
PCI 2.0: Still Compromising Controls and Compromising Security


Formal Metadata

Title
PCI 2.0: Still Compromising Controls and Compromising Security
Title of Series
Number of Parts
122
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
https://www.defcon.org/images/defcon-19/dc-19-presentations/PCI-PANEL/DEFCON-19-JackDaniel-PCI-2-PANEL.pdf

Building on last year's panel discussion of PCI and its impact on the world of infosec, we are back for more, including "actionable" information. Having framed the debates in the initial panel, this year we will focus on what works, what doesn't, and what we can do about it. Compliance issues in general, and PCI-DSS in particular, are driving security in many organizations. In tight financial times, limited security resources are often exhausted on the "mandatory" (compliance) at the expense of the "optional" (actual security). We will focus on the information needed to reconcile these issues, and encourage the audience to continue the discussion with us.

Jack Daniel is old, and has a Unix Beard, so people mistakenly assume he knows stuff. He still makes no attempt to correct this gross misunderstanding. Jack has proven himself to be an inciteful moderator on compliance topics. He has many years of network and systems administration experience, and a bunch of letters after his name. Jack lives and breathes network security as Product Manager for Tenable.

James Arlen, CISA, sometimes known as Myrcurial, is a cyber-security cyber-consultant usually found in tall buildings wearing a cyber-suit, founder of the Think|Haus hackerspace, columnist at Liquidmatrix Security Digest, Infosec Geek, Hacker, Social Activist, Author, Speaker and Parent. He's been at this security game for more than 15 years and loves blinky lights and shiny things. Cyber.

Joshua Corman is the Research Director for Enterprise Security at The 451 Group and founder of RuggedSoftware.org. A passionate advocate for the security practitioner, he is known for his candor, intellectual honesty, and willingness to challenge the status quo, tackling topics like his 7 Dirty Secrets of the Security Industry and Is PCI the No Child Left Behind Act for Security?

Alex Hutton likes risk, critical thinking, and data. He writes for newschoolsecurity.com dub cloud.com, and Verizon's security blog.

Martin McKeay is the host and author of the Network Security Blog and Podcast. He is a well known expert in the field of PCI and has worked as a QSA for over four years; he's seen the security that compliance can encourage, as well as the lengths people will go to in order to avoid implementing real security. He is an advocate for PCI and compliance while recognizing its limitations, a dichotomy that sometimes threatens his sanity.

Dave Shackleford is a SANS Analyst, instructor and GIAC technical director. He has consulted with hundreds of organizations in the areas of regulatory compliance, security, and network architecture and engineering. He's worked as CSO for Configuresoft, CTO for the Center for Internet Security, and has also worked as a security architect, analyst, and manager for several Fortune 500 companies.
Transcript: English (auto-generated)
Greetings folks. Um, PCI 2.0. I still feel really dirty. Um, we're talking about PCI at DefCon. What the fuck? I mean seriously what the fuck? Again, this is the worst part. Um,
last year a few of you actually saw the beginning of this in the hacker space at ShmooCon and then here, um, man, this is disgusting. Somebody's, somebody is sodomizing, uh, the fun of our industry. It's Bob Russo. Uh, and, and a few other people. Uh, so, I don't know
what the state of Twitter is and I don't know where my pants are and my cell phone is in my pants and that's how I follow Twitter. So, uh, but. Well, we, we'd intended to have another screen up with the Twitter thing so that you could all be making fun of us, but it turns out that we only use the second screen for the game show thing and. These people
don't need Twitter or another screen to make fun of us. Good point. All heckling must be done live and in person. Feel free to heckle on Twitter if AT&T has any packets moving for your phone. So, yeah. Compliance is changing the way companies do security. That's changing the way we attack them and the way we defend them. Um, I need to
make a quick disclaimer before we get into the official disclaimer. PCI is awesome. Uh, DISA STIGs are awesome. Uh, CIS standards are awesome because it got me an awesome cool job this year with a cool company making even more money. Having even more fun, um,
drinking at Def Con. And any of you that aren't making more money, haven't got a new job, aren't having fun in the business or doing it wrong. Um, I don't know how long it's gonna last. We should have some fucking fun with this while it lasts. Um, but moving on, PCI at Def Con again. Hey, raise your hand if you saw the PCI Def Con talk last year.
I'm sorry. Wow. So, here we are, this is a bunch of crap, you know who we are. Sexy Dave Shackleford, Josh Corman, Myrcurial, who's always on stage today. Somewhere. Uh, Alex Hutton and, uh, Martin McKeay. Uh, usual disclaimers, we do not speak
for our employers, clients, yada, yada, yada. The dog will back me up as long as I take her out for bagels and coffee in the morning and she's more interested in the bagels. Uh, these are our opinions. Facts are as we see them. We are not lawyers. The ex-QSAs on
this stage are not your ex-QSAs. However, as I like to remind them, QSA, um, PCI is kind of like the blood in Macbeth. You can pretend to wash it off, but you never come clean. So deja vu all over again. Here we are again. Last year we talked about a lot
of PCI issues. This we, this year we want to give you something to move forward with. What's changed? 2.0 baby, three year cycle. Um, three year cycle. That's, that gives us time to, uh, get thoroughly owned. Nothing has changed. Um,
wait, no, it's, there's a new number. No, I've looked at the numbers. Look, I'm a product manager for a company and when we make big changes, we shift like it like a decimal point and stuff because it tells people that something happened that we're proud of our work. But the peace and the PCI
council is some smart people who are incestuous with the scanning industry. Oh shit. Um, no, Jack, Jack, Jack, remember the PCI panel doesn't, I mean the PCI council does not work like other corporations. When they change to 2.0, they say we're going to freeze things exactly like they are right now for three years and not change a thing. If only Congress worked
that way cause you know, PCI council, when they're bought, they stay bought. So what is new in 2.0 Martin? Nothing? Very, very little that's of importance other than the things that are not actually written in the, um, PCI 2.0.
Wasn't there some, some virtualization? I mean that's new technology, right? I'm waiting for the, uh, the working, I'm working for the, the, the working group on OS/2 Warp is almost done, right? So last year 2.0 was new, it was fresh,
it was sexy, it was frustrating, it was lacking in concrete guidance. Uh, um, thankfully mobile devices don't count. Um, none of us carry anything more powerful than a laptop we got issued by corporate two years ago in our pocket. If we knew where our pants were, we'd know where our pockets were. Um, so where the hell are we now? Do you want my pocket? Do you know where that's
been? Speaking of which. Okay, so. Go ahead. Wrong way. Wrong way. I know, I don't
know. So, uh, who, who wants to talk? Uh, Mr. Corman. Mr. Corman, do you have any opinions about PCI? So, without rehashing everything, I mean, I'm, uh, just a level set. Um, about a year and a half ago, I compared PCI to the No Child Left Behind Act for IT security. And then, uh, we had a bunch of debates and dialectics and I think we did
some pretty good discussion. We got, you know, I created an enemy, Mike Dahn, then we hugged it out for charity and now we're pals and. No tongue. No tongue. Um, but we, um, I think we advanced the discussion a lot. We took it from blind hatred or blind faith to some sort of informed discussion. But, um, the other guy who did the Verizon DBIR is going to say some more things, but I have three slides from this
year's DBIR. So first off, if Bob Russo is going to stand on the, the deck of an aircraft carrier, this is the mission accomplished flag. He will fly behind him. And basically it's because if you look at the sheer number of breached records each year, um, the high was 2008 with 360,000 and yes there's selection bias and yes it's just
Verizon and US Secret Service and Alex will cover that. But we dropped 100 fold in two years. That's, that's three. 360 million. Wait, no, wait, wait. No, no, wait for it. So. Wait for it. So although we dropped from 360 million breached records down to 3.8 million, you know, that, that's 100 fold drop. Um, but remind, I might need to
remind you that my mother in law's credit card as a record counts the same as the F-35 Joint Strike Fighter plans. So this has led lots of fanboys to say mission accomplished, right? PCI is working. Now there's all sorts of things that we don't have enough data for, but another fact is, you know, the street price of a credit card has dropped
about 100 fold as well. It's not causation, but, you know, we have to look at this in the big picture. So click one more time. Please. I'm supposed to do my job? So thanks to the really good work that, now that we're measuring things and capturing what we can, I did a little year to year comparison. So the number of breaches went way
up. We went from 141 to 761. And at the same time, the number of records went way, way down. Well, that, that's important, Josh. So right, everybody think about risk. Risk is both impact records and frequency. Risk has nothing to do with PCI. Now we're just trading, um, records for a greater frequency, a huge increase in
frequency. So lots more failures, but lots smaller, which should make us feel good. But when you dive into the types, and this is really important, the intellectual property went from 10 fails to 41. National security data went from 1 to 20. It's, you can read for yourself, right? So some of these higher value targets, um, I used to usually draw a
continuum on one end is highly replaceable, and on, on the other end is irreplaceable. And credit cards tend to be fairly replaceable, low value. So there are shifts and there are changes, and we know about them because the DBIR is measuring them, and we're looking for year to year trends. But I didn't get comfort and mission accomplished, I saw that there's some much more serious failures. One more, I
think? So, you know, in parallel, we keep talking about is it working or isn't it, but the scope of PCI is regulated card data. Um, in parallel with that, we saw a lot more intellectual property theft, whether it was Google Aurora, you know, or cyber kitten killing APT nonsense. Um, RSA security is a big frickin' deal, right?
