Michael R. Farnum

Hitting the Security Nerve

Heartland CEO gets a smackdown after his CSO interview

If you are reading this, you probably know about Heartland Payment Systems and the credit card system breach they suffered in late '08 - early '09.  There are a lot of details to be found, so I won't rehash them all.  So let's just focus on one point: Heartland had been declared PCI compliant before the breach.  And that is the focus of Robert Carr, Heartland CEO, in his interview with Bill Brenner at CSO Magazine.  He places the blame for his breach squarely on PCI DSS and the QSAs (Qualified Security Assessors) that audited Heartland's PCI compliance.  And that is why Rich Mogull got out the can opener and proceeded to open a big can of whoop-a$$.

Honestly, Rich has already done a better job than I could do on explaining why Mr. Carr's statements were misguided at best.  So I will just point out a few quotes and leave you to read the interview and the post. 

From Rich:

As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.

This, folks, is the best quote in Rich's whole post, IMHO.  This clearly points out why Mr. Carr is so wrong in his interview.  This shows why I fully expect Mr. Carr to run for political office in the near future.  He is very good at shifting blame when he knows (or at least should have known) that he is at fault.  Mr. Carr had a security team.  Mr. Carr, you and your security team are responsible for this breach, not the QSAs.  They are the guards on the armored car, not the QSAs.

Another quote from Mr. Mogull:

I agree completely that this is a problem with PCI. But what concerns me more is that the CEO of a public company would rely completely on an annual external assessment to define the whole security posture of his organization. Especially since there has long been ample public evidence that compliance is not the equivalent of security. Again, if your security team failed to make you aware of this distinction, I'm sorry.

Did you catch that?  It can't be said enough: "there has long been ample public evidence that compliance is not the equivalent of security."  Of course, Mr. Carr acts like this is a revelation of some kind when he says this:

...we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions.

Seriously, Mr. Carr?  Was that news to you??  I'm sorry, but I don't buy it.  If a CEO thinks that getting a good Report on Compliance (ROC) by a QSA means his or her organization is secure, then that CEO deserves scorn and ridicule and to be shown the door.  Of course, Mr. Carr is still there, and that is up to the board to decide.

And like Rich said, there is a problem with PCI.  Heck, there is a problem with most compliance programs.  And that problem is with auditing.  The whole auditing process is faulty.  I have been involved in many audits, and so very often the auditor has a check-box mentality because the company contracted to perform the audit wants as many audits performed as possible, because that equals revenue.  Also, very often the auditor is not sufficiently knowledgeable in the process he or she is trying to audit (don't take that as a blanket statement that all auditors fit this mold - it is just an observation made from a lot of experience).  But in no way can the auditor be blamed when a breach happens if you have a security team.  Read these quotes from Rich to see what I mean:

Unless your QSAs were also responsible for your operational security, the only ones responsible for your breach are the criminals, and Heartland itself.

PCI compliance means you are compliant at a point in time, not secure for an indefinite future.

Also, standards like PCI merely represent a baseline of controls, and as the senior risk manager for Heartland it is your responsibility to understand when these baselines are not sufficient for your specific situation.

In Rich's defense, he really was extremely calm and thoughtful in his response.  He didn't get caustic in any way.  But as we all know, a well-reasoned argument often cuts deeper than a mouthful of hateful words.  So break out the EMT kit, Rich.  Mr. Carr needs a few wounds cleaned and dressed.


What People Are Saying

A better alternative to compliance

As anyone involved in securing credit card systems in practice will tell you, PCIDSS is a bit of a joke - the proverbial lowest common denominator designed by committee. Almost all of the big public breaches in recent years have been of systems which were declared compliant.

PCI makes specific reference to obsolete technology (128-bit RC4) as well as mandating practices now known to make systems **less** secure (excessively frequent password changes), and focuses too much on audit trails (who hacked this) rather than keeping systems secure in the first place.

A PCI audit, like any audit, barely scratches the surface of the security of a system, and only really indicates that the audited company is making at least a bit of an effort - it's not likely to find an obscure hole. Remember that Enron got audited annually too :-)

It's not a bad idea to have something like PCI as a mandated bare minimum, but the way to get attention on the problem is to incent companies with something they care about - money. Right now, there is little downside for a breach (just a bit of bad publicity) so why should they invest in security?

There should be a credit card industry policy, or better, a federal law, which levies significant fines (e.g. a couple of dollars per card number / identity) for these breaches ... if companies like Heartland knew they had $100m on the line, they'd take security seriously rather than viewing it as a cost center to be minimized, and would voluntarily (a) implement up-to-date security measures surpassing the PCI minimums, and (b) reduce their risk footprint by finding ways not to store as much sensitive information.

Check your facts

Just a couple of notes to clear up some items in the previous comment that are misleading or incorrect:

-PCI v1.2, the current version, makes no reference to RC4.

-The argument that PCI focuses too much on audit trails is arguable. Logging is not only for forensics, but also should be used/monitored daily to detect suspicious or anomalous behavior that may indicate attempted intrusion. Daily log monitoring is a PCI requirement.

-Password changes do not necessarily make systems less secure. PCI has many password controls, all of which are still generally considered best practice.

-Incentives. PCI requires a qualitative and quantitative risk assessment/analysis to be conducted annually. The most common numbers used to quantify the value of compromised data are the Forrester and/or Ponemon Institute numbers, which put the cost of a breach at between $90-$305 PER compromised account. If a company is conducting appropriate risk analysis and interpreting the results with any common sense, they will likely budget and prioritize security (risk mitigation) appropriately.

PCI DSS != Security

Great article. PCI DSS is a joke. I very recently managed IT for a mid size company, all the CEO and CFO cared about was passing the PCI compliance audit and the external E&Y auditors. The fact that the System Security Plan was on the CFO desk for a year and never approved was testament to how much they cared about security.

I left because I saw the train coming right at me and I wasn't going to be made the scapegoat for the inevitable breach.

If a company really is serious go get the NIST pub 800-53 and related docs. Do an honest risk analysis and assessment, categorize your data and infrastructure as to sensitivity, and then pick your controls and implement them.

PCI DSS is just another money-making scheme that also lets CEOs like Mr Carr off the hook (so they think).