PCI: Part 2 – A New Hope – #27

Jeff Man, Matt Alderman, Scott Lyons, and Josh Marpet discuss security, compliance, and breach news.

Recorded 5.5.2020

STATS: Jeff 56% | Matt 20% | Scott 4% | Josh 18% |

PCI Counter: 52 

SPONSOR  0:01  

The question is simple: has any of the systems on my network been compromised? The answer is harder than it should be. Enter AI-Hunter. Active Countermeasures has automated and streamlined techniques used by the best pen testers and threat hunters in the industry to create AI-Hunter – a network threat hunting solution that does the first pass of a hunt for you to identify systems that are most likely to be compromised and scores the results on a scale from zero to 100. You can then research those systems in depth with AI-Hunter. Focus your valuable time on the systems that need your expertise with AI-Hunter. Sign up for a personal demo today at securityweekly.com/ACF

 

Jeff Man  0:39  

Welcome back to Security and Compliance Weekly Episode 27, where we’ve been talking about the three lessons ready PCI. So glad it’s Cinco de Mayo. Before we jump back into the discussion that is loosely focused on the news, we do have a couple more announcements. First off, we’re looking for some high-quality guest suggestions, really for all of our shows on the podcast, to fill up our third quarter recording schedule. If you have somebody in mind that you think would be great as somebody we should interview on any of our shows, submit your suggestions by visiting securityweekly.com/guests. There’s a form that you fill out; you can pick which show or you can leave it blank and we can decide. All of the hosts and staff review these suggestions regularly and we’ll get back to you if we decide to move forward with any of your suggestions. Also, if you want to learn how penetration testing reduces risk, our next live webcast is with Core Security, which is a HelpSystems company. They’re going to be talking all about that. You can register for it or any of our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts and trainings by visiting securityweekly.com/ondemand. This has been a fun show because we’ve been talking PCI.

 

Matt Alderman  2:12  

And tequila tongue ties you, Mr. Host.

 

Jeff Man  2:15  

Tequila does make its impact. Um, so, you know, this is our traditional second spot news segment. I put up some news, news articles. I think Josh did too. Although Josh, I looked at yours and saw that you’re going back 10 years, I’m not sure

 

Josh Marpet  2:37  

No, no no… I only went back 10 years on one article. All right. Cut the crap. 

 

Jeff Man  2:40  

Well, the correct one article goes back 10 years.

 

Josh Marpet  2:44  

The other articles are within the last six months or so. So stop…

 

Jeff Man  2:48  

If there was a theme, it’s you’re trying to get under my skin about PCI and how the world views PCI and how it’s silly.

 

Josh Marpet  2:57  

Jeff! I would never do those things. I don’t know why you’re saying those things about me.

 

Jeff Man  3:04  

But it I’ll let you take the lead. Is there any of these articles you want to start with? We can go through one or more or all, but I’ll let you pick the order.

 

Josh Marpet  3:14  

That’s a good question. Let’s start with Where’d I go? There we go. So I think that the whole theme was actually I was looking for deficiencies in PCI you’re absolutely correct. 

 

Jeff Man  3:25  

Sure. 

 

Josh Marpet  3:26  

I wasn’t deliberately trying to get under your skin. Or was I? But, uh, yeah. I thought that it was interesting that PCI is a very definitive and authoritative resource in a lot of realms in a lot of ways. But there’s still problems. And anybody that thinks that it’s the only answer is just simply wrong. Not that you would ever say that, Jeff, of course. But there’s some things that I didn’t, I don’t like about PCI still. I’ve got to ask you a question. You’re the expert. I totally agree with that. The one article that I went back 10 years, the one article out of five that I went back 10 years, was about retroactive revocation of PCI compliance. This is something that we’ve talked about for a long time. The fact that the PCI Council at one point would retroactively retract “You are PCI compliant,” the certification if you will, once you’ve been breached. Does that still happen?

 

Jeff Man  4:29  

Well, you know, so what happened historically was, and this sort of happened in waves, mid to late 2000s, there was the Albert Gonzalez hacking ring that hit a lot of retailers and actually service providers. I know about him because I was working for a lot of these companies before, during, and after their breaches. It was certainly sort of the mantra back then that no company that was breached was PCI compliant at the time of the breach, and therefore, especially in the case of a service provider, the compliance attestation was revoked. You know, it was somewhat semantic, I think, was somewhat political, is somewhat, you know, trying to…

 

Josh Marpet  5:26  

The word you’re looking for is crap. 