I just killed several cats. You know, we, in parallel with PCI being debated, or isn't it working, I think it's an irrelevant question, because we now have much more serious espionage on the one hand, which has nothing to do with PCI. And we have, um, the
Anonymous and LulzSec debate like we had earlier today, which is, they could care less that you're PCI compliant. So it's a slight, it's a small slice of the overall risk management that's taken way too much of our risk time and budget. So with that, I'll transition to, uh, well, Alex. No, seriously, because I mean, you know, well, and Josh
and I have had our discussions here, but I mean, despite the catastrophic loss of people's PlayStation network access, realistically, you know, impact to me has to have some more tangible meat to it, so we'll, uh, we'll hold that thought for a minute. Uh, it's Alex's
slide next. So it's not all bad, and you can hand me the pig if you want, but the truth is, as much as we hate to admit it, um, PCI really has kind of moved us forward. Um, there are a bunch of people that would do nothing if it weren't for the
threat, um, and so it's moved us forward. And we can't forget that. And one of the things we can't forget that, um. Yeah, but Jack, Jack, I mean, I've, I've looked at some of the data, and 2010 versus 2011, I don't, or actually I should say 2009 versus 2010, I
think we've quit moving. That, that, that's entirely possible. We, we could have, um, we, there was some movement, and, you know, one of the things that needs to be said, and Mike's not here, but one of the points that gets made by people that defend PCI, and they have a valid point, is that if I am an irresponsible merchant, you, as a
responsible merchant, can get sodomized by my bad practices, because I lose a bunch of credit cards, and somebody uses them at your shop, you're out the money. Because, um, as Mr. Arlen pointed out eloquently last year, this is not an egalitarian system. This is a
group of, um, thugs, hoodlums. I think, I think Jamie is, criminals? I, I think it's important to note that the, the, the people who promulgate the problem, and, and the problem is a system that was designed, designed in the 50s, um, in order to make it easy to pay for your restaurant and hotel
meals when you're away from your home, um, is no longer sufficient when you have to, wow, that's a weird echo. It's really weird. Uh, when you have to deal with. The monitors are coming in and out. If anyone in AV cares, the monitors are coming in and out. I think they're doing that to us on purpose. Um, the, the, the issue though really is that the system was designed from an IT perspective in the dawn of time,
and no significant movement has been made to take advantage of any new technology. You know, you can say that adding CVV was a real win, and CVV2 is so much better, but 16 digits plus expiry plus CVV plus whatever other fraud controls we try to tack onto the
backend, you still have to pick up a copy of the operating regulations and look at them and say, you know what? Every time someone in this casino asks me to see photo ID to go with my visa card, they're violating their merchant agreement, makes me want to scream my frickin' head off. Because they're not paying attention to the
operating agreement, why the hell are they gonna pay attention to PCI? They've been one of their customers, and the only way you can acquire the solution to their problem is by being one of their customers. I, I know people who do this. They also offer you cement shoes as an option. Can I ask a question to the crowd before we let,
um, Alex say intelligent things? Everybody down on that? Not, not that this isn't intelligent, of course, but, but I'm just, I'm just curious. Oh, nice, nice. Um, so, because I think it's important to level set. I think it's easy for a bunch of people to
get up on a panel and kind of rant about something and go, ah, this sucks and, you know, we're all kind of disgruntled, ranty security people. Um, but, just to get a show of hands if anybody's brave enough, would any of you actually go so far as to say that the institution of compliance mandates such as PCI with its structure and everything else has
somewhat improved perhaps your budgeting ability and or potentially your entire security program? That's a pretty damn good number actually. I mean, that, which goes to say that just getting up here and, and bitching about the existence of it is not probably a great idea.
So, Alex? Thanks Dave. Uh, one of the cool things about my last job was I got to be neutral. I got to play actual researcher, which was kind of hot. Um, and we took a look at a
couple of things. First, we looked at incidents, right? The actual outcomes. We didn't have these massive inventory sessions about does it make you secure or not secure? We looked at the outcomes. Um, the second thing is we looked at, um, our customers, um, and we looked at how difficult it was for them to actually become and maintain compliance. So
two separate reports that we did really examining this stuff. These pie charts, sorry, everybody who likes Stephen Few. These pie charts are showing you that it's not easy to become compliant. If you don't know what an IROC is, um, I don't know why you're here. No, um, it's an initial report on compliance. Okay? Um, what these pie charts are
showing is how difficult it is to even, if you say, once you call, well, Martin in his past life and other QSA's and say, okay, we think we're ready for an IROC. Hooray. This is what you end up with, at least with us as a QSA. Next slide.
And I wrote about 10 to 20% of the reports that that is based on. So in a previous life, right? So, so yay, it's hard. So is it worth it? Next slide. We have no idea, right? We don't know how to measure secure.
There are no secure units. We have indicators, we have shadow metrics that we can start thinking about, but it's a pain in the ass. Um, so what we can do is look at the data. Next slide. All right. And we can look at this. Essentially, when we talk about the outcomes, we talk about what's happening in the threat landscape, right?
First, is it a targeted or opportunistic attack? Um, year over year we see an 80 20 split weird way that nature works, right? We see an 80 20 split between targeted and opportunistic attacks. Yeah, it's a subjective measurement.
All measurements subjected to some degree get over it. Second, we ask our incident response guys to characterize the attacks. We give them some guidelines and so forth. And generally they're mostly moderate low to none. Um, just to give you a kind of a thumbnail there, low is something that even Josh and I could carry out. Next slide.
80. Next slide. All right. So what do I mean? And this is where this sort of, uh, if you'd start arguing with me about, well, GPCI, PCI doesn't mean you're secure. Um, this is the first, it doesn't fricking matter slide because what we found when we, when we really looked at incidents is that if you have default credentials on
your point of sale system, right, you're going to get breached. You're already breached. If you have Micros anywhere in your username or password, all right, and you've got that as a point of sale vendor, for example. So take a look here. This is just very simple basic stuff that PCI compliance should have,
go back to the opportunistic and targeted should have, if it were in place, perhaps driven the attacker from opportunistic to targeted. So the point being 80% of the time people screwed up. We screwed up somehow. Either we didn't educate the customers,
the customers got lazy because we're not educating them. We had a problem where we deployed something that was just variants from good practices or standard practices or whatever you want to call it, cause it. But none of this stuff is 0-day, right? None of this stuff is particularly tricky. Next slide. Alex, can I ask you a quick question to the audience? Yeah.
How many of you have been out on the casino floor and notice that the POS systems have been down several times? I mean, not that that's unusual during Def Con, but it might show a little bit of a microcosm of PCI. Not just POS here though, right? It's not single point.
It's not just entire corporate networks throughout the city of Las Vegas have been going down when individual systems have gone down. But it's not, according to what I've heard, it's not even just, just specific to us. Apparently there's five or six different casinos that their POS systems go
down all at the same time for five or six hours. So what does that tell you? Maybe they have the same service provider that is really screwing up the back end. That way all the failure is in one place. That's kind of handy for us, right? Yeah. Before I advance the slide,
I do want to say one thing about the simple versus one of the things that Josh has made very clear in a variety of presentations and several of us have is that, you know, years ago we used to say you only had to outrun the bear and whoever you were with might be kind of fat and slow and they would feed the bear. There are too many bears now,
but one of the things that this shows is you should tie your shoelaces cause there's no point in tripping over your own damn shoes and making it easy for the bears. Um, the bears like us, uh, lean and having run and healthy, you know, um, uh, so there I'll shut up.
I can hear y'all repeat it. Just yell. So what is the point of PCI other than reinforcing common sense? Right. So it's, do you remember Jack said common sense has nothing to do with PCI. Let's repeat the question. Repeat the question for everybody. Okay. So it's, what is the point of PCI
other than just common sense budget? Well, you know, there's, that's a really complex question. Okay. Within the context of establishing controls, right? If we wanted to be diplomatic about it, we would say it is to take a population that had wild variants.
It's to get them some consistency and see if that actually reduces frequency or impact. Or if we were more cynical, we would say that it's just to keep the government out of the, yeah, I wasn't going to go there, but yeah, regulation from the card brands. I have no,
yeah, I have no comment on that, but Jamie probably does. Jamie might have an opinion on something a little bit more sinister about what the reason of PCI was. Please be sinister. Sinister. It's actually not that hard. You know, it's sinister. True. What the Hawk, you know, think about how all this started. I mean this is my usual rant about how most of us failed to study history
and therefore we're doomed to repeat it. The card brands came up with a way to transfer the bulk of their liability and risk to the issuing banks. The issuing banks were not so fond of this situation, so they found a way to transfer the most of the liability and risk to the merchants. Who's next?
All right, so remember when I mentioned consistency, right? And whether or not that would affect security. So this column, I don't know if you can see this in the back guys, but it's available online and stuff. All right. The white columns there, Oh eight, Oh nine, Oh 10. Those are when the incident response guys go in,
they actually have to do a mini assessment of the environment they're in. So they go through each requirement and they just do a, yeah, I would have passed here or there's no way in hell I would have passed you. All right. So those numbers are basic. Yeah, there's, those are our percent that would have passed. Okay. So under 2010 requirement one install and maintain a firewall configuration to
protect data. 82% of the time, the incident response guy said to the card brands, there's no way you would consider these guys in compliance with just having that basic requirement set. This is what I mean when I said it ain't even close. Kids,
my firewall's in a box in my data center and three mice live in it. Basically the gray, are they maintaining your change control process? Let me, let me jump in here. Um, I might know a little bit about firewalls and how they're used in the real world. Uh, not in, not anymore. Um, I've ever raised that all in six weeks. Let's, let's back up.
What else? Let's reiterate what Alex said. 18% of the time for people that came up in this, this set of investigations, they had installed and maintained a firewall and configured it so that it protected their systems. Think about that for a minute.
Now we like to make fun of firewalls and antivirus because they don't work and they're obsolete technology. And I've made this plea before, before we give up on obsolete technology, decades old technology. Uh, those of you who know where I work, I work with a gentleman who, well,
our gentleman may be the wrong word, uh, who wrote the first commercial firewall for stateful packet firewall. Um, just once before we retire obsolete technology, could we deploy it properly? Please? It might even work that way.
Alex, I'm sorry. I just, firewalls get me all excited. You can't tell because of what I'm wearing. Yeah, So, um, you can see here that, uh, there is a little bit of sample weirdness between oh eight Oh nine and Oh 10 because of the nature of the merchants involved. Many more level three,
level four merchants in Oh 10 but it doesn't matter. We're looking for that consistency. Right. Um, and in terms of security, now that gray bar is our PCIR data and that was at IROC, right at initial report on compliance. Were they good or not? Okay, so that is, that is yet it's difficult.
How difficult is it when you want to be compliant without help? And then the other columns represent basically how difficult was it for these people to maintain compliance? And you can draw a lot of conclusions from that. I'm not going to draw them. I want you guys to think about them and come up and ask questions and talk about it. All right. But this is, I think really interesting data.
When you look at PCI itself and you divorce yourself from the fact that it doesn't protect from 0-day and that antivirus is next to useless and blah, ditty, blah, ditty, blah that we talk about on our blogs and our podcasts and all that stuff. Thank you very much. You know, Mike Dahn's not here, but he made a really excellent point recently. He said, um, when he got into PCI,
he thought it was going to take people who didn't care about security at all. Didn't have a roadmap for how to do it. And it would show them how to do these common sense things to your point. And now what he's concluded after having enough data is that you can't make someone who doesn't care about card data care about it. In those cases, they may achieve compliance at the rock and the data showed,
at least I haven't seen this year's, but last year's data showed they lapsed within one to two months after. No, that's not what it showed because it doesn't, doesn't measure that. I mean, I'm quoting him. So you, you fix it then if it's broken, fix it. It doesn't capture that sort of sort of snapshot because it really does only look year over year.
