Monday, June 22, 2015

Canadian International Company gets fraudulently PCI certified

The PCI-DSS standard started off as a great idea.

A while back I crossed paths at a conference with one of the original creators of the PCI standard, and his comments about his child, now a teenager, haunt me to this day.

Short version: devastation at what this great idea has become, a cash cow for auditing firms with results that are far from ideal.

Here is a concrete example: a large Canadian and international firm hires a PCI attestation partner. The company is Canadian-based, yet its attestation partner is far, far away.

Why is that?

Far from the heart, far from the mind.

Penetration testing is an important part of the PCI standard, yet every honest security specialist will tell you that the results are far from perfect. Since PCI provides no detailed guidelines on how the test must be performed, any chimpanzee can perform anything, call it a penetration test, and voilà, compliance.

So this Canadian company needs to get some application testing done, and its TRUE compliance, when you take everything into account, is a failure.

So how do they ensure they PASS their PCI audit? A three-step process. Simple, really.

1) You hire a firm (surprisingly, one that does not even have penetration testers on staff) which subcontracts the job to genuinely qualified individuals. This gives you great references to fall back on and distances you from any liability.

2) You provide only limited information about what is being tested, and you control the scope so that the testers see as little of the environment as possible.

3) You get a report stating that you have performed a penetration test and passed it, and you submit that to your attestation partner, who in turn has no responsibility to understand your ecosystem or to pass judgement on the validity of the results.

Bang, attested!

Is that not awesome!

The fact that the individuals testing the application had no clue what they were testing, and were crippled by the information they were given (as in none), is not taken into account. Nor is the fact that the individuals who did the testing are not proud of it.

How often does this happen? Way more often than you think!

So as a society, how do we fix this? Accountability. Today, accountability simply is not part of the game. When a manager gets caught with his or her hand in the cookie jar, they often get a promotion. Why a promotion? Simple: the person who hired them rarely has the courage to pull the plug, because it would make them look like they hired the wrong person.

The US government has shown us this at an unthinkable level: bailing out billion-dollar companies with taxpayer funds, and having the managers take the money and basically run with it. When companies are caught doing something nasty, they get fines. Who pays the fines? The shareholders... I still find it hard to grasp that heads don't roll, and that the ones paying the penalties and absorbing the impact are so infrequently the ones who caused it. In fact, it is even more insulting when you realize the salaries that these folks are getting.

The word for today is Accountability.

If we encourage and reward bad behaviour, which is what enterprises are doing today, we are certain to keep going through scandals and abuses.

Everyone knows that bad press only lasts a few weeks, so take the money and run.

Sorry, I'm a little more medieval. I would tune in to a channel that broadcasts the penalties being handed out, or the heads being chopped off, if you will.

Being good in business has become being good at bending the truth (what normal people call lying).

Am I the only one that longs for the days when delivering a quality service or product was the main objective? I know Zig Ziglar thought that helping others was the way to success; it turns out a lot of people want to cut out the middleman and just help themselves.

So, to any CEO or board member happy to have heard that your enterprise is now PCI compliant, I tell you this:

You have been lied to. How does it feel to know the truth? Do you feel "accountable"?

I can already hear some crybabies whining that I can't be saying that no one is truly PCI compliant. To that I say: MAY I AUDIT YOU? And if you FAIL, to any degree, ANY of the PCI requirements, will you agree to give me your car, your house, and your bank account?

I think not, right...

I asked that question, "who here is truly PCI compliant?", at a respectable and large Bankers Association meeting... no one raised their hand.

Case closed, you're all just playing along.