 

Jeff Man  5:28  

…put lipstick on the pig, whatever, you know, whatever key phrase you want to use. Does it still happen today? I mean, the next big wave of breaches, not that they’re not happening still, was, you know, the last couple years with Target and Home Depot and a few others. And still, the mantra was, you know, nobody’s compliant at the time of the breach. I don’t know that they, you know, the revocation of compliance technically doesn’t happen from the security standards company, because they will tell you that they don’t enforce the standard. They are simply the authors there; they’re pulling from the different card brands and industry organizations that are tied into all the PCI ecosystem, what I like to call it. The revocation comes from, if you’re a service provider, it comes from the card brands. I mean, Visa maintains a list of companies that provide service provider functions for mostly the merchant or retail community. And you will certainly be dropped from that list if you suffer a breach, and you have to earn your way back by going through the compliance assessment again. If you’re a merchant, you know, technically merchants are the responsibility of their acquiring bank or the commercial bank. The commercial banks are the ones that are technically fined if there’s a breach of one of their merchant customers. So it’s between the bank and the merchant whether the compliance is accepted or rejected or revoked or not. And that tends to not be publicized as much as, you know, sort of kept in house. So it’s harder to answer that question definitively.

 

I think generally, the impression is still if you’re breached, you weren’t compliant at the time of the breach, because that preserves the perceived integrity of the PCI data security standard. What I would say is, it’s kind of silly that it’s come to that because the PCI data security standard, if you read through the whole thing, doesn’t, and never was intended to, guarantee that you wouldn’t suffer a breach. It was designed to, let’s eliminate all the stuff that we know about, all the historical breaches, or historical attacks, and threat vectors. Sort of the low-hanging fruit, if you will, let’s eliminate all that. But then also, let’s prepare yourself for when a breach does happen. I mean, one of the major sections and one of the major headaches for a lot of companies that have to follow PCI, requirement 10, has to do with collecting logs, the right kind of logs, logs on a continuous basis, transferring them to a centralized log server and reviewing them on a daily basis. All, and basically collecting the forensics trail, so that when you’re breached, you can figure it out, figure out the source, figure out the cause, hopefully, of the holes and move on. So, to me, it’s always been interesting that the perception that PCI prevents a breach when a good portion of PCI is helping you to prepare for the breach, and to do it in a responsible and timely manner. So that’s sort of, you know, one good example of how PCI in my mind is very often misunderstood and misapplied.

 

Scott Lyons  9:00  

That’s three drinks if you’re keeping tally at home, by the way.

 

Josh Marpet  9:03  

Yes, it was up, we’re up now.

 

Jeff Man  9:05  

I’ll shut up and you talk and I’ll drink.

 

Josh Marpet  9:08  

We’re up to 19 mentions just FYI of PCI by Jeff Man. If you haven’t taken 19 shots or sips at this point, you’re not keeping up. Okay. Remember, we do not take responsibility for any of the bad decisions you make. Anyway. I think the problem was not so much about the policies and procedures the way that it was done, Jeff, but the retroactive revocation, but I think one of the points you raised was fascinating. And I think I have an article in there about that. I believe it’s the first one where it says that PCI isn’t as important, where it says that just a third of global firms are… Oh, sorry. I mean, this is interesting too, but only a third of global firms were actually found to be PCI compliant or care about PCI compliance. So there are obviously banks and payment mechanisms, shall we say, that are not keeping track of who’s PCI compliant in their infrastructure and their ecosystem, I should say. And that’s fascinating in and of itself. But there was one – Oh, I think this one I screwed up and didn’t get the right one in there. There was a Verizon report, I believe, I’ll double check, that said that a year after being certified, getting their ROC, their AOC, the whole nine yards, the PCI compliance stamp, if you will, they were found that most of the security controls were neglected, not being done, not properly performed, just that they had effectively failed to be PCI compliant, even though they were still certified. Because, and you mentioned that yourself, they just weren’t paying attention.

 

Jeff Man  10:40  

Right. 