And I have looked at some of the data for 2010 as opposed to 2009. And that's what scares me is, is Mike is right. When he thought originally that PCI would give some impetus to people who didn't care or who couldn't get budget to be able to get that budget. In a lot of cases, there was some movement originally,
there was some movement when they first started to become PCI compliant. Unluckily it stopped. There really hasn't been any more movement. The people who want to be secure, the people who want to be the businesses that look at security as a sales point are becoming secure. The businesses that are,
are trying to not be secure, trying not to spend the money on PCI, are finding ways to fool the auditors, are finding ways to just ignore the whole system. Compliance hacking for the win. I would ask one thing though, too. I mean, you know, we're talking about people that want to become secure.
What about those that quote unquote want to become compliant and the fact that that doesn't mean you're secure at all? I mean, there's a lot of people that want to check the box. They don't want to be fined. How many people out here still think that security equals compliance? Anybody? That's a bait. That's terrible. I'm sorry.
I'm sorry, Marty. Was it 2004? Back when you were still young? So theoretically I'm a moderator, but actually I'm an immoderator and this is where I'll jump in and don't make assumptions based on where I may have been for the past four years because I've seen a lot of other things, but sometimes people cheat.
One of the things that I saw that was kind of interesting with somebody had a problem with a certain piece of malware tearing their network up. Um, because I was familiar with the system they were running, I noticed an interesting icon. They had an exclusion for IPS that excluded IPS from their NTP server.
Now if you've seen HD Moore's talk from a couple of years ago about the interesting information that you can leak out of NTP, you might think maybe that's a bad idea, but it's still just an NTP server. But I noticed it was actually the icon that the particular system they were using in this IPS system was an icon for a network, not an individual host.
The network definition that was used for exclusions, not just an IPS, but also in web content filtering and some other places on this particular, um, not customer that would be irresponsible of me. Um, this random person, um,
happened to be 0.0.0.0/0. Love that subnet. However, um, wait, is this the pick on (ISC)² or some other certification body? But it got past the auditor and uh,
so they kind of forgot that they had, um, created an exclusion for their compromised NTP server that covered the entire network. And then they were whining that, that having defeated all of their security systems, uh, they were owned inside out, upside down.
And actually the call started because their Exchange server was creating too many alerts on some defensive system that we make fun of. But sometimes people cheat. Um, anybody in this room that has done penetration tests has probably found it. Anybody that does defensive stuff has probably seen this, but it turns out that not every QSA cares as much as some of the ex-QSAs on
this panel and some of you in front of me, some of the QSAs, and this is an unpopular decision. These guys are trying to make a living. Um, they may or may not be competent, but they may have a mortgage.
They may have an ex-wife or ex-husband or two that requires, you know, support, and they have bills and they need to pay them and they churn the stuff. PCI compliance has become commoditized and that drives people into cutting corners. But Jack, does, does the fact that people sometimes cheat on compliance change anything?
Does it mean it's more effective, less effective? Does it mean anything really? Because those same people are going to cheat no matter what, aren't going to spend money no matter what. It matters if you think compliance equals security and while nobody that's here would believe that, um,
the people that have budget authority sometimes still do. But this is where I get angry. We look at it like it's no harm, no foul. But like I, I tend to work with a lot of CISOs over the last couple of years. They tend to be on Fortune 100, Fortune 500, and a guy I knew who used to do good risk management. The question I've been asking for the last two years since we started this debate is how,
what percentage of your security budget goes to passing an audit on card data and which percentage goes towards your corporate secrets? And a Fortune 50 company has zero dollars on corporate secrets. He went from doing balanced risk management to 100% on the card data. He pays $2.6 million for the assessment each year.
It's not like he would have done different necessarily security controls, but it has defocused him from things that matter more. So it's not zero impact. It helps some, and it was a very massive distraction to many others. I would say, okay, no, I was just going to say, I, this is the speed limit test to me, right? I mean, how,
how many of you speed? There you go. Exactly. Right? So, but there are in fact radar guns out there, right? And you know this, but you still speed. And it's the same concept. You know, if, if there was no radar gun, what would happen? Well, hang on a second.
Let's look at the economic incentive disincentive model. I mean, if you, if you're failing, what's the cost? Eh, might get a hundred thousand dollars a year fine. Or you might be told that your per transaction fee is going up for by 2%. I'm not paying my per transaction fee. My customers are, um,
that fine is one tenth or one hundredth of what it would take to fix it. Am I going to repeat the comment on competitiveness? You can't pass the 2% to your customer if you want to compete with Walmart.
Wow. This is commoditized. Is that what you're saying? Are you saying that? But yeah, but those guys can't compete with Walmart anyway. Well, I'm not in Walmart's market. They don't sell what I sell. So screw it. My customers are all stupid. Aren't your customers stupid? All right. As outspoken as I am, I'm not going to call out any of the companies that sell Walmart grade PCI
services, but because everyone here knows who they are and one of my gripes and it's safe now that some of my friends are no longer at the company that they worked for that created a cool report that would have been much more cool if
it had called out who had certified them people as PCI compliant when they were breached. But that's politically incorrect. You know, a couple of times in other talks, people have talked about attribution this morning. Josh and company were talking about attribution in a completely different context. It would really be cool to know who is certifying people PCI compliant as
they are currently heavily competent. Hold on Jack. I'm not defending former employers of anybody on the panel, but I'm not saying that it's an option to do. That shouldn't be the, that shouldn't be the vendor's job, right? Everybody out here who came, who's interested in PCI,
you have a right to go to the card brands and make some fricking noise. You do. Honestly, you should. You have a responsibility, right? So the lack of, and you should continue to the lack of transparency. You shouldn't push that on on some vendor who's doing their best to get there and has a evil legal and PR department. I'm just kidding. Brandon,
you're awesome. Um, but you should be going to the card brands and saying, where's my damn transparency. If you're really interested in me being secure or my customers being secure, then I want to see reports. Anonymization can work. We do it all the fricking or we, a former employer,
I did it all the fricking time, but the anonymization can work and it's informative and it's there. They have a responsibility if they're interested in security. But that gets back to Jamie's point, but you skip past the incentive argument. Let me, let me state the name. So Verizon has given us more data. You can make, you can throw stones at Verizon for putting the,
the VZ name on things, but they've shared data freely. They're just because I want more data that's not politically or logically or financially feasible for them to provide. Uh, just because I want it, doesn't mean I get it. I was just expressing that, but it would be really cool if a lot of people shared a lot more data.
Not to sound all like new school of information security, but it'd be cool to know what the fuck is going on in our business, not just with compliance. So maybe we could make an educated decision. You sir, I think have something to say. Well, you talk about the Walmart approach to vendors doing 17 since the
PCI validations. Okay. And I think that's an easy, easy target to go after. But you have to remember that the PCI validation is a point in time, right? And the people you're working with, they want to be compliant at that time when you're on site doing the validation. After that, who knows what the hell happens? Um,
certainly on clients that you go back to year after year, they fall down during whatever, you know, whatever time period where it's months or you know, half a year or three quarters of a year, they fall down during that time because they're not worried about what is going to show up on their validation report. So not to get myself in trouble, but that whole validation versus ongoing compliance thing that that's,
that's a red fricking herring dude. As long as, as long as they can say there has never been a breach where the customer has been PCI compliant or the victim has been PCI compliant. It is a completely red herring and I promise you that that will continue to be the case indefinitely. You know, like that's, that's true,
but I can say I have a unicorn in my pants while not wearing pants too. I mean we're talking about the PCI panels. We've kind of ignored the, uh, the pen testing professionals in the room. Are there any pen testing professionals in the room? Okay. So one of the things that we've been talking about at BSides a lot was the Penetration Testing Execution Standard, the PTES thing.
And speaking of the Walmartification of, uh, this, it's really that the race to the bottom to see who can make the auditor go away, or what's the fastest, cheapest path to IROC or ROC, rather. Um, people are, because it's so ill defined on what counts as a penetration test, a quick Nessus scan is often substituted.
Save as PDF for the win. Now one of the reasons, I know PTES is still controversial, but one of the reasons I like it is it helps separate the, the, um, check-the-box-for-minimum type person from cannibalizing the talent that real professional pen testers can bring.
It starts to help articulate or support the conversation for if you saw Wendy's talk on how she'd like to be penetrated as a CISO. Um, it helps her know what she's going to get. If she really wants to focus on a more comprehensive thing, she can now use it as a framework to decide which pen tester she's going to contract with. So it lets the irresponsible jackasses who want a cheap solution to be
irresponsible and cheap and it lets someone who actually wants to use the PCI budget to drive better security, do so. So Wendy can describe her finishes. I was just going to, so let's, let's take what Josh, I mean, Josh has a valid point, but let's take what's on the slide right now, which by the way does in fact have a younger Bill Murray,
which everybody should of course be focused on right now. Um, but, but let's, let's actually take that as a good example. Um, it's so easy to, to swing the needle to, to things like, you know, P test and pen testing and, and you know, this cutting edge thing or mobile security or, or, you know, insert bullshit here. Look, simmer down,
guy. Don't, don't have a moment next to me. Um, so what's on this slide is relevant though. Seriously, I'd love to talk cutting edge, or at a conference that focuses on cutting edge, right? Somebody that spent six to seven months in their basement with a lot of Mountain
Dew and a debugger, right? Get away from that. Let's go to the, the, the regular baseline crap: patching, config management, the firewalls. I mean, I think Alex's data was actually poignant, is, is really relevant here. I mean, it's, it's, it's incredibly easy to point fingers and say, you know, we're,
we're doing a crappy job or we're shifting blame or we're doing all these things, but who the hell is doing a great job of patching? I, I, you know, you raised, I raised my hand when you asked who's a pen testing professional. I like, I like breaking into places. It's great fun and people ask me very commonly, you know, how are you getting in?
What are you doing? How do you get in there? And I'd love to be the guy that sits up here and tells you, I am sitting in my basement and I'm developing custom exploits and like I've got the debugger. It's really fun. No, it's actually like default passwords and that one dumb ass in ops that forgot
the MS08-067 patch on the one box, right? And, and you know what? We are losing because of that. Okay, but let's, let's take a look here. PCI is meant specifically to look at credit card data, nothing else. It's not about security. So, hey, wait, wait,
you can finish after, after I do cause like I'm wearing white, except for the strawberry stains. So PCI is about card data, but we need to, PCI is awesome, but we're in Nevada. I just wanted to point out we're in Nevada.
It's not about security. It's about card data. That's all it's ever been about securing target, something about secure, but why are we even taking card data? I mean, why are most of these people even having access to their card data? If we really want to have something that's going to protect the card data, don't have it, don't have it. Don't ever let these merchants touch it.
