I must admit that I don’t follow this kind of news as closely as some others in the industry. However, I recently became aware of the ongoing legal action by Merrick Bank against the IT consulting firm Savvis for negligence and negligent misrepresentation in certifying CardSystems as CISP compliant. This in itself wouldn’t be important news in my view, as companies seem to sue each other at the drop of a hat these days. However, the details of the case interested me enough to read a little further.
The case came back into the limelight in the past few weeks after the federal district court in Missouri transferred the case to Arizona. To give the brief 30-second overview: Savvis was retained by CardSystems in 2004 to validate their systems as CISP (Cardholder Information Security Program*) compliant. Less than a year after being given the green light by Savvis, CardSystems was breached, resulting in the compromise of up to 40 million credit card numbers. This in turn cost Merrick Bank (a customer of CardSystems) over $16 million in costs. Not a small amount by any means.
However, this is all in the past, and there are various places on the web where you can find much more in-depth information about the breach and the case. What I want to talk about is the validity of security checks and compliance. I’m a supporter of anything that convinces management to think about security. The debate about whether the PCI standard has helped or hindered security is something I’ll leave to the people who like to argue such things. However, like any security check, penetration test, vulnerability scan or audit, the results (and therefore the compliance stamp that goes with them) only tell you what the security was like at a single point in time. Having regular checks can help you build a view of your security over a longer period, but you can never say with 100% certainty what the company’s exposure was between two of those time-points.
I’ll give you an example. If company ABC requests a penetration test of their systems, the people performing the test (XYZ Labs) can only check for known issues, configuration flaws, business logic flaws, published vulnerabilities, and sometimes unpublished vulnerabilities. Even if the company requests that XYZ Labs perform a regular test every 3 months, they can never be sure that between penetration tests they remain 100% secure. It comes down to the simple fact that defending a network is much harder than attacking one. It’s a simple equation. To defend your systems you need to make sure that every system in that network (or that could be attached to that network) is fully protected, patched, properly configured and monitored 24 hours a day, 7 days a week, 365 days a year. For an attacker to win, they simply need to find a single system on the network that has a weakness. That could be a configuration problem, an unpublished exploit (zero-day), or a weak link (social engineering, client-side attack, test system exposed to the internet). The possible attack vectors are wide and varied. They are also not all covered by the standard scanning techniques used by most Approved Scanning Vendors.
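To make the point-in-time problem concrete, here is an added example (my own illustration, not code from the original post or from any of the companies mentioned): it takes the state recorded at audit time as a baseline and compares it with a later snapshot, reporting the drift that a quarterly check would miss in between. The hosts, ports and patch identifiers are constructed sample data, and the `HostState` structure and function names are assumptions made for the illustration.

```python
"""Detect configuration drift between an audit-time snapshot and a later one.

Added example; the host names, ports and patch IDs are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostState:
    """Minimal per-host record as an auditor might capture it (assumed shape)."""
    name: str
    open_ports: frozenset
    patches: frozenset        # identifiers of patches confirmed installed
    internet_facing: bool


def diff_snapshots(baseline, current):
    """Compare two {host_name: HostState} snapshots and return drift findings.

    new_hosts:     hosts present now that did not exist at audit time
    new_ports:     (host, port) pairs opened since the audit on known hosts
    lost_patches:  (host, patch) pairs recorded at audit time but absent now
    newly_exposed: hosts that were internal at audit time and are now public
    """
    findings = {"new_hosts": [], "new_ports": [], "lost_patches": [], "newly_exposed": []}
    for name in sorted(current):
        now = current[name]
        if name not in baseline:
            findings["new_hosts"].append(name)
            continue
        then = baseline[name]
        for port in sorted(now.open_ports - then.open_ports):
            findings["new_ports"].append((name, port))
        for patch in sorted(then.patches - now.patches):
            findings["lost_patches"].append((name, patch))
        if now.internet_facing and not then.internet_facing:
            findings["newly_exposed"].append(name)
    return findings


def missing_required_patches(snapshot, required):
    """Return {host: sorted missing patch IDs} for hosts lacking any required patch."""
    gaps = {}
    for name in sorted(snapshot):
        missing = sorted(required - snapshot[name].patches)
        if missing:
            gaps[name] = missing
    return gaps


# Constructed sample data: what the auditor saw, and what the network looks
# like a few weeks later after "I'll do that change control tomorrow".
AUDIT_SNAPSHOT = {
    "web01": HostState("web01", frozenset({80, 443}), frozenset({"KB001", "KB002"}), True),
    "db01": HostState("db01", frozenset({1433}), frozenset({"KB001", "KB002"}), False),
}
LATER_SNAPSHOT = {
    "web01": HostState("web01", frozenset({80, 443, 3389}), frozenset({"KB001", "KB002"}), True),
    "db01": HostState("db01", frozenset({1433}), frozenset({"KB001"}), False),
    # a test box stood up after the audit and left reachable from the internet
    "test01": HostState("test01", frozenset({22, 8080}), frozenset(), True),
}
REQUIRED_PATCHES = frozenset({"KB001", "KB002"})


def run_drift_report():
    """Produce the drift findings and patch gaps for the sample snapshots."""
    drift = diff_snapshots(AUDIT_SNAPSHOT, LATER_SNAPSHOT)
    gaps = missing_required_patches(LATER_SNAPSHOT, REQUIRED_PATCHES)
    return drift, gaps


if __name__ == "__main__":
    drift, gaps = run_drift_report()
    for key, items in drift.items():
        print(f"{key}: {items}")
    print(f"missing required patches: {gaps}")
```

The audit-time snapshot passes cleanly, yet a few weeks later the same comparison shows a new remote-access port on the web server, a patch that was rolled back on the database host, and an unpatched test box that nobody told the auditor about. Running this kind of comparison continuously (daily, or on every change) is what narrows the gap between the two time-points the post describes; a quarterly scan alone cannot.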
How does this fit with Savvis, CardSystems and Merrick Bank? It’s simple. Like any other IT consultancy, Savvis were paid to come in and review security with CISP compliance in mind. They performed that task, certified CardSystems according to the standard and moved on. Savvis were not charged with maintaining the ongoing level of security at CardSystems in a hands-on role. So does this mean that Savvis are now responsible for any future security blunder made by the IT staff at CardSystems? They may, or may not, have been charged with scanning the network on a quarterly basis. However, as anybody who’s compared a vulnerability scan to a penetration test knows, scanning is only part of the battle. I’m not aware of any company doing compliance checks that offers a 12-month money-back guarantee on your company’s security. How could they? After all, their security checks, on the audit side as well as any vulnerability scanning or penetration testing (if performed), can only show the current state of security within that organisation. If CardSystems was like any other company, they probably even worked especially hard during the audit periods to improve the level of security and follow the processes exactly as they should, showing their ‘A’ game to make sure that the compliance went smoothly. Some would say that a company will never be as compliant as it is during the audit, for this very reason. It’s easy, when nobody is looking over your shoulder, to fall back into bad habits. I’ll do that change control tomorrow; it’s only a test box, so no need to patch it as often. We’ve all done that at one time or another, through laziness or pressure from management to fit in too much work before the long weekend.
I’m not a lawyer, and I don’t play one on television either (although I am available to audition should the right role come up). However, I hate to see companies like Savvis get blamed for something they may well have had no control over. Then again, maybe the evidence in the case proves that Savvis is to blame. I can only go on the little information I have.
* For those not in the know, the CISP requirements were incorporated into an industry standard known as the Payment Card Industry (PCI) Data Security Standard.
Links (further reading):
http://blog.subjunctive.com/ –> Grave Concerns Blog
http://www.finextra.com/community/fullblog.aspx?id=2905 –> Finextra.com