Recently, a well-known e-Commerce site suffered a highly publicized data breach. The breach in and of itself was not significant; it is not unheard of for an e-Commerce site to suffer a breach and a resulting data compromise. What made this incident noteworthy was that the site bore a well-known seal indicating that it had been examined for vulnerabilities and found to be "safe". More troubling than the apparent inconsistency between the seal and the actual level of vulnerability was the response of the scanning vendor, who said that the merchant was at fault because the breach must have occurred sometime when they had "fallen out of compliance." This is indicative of a troubling trend that has emerged in the PCI DSS compliance industry: the tendency by many to equate "compliance" with vulnerability scanning, and a heavy reliance upon technology to address information security.
First, it should be noted that scanning is a very important component of information security. However, taken on its own, scanning can lend merchants, and their acquirers, a false sense of security. Many, though not all, scanning vendors have taken to selling scanning as a panacea for the risks posed by Level 4 merchants in particular. Specifically, technology vendors have begun to sell scanning on the promise that it will bring merchants into compliance with the PCI DSS, ensure the safety of e-Commerce sites and reduce the risk smaller merchants may pose to their acquirers.
It is important to undergo vulnerability scans for a number of reasons. First, requirement 11.2 of the PCI DSS requires companies to undergo such scans on a quarterly basis and whenever they have made significant changes to their infrastructure, so compliance with the standard does necessitate vulnerability scanning. Second, scanning reports are also required for validation of compliance. The scanning requirement, however, is one of over 220 sub-requirements contained in the PCI DSS. Simply put, a clean scan provides a company with one of two validation components of a very detailed standard.
Unfortunately, the focus on scanning as compliance has overshadowed the objective of the standard - the protection of cardholder data. This errant focus has led many to equate simple scanning with reducing the compromise risk in a given merchant portfolio. A brief overview of scanning can quickly undo that perception, however.
Vulnerability scans of the type required by the PCI DSS identify vulnerabilities at the network layer (also referred to as Layer 3 of the OSI model). They do not identify application layer (or Layer 7) vulnerabilities. Layer 7 vulnerabilities, such as SQL injection and Cross Site Scripting (XSS), account for the majority of identified data breaches. Merchants who have attended a recent Visa training session have heard an Aegenis founder, Chris Mark, state that "...over 65% of internet related data breaches are due, at least in part, to SQL Injection vulnerabilities."
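To make the Layer 3 versus Layer 7 distinction concrete, here is an added example (not code from the original article or from Aegenis) of the kind of application-layer flaw a network scan cannot see: a database lookup that concatenates user input into SQL, placed beside its parameterized counterpart. The in-memory SQLite table and the customer rows are constructed sample data; the function names are assumptions for illustration only. Because both versions listen on the same ports and run the same server software, a scan of the network layer reports them identically; only a review of the application code or a test at the application layer, such as the one below, distinguishes them.

```python
import sqlite3


def _make_db():
    # Constructed sample data in an in-memory database; not real merchant records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1234"), (2, "bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Application-layer defect: untrusted input is spliced into the SQL text,
    # so the database parses attacker-controlled characters as part of the query.
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    # Parameterized query: the driver binds the value separately from the SQL
    # text, so the input is only ever treated as data, never as query syntax.
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(email):
    # Returns how many rows each variant hands back for the same input.
    # For a well-formed address both return the matching row; for input that
    # contains SQL syntax only the concatenating version misbehaves.
    conn = _make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, email)),
        "hardened": len(lookup_hardened(conn, email)),
    }


if __name__ == "__main__":
    print(compare("alice@example.com"))   # {'vulnerable': 1, 'hardened': 1}
    print(compare("' OR '1'='1"))         # {'vulnerable': 2, 'hardened': 0}
```

A regression test of this shape, run against each code path that touches cardholder data, is the application-layer check that a quarterly Layer 3 scan does not provide; the remediation is the parameterized form, not a scan result.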
Given this information, one could be forgiven for asking how a determination can be made that a site is "safe" when the testing appears to be incomplete at best. Very simply, the designation is based on statistics. Of the myriad vulnerabilities that exist, only a small percentage are commonly used to commit "hacks." Many vulnerabilities do not provide the level of access or authority needed to compromise data. Knowing this, companies can scan for those vulnerabilities that are used in the vast majority of hacks. If the site is found to be free of those vulnerabilities that lead to 95% of the breaches, it can logically be deemed "safe", if "safe" means that you have statistically reduced the likelihood of a hacker accessing the network by 95%. It should be noted, however, that the standard statistics regarding "hacks" and the attacks used to perpetrate data theft within the payments industry are not always consistent.
There seems to be some blurring of the line, though, between diagnostic and preventative measures. As an example, imagine going to the doctor and the only test he or she performs is checking your blood pressure. Certainly blood pressure is a good indicator for a variety of ailments, but its ability to detect anything beyond the cardiovascular system is limited. One would not expect a physician to determine that a patient is safe from illness because their blood pressure is in the normal range. Additionally, a normal blood pressure does not indicate that one has no vulnerability to illness, only that one is not likely to be sick at that time.
In security, just as in health, the real way to decrease risk is education and implementation. A quick scan through major news stories related to breaches leads one to an obvious conclusion: though organizations may have security policies, their staff often either are not aware of them or simply do not follow them. In such an environment the risk of data loss is severe, despite the fact that the organization may have clean scans dating back eons. Again referencing the Visa merchant training, Mr. Mark is quoted as saying: "...when I worked at a major card brand I had the opportunity to review and analyze hundreds of data compromise cases within the payments space. I have never seen a data compromise occur because the firewall simply broke, or the intrusion detection system burst into flames. Without exception, human misconfiguration, mismanagement or error were the root cause."
The first step to really reducing risk in the merchant portfolio is ensuring that merchants are educated as to what they need to protect and how to take steps to truly reduce the risk of data compromise. Many Level 4 merchants lack the resources to understand or address many of the requirements contained in the PCI DSS. This lack of expertise does not excuse them from compliance and the responsibility to protect data. A campaign to educate Level 4 merchants in a concise manner that addresses their concerns makes the PCI DSS a more viable standard for them.
According to Wikipedia, education can be defined as the application of pedagogy, a body of theoretical and applied research that draws from many disciplines including psychology, neuroscience, computer science, and sociology. This entails much more than pointing learners to a website (or convincing them that scanning is the solution to all their problems); it means offering them a way of seeing the material that impacts them directly, allowing them to engage and interact with it so as to see how it applies to them and their circumstances. Education should be an ongoing process: as circumstances or requirements change, the education should be altered to reflect the change and to ensure that the merchant maintains an awareness of those changes. Once the merchant is educated about both the standard and why compliance is important, they can implement their preventative technologies in a much more effective manner.
Lest this article be seen as an attack on scanning vendors, it should be reiterated that scanning is a critical diagnostic component of an information security program. It should be used in conjunction with a variety of other measures, such as properly configured firewalls, IDS/IPS and other preventative technologies. However, equating a clean scan with measurable risk reduction is misleading. Scanning cannot prevent a breach from occurring. It can only inform us as to the existence of certain