Don't ever let the merchant see it. Quite frankly, then the Gramm-Leach-Bliley risk is on the card brands and the banks. We still need to provide 16 digits, expiry and CVV so that you can take a taxi and eyes up by Jan. This is not going to change anytime soon until we're willing to admit that creating a duplicate system that does not use technology from before my parents
were born is going to be useful. When we switched to something, I'd like to point out as parents are old, so that's a long time ago and WAF can save us all though, and he's old too. And if we move to something new that is appropriately designed, probably not by a card company and implemented with an economic incentive that
says, if you want to use the old system, great. Get used to the spread between what we're charging you for interest and what the overnight rate is, redefined usury, and we're going to make it possible for both sides to look at the situation and go, oh heck yeah. From, from the employer's perspective, or not the employer, sorry,
the from the acceptors perspective, we're going to make this real simple. If you want to use old style, great. It's $2 a transaction plus 2.5% and if you want to use the new style system, it's 8 cents per transaction flat rate. But we've already seen that chip and pin is also being broken, so that's not necessarily going to save as much chip and pin is a good idea
when they print the same fucking 16 digit number on the chip and pin card with the same fucking mag track on the back. I'm saying we need a new system. The old one is costing us a shit ton in interest. The overnight rate is less than 1%. The average credit card rate is 22-plus. I think we got the 10 minute warning and we said we were going to offer solutions. So should we shift to solutions? We should talk, but let's,
we will solve all your problems in the next 10 minutes. In other words, unlike last year, we are in a place that has high ceilings and good air conditioning. So the smell's better, but we also have room for a couple of hundred people in the Q&A session. So I encourage you to come there. That said,
last year's Q&A session was off the fricking hook. It was actually much better, much better than this. Yeah. Most of us, this gentleman has an opinion, as does everyone else here, but he stood up. So, so I have an opinion. I have a question. Um, we're talking about things like just, you know, patching systems, which are really, really important and relevant by the way,
with the number of people that don't even have a firewall or patching, you know, have it configured properly. Um, but since we're talking about the cards a little bit now, I'd like to ask, when the fuck are we going to move away from using a physical signature? Didn't I just say that, like 16 digits, expiry, CVV,
you guys still use checks in this country for Christ's sake. Exactly. Same people have had debit cards for 30 years. Exactly. Exactly. I completely agree. So, okay, well, once the, once the government East Asia or app land or whatever, federal IDs, we'll just use that for signatures. Um, somebody just said, well,
it's expensive to change out infrastructure. Um, there's a, a, we'll call it the equivalent of Walgreens in the country that I'm from, uh, who've gone through three entire iterations of PIN pads in less than 18 months because of foolish business decisions. They went from the old style PIN pads to the new ones that were, um,
chip and pin. And then they realized that another branch of the same organization put out a credit card that had an RFID on it and they couldn't use their own goddamn credit card in their own goddamn stores. So they changed all their PIN pads again. So you know what? When the difference is 22-plus percent versus under 1% for the overnight
rate, there's lots of money in that interest spread to take care of replacing the whole system. And remember those economic incentives matter. Debit card transactions are measured in cents per transaction fixed price. Credit card transactions are measured in a mixture of fixed price plus percentage price. Um, change the economic incentives in both directions.
Make it so that if I use the new modern system that doesn't have every vulnerability known to man and require fraud management of hundreds and hundreds of people per issuing bank, um, say it's very simply to the customer, I'm only going to charge you 9% interest. Which card is the customer going to choose to use? The old assy one or the new fancy one?
Let's, I mean the solutions aren't, aren't solutions that we can execute on and they're solutions that we can pressure towards once we get to the point where as infosec professionals, we're doing our fucking job. But you're saying we also need to put pressure on the PCI council and merchants to, in order to enact that change. I think the only change you can do is the one. How about if we do it, do the right thing,
no matter what somebody else tells us to do. How about issuing banks and the credit brands themselves? I mean, let's quit dumping this on the merchants because a hundred thousand, a hundred thousand merchants aren't going to develop a better solution than three card brands. Right. Let's, let's grab possibly one quick question. And I'll give everybody a minute or so to wrap up and then we'll go into the Q&A room. So you, uh,
you keep coming back to this point that a PCI is all about the credit cards and there's plenty of other information out there that needs to be protected. And absolutely your point about, Hey, we need to replace the whole system, but that's going to take time. It's going to take money. So in the interim, no problem. I'll show you how it's cool. Whiteboard it for you.
In the interim until everybody gets on board and does that, you know, when, when somebody breaks in and steals the, uh, steals a bunch of credit card numbers, it affects me. It affects, you know, my friends, my family, everybody in this room. And, uh, maybe not directly, but maybe just through increased costs for all the goods we buy because all that fraud permeates the system and we all pay for it.
When somebody breaks into some pharmaceutical, steals the, uh, the intellectual property for the next Viagra doesn't affect me. So in the meantime, until we can get some new system in place, isn't there a, um, you know, a use for having something like PCI out there to, at least for the people who don't want to cheat,
who do want to try to be secure but don't know how, give them these guidelines. The, okay, I used the wrong word. I'm sorry. Not, not secure, but they should be already doing, if they don't know how to be secure without PCI, it's not going to help that much. It's the SSP. That's exactly it. There's a lot of CISSPs out there.
We need a unicorn chaser. Give them something to start with. No, it's, it's valid. It's a starting point and we can't deny that it's moved us forward, but we're so far behind that we, we really need to look forward. There are a lot of people that have budget because of that. I mean the, the penetration testing industry is an industry because PCI requires it.
Um, and with, with that, I really encourage everyone to follow up with us. I'd like to give everybody on the panel a moment or so to wrap up. Um, this has been a follow up to what we did last year. Hopefully there's been more information. Uh,
we will be in the Q&A room and we really want to continue the conversation. We won't beat you to death with that. I'd like to start with Mr. Arlen and see if he has something to say. I doubt it cause he is without opinion, as are everyone here. Uh, doing info sec, right.com also you're all back in here at eight o'clock for
hacker pyramid, right? Right. You guys looking at me? Jesus. Um, yeah, so you know, bottom line and whatever. I mean I, you know, I, I'm one of those people that, uh, don't, don't hit that job. Uh, you know, so I, I mean honestly I'm ambivalent. Um, I see people that have really benefited from PCI. I see people that have,
uh, I see people that have really benefited from just about any compliance measure. But, uh, I also see the flip side of that, the people that just don't give a shit at all and they look to get the auditors in, out and move on to the next year. And uh, you know, I don't think that us sitting here is, you know, and having this dialogue is going to get us there either. But, uh, you know,
in some cases I think it's a good thing. So I'm, I'm, I'm going to be that, uh, you know, annoyingly optimistic guy on the panel too. You know, I've seen a lot of environments and there are some where people are doing PCI with the idea that it will make them secure, that they're trying to go beyond PCI and be secure and they're actually doing some
effective work. I've seen a lot of people who just haven't been able to get the budget before PCI came along. I've also seen a lot of companies where they look at PCI and go, it's another pain in our rear. Um, we're going to do the very minimum we can do to make, to make ourselves compliant. We're never going to be secure.
So just give us our rock and go away. So I think if you understand the limitations and how defeatable even a fully compliant PCI environment is, then you have a baseline. And if you understand it's a very low baseline only then are you able to look at the attack density, how people are getting popped and prioritize how do you shift some of that
budget? Now what Mike Dahn and Gene Kim and I did a lot of work on was figuring out how do you massively reduce scope and have less data to lose and fewer systems involved in scope, and that liberates funds to do protection of other non-scope, non-card data assets. So we have a lot of research and specifics behind that, but the trick isn't,
you know, looking at that as a finish line. It's how do I, you know, budgetary jujitsu that how do I use PCI to fund my visible ops project or how do I use it to pivot into non card data security initiatives? But, um, if you don't realize how limited and narrow it is in the first place,
then those are off the table. I'll end with this. I can't give you guys a solution, but I can tell you how you can start to get at a solution and that is demand transparency around data. You give smart people in this industry data and we'll start to figure stuff out, but we are being kept ignorant and you have to wonder if that isn't
purposefully. We're debating something really quick. Don't move. Okay. Don't get all excited about them leaving yet because they're not going to our five o'clock speaker who is crap. I should have looked that up before I started speaking,
shouldn't I? That guy, um, yeah, well thank you. My password is a full of fail. Jason Pittman is not going to be going from 5:00 to 5:20, so these guys are going to hang out till 5:20 and then after that we've got another turbo talk. So or you could come over to Network Security Podcast and watch us record
episode 250, so, so can we have a round of applause for at least Martin? Don't everybody run away at once. Let's, let's do, instead of going into the smaller room, we'll do Q&A because I'd be willing to bet some of you have opinions. Um, Martin is going to run away because he's doing the 250th episode of the
Network Security Podcast. Let's start Q&A here and then we'll move into the other room, and or commentary. Yes sir. Let's uh, let's dive in. Okay. So one of the things that I've found to be kind of interesting about PCI,
I guess from a introspective kind of way, what are our failures as a community is that, uh, I mean, I've been a former QSA and although I've seen a lot of environments for Verizon business, um, is that our real challenge is operationalizing the process of security.
And I think one of the things that PCI shows us with these failures is that, is that that is the problem. It's really hard. And I've, I'd be interested in hearing your comments on that. So it was a commentary about operationalization of security. And one of the things that in my past that I've done is I've always worked
with smaller businesses until recent career change. Um, and because we had to in small business, we operate operationalized, some, somebody keeps giving me liquor. Um, so anyway, we did that to security in small business. Um, it's because we had to,
but larger enterprises kind of need to, and he knows something about that. I'm going to give me a really quick, simple answer to find me later though. But, um, the Visible Ops studies, that wasn't about really security, it's about IT operational excellence, showed massive deltas that the tighter you run your IT, the fewer break fixes, the faster mean time. It's basically like security is an accidental byproduct of really
well-managed IT. So there are some studies that show high correlation at least to, um, to operationalizing IT with security in mind. There was a study at Weiss that's backing that data up again. So that's, yeah, well here's, here's personal experience in that. I,
once upon a time ran a whole lot of security with a zero direct reports. I had about 187 indirect reports and by making sure that security was everybody's job because I'm a nice friendly guy who buys a lot of coffee. Um, I was able to achieve a level of security proceduralization, um, that wasn't because you went to the security binder and looked at what to do,
but because it was just your damn ops binder. Of course we had binders then too, not SharePoint cause it sucks. And I'll just throw one thing on that too. I mean, if I started getting up here and talking in depth about change in configuration management, how many of you would still be fucking awake in about two minutes?
None of you, right? At least the people that are being honest. And unfortunately that's the most important stuff in terms of general opera, you know, opera, I can't even say that. Yeah. Operationalizing IT and security in general, but I mean that's the problem. We don't do a good job of that.
