We’re in an Orwellian IT universe, and criminals are Big Brother They have better configuration management data on us than our own information security groups. They know exactly what we’re doing because PCI tells them what we’re doing. They have rapidly evolving and advanced persistent threats, new generations of attack tools and a wildly changed attack paradigm We have anti-virus and IDS/IPS and firewalls

15. When Rules & Taxes Matter When government wishes to discourage behavior, they have options: They can shunt it off to someone else (“Faith Based Community Initiatives,” etc They can tax it They can legislate it Taxes and legislation clearly discourage behaviors…

16. Smoking in New York City March, 2003: Smoking banned at NYC restaurants, bars, nightclubs

17. Smoking deaths in NYC

18. Teen Smoking Rates in NYC * no data available for 2007

19. Now, let’s look at how well PCI has worked to prevent loss of PII

20. Records Lost…. 2006: PCI 1.1 PCI 1.0 2008: PCI 1.2

21. Records Lost…. SEPT 2006: PCI 1.1 DEC 2004: PCI 1.0 OCT 2008: PCI 1.2

22. Records Lost Per Breach

23. An opposing view

24. A retort “From all accounts it appears that many of the murders and drug-smuggling operations can be attributed to the Mafia. What would the world look like if we ignored their crimes when measuring the success of policing efforts?”

25. Statistics Manipulation Of course, I’m being intellectually dishonest with my statistics on PCI. In the slides about smoking we deal with known and proved risks and threats. The PCI council behaves as if it is too, but security is a dynamic, transactional environment comprising constantly evolving technology. PCI makes specific statements about security which are suspect at any point in time let alone in a continuum, and pretends it’s delivering consistent effect against a static equation. Logicians call this behavior, “Stupid.” Okay, they call it “Confounded thinking.”

26. The Trouble With PCI SOX, HIPAA, etc made their goals clear and the means vague. This caused confusion, but the market sorted it out. PCI is a compilation of a hunches on how to prevent breaches: the specific means to the desired end (that is, to offload risk onto merchants). How about not confusing the means and end? Just punish the failure to secure data, and let the free market figure out how best to prevent breaches.

27. PCI is a Protection Racket by a Cabal. Ponemon 2009 PCI DSS Compliance Study: 71% of companies don’t treat PCI as a strategic initiative 79% have experienced a data breach 56% don’t believe PCI compliance improves their data security posture 60 % say they can’t achieve PCI compliance Recent studies say 30% of the IT security budget is spent on PCI compliance Let’s call it 20%. TWENTY PERCENT. Plus, when you’re breached, you got your fines and your publicity hit. That’s a regressive, unofficial tax for which we get back nothing. And the card brands get to offload risk onto merchants.

28. If we’re gonna tax, let’s tax… D’OH!TAX Fun Fact: This tax will hit many banks! D’OH!TAX THE a. $1,000 per record breached; b. Raises $250,000,000,000 for deficit reduction – WHAT bailout?; c. Replaces all PCI requirements; d. All other fines & reporting requirements still apply

29. While I’m in Fantasy Land… I also want a pony.

30. What is to be done?

31. First of all… Join the rebel alliance. Don’t let a dismal failure be held up as a success: Loose lips sink ships - let’s sink one: be vocal about PCI failures and how they affect your job, your happiness and your effectiveness as an info-security pro. Because if you don’t speak up, other rule-writers will hold up PCI as the model of how this stuff should be done.

32. Be Constructive Rather than berate something which isn’t going away, let’s work to change these arbitrarily objective compliance overviews like PCI into subjective risk analysis tools. Let’s be wiser about how we look at PCI and use it as a lever to free up budget funds for things that we, as security professionals, believe will positively impact the bottom line.

33. Then… Reduce the suck. Work the system as best you can. Question – loudly – things that seem like window-dressing. Ask, “What is the intent of this?” Use compliance requirements to justify spending on sensible things, like greatly expanding pen testing, or setting up an incident response workbench.

34. Compensating Controls If you are not engaged deeply with your QSA in substantive conversations regarding compensating controls, you either don’t care, or: You don’t understand your environment; You don’t understand the requirements; and You are wasting lots of money on PCI. You pay those people. Make them work for you.

35. Let’s Get Back To Basics

36. “If you can’t measure, you can’t improve.” Well, yeah, but… Right now, we’re counting things that help the vendors sell us stuff. Not only do we count these things, we let vendors tell us how important one is relative to another! It’s fine to count things, but if you’re counting the things that matter to the vendors, not to your business, you’re not doing yourself any favors According to this, everything’s getting better! Awesome!

37. Every business is different A fashion house can’t tell a media firm what’s important; hell, one media firm can’t tell another what’s important. This is not just cross industry – it’s true in the same company three months later! Each pen tester, each auditor will have different results even in the same company

40. Articulating Risk How do you articulate risk? Doctors listen most to mom’s statements like, “Something’s just not right.” Say to your CIO, “This feels icky” How Icky? On a scale of 1 to eeew! Eeeeeeew A little

41. An Example PCI 12.2 talks about internal and external pen testing teams. There is great bang-for-buck setting up internal pen-testing team: To talk to pen testers To test patches, controls To enumerate hosts, processes, workflows To understand your environment To understand and positively affect config management

42. Pick Your Battles Find out what you care about Attach your team to revenue producing projects Use PCI and compliance as a lever the budget Speak in terms of risk, not threat Count metrics that speak in dollars and time Yell when compliance makes you do something dumb or hate your job

43. Questions? Contact us: Nick Selby, Managing Director nick.selby [ at] tridentrm.com Paul Davis, Chief Security Officer paul.davis[at ]tridentrm.com Clint Bruce, Chairman c.Bruce (at ) trg-ltd.com