“There is no fate worse than being continually under guard, for it means you are always afraid.” - Julius Caesar
On March 28th, Global Payments, Inc., one of the world’s largest payment processors and a Fortune 1000 company, announced that it was the victim of a data compromise. Initial reports indicated that as many as 10 million credit and debit cards may have been exposed, though more recent reports put the number at about 1.5 million. The stolen data included sensitive data known as Track 2 data. Every payment card magnetic stripe contains 3 different tracks of information. Track 1 and Track 2 are used for either credit or debit card processing (in some cases both) and contain sensitive authentication data elements used for face-to-face transactions. Obtaining this data allows data thieves to counterfeit the actual cards and use those counterfeits for retail purchases. While Global Payments is currently damned to wear the scarlet letter of non-compliance and insecurity, they are not the first organization to be in such a position and they are in good company.
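Because stored Track 2 data is exactly what a thief needs to counterfeit a card, a defender wants to know whether it exists anywhere it should not. The scanner below is an added example, not code from the article or from Global Payments: it finds ASCII-rendered Track 2 records in text, drops Luhn-invalid false positives, and reports only a masked PAN. The log lines are constructed, and the PAN is the well-known test number 4111111111111111.

```python
import re

# Track 2 in its usual ASCII rendering: ';' start sentinel, PAN (13-19 digits),
# '=' field separator, expiry as YYMM, 3-digit service code, discretionary
# data, '?' end sentinel. Sample lines are constructed further down.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; a finding must not re-expose the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Report every Luhn-valid Track 2 record found in text, one dict per hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            if not luhn_ok(m.group("pan")):
                continue        # digits that only look like a PAN: ignore
            hits.append({
                "line": lineno,
                "pan": mask_pan(m.group("pan")),
                "expiry": m.group("exp"),
                "service_code": m.group("svc"),
            })
    return hits


# Constructed sample: an application log that should never hold track data.
# Line 1 carries a test PAN; line 2 fails Luhn and must not be reported.
SAMPLE_LOG = (
    "2012-03-28 10:01:02 auth req raw=;4111111111111111=25121011234567890?\n"
    "2012-03-28 10:01:03 auth req raw=;4111111111111112=2512101?\n"
    "2012-03-28 10:01:04 auth ok ref=00012345\n"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print(hit)
```

A hit means sensitive authentication data is being retained after authorization, which PCI DSS forbids; a clean run says nothing about the rest of the environment.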
Since 2003, the Payment Card Industry has seen major data compromises victimize numerous companies such as Data Processing Incorporated (DPI), Card Systems Services Incorporated (CSSI), Heartland Payments Systems, RBS WorldPay, TJX, Hannafords and Michaels, just to name a few. Outside of the payment card industry, companies such as Sony, Epsilon, the Veterans Administration, NASA, Stratfor, RSA, Lockheed Martin, the International Monetary Fund (IMF) and others have also been breached and had data stolen. While some reading this may be shocked, those who have worked in data security for any length of time have become inured to the carnage. In a recent interview, former CyberTerrorism Czar and cyber security expert, Richard A. Clarke, stated: “…every major company in the United States has already been penetrated by China.” [1] RSA’s CEO took the stage and ominously informed the crowd: “Our networks will be penetrated. We should no longer be surprised by this.” He further stated: “The reality today is that we are in an arms race with our adversaries and right now, more often than not, they are winning.” [2] This is the unfortunate world in which U.S. corporations and government organizations find themselves today.
In 1983 the Department of Defense published the Trusted Computer System Evaluation Criteria (TCSEC), more commonly known as the Orange Book. In 1995 the British Standards Institute published BS7799, which was one of the first standards for information security management. By 1998 the standard had been adopted internationally as ISO 17799 and was then replaced in October 2005 by ISO 27001. In 2000 Visa USA began development of the Cardholder Information Security Program (CISP). This was a standard that incorporated 12 high-level requirements known informally as the “Digital Dozen.”
By 2006, the CISP had been adopted by all of the major card brands as the newly minted Payment Card Industry Data Security Standard (PCI DSS). While the list of computer and data security standards continues to grow, the objectives are all similar. Each standard is intended to address a particular industry, segment or group and assure a consistent level of security within the systems, networks and applications. While many will debate the efficacy or applicability of a given standard, it is difficult to argue with the objective of ensuring a consistent, minimum level of security within each industry or segment.
That being said, there are three primary challenges with the information security paradigm of today. First, the general belief among many companies is that compliance with whichever standard is applicable to their particular company is all that is necessary for security.
The concept of risk-based information security seems to have become, to some organizations at least, an afterthought. The mindset being that “if my company is compliant with the (insert standard here), then we are adequately secure.”
It is unfortunate, but this mentality is often inadvertently perpetuated by the very standard seeking to increase the level of security.
The second challenge comes from the standards themselves. Much like military doctrine, they are often based upon static, outdated technologies, processes and methodologies. Many of the standards, like the PCI DSS, for example, were created when the Internet was still nascent and the threatening adversaries were not as skilled, as motivated or as experienced as they are today. Standards, while valuable, are simply tools intended to assure a minimum standard of compliance across a large population of companies and should not be viewed as dogma or doctrine for a comprehensive security strategy.
Using an example from history, Napoleon defeated the mighty Prussian army at the battles of Jena and Auerstedt in 1806. The defeat subjugated the Prussians to harsh French rule. As Clausewitz explained, the French Grande Armée, being flexible, maneuverable and fast, was able to defeat the Prussian army, which was hampered by layers of bureaucratic leadership and laboring under outdated strategies and tactics. This, unfortunately, is the problem with the security posture of many companies today: dogmatically following a rigid, often outdated, standard to secure their environment while the adversary studies the same standard and identifies weaknesses in the defense.
The final challenge is that companies are not in an arms race with their adversaries; rather they are relegated to a purely defensive strategy. The term "defense" is used to refer to a non-threatening strategy for responding to threats made by an opponent. While a cybercriminal can launch a Distributed Denial of Service (DDoS) attack against a corporation, the corporation cannot legally or ethically respond in kind. This is the very definition of asymmetric threats as posited by Primerman. [3] By being placed in a purely defensive position, companies are forced to adopt the fortress mentality. When the proverbial barbarians are at the gate, their only option is simply to build a moat or a stronger gate. When they scale the walls, the companies must build higher walls. When the walls are threatened by trebuchets or catapults, they must build thicker walls. There is no option for a counterattack to deter the aggressive behavior. This cycle repeats again and again until the aggressor finds a way to exploit a vulnerability in the defenses and gain a foothold.
Referencing a previous statement from RSA’s CEO in which he says: “The reality today is that we are in an arms race with our adversaries, and right now, more often than not, they are winning.” It is prudent then to ask, in light of the previous arguments, whether we are actually in an arms race. An arms race suggests that two adversaries are in a race for the most advanced and most lethal arms. These arms provide an offensive capability and deter the other side from acting in a manner contrary to their adversary’s interests. An arms race does not suggest that one side is hiding in a foxhole digging deeper and deeper in an attempt to protect its interests. In today’s environment, companies are relegated to a solely defensive position, thus negating the idea of an ‘arms race’. A more accurate description would be a game of cat and mouse, in which the cat continually sharpens its claws and practices its hunting skills while the mouse can only resort to hiding or other defensive measures. Adding to this situation is the reliance upon often outdated, static standards that dictate how the mouse will hide or act. The end result is that companies will ultimately lose the game. It may not be today, it may not be tomorrow, but it is a matter of time. A purely defensive position cannot be defended ad infinitum against a skilled, determined attacker. A hacker I know explained his strategy to me this way: “To keep me out of your network you have to find and fix every single vulnerability. You have limited resources. People want to go home at night and you only have so much money. I only have to find one vulnerability and all I need is time. It may take a month or a year, but I will eventually find the hole.” This is the reality of cyber security today.