 

Josh Marpet  10:40  

And that’s a problem, I think. And I think that that’s why PCI. And most, if not all, compliance standards and frameworks need to go to continuous rather than point in time. I don’t know if anybody disagrees at this point. Does anybody disagree?

 

Jeff Man  10:56  

Well, Matt, you’re trying to say something?

 

Matt Alderman  10:58  

Yeah. I mean, you know, the challenge with I think most of these compliance regimes is you take a snapshot, a point in time review. The report on compliance is that snapshot for the PCI DSS. As soon as that stamp is, that point in time is assessed and said, yep, you’re all good, literally the next day it could change and you could be out of compliance. So to your point, Josh, I think continuous is ultimately where a lot of these regimes need to move to, so that you can prove a level of compliance on a continuous basis, not once a year, once every two years, three years, whatever that window is for that point in time snapshot. I think that’s one of the challenges. And that’s why a lot of people look at, I think, PCI not as a security standard, because the report on the compliance is that single snap in time that people are like, yeah, okay, I’m just going to go get this done. I’m going to go get my stamp, and then I’m going to go do whatever else I want and to deny. I know, Jeff, that’s not what it was intended to do. But that I think is the way it is handled by a number of organizations, unfortunately.

 

Jeff Man  12:07  

Well, yeah… 

 

Josh Marpet  12:07  

You know…

 

Jeff Man  12:08  

I’m glad. I’m glad you, Matt… Oh, let me address your question. I’m just piggybacking on what Matt said. Because I wanted to disagree with you, Josh, ultimately, but Matt sort of highlighted, you know, what was the intent of the PCI standard and the way it’s used and implemented, if you will, is, there’s a disconnect there. Yes, it’s an annual validation that you’re following a set of rules. But the rules themselves very often have continuous built into them, like I just mentioned, requirement 10. You’re supposed to be reviewing your event logs, any log that has…, you’re supposed to log any access to cardholder data, or systems that transmit, process, store cardholder data, you know, a specific type of data that’s sensitive to your operations. You’re supposed to review logs on a daily basis; that sort of implies to me that that’s something that’s done continuously. There’s other requirements that you’re supposed to do things on a weekly basis, a daily basis. The scanning requirements at a minimum is, you know, scan as often as you want, but once a quarter, once every 90 days, show that you’ve got clean passing results for your vulnerability scans. So it’s, yeah, it goes to the way it’s been interpreted and implemented, as Matt says, but to me, it’s always been kind of weird, because there’s so much continuous built into the standard itself.

 

They actually, the Security Council, when they rolled out, I believe it was with version three, which came out in 2013, is where they put explicit language in acknowledging the fact that most people treated it as a point in time assessment. They tried to build in language to underscore and reinforce the fact that no, this is stuff that you’re supposed to be doing on an ongoing basis. But my most recent PCI customer very much had the approach of we just got to get to the finish line, whatever our compliance date is, we got to make sure we got these technical controls in place, past whatever it is, by the time we get to the finish line. And they were, in my opinion, kind of totally ignoring all the process and procedure that needed to go into something that was supposed to be happening on an ongoing basis. Case in point. They put together a tiger team and gave the tiger team six months to help the particular business unit get a passing vulnerability scan, which is a 90 day, three month requirement. And I asked them, I said, why are you giving yourself six months to do something that you’re supposed to do once a quarter? Never really got a good answer, and I don’t work for them anymore. Strangely enough. Next question.

 

Matt Alderman  15:10  

Well, I don’t want to go question I want to go into some of this news, right? So 

 

Jeff Man  15:14  

Okay, sure!  

 

Matt Alderman  15:15  

So one of the articles you put in here was PCI compliance is vital to the economic engine of the world. And I read this article, and I’m like, really? I’m like, everything you talk about in this article we’ve already known or this has been in place for a while. And then I scroll all the way to the bottom. And it’s a pitch for a vendor. And I’m like, no. So I had to ignore this one. Because it just, it’s silliness.

 

Jeff Man  15:43  

I apologize. I didn’t get to the bottom of the article. I just saw the compelling headline.

