[Owasp-ireland] Potential of 4.2 million credit card details stolen via cyber attack.

David Ryan dave.ryan at gmail.com
Tue Mar 25 07:55:52 EDT 2008


I think interpretation of standards leads to a level of security that is
reasonably required by the organisation interpreting them. Of course, I
assume that the organisation is interpreting them with a modicum of
expertise in the field, which may be provided via internal resources or
through external consultancy. What they end up with might be "lower" than
what is "ideal", which may not be "perfect", but may be all that particular
entity can achieve at that stage of their
iterative-information-security-management-lifecycle. This reinforces my
original point, which evidently my elaboration failed to illuminate. The PCI
standard is applicable in different ways to different entities and this is
not only reflected in the ambiguity of the language within the standard, it
is also reflected in the multi-tiered compliance and conformance
requirements laid out by the PCI themselves.

Objectivity is dead. Long live Subjectivity.

Re: "breach". Granted, it is of concern, but perhaps less so considering the
information that was lost was the card issuers' and not the private
information of the customer. I was also being somewhat facetious.

On 25/03/2008, davidrook <david.rook at realexpayments.com> wrote:
>
> I fully understand that 100% security isn't realistic -  Thanks for the
> clarification though ;-)
>
> I agree that the standard will always be ambiguous but do you not feel
> that the interpretation of the standards is often what leads to a lower
> level of security than is required?
>
> My own opinion is that any breach like this is a big issue, from a
> consumer's perspective if they have lost *any* data it should be a point
> of concern.
>
> Dave
>
>
> David Ryan wrote:
> > Dealing in absolutes is an error. There is no "secure". There are
> > security controls and depending on what, how, where, when, why, if,
> > biff, bam, and boom they are implemented and managed their effect is a
> > quasi-linear progression along the cost-versus-hardcore axis where
> > they intersect at the "good enough for us at this moment in time"
> > point. Compliance may equate to "good enough" security controls, but
> > suggesting there is a final resting point for IT expenditure on all
> > things security is folly.
> >
> > PCI has gone through a round of improvements and perhaps it will
> > continue to do so in the future. Whilst I don't have a history of
> > other safety standards from our recent industrialised history, I
> > imagine there are comparable observations to be made. Cars did not
> > start off with airbags and they still don't prevent people from
> > killing each other on country roads or on overpriced toll roads.
> >
> > As for the PCIDSS being ambiguous, I agree. However, I think this is
> > perhaps a necessary quality: Not all companies are equal. I would
> > suggest that VISA/Mastercard/AMEX/etc wanted to establish a baseline
> > for their own "insurance" purposes (imho and used here as a loose
> > term).  Does it raise the proverbial bar? In my experience, it
> > probably has done for some clients I've worked with and maybe not for
> > others, but again this is an example of the underlying intention
> > functioning (imho). Another example is BS7799/ISO17799 certification.
> > No doubt any future attempts to provide a super-compliance-standard
> > will end up with ambiguity too.  The point is that the organisation
> > must interpret the "ambiguity" to suit their needs and explain why
> > they have interpreted it as such to the auditor and, where applicable,
> > compliance body.  The aim could be to provide the least amount of
> > ambiguity as possible, but being overly prescriptive would perhaps be
> > more prone to failure when issues such as capabilities, economics and
> > other factors are considered.
> >
> > As for who is to blame? I'm sure they both have insurance ... *if* no
> > personal data was lost, is this such a big issue? (from a consumer's
> > perspective)
> >
> > On 25/03/2008, *davidrook* <david.rook at realexpayments.com> wrote:
> >
> >     I think this is another example of PCI compliance being just that - a
> >     compliance standard. Being compliant (as is demonstrated here and with
> >     TJX) does not always equate to being secure.
> >
> >     PCI is ambiguous and it could be improved to try and make companies both
> >     secure and compliant. As for who is to blame, is it not a case of 6 of
> >     one and half a dozen of the other?
> >
> >     Dave
> >
> >
> >     Eoin wrote:
> >     > Maybe a bit slow on this one but I thought I'd share it
> >     >
> >     > A PCI compliant company was compromised and an estimated 4.2 million
> >     > cc numbers were obtained.
> >     > The issue arises that the company were PCI compliant and now the blame
> >     > game has ensued. The PCI assessors are being blamed, there is mention
> >     > of ambiguity regarding the PCI standard, where to apply some of the
> >     > technical controls etc.
> >     >
> >     > http://www.theregister.co.uk/2008/03/18/hannaford_data_breach/
> >     > http://www.hannaford.com/Contents/News_Events/News/News.shtml
> >     > http://www.merchantcircle.com/blogs/Pre-Paid.Legal.Services.Inc.-.Ind.Associate.786-390-0581/2008/3/4.2-million-account-numbers-stolen-at-Hannaford-Bros.-Co./70643
> >     >
> >     > --
> >     > Eoin Keary OWASP - Ireland
> >     > http://www.owasp.org/local/ireland.html
> >     > http://www.owasp.org/index.php/OWASP_Code_Review_Project
> >     --
> >     David Rook | david.rook at realexpayments.com
> >     Information Security Analyst
> >     Realex Payments