Doing info sec, right? Next question. Next. Chad, Sergio. What's up Alex? Hey, um, so love or hate PCI, it's kind of helped us out, but I think it's also prolonged the death of this archaic system. Just like James said, what do we do, um, to shorten that lifespan of this broken system?
Cause it's all it's done is push the liability. Let's not shorten it. We have 0% unemployment in our industry. Let's not shorten this stuff. Let's not fix anything. Damn it. Cause I love Chad. I've been working with Chad for eight decade to retire. You have to ask for transparency, right?
You have to have people fess up as here's how we were, here's how we were screwed, right? And once you can say that, then somebody can say, well look, now we know patterns in getting messed up and let's solve those. And then you can start addressing real things versus crazy things. So, so my grade four teacher,
Mrs. Barber had this crazy way of making sure that we were doing the right thing all the time. She called it a snap quiz. Why do we book audits? Pop quiz. Why don't we just have them, you know, someday you walk in and the Spanish inquisition shows up or sorry, the PCI inquisition shows up and says, you know what,
we're going to find out whether or not you're compliant today. Okay. Next they do that in the credit union sector. We have audits year round, or used to when I worked there. Yeah. Yeah. Self-congratulatory reach around for the win. Why would we do random, why would we do random audits and tests when we have Anonymous and LulzSec?
Boo. Next question. Hi. Hi. About that pretty dismal slide with the percentage statistics on the, on the breached organizations question about the firewall thing.
Do you have any idea whether the very low percentage of the firewall compliance was due to the organizations actually not having a firewall at all, or was it because they failed to document the firewall rules as per PCI?
Yeah, we lumped all of why would you fail requirement one. So it's documentation and so forth. But as we just said about operations being so damned important, there you go. I'm not, I'm not arguing that PCI sets out great operational rigor. I'm just saying if it's 18%, that's indicative. Two follow-ups though.
One is they had it at, they were compliant at one point prior and two is, and we didn't say it cause we didn't have time, but out of that 761 how many of them were SMBs with 11 to 100 employees? 400 and some odd. So a lot of that is really describing the bottom of the market. Level three, level four and not necessarily equally applicable to large.
Yeah. But if you go back to a higher level two representation, yeah, it's still pretty abysmal. It's not 18% but it's like 40%. You know, okay. Thank you. Hey guys. So this is the last question until we move.
No, we have 20 minutes. We have another 15 or so, but because the next one can't, I got somebody waving fingers. I just wanted to make a comment on the firewall thing. The situation that my friend Bob told me about that I mentioned earlier about IPS with that special NTP server.
Um, Bob was told that, uh, they normally just enable and disable those rules for the audits and they forgot this time. So that kind of focuses the, the, the, that puts the spotlight on that 18% that we were talking about. They passed a tech,
they passed some sort of a scrutiny and it doesn't have to be PCI. I do want to make that. Yeah, but with 80 PCI is not the only thing that's doing crazy things. Wait, wait, real quick. If you're coming in for the password talk, it's been canceled. Yes. The five o'clock talk has a speaker was unable to make it.
So this is PCI as sexy as it is. And we're going to go a little bit long and then we're going to go to the Q and a room with that. Sir, you have an intelligent and articulate question and or comment. All right. So, uh, one of you mentioned that, um, security does compliance equal security. And, um,
I would say that compliance is a subset of security. So if you're secure, if you're secure, you're going to be compliant. And I agree with you a hundred percent. That's no, that's not necessarily true. Not necessarily true. I've been in environments where we have been entirely compliant and completely unsecure. And I've been in environments where we're completely secure and completely
noncompliant because once you've got a set of rules that are proscriptive, if you're trying to do something that's better than the prescriptive rule, you're doing it wrong. Well, there's also a perspective thing. I like to say PCI has nothing to do with security for any one individual company, but I don't know that we can make any sort of statement about effectiveness
as we look at the population yet. But that's, well, it's the whole concept of constant compensating controls too, right? I mean compensating controls could be really crappy ones that you're tweaking or really great ones that don't fit. So you have to write a document about compensating controls if you're using two factor authentication.
to explain why you don't have good passwords. Um of course there's more to it than that but uh- I'm not defending it I'm just saying. And you know also compensating controls involves corvettes. No wait that's a different sort of compensation. Uh but you know I Chris Offit used to have a great diagram where he would show on a scale of one to ten how important this was to audit and how important it was to security and you want to look
for the ones that are high score for both right? Some are distracting from your overall security program and some of them are highly affin- affinitized and aligned with. Alright thanks. Good afternoon. Thanks for giving me the opportunity to address the panel. I
actually represent um from a numbers perspective that bottom of the barrel. We have sixty people in my organization. Um I have an IT staff um that I'm technically part of even though I'm the security guy. And they looked at me funny when I mentioned I'm also IT of uh five individuals. Uh we've been um we are also in the hospitality business so
we're in that segment of the population that's had a huge amount of breaches over the past year. You you've changed all your default passwords on your point of sale systems and you don't use pcAnywhere right please? If not then sir don't bother talking. Go somewhere and do good. I I've heard a lot about how PCI is awfully hard to
maintain once you get it. And I say that's bullshit. The amount of work necessary to gain PCI is significantly higher than the amount of work to maintain it. Once you've gone through all the effort to if you've done it right. That's a huge effort. Well for
yours for your portion of the sample right that that may or may not be true. But I guarantee you um from my experience with the top level one and two merchants not so
much. We're a top level one merchant. We're also a service provider. So we have to meet even more rigid standards than your top level one merchants. Yeah but you got you got sixty folks. Yeah and and real quick. Not fifty thousand. No. It's not a universally true statement. I mean if you're doing everything perfectly you still have to prove it every year. I'm just saying I'm hearing from you guys as if it's
universally true that it's hard to do. No it's fucking not. Not if you do it right. It's neither hard to do nor is it easy to do. It's worthwhile to do. If if I had insinuated that it was universally true. If I had insinuated that it was. If I had insinuated that I thought it was universally true then I'm a bad statistician and I apologize. Um I
think what I was stating was here was the data that showed an overwhelming proportion that it is difficult. Now that's a misrepresentation of what that data is. It's a drastic simplification of what that data is. That data shows that people chose not to not that it
was hard to do. Please don't misrepresent the data. It it may be easy in certain environments but I think the data is pretty clear that for a lot of people it is it is not. But it would be good to to take this into the Q&A room and let. Yep. Offline. Here comes the hook. Thank you. Thank you though because you do make a good point that that actually that point addresses something that's been made before which is that
for some organizations PCI is uh holding us back. But uh sir you have a question and a microphone. Yeah. So you're right Jack. PCI has made a lot of mo people a lot of money. Um I've got a client who was able to convince their QSA that their call center
PCs were out of scope because they only handle one card number at a time. My question. Sure. My question is in the experience of the QSAs or ex-QSAs in the room are the folks handling the PCI compliance programs now still security folks because what I'm seeing is they're folks from the business they're folks from an op maybe a business ops
background but they're not security folks. Who's you know who's writing the checks? It's a mix. I'll I'll throw out the first comment. It it's a mix. I I see I see organizations. I'm an ex-QSA. Don't hold it against me. Don't don't you even start over there Mr. Angry Birds. Um you know and and I got a few others in this room. Yeah you
know she who's laughing in the front. Uh huh. Um but. We all we all have blood on our hands. Right right right. But but it it it's totally dependent on company. I mean you know some places it's internal audit. Some places it's it's you know just the security team. Some places it's random smatterings of IT. I think that's totally a subjective thing. And and and sometimes it's a dedicated department. Yeah it could be.
This is the PCI compliance department in those 50,000 person organizations. Agreed. Cool. So uh. Any disagreements? Quick quick reminder if you're here for the five o'clock talk you're. Shit out of luck. What he said. They didn't show. That that one didn't show and so uh because PCI is so damn sexy uh we're going to continue continue with
the next question sir. Right so um you were talking about debit cards being a great solution but. Yeah. Maybe can you expand upon why it is and and give a little more detail behind it because my understanding of debit cards at least in the United States you know that's tied to my bank account and if it gets stolen. You're you're doing it wrong. I'm
screwed. All my thousands of dollars are in that that are in that account are gone. Well you know it it it's funny there's lots of good examples around the world of debit card implementations that work. The way the United States is doing debit card implementation is by trying to tag it onto the credit card system. It's right. It's silly Canadian. If the United States is doing it it's the right way. Right. So anyways.
We we we've got this other system called Interac and you're absolutely right it's tied to your bank account but what you've inherited in a negative way from the cards is you've inherited their risk model that says if you get violated it's all your fault. The
real way. Yeah it's it's nice to be touched while being violated. The the way that we do it instead is we say you know what if if that card is compromised sure the money's gonna pop out of your bank account but it's gonna pop right in the next day or you know at at the least that same day because the the system I mean shit I got my first debit
card when I was like 7 or 8 years old. Um it's been in situated for so long that you know Canadians are out of the habit of carrying cash. We don't do checks like the United States does. I don't think anybody does checks like the United States does. Um so we've got this system that is a fixed transaction cost. It's always the same. It's like 6 cents per transaction um for for the merchants that utilizes the same sort of you
know chip and pin terminals that you're accustomed to. Um it does have that tie back to your bank account so it's not a credit system it's a very definitely a debit system but it's not tied to the brands. It's not part of that ecosystem. It's not using that processing hardware. It's not using this ridiculous bullshit where your credit limit is
updated by the second but you may or may not find out what the transaction was for 3 or 4 days. Um you know it it's it's a different system. It's a real time system that's designed to be real time from scratch. Um. Oh yeah the sorry the the the statement is the big thing is that there be protections on the account and that doesn't exist here
because you're piggybacking it on a system that is broken by design. Um and so you're inheriting all that brokenness only instead of it being with fake money that you haven't paid for yet it's with real money that you thought you had. Sorry. I see that sign in the back that said Tim Hortons sucks. Look over there. Next question. Next question. Hey guys um so I think a lot of what you guys have been
talking about is pretty applicable um I think a lot of people in this room are thinking of as level 1 and level 2 merchants. I mean think about all the PCI controls. Um what are your thoughts in terms of uh the usefulness of the self-assessment questionnaire and
whether or not level 3 and level 4 merchants should even be allowed to handle credit cards outside of uh. Do you know what? Back away from the microphone. Do you know what? On on on the anytime you ask me how much I weigh I'm gonna give you the best answer possible. That shit that comes up on the scale is so. I am not drunk. Self-assessment. I
can lie to you as well as your QSA. So any thoughts on how to solve how to solve that issue cause first of all we don't know how many level 4s are in compliance. Well that and transparency right? Let's see numbers on breaches and self-assessment. And actually I I think Mr. Arlen actually said it well before the concept of random audits.