 

Matt Alderman  15:49  

Yeah, but when you read the article, you’re like, oh, really? Okay. A little outdated. And then it’s a vendor pitch at the bottom. Okay. What I thought was a little more interesting is, despite spending more on compliance, businesses still have basic IT weaknesses? I mean, we talk about this all the time, right? They do not equate to be the same. So this wasn’t surprising. So I was just trying to dig into some of this news. And, you know, is there anything really interesting in here? Is there anything new? And I haven’t, I just, I’m not seeing that, Jeff. Right. I’m just, I’m trying to figure out, you know, is there anything new in here?

 

Jeff Man  16:34  

Anybody? Well, the irony is, and I guess it always depends on perspective. You know, my view of PCI is it represents a pretty decent standard by which you measure a security program, and the fundamentals and the basics of how you build a security program don’t really change over time. Obviously, technology changes and how you have to apply the rules and how you meet the rules and the requirements change based on the technology that you’re deploying. But the principles, the guidelines, the goals don’t really change. So in that sense, I mean, information security in general, there’s nothing new. I mean, we’re trying to protect sensitive data. We’re trying to stay in business, we’re trying to protect national security interests, none of that really changes. What does change is the technology. Which begs a, you know, sort of a follow on question to your observation, Matt, and I’m not disagreeing. There isn’t anything new. But I wonder if, because there’s nothing new and there’s no perception of something new, is that one reason why vendors, their sales and marketing programs, don’t latch on to something like PCI? Because of the perception, right or wrong, that the marketing pitches have to be new, they always have to emphasize the new and highlight the new and the different. I mean, I had this thought the other day, you know, how many of our conventional products that we buy in grocery stores in boxes and bottles every six months or a year have the label new and improved on the packaging? And have they really changed anything? We’re..

 

Josh Marpet  18:28  

I remember reading a story about cough medicine that changed their name from like version 4 to version 4000. And that was the new and improved: they changed the name.

 

Jeff Man  18:39  

Right? 

 

Scott Lyons  18:39  

Well, what was it? There was a company, there was a company that did tea.. T-E-A .  It was a Tea Company and they put blockchain in their name and their stock shot up like 4000%.

 

Josh Marpet  18:54  

Yeah, it was an iced tea company?

 

Scott Lyons  18:57  

Was it Long Island Iced Tea?

 

Josh Marpet  19:00  

It’s silliness. 

 

Scott Lyons  19:01  

Right, but that’s what I’m trying to…

 

Matt Alderman  19:02  

Long Island Iced Teas don’t have tea in them.

 

Jeff Man  19:06  

Not a bit. 

 

Matt Alderman  19:08  

It’s got a splash, correct? A a whole lot of liquor…

 

Josh Marpet  19:10  

…and you’re technically correct. The best kind of correct. So in all seriousness, though, I do want to…

 

Scott Lyons  19:16  

answer the question. Here we go. 

 

Jeff Man  19:22  

Josh, have a… PCI Josh.. take a drink. Go ahead.

 

Matt Alderman  19:28  

So you asked the question, you know, our vendor, you know, is the reason why vendors don’t talk about PCI because they’re always chasing the new improved thing? And I think there is definitely some viability to that. Everybody’s chasing the next shiny object, right? Everybody wants to be in the security operation center. They want to be on the forefront of automation and orchestration, or they wanted, they want to do all this new stuff, right? Because they think this is where the next set of revenue comes in. But if we go back and we look at things like the Equifax, in the discussion we had yesterday with Grant Pain, it boils down to basics: vulnerability scanning, patching, configuration management, basic policies. And I think one of the fears I have in our industry is that so many vendors are chasing the new shiny stuff that we’re forgetting about the basics. And it’s the basics that are causing us grief in these new technologies. So let’s think about cloud for a second. Certain aspects of cloud, do I really need to control certain aspects of security? No, because maybe the cloud provider does it. But here’s what matters: configuration matters. Because if you misconfigure an S3 bucket, guess what, you’ve just exposed all your data to the internet. And that’s why we see breaches. So sometimes we’re moving so far to the brand new, shiny stuff that we’re also forgetting about some of the basic stuff. And that scares me a little bit in our industry.

