PCI analysis: Marcus Ranum on why PCI DSS sets the bar too low
Date: Jun 12, 2014
"I think you need to look at this in the broader perspective," Ranum says, "which is that the bar was extremely low prior to PCI and SOX and some of these kinds of standards that came out, and they've pushed the bar up. So, we're off the floor -- we're maybe two feet off the ground. It's going to make it a little bit harder [to compromise] the mom-and-pop shops.
"Attackers going after Target, they're going to be fairly sophisticated and the defenses at Target are fairly sophisticated. What we really have to remember is that there are zillions of mom-and-pop stores out there that basically had no system logging, that had no segregation between their credit card systems.
"It's a low-level baseline. I used to describe PCI as the stuff that anyone in their right mind would have been doing all along. Once we've gotten everybody in line with all the sensible stuff that they should have already been doing, then we can start focusing on what's the next place to go."
Below is a transcript of the video.
Robert Richardson: Hi, I'm Robert Richardson. I'm the editorial director at SearchSecurity, and with me is Marcus Ranum, who is the CSO at Tenable. We were talking off camera a minute ago in the general vicinity of the Target hacks and the state of PCI in general, and I guess the question I have is: some people have said that if a really quite PCI-compliant company like Target, who appears to have taken a lot of safeguards, gets hacked, doesn't that say that PCI is not all it's cracked up to be?
Marcus Ranum: Well, I think you need to look at this in the broader perspective, which is that the bar was extremely low prior to PCI and SOX and some of these kinds of standards that came out. And they've pushed the bar up, so we're off the floor, we're maybe two feet off the ground and it's going to make it a little bit harder for the mom-and-pop shops.
Attackers going after Target, those are going to be fairly sophisticated, and the defenses at Target are fairly sophisticated. What we really have to remember is that there are zillions of mom-and-pop shops out there that had no system logging, that had no segregation between their credit card system, that basically had no security. So we've pushed things in the right direction.
Richardson: So is the idea then that we need to crank it up another notch and get three feet off the floor? There's sort of two versions. One is PCI is the wrong approach, or compliance in that sense is the wrong approach, or that we've made a start, but it'll take us a long time to get to something really meaningful.
Ranum: Well, again I think it's a low-level baseline. I used to describe PCI as the stuff that anyone in their right mind would have been doing all along. And once we've gotten past that, once we've had everybody in line with all the sensible stuff that they should have already been doing, then we can start focusing on what's the next thing, what's the next place to go. Maybe it's a bad analogy, but think about automotive safety.
Once you've got everybody wearing their seat belts then we can start talking about front impact airbags and then we can start talking about side impact airbags, and then we can start talking about maybe not letting people who are young and stupid drive extremely powerful cars. We have to approach these problems as a moving target because that's what they are.
Richardson: This could mean that Target was the target. Right? There's a certain irony there. But I guess in terms of the automotive analogy, yeah, we never got to a point where we somehow expected that people wouldn't still die in automobile accidents.
Ranum: Right and that's the thing. Nobody is sitting there and saying, "Oh, geez! You know, this guy died in an automobile accident. Let's throw automotive safety completely out the window and go back to the 1960s where your face hit the dashboard every time you drove into the ditch after you'd had a couple of beers too many."
I think we're pushing things in the right direction. There's a tremendous amount of waste and there is also a lot of... What is it that the economists like to say? Unforeseen externalities and strange responses. It has created industries that maybe we really don't need, like the mass of penetration testing industry. I'm not a big fan of that, but there's all kinds of stuff that comes along with it, and I think that will really sort itself out in time. As we get enough of this going we'll be able to learn what works and what doesn't, and hopefully we'll be able to focus on it.
Richardson: Quick question. If you could add one thing to PCI, one element, what would it be?
Ranum: Ooh! Well, I think the one element I would want to see people add would be better capabilities for understanding the degree to which an exposure happened when it was happening, which I don't want to use the word forensics, but this boils down to not just having system logs but to having some kind of activity logs in your transaction system so that you could see how many transactions were exposed during the course of a breach. And the big organizations that are taking this stuff seriously like Target, they have that kind of information. It's the people who are kind of lower on the spectrum that don't have that.
And then the other problem is, I think, most organizations really don't have the forensic response capabilities to be able to pull things together and do that kind of analysis. So right now, that's become a huge market for sort of an outsourced business model.
Richardson: Well, it'll be interesting to see where it goes. In the meanwhile, Marcus Ranum, thank you so much for joining us.
Ranum: Always a pleasure.
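Ranum's one addition to PCI is a transaction-level activity log that lets a breached merchant answer "how many transactions were exposed, and when" rather than only "a host was compromised". The script below is an added example, not part of the interview and not any vendor's tooling: it takes a constructed sample of such an activity log (the timestamp plus key=value format is an assumption for this example), a breach window established by the incident responders, and optionally the set of terminals known to be compromised, and it returns the count of distinct transactions whose card data was read inside the window, broken down by terminal. It also tallies lines it could not parse, since gaps in the record are themselves a finding during scoping.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of a transaction-system activity log. The record layout
# (UTC timestamp followed by key=value fields) is an assumption made for this
# example, not a format taken from any real point-of-sale product.
SAMPLE_LOG = """\
2014-02-27T08:00:00Z txn_id=1000 terminal=POS-01 action=card_read pan_last4=0001 status=ok
2014-03-01T09:15:02Z txn_id=1001 terminal=POS-03 action=card_read pan_last4=4242 status=ok
2014-03-01T09:15:04Z txn_id=1001 terminal=POS-03 action=authorize status=approved
2014-03-02T12:00:10Z txn_id=1002 terminal=POS-01 action=card_read pan_last4=1111 status=ok
2014-03-02T12:00:12Z txn_id=1002 terminal=POS-01 action=authorize status=declined
this line is not a valid activity record
2014-03-03T17:45:00Z txn_id=1003 terminal=POS-03 action=card_read pan_last4=9999 status=ok
2014-03-05T10:00:00Z txn_id=1004 terminal=POS-02 action=card_read pan_last4=5555 status=ok
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def utc(s):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into a tz-aware UTC datetime."""
    return datetime.strptime(s, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, fields) for one record, or None if the line is malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = utc(parts[0])
    except ValueError:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if "txn_id" not in fields or "action" not in fields:
        return None
    return ts, fields


def exposure_summary(log_text, breach_start, breach_end, terminals=None):
    """Count distinct transactions whose card data was read inside the breach window.

    breach_start is inclusive and breach_end exclusive (both tz-aware datetimes).
    terminals, if given, restricts the count to terminals known to be compromised.
    Only 'card_read' events count as exposure; authorizations reference the same
    txn_id and would otherwise double-count a transaction.
    """
    exposed = {}  # txn_id -> terminal that read the card
    first = last = None
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1  # unparseable records are reported, not silently dropped
            continue
        ts, f = rec
        if f["action"] != "card_read":
            continue
        if not (breach_start <= ts < breach_end):
            continue
        if terminals is not None and f.get("terminal") not in terminals:
            continue
        exposed[f["txn_id"]] = f.get("terminal", "unknown")
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    return {
        "exposed_count": len(exposed),
        "by_terminal": dict(Counter(exposed.values())),
        "first_exposed": first,
        "last_exposed": last,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    # Breach window as established by the responders (constructed for this example).
    window = (utc("2014-03-01T00:00:00Z"), utc("2014-03-04T00:00:00Z"))
    print(exposure_summary(SAMPLE_LOG, *window))
    print(exposure_summary(SAMPLE_LOG, *window, terminals={"POS-03"}))
```

The point of keeping per-transaction events, rather than only host syslog, is that the scoping question can be answered from the merchant's own records instead of being reconstructed by an outside forensic firm after the fact, which is the outsourced model Ranum describes.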