I don't care if you do your own SAQ or or whatever it is. I mean however you answer the questions is fine but somebody at some point is gonna show up on announce and check whether or not you're full of shit. I I think that's the right answer honestly. You know not planning it and having everybody going look at our controls right? I
mean that doesn't work well. So so Mike Don who fought me on this right? He PCI was awesome right? Wait a minute Mike Don fought you on something? Shh shh shh shh. So he's got a really great blog post on this. So he's at chaotic mind I think is what the blog is called. And he talks about not not the self-assessment as a bad thing but as a
great thing. Like as a way to possibly completely avoid this. It's like SOX self-attestation without the jail time. And his point was if you actually care about security and it is getting in your way you should self-assess because then you can redirect redirect the time and budget to more important things. Because one one of the assumptions in the self-assessment is they might cheat the system that doesn't
really work any how. Like in some cases like so what they passed they failed they didn't they didn't all that really matters is failures. So instead of like regulating a hypothesis of controls that might stop it. You know penalize people when they fail. I mean I'm not saying completely get rid of the thing but he saw that if in fact you determine in your risk assessment it's hurting you more than it's helping
you. He's encouraging you to do the self-assessment. Well I'm just thinking if you if you add up all the money that the banks spend or that you know the processing is collecting these SAQs dealing with them. And then you think about all the fraud that occurs and how much that costs. Would it be cheaper for the banks just to give them end to end encryption? Or tokenization to eliminate scope or
The system doesn't support that. Remember we're talking about something that was designed 50 years ago. It's not built to do that sort of thing which is why you know pulling up that example. Go and have a look at how Interac works. It's completely different. It's what we use for interbranch stuff like when I take my
bank card and shove it in a different branch or different banks ABMs that's how it works. It's the same thing that I run through the the card reader at the grocery store. It's a different system with a different set of constraints with a different set of design criteria than something that's going to work in Azerbaijan to make sure that your taxi driver gets paid. And you find out
whether or not that payment cleared instantly as far as your credit limit is concerned and three or four days later when eventually they get around to telling you what your transactions were. It's just that the system itself is fundamentally flawed. So let's grab the next question but just because you mentioned end-to-end encryption which solves all of our problems I just wanted
to bring this this slide up that Alex might actually just chuckled and that's all I needed that made my point. Last year 90% this year 89% of those folks that found themselves on the Verizon data breach investigations report
they got the encryption bit right. So the people in this room that have been saying encryption doesn't solve all your problems and maybe some of the people that have been saying stuff like encryption is sexy because it keeps the attacker from getting discovered uh may have a point. And you have a point.
A couple actually. One I agree with you uh a CISSP does not make a good QSA. In fact often times it's the opposite. A good auditor actually has to have years and years of experience and actually know what the hell they're doing. It pisses me off to go in and actually clean up or audit somebody and say hey your auditor totally got it wrong last year and you've got a lot of work to do. So but I think the other part of it talking about Q
or uh self assessments is it's a good opportunity for security or IT staff to bring in processes and procedures to get trained cause half of the IT staff out there doesn't know security either. What do you think on that? So are you saying that the self
assessment's a good chance to trick your organization into training your people? I think it's a good way at the C levels open to it to actually bring in some help so. I can see that. Yeah. If there's no other way. I mean seriously I mean if your if your organization doesn't give a crap about training your people or and and you know they're
like well you'll just figure it out in the audit. Yeah but that's the that's the target demographic for PCI's intended. Well but but think about it though there's training and then there's training. You know sitting there for an hour in front of a horrifying PowerPoint presentation that's been shoved into Adobe Captivate doesn't turn my frickin crank. I'm not gonna learn from that because it's not real. Whatever.
There's. Yeah. I mean that's a good point. You learn it. We. But I DCI where where C levels won't listen to their uh IT staff but they'll listen to the QSA that comes in and makes the recommendations to secure their systems. Yep. Anybody written a QSA test? Don't re- my heart's that shit. Big graphic I mean no one's stealing credit card data anymore anyhow cause it's the street price dropped to nearly worthless so we sucked so
bad that we don't have to get attacked anymore. I can't talk about breaches that I may or may not know about but yeah not so much this year. I was being sarcastic. Next. Oh wow. Hello. It's hard to tell when you are. How? Before before we hear
your awesome commentary which I am looking forward to I um if you're here for say the five o'clock talk or the five twenty talk um neither of those are going to be in here. So instead of wandering down to the Q&A room um we will continue this here because
this is kind of interesting and I know it's nowhere near as sexy as some things although this really does hammer the crap out of us but please forgive any member of this panel who runs out cross legged because they have to pee because people made us beer. Uh that said you are going to provide an an amazing question and or comment for us so
please do. I have I have two points I I wanted to bring up for discussion um what is I just went through PCI level one uh the audit part we're working on our ROC right now so this is pretty topical for me um and the first thing is is I'm designing my I've got my list of compliance activities I'm trying to map them to my controls and we're two person
security team so I'm the junior this is my problem. Um how do I what of the you know general compliance activities should I really be focusing on to do real security instead of bullshit paperwork? Um cause I really don't want to do that and I know I have to do a certain percentage of it but really what do you guys feel as QSAs or as experienced
persons would bring the most value to an organization? Uh so you're a retailer. Um we are a phone company. Phone company? We're an IVR company. Okay so you do you have point of sale or no? No we we we process IVR calls so it passes through we don't ever
store. Yeah okay. I think any answer without us knowing your environment would be a flippant answer. In in general though we we did a mapping of security controls to efficacy like I call them PCI's chosen few and uh the efficacy of many of them are in the toilet um but one thing I will say is um in general right now for the for attackers beyond
just casual ones anything that gives you more visibility you know see things sooner prompt an agile response anything that fuels an OODA loop of observe orient decide act this is kind of a Visible Ops mantra I referred to earlier um the parts it it's funny it's funny and sad log management is a requirement and yet zero breaches were
detected via using log management it's not that you can't do it it's that no one's looking at them. Right. So if you if you just do a log management program to tick a box it's fairly low low value if you use it to help improve your eyes and ears it can be fairly high value um so I you have to do them all anyhow the question of which
ones are gonna be the most useful as well for other things it to me it's more eyes and ears to inform your incident response cycle. If you want some evidence based approach this is from our study um and it shows you threat actions so we can't describe your particular threat landscape to you but we can say in general here are large likelihood
threat actions now map that to various controls there's also a report by Trustwave if you're in Europe uh 7Safe in the UK has issued a report but these are also great places to go and look for data um and so what I'm basically telling you is what you do is you
do real evidence based risk management. Well let me throw in one thing real quick. Yeah. I was just gonna say I don't think there's anything in PCI that's just complete BS seriously I mean there's variations there's ways to do it and so forth but I mean you look through your 12 areas you gotta have policy you gotta have some encryption you gotta
have firewalls I mean whether or not it's the exact language and the exact implementation and I mean I'm not gonna get into that it's a semantic debate but that is a baseline. If you don't have any of those things to begin with you've already got a problem. Checking the boxes and then going okay now what really gets us to the point of
security is probably the best approach but if you've gotten massive gaps if you know you have no IDS if you know you don't have any sort of code review or QA process if you know you don't have any monitoring capabilities as Josh just said you've already got issues right so I mean go ahead and use it as a starting point right? Well but but hang on
we we've got this weird kind of problem are you trying to be compliant or are you trying to be secure? See I have to do compliance to get my budget. I have to do compliance to make my CEO happy. I have to do compliance to get everyone to listen to me. So what so so my natural advice to you is do infosec right go go through all of those
basics I mean just just take the dirty dozen alone and just run them down and do them right because if you're doing them even vaguely correctly and you've got a QSA that doesn't have their head crammed firmly up their ass you're gonna get through. That's sort of step one. Step two says if you wanna be really pedantic about it you be specifically compliant with each and every and only requirements. So you run down that
list of what is it two hund- I'm not a QSA 280 something? 256? Whatever. Run down that list and make sure that you've got a chunk of evidence that you can set down right next to it and say alright here's the requirement here's the response here's the requirement here's the res- and just run down the list. Then regardless of how
pedantic your QSA is you've got all the answers sitting there in front of you. If you do the second way you're probably not going to be any more measurably secure than you are today. You're just more measurably compliant. Um but you know th- this is my usual
rant and I'm sorry that it's my usual rant and everyone's all heard it before but if we just do even you know who wants to live in a minimum code standard house really? I'd like my house to not be made out of bubblegum and chewing crap and things that some guy who was paid by the house to do the towel work you know like just do it right.
Look at it look at look at the organization look at the the infosec part of it as as something that you have ownership in that you have pride in and do the fucking job right. So Alex had to pee really bad so I'm gonna make his point and I should have
made it earlier. Um the attack density is how there's a language he uses but the attack density you'll see from the SpiderLabs reports are here they're they're really useful because a couple concrete pieces of advice we tend to give. Um everybody thinks you should patch faster because you wanna measure the mean time to patch and yet their data showed that zero of the breaches last year involved a patchable vulnerability. So we
were putting a lot of energy into something that wasn't attacked or exploited very often. Conversely look at number 2 there which is SQL injection. A lot of people try to pass specifically 6.6 um with the uh honor with the honors yeah the prepared statements the honor system of the SDLC and I think an SDLC is good but you should try to you know social engineer your budget into you know maybe we shouldn't skip the the WAF
you know I'm not saying a WAF fixes everything but this is an example of lots of attack there and we cut a corner right so if you look at where the most failures have happened it may better aim how you argue stretch the limits of the interpretation. Where did where did Alex go? Oh you know real men can hold their urine
but I guess Alex couldn't. Yeah you're lucky. Um here here's the other really cool awesome important thing. Um you've got all of our. Embarrassing things I say are usually on purpose. Twitters and you can find us all because we're findable on the on the internets we're in the Googles. There's um. You can ask questions. Like seriously you know I I probably spend upwards of 2 hours a week just answering weird
crap that lands in my inbox. So feel free to ask. I think we're actually connected in some way shape or form on LinkedIn. That's kind of freaky. So yeah. It's kind of weird actually. We we do have a couple more people that have comments and questions. Um I just wanted to ask one last thing and then I'm. Okay. Um my QSA when he came in to do our on site audit mentioned that in PCI DSS 2.0 the auditor's
requirements were significantly larger in terms of evidence collection. Can you speak briefly to what what I can expect in terms of impact on me in terms of evidence providing or like really how much is it going to change things for us? I I don't know. I'm not a QSA. Ask around though. There's one in the front row. There you go.