 

Jeff Man  20:55  

Well, it’s interesting that you bring that up. Because, and as a sidebar, I think my article five actually talks about, you know, the responsibility for cloud security. But it’s interesting that you bring up, and I haven’t listened to it yet, but I’m interested now in listening to the interview that you did yesterday. You’re emphasizing that, you know, time and time again, what causes the breaches at these companies, especially the big companies that we expect to be resilient and not fall to such major breaches, it is determined to be because of some of the basics. Ironically, or maybe deliberately, the areas that PCI, the data security standard, are more prescriptive on are very often these very basic things that you just described, are very often the things that are missed, and why breaches happen. To which I simply say, PCI, people have this attitude about it. But if you followed it, a lot of those basic things that are time and time again the reasons or the causes for so many major breaches gets addressed, goes away. Maybe we should revisit, maybe we, the collective we, should look twice, or again, or frankly, maybe for the first time, at just what PCI says and what it’s all about.

 

Matt Alderman  22:28  

Yeah and I think a lot of it has, look, there’s nothing sexy about configuration management, nothing at all. I know people would much rather do threat hunting pentesting, do some orchestration automation in their SOC. But if we look at these breaches, a lot of it boils down to basic configuration or vulnerability, or patch management, unfortunately, that’s what these things deal with, in a lot of respects, those are just the basics. They’re not sexy, I get it. Everybody’s chasing the shiny object, but that’s what’s getting us breached. And so, to your point, Jeff, I think, you know, looking at something like a PCI data security standard, is covering the basics. It is a very good guide to cover the basics and people who aren’t doing the basics, I think are just fooling themselves that they’re going to be secure and prevent breaches.

 

Scott Lyons  23:18  

So if we have a company that we think is mature in their security and compliance regime, right, but they’re not doing the basics, are they really mature?

 

Jeff Man  23:29  

I would say no, 

 

Matt Alderman  23:30  

I would say no too. 

 

Jeff Man  23:33  

But well, to rephrase your question, though. And I think this touches on a perception that’s common in the industry, if not the world, is if a company has implemated… implemented (one too many PCI drinks, sorry)

 

Josh Marpet  23:51  

implemated? 

 

Jeff Man  23:52  

Implemated.. implemented. The coolest and shiniest, niftiest and costliest security tools and solutions and monitoring solutions. And they’ve got all this stuff, because they’ve got the money in the budget. And they believe that if they’ve got all that, maybe this is the question.. Is it appropriate to think that if you got all the shiny and you got the budget for all the cool stuff, you don’t have to do the basics? That somehow you’ve circumvented or moved beyond the basics? Is there a lesson here that no, there’s no getting away from doing the basics?

 

Matt Alderman  24:30  

I still don’t… 

 

Josh Marpet  24:32  

Yes, the lesson is simple. Smack the people that think that.

 

Matt Alderman  24:34  

Well, I’ll give you example after example. The Capital One breach of Capital One sped I look, I love what they’ve been doing, right. They’ve been moving their stuff to the cloud. They’ve invested a lot of money in security. They were still breached. It was a basic misconfiguration type of issue that propagated that breach to happen. Equifax was spending money; they may not have been prioritizing the right money in the right places. Still breached, right? So this stuff still happens. And so I don’t think you can get away from some of these basics.

 

Scott Lyons  25:09  

Sorry, Matt, I had to speak over top of you. They’re not just breached but also found guilty for insider trading. Let’s not forget that as well.

 

Jeff Man  25:15  

True. So..

 

Matt Alderman  25:18  

That was something different but anyways, yes.

 

Jeff Man  25:21  

Well, different but somewhat related, bad behaviors, bad things. So if we’re going to attempt to wrap this up, and obviously PCI is going to continue to come up in our discussions as we move forward as a show. Is it fair to say that PCI deserves another look, or perhaps a renewed focus? Maybe people should go back to it as an example of basic security 101, something you should do, something you should address, regardless of whether you’re technically, you know, subject to PCI? Agree? Disagree?

 

Matt Alderman  26:08  

I think there is a lot of good in the PCI data security standard, that gets a bad rap because it falls under the umbrella of PCI. And so to answer your question, I think if you rebranded exactly what’s in PCI, with a little broader focus than just cardholder data, it might get some renewed interest in actually helping organizations with a roadmap of how to build some of the basic security principles in your organization.

 

Jeff Man  26:40  

There, Scott.