Offline. Whoo hoo. She's good to know too. The significant crap. Alex is back. Shit. So wait. Alex is up there. Just because I have the opportunity and um I first of all I have to make a disclaimer. I have a cool new job. I think I said that and compliance is a big part of the company that I work for. Uh that's not where it
started. But compliance does give us jobs. But we're here. People that are at this event are here because we um like to break shit. We like to fix stuff. And uh sometimes there's a little uh a little disconnect there. But uh we have a couple more questions. One of the things that uh we would really like to talk about is that um there are some
really uncomfortable if you dig in incestuous relationships between uh certain people that might for example be on the PCI council and certain corporations. And uh there's some information out there that even here because some of us like things like paychecks we
kind of tap dance around. And with any luck um we can next year uh we'll have made enough money that we don't need a job anymore or whatever and can do that. But if you don't think that um that incestuous relationships are part of the reason that things
are stacked up the way they are it's interesting. With that said I'm gonna shut up as long as I can. Is that like a conspiracy theory that you were kind of throwing out there? Well I mean next question. So next question. How many planes have flown into the penta- no wait that's a different that's. Question. Question please because they're like intelligent people next to me and. Shut up. Lined up in front of the
microphone but not behind. You're so wearing a turban dude. Alright. It's not a turban you fucking dumb American. Question. I remember what it's called though. I just got a question related to scoping. Um it's. Scoping? Tier two tier three you know depends on the amount of uh cards you're processing. If you're a multinational
corporation you're going through many different gateways like say you have five hundred thousand in the US and you got four hundred thousand in Canada and another two hundred thousand in uh Europe. You're over a million at that point. But they're all going through different gateways and you know they're different um subsidiary companies that are all tied to one parent. How does PCI scope that? Is the uh would you be a
tier two? Would you be a tier three? Magic. There's a scoping sig which is it stands for special interest group and they are in just a big old circle right now to the point where to the point where several of them are trying to quit. Well okay so.
So the the the scoping sig initiative that started a long time ago maybe it's closed now um was fighting over things like oh if we share a DNS doesn't that make everything else that touches the DNS touch everything else? So that's just going kind of nowhere right now. So I would ask your QSA cause really at the end of the day it's the
interpretation of the person who does the ROC. You do know that this whole thing is opinion based on your QSA's part. And no one's ever bought an auditor off. Arthur again bottom line if you get an incident there's no way you're gonna be like oh yeah they were compliant but they had an incident. You know Jack didn't make one of his best
points that I think is a best point. He says you know you should interview your QSA cause if you have to do this thing you might as well make some good use out of it. So you know. Find a risk based QSA. If you want somebody who's cheap and fly by night you can get that and if you want someone who's gonna actually help you you can get that too. That would be a QSA who's doing their job correctly. There are QSAs
that care. I do want to back up a little bit about something I said about the council. There are people that actually care about security that are involved with PCI. I can think of one who was recently elected to something or another. And he's an awesome
guy and has a big green egg and makes great smoked meats. But there are other people who care but it's just such a polluted situation. There were like five angry birds and a pig. Martin stole them all actually. Martin had children.
We're doing a bum rush. Everybody who needs to or wants to go hear Martin do his network security podcast if you would just kind of like jump on him and seize our angry birds back would be really appreciated. Completely shifting gears for just about 15 seconds. We're gonna get to these guys but just in case you're not aware of this if you think I'm wearing this clothing for a political statement you're wrong. It's
just because I was in Dubai and it's kind of cool and comfortable. But if you think I'm doing it to make fun of Middle Eastern culture you're even more wrong. And I will say this that as I said in the fail panel if you get your news about the Middle East from Western media sources you fail. And that said let's talk about PCI
because there are two intelligent and articulate people who have stood up in front of the microphone and the first of them has this to say. I think it's fair to say that though PCI is a security policy is a security guideline it's definitely not the best one out there by far. For the vast majority of us type three and four is it fair to say with limited funds pick another better security thing to go
by. Pick the SANS Top 20 for example to Dave I'm talking to pretty much. Do the bare minimum to make PCI happy and then spend your money actually solving security is that a fair thing to take away from this. Yeah in I'm sorry in our report and one of the things that
the data allowed us to do was say okay yeah you know what here are basic for the first time in the in the industry really best practices supported by data right. So here are a handful of things that you can do and again it's not just the Verizon report there's a Trustwave report and so forth. So I would go seek the data versus seek yet another
standard. The SANS thing is great right it's expert opinion blah blah blah. But remember though you need to be meta compliant with a number of standards simultaneously. Whatever your org is you've got PCI plus something else plus something else plus something else plus something else and that Venn diagram is your unique and special snowflake. Sure you need to. He was saying three and four and I was over generalizing about the simplicity of their Venn diagram. You over generalize? And
for the three and fours it's much better it's often better to to outsource a lot of security. So here's here's what I've seen as a QSA and just as a like generic security guy in a lot of capacities. Um and and feel free to disagree with me because I'm in you know elbow range for a couple of you guys. Um but I prefer more prescriptive technical tactical
standards. Um like I especially as a level three four I wouldn't say you know go latch on to ISO 27000 as a reasonable approach to getting your shit together. I'd say you know what? PCI is pretty good actually for you. Or or the SANS Top 20 would be pretty
good for you. Something that says hey it would be really freaking awesome if you had an IDS and here's some examples of things that work. Or you know hey guess what? You know network based access controls are okay and you should have some. Like those are are reasonable things to kind of go around. Um but you know I think I could we could
probably have a series of jokes in this room on you know what is quote unquote best practices. Uh there's no such thing. Hello. I figured it out. It's it's common practice. It's subjective right? No it's common. If the other guy's doing it then that's what I'll do. I won't do what's best because that costs an extra two percent and I'm not willing to spend that two percent because the other guy's not doing it. You know you're in a
situation where people are saying well you know if if Citibank's not doing it why why why should I do it? True but I think we all saw the metrics from Alex where only nineteen percent are doing it right. Or per PCI. So maybe that's wrong. Yeah. So. I'm
seeing a lot of folks. Your your organization may be that unique and special snowflake that does need to take into consideration shit like 27001. Or 27005. Agreed. I thought you went into a seizure whenever I said 27005. Come on. Do the dance. Come on. You know it. Last one. Question. Alright. So I've had kind of the opportunity to have worked in
different spectrums. Doing the pen testing and working with a consulting firm. You need to fillet these microphones to be heard. Yeah yeah cause you get a little. Thank you. It is tough to hear it up here. So I've had the opportunity to work in a lot of different M's. So I I worked with a consulting firm where we hired really grey hair
consultants and did a lot of really good stuff. We did the PCI consulting. So I worked with a lot of different firms. So we we tried to do it the right way. And and I've been on the card side. And understand the merchant side. And so I've had a lot of different experiences. I guess my question to you guys is. We talk about the
infrastructure is screwed and I don't disagree. It's kind of screwed. But the credit card companies and various other entities have come up with technologies. Such as near-field. Right. To be able to do no card number. To be able to do different ways of not presenting the same way we do today. But the problem is it's a global scale problem. And
so I guess my question is. Do you have even from a straw man perspective. What you think would be the solution knowing that it's not the cards. It's not the merchants. It's not the processors. Not the networks. It's everything. Watch the recording of this panel from last year. I spent 10 minutes describing how to fix the problem. It would
take less than 2 years to convert 99 plus percent by using economic incentives and disincentives to solve the problem. So that's that's what I'm wondering. So is it a proposition that it requires government intervention. And I think partially it does. I think I think. Well no no. The government the government intervention isn't actually
government intervention. It's weird. What we need to do is redefine usury not as a fixed percentage but as a spread against the overnight rate. Once we do that the problem will be a self hammering nail. You'll set it down on the desk and it'll just go thunk. And remember this is in response to government intervention. Unfortunately though you're dealing with. Greed. Across an entire spectrum of industries. Not just
banking. Not just merchant. But across the entire spectrum of industries. So when I was doing PCI assessments. We we couldn't get the merchants to actually allow us to do the right thing. Period. And so so it isn't just one industry or the other. I
think there's no economic incentive. Right. You got the other. This goes back to that whole does everybody speed question that somebody talked about. The economic incentive isn't there for me to stop speeding. If they fixed it so that if you do 56 miles an hour in the United States. The fine is one million dollars. Lose your car. Lose your license for the rest of your life. Nobody's going to speed. It's
like the Warren Buffett quote. I know how to get a balanced budget. Right. The way you get a balanced budget in the U.S. is you make a law that says hey if you don't pass a balanced budget you're not up for re-election. Again we're dealing with government intervention. So you're dealing with contracting lobbyists and everything else. No but the economic incentive disincentive model is so simple. And I think
part of the reason that we have trouble with it is because we like complicated shit. Um it's very simple. You just say you know what if you want to use the old system that's fine. We leave all of the rates in place the way they are now. Or maybe we jack them up a little bit. For both consumer, card processor, and merchant, and issuing bank, and everybody. And then we issue a new system that is
unconnected to the old system. It does not use credit card numbers. The credit card doesn't even look like a credit card anymore. Whatever the hell we do. We do something else. Something new. Maybe it's one time pads because you know we can store several billion of those on a card now. Whatever it is. And you make it very simple. It has a new fee structure. The new fee structure is dead easy. It's fixed
and you fix the risk to put the risk right where it fucking belongs. Which is back on the cards. Right? You're just describing one. A separate entire global infrastructure outside of internet and everything. Absolutely. And that's just one
solution. There are multiple solutions right? We could keep the same broken infrastructure and start implementing risk pooling. There's a million different ways to do it but unfortunately we acted like security is an engineering problem. So what did we do? We came up with a bunch of engineering answers to a non-engineering problem. I mean we we had a lot of debates last year on on his particular solution but the part I
like about his solution is um you can incentivize anything. What we do is we have to make it really expensive to do it a fucked up way. Yeah. So so quick with the backward compatibility. Why do we have raised numbers on the fucking cards anymore? How many people have used a shik shik machine lately? I. This year. Yeah. Right? Alright. And and you know what? Probably. Probably. Bless the point. A lot of
merchants still do. So you're not dealing with. Probably in the riskiest environments though. So you disincentive that. You say you know what? Yeah we're gonna put in two systems. And watch how quickly that old system withers and dies. It'll stick around for forty years. You'll still find it in weird freaking corners of society. But you know what? Everybody will be using the one system. The good one. Who disincentivizes
it? I mean because you're not gonna get the businesses. The card brands. The card brands or the processors. The card the card brands are are just they're not incentivized to disincentivize it because they're not the ones losing the money the margins are. If no. And and one of the things that. Absolutely. One of the things that comes up is. Why would they. Yeah. Why would they provide a discount. Dance off. And we
have to talk about card brands. They're not gonna provide a discount. They're gonna charge a penalty. Let's. It's greed. It's about greed. Greed is good. Absolutely. It's capital of society. That's. But you know I mean it's like if you boil it down, Square. A dongle you could jam into your iPod or Android. What could possibly go wrong with that? Um. They charge more for card not present. I mean that's a simple thing
that we accept now. But um. Can we can we grab one more question? This is this is gone on so long I'm almost sober. So we need to. But remember though. Right yeah. The cards do have an incentive. They want to be the currency. That's their incentive. Absolutely. And to get to that incentive they need to convert more people to using
cards. They need to convince the United States to stop moving little tiny slips of hard to do if you make it so that when you walk into the store they don't hand you one price for cash and one price for credit. You know. You drive by every gas station on the goddamn interstate. There's two different gas prices. Make that shit go away. And
it'll go away fast. So fast that people can't look at it rationally. And and I hate to be that foreign asshole but. God people stop watching Fox News and CNN and look at your own world from the outside. Because this country is functionally insane. And
you're all okay with it. And you still have to. If you're gonna have lenders. We'll say lenders. Credit card companies and lenders. Then they have to somehow pay money off of those transactions. I'm not trying to advocate one way or the other. I'm just saying. The reason those gas stations are doing that is because they pay a fee for people to be able to take their cards and what not. So that's why they're doing it. How could you
possibly take away the ability for the companies who are making those loans to make that money. That's that's and how are you gonna. There's there's more there's more money in fixed transaction cost and high transaction volume than there is in. But it's still a cost. That's my point. It's still a cost other than cash. Than there is in
percentage against unbelievable amounts of fraud risk. And you know what. Yeah. There's a cost in handling cash. And most people don't realize this. If you're if you're working in org and you're handling dollar bills. You're losing money every freaking day because dollar bills are sticky. And they smell bad. Let's grab one more. Thank you
very much. We're coins. We're easy to find. We're all like media whores. Or whatever the hell. Alright. So I'm a media whore. And I'll find anybody that you can't find on this panel. But you can find them. You sir look intelligent and articulate and sexy. I said almost sober. Uh. So one of the topics you only uh sort of
touched on. Fellate the microphone. We can't hear you. Was the chosen few. Uh and um so as someone who was a security vendor for years and now does consulting work for security vendors. There's clearly a subset of technologies depending on account. 11 or so that are required by PCI and by my account I think Gartner covered 160 subcategories of
security. Love to hear your guys thoughts on where um where those other 149 security categories are gonna be over the next couple years since PCI 2.0 is where it is for uh for 3 more exciting years. Um so what what for the other uh all the folks here focused on innovation. Where do you see uh how's this impact in the next few years?