 

Josh Marpet  26:41  

I like that.

 

Matt Alderman  26:47  

Scott froze, I think he’s frozen. 

 

Josh Marpet  26:50  

Oh, thank God, it’s not just me.

 

Matt Alderman  26:56  

I think the Wookie took him out.

 

Josh Marpet  26:59  

Wait, am I frozen?

 

Matt Alderman  27:00  

I think Jeff’s frozen too. I think Maryland’s like…

 

Josh Marpet  27:02  

Ah, come on.

 

Jeff Man  27:04  

I’m back. I’m back. I’m back. Okay, we’re all back. What, Josh? Repeat what you were saying?

 

Scott Lyons  27:10  

Son of a breach – what happened?

 

Jeff Man  27:11  

Scott! Say something? I don’t know. We all just blanked out. 

 

Josh Marpet  27:15  

How about this? PCI is a great base framework. There are some improvements that need to be made. My biggest one, I think would be the continuous versus point in time. I think that’s going to be a very, very difficult step.

 

Jeff Man  27:35  

Well, I agree, because it’s perception as much as what’s built into the requirement, built into the standard. It’s how the standard’s implemented. And I agree, it’s one of my pet peeves with how PCI is used and abused, the perception that it’s a point in time assessment. How do we overcome that? How do we get beyond that?

 

Josh Marpet  27:58  

Well, we have to make pentesting more automated. And I know that’s anathema to many people, but I’m sorry, it’s the truth. Pentesting is commoditizing. Pentesting is specializing. The next step is we need to automate the basic pieces of pen tests to make them so that we can run them continuously. We need to automate a significant amount of compliance, we need to automate a significant amount of reposit evidentiary – repository checking, we need to automate a lot of these pieces to make it just as simple as antivirus. To make it as simple as vulnerability scanning, which we can do every 10 minutes if we felt like it; nobody would care. And those pieces need to be automated so they can be run all the time.

 

Because remember, it’s not necessarily the answers you find, but the changes you discover along the way. That’s what you need to concentrate on. Just as configuration management, as Matt so aptly said, it’s not sexy. Nobody wants to do configuration management; it’s incredibly important. Because if I can find that there’s an entire group of my company that hasn’t been following config management, you know what, they’ve opened up a massive attack surface into my company. And I don’t think anybody would argue with that. So if I’m not monitoring for that, I’m not going to see it. We have to make all the pieces that we do as automated as possible to make them as monitorable, is that a word?, as possible. Make sense?

 

Scott Lyons  29:26  

Yeah. yeah. My only question is, how many? How many PCI sayings are we at Josh? What’s our final count?

 

Josh Marpet  29:35  

From just Jeff, we’re at 28. 

 

Scott Lyons  29:39  

Oof.. 

 

So.. 

 

Jeff Man  29:43  

Drink. 

 

Josh Marpet  29:43  

I’m buzzed. 

 

Matt Alderman  29:47  

Jeff, I’m very relaxed.

 

Scott Lyons  29:49  

So it doesn’t matter. Let me throw my two cents in here. It doesn’t really matter what compliance regime you’re going after. If you’re not doing the basics, you’re really screwing it up. Right? And the basics are vulnerability scanning, configuration management, change management, change control, making sure that you have hardened images that you’re using and that you have a security awareness program put into your organization somewhere. So at the end of the day you’re not saying Son of a breach!

 

Jeff Man  30:19  

Might disagree on the particulars, but in general, yes, Scott. PCI is the basics. You addressed most of them; the order might change, the preference might change, precedence might change. But I think in the interests of everybody’s liver and having a productive rest of the day, we probably should call it for this episode. I hope you guys have enjoyed the discussion. I don’t.. we didn’t set out to change your minds. But hopefully, maybe think more or think twice or think again about PCI because it is different. It is not just compliance. It’s set apart from other things that we’ve talked about and there’s a good reason for that. There’s a reason for that; maybe it’s not a good reason. I’m not going to assign a value to it. But until next time, and next time we are going to be talking to Malware Jake on a very interesting topic. So tune in for that next week. Stay safe, stay isolated. If you’re going to venture out, do it safely and at a safe distance and wear your masks, and until next time. This is all of us for Security and Compliance Weekly. We are sloshed and we’re out.