Since I wrote that article on the chosen few I will take a first stab. But um the assumption we make is that those 11 things are the best 11 things out of the 189 that he said. And by my assessment on perceived efficacy or NSS test labs efficacy they're some of our worst ones. So every time you're picking and funding a an inferior
technology from the dinosaur age over something that is better it's a mistake. And it's a mistake forced by the compliance stuff. Now I also don't think on the other side I'm advocating that everything new and shiny and blinky is better. Um some of those things should just go the hell away. By my count out of those 158 or so. You know there's
probably 30 total that are usually good if you do the cross section of the things that people need to do. Um but we haven't done a a a separated the wheat from the chaff to look at. Of these things against modern attacks in virtual environments, cloud environments, outsourced cloud service provider environments with LulzSec type
adversaries or APT kill kitten killing type adversaries. We haven't done a vetting process. We're just taking something that a bunch of people thought was a good idea in 2003 and saying it's still a good idea now. Um what I did see when I was an analyst covering all these new innovators is they weren't getting any spending. It's a really good shit. Couldn't get spent. And I went to the CISOs I said why aren't you buying that? You
know you need it. You know it would help your specific problem. And they said well I took it to the CIO and they said if we won't get fined you don't get any budget. So if it was on the chosen few it got spending and if it wasn't it didn't. Now some people had a little extra budget. They could buy one thing that wasn't on the chosen few. But I I saw that as a pretty big um economic disincentive and that's why
most of these vendors steered away from stop stopping or solving new problems and they started to look very very similar to the PCI list. And and when you think about it though we've been burying technologies for that entire decade. You know once upon a time in a galaxy far far away in a former life um in 2003 I worked on a thing that
smelled a lot like a web application firewall XML firewall that is better today than anything else you can buy today. And it's been sitting on a shelf since 2005 because it was deemed not marketable. And it's still better than anything you can buy today. I mean it it just it absolutely boggles the mind and that's one example of God
only knows how many technologies were buried because they weren't deemed to be commercially option. And and we keep doing that. We keep saying you know the the vendors come back and they say well nobody's asking for that feature. And they give us some other raging featuritis shit they've come up with or they subdivide something and say this is two different products. You know like anti virus and anti malware.
Cause somehow foreign code that doesn't belong in my system running on my system is not the same thing. You know every time that happens we're we're we're we're killing little bunnies and that's not cool. But there's also no way around it and and my biggest well not my biggest frustration. You don't want that list. Holy shit. Um my
my current frustration with with the PCI council is moving to the three year standard in an effort to appease people who said oh my God it's moving too fast. Uh huh. Uh we we don't get the innovation that's necessary to go against the fact that our attackers are innovating at a speed that we couldn't keep up with before. So
we've got a guaranteed arms race loss. We're busy fighting a land war in Europe. Um. And we have data that shows that the threat landscape has changed and is changing and will rapidly change and will change again. Given that PCI has stated they want to see things
that are best practice. Are any of these things best practice? Alright that by the way that's a lie. I know where you're going. Yeah. Alright so um I'm gonna have to say this quickly because they don't want you to know this but the uh so the question was what
which point of adoption and popularity does it qualify to be added as the the the 12th or 13th requirement? Um and essentially you might recall when they testified in front of Congress there were some accusations that perhaps PCI was market manipulating. Because if you look at the WAF market before 6.6 and the WAF market after 6.6 it was
market manipulation. So they are terrified they're not gonna say this publicly but they are terrified of ever being accused of being market manipulators again. And that's why there wasn't a single that's one of the reasons there wasn't a single new technology requirement. Even though there were lobbyists from the end to end encryption, lobbyists from the tokenization, lobbyists from data loss prevention. All three camps thought they
were going to be added and they were shut out. So don't wait for the next three year cycle for them to be added. They're not gonna be added then either. Because as soon as they market manipulate then they're gonna get more fed involved. Is that a seven? Go ahead. Next question. So kind of switching gears we've been talking a lot about the defensive. Hey, we've talked to you before. I know. I came up.
I couldn't get enough. Alex, I was wondering what you know since you know you worked with USSS on the breach report. What if our what are I mean are we playing any offense that's that's making a difference? Have you seen increase in our offensive capabilities over the past few years? Are we just letting people from Eastern Europe come in take our
goodies and run? You know I can't we we can't derive motivation directly from the data. What I will tell you is this. That there is a huge change in tactics. It wasn't you
saw the the 140 breaches and then the jump to 761. It wasn't like Verizon the Secret Service you know went four times you know had four times the incident responders. Right? It wasn't like we created the the demand. The demand came to us. Okay so that that was a significant change. Um in in that regard I have no idea what Jack's trying to
show you other than. I'm I'm. It's a lot of incredible pictures that are really incredible. Oh my gosh that was an awesome one. No just stop right there. But the point. To answer your to to kind of answer your question um I don't I haven't seen
offense um and I don't know if that's a function because there isn't any or I don't know if that's because that there's a function that it wasn't necessary. I'll I'll I'll throw something out there actually. I can't I can't. This random gentleman with no knowledge whatsoever in this street is going to make an amazing comment. Thanks Jack. I thought
Jack said he was so great. I was just before before that comment. I'll just say yes. Offensive yes. Oh okay. I love you too Jack. I'm familiar with uh with a number of the processors and the acquirers and I understand that some of them have taken the responsibility to administer the self assessment questionnaires to their own
merchants but I'm also familiar with the fact that one of them went to the council and said we'd like to do the scans on our own merchants as well. What's your take on that guys? Boy, Qualys is going to be pissed when that happens. I don't know. Are we right back at
that point where a hundred thousand merchants are going to be able to solve a problem that three card brands can't? It starts to sound like we're trying to put the fix in the wrong place and we're going to end up with a beautiful roof for a house that was supposed to be a gas station. Is the fox watching the henhouse? Didn't you hear me
talk about the whole RICO thing? If you're going to supply me with a problem and you're the only one who can supply me with a solution, we've got words for that. It's called RICO. Let's use it. I mean it was supposed to be used on mobsters but uh credit card companies will cheerfully throw your ass in a pair of concrete overshoes if you forget to pay them. Yes even in Canada. Although although there at least the um the the
health care around the drowning is is you know covered. So I'm just randomly clicking through things in my past life. This is kind of entertaining. Why are you people? Can you click us some more beers up here? Seriously be useful. Why are you people here? I mean.
Oh we have a question. There's a great story there but there's someone here. Who knows that story quick besides Michelle. So I've heard from you guys that there is a system that works and that transparency will help us get us there and incentivization is part of the key of that. How do we incentivize the people to get
their transparency so they realize they ought to switch the system to make more money? You get a bunch of drunk guys up on a panel and you have them whine about it apparently. That's Jack's solution. The the the real answer is that there's there's no desire to switch the system right now because they're making enough money despite the loss that it doesn't matter. And they're getting away with pushing the liability for the
flawed system down on other people's heads that you know. The whole sector attack Bob Russo. Sorry what? Or you could just get LulzSec to attack Bob Russo. Yeah sure. I was kidding. That was not a suggestion. Are you one of them? I cannot believe you said that out loud. It's not a suggestion. I think we're being kicked out. One minute. Thank
you. Okay. I'm allowed to go to the bathroom in one minute. All you people that have been here for like an hour longer than you needed to be. Thank you. Thank you very much. Thanks people. Yes thank you very much. I've gathered these intelligent, articulate,
sexy gentlemen together many times over the past couple of years. Twice for DEFCON and I'm fucking sick of this. So let's give them all a last word. Move over. See what Martin and Rich Mogull aka the Travelocity Gnome have to say in their 250th podcast.
Catch the somehow I was excluded from participating but I'll be judging the beard contest at 6. There's all sorts of cool stuff happening tonight. I believe there is a 10,000 cent hacker pyramid. My beard was quickly eliminated last night but that's because my beard's not
really good at hacker trivia. With that, Mr. Arlen, let's give you the first last word. You done yet? This is my second run at the last word. It is unbelievably imperative within the structure of the system that we have that we do our damn best and it's not sufficient
just to do the job. We need to do the job well and anybody who thinks that they can just do the job and walk away, you're a douchebag. Cut that shit out. Thank you everyone. Are we moving down the list here? It's Miller time. Yeah. I think
everything works perfectly and we should just keep going like we're going. Josh. Say something about LulzSec or something. No. Okay. Thank you. Beer time. Thank you.