Saturday, August 22, 2009

EXACTLY Why Data Breaches Happen...

I'm blogging on a Saturday afternoon, because as I caught up on my Breach-a-Palooza reading this morning I came across this little gem (again)... and it got me ... upset.

This is exactly what's wrong with corporations, and why we will continue to see data breaches. People like Heartland Payment Systems CEO Robert Carr obviously ...
  • don't understand their responsibility to their customer
  • don't understand security
  • don't understand the role of compliance in overall security
  • can't accept personal blame
I know it's customary in corporate space to just deflect blame - but this type of crap is ridiculous:
..."Carr opens up about his company's data security breach. He explains how, in his opinion, PCI compliance auditors failed the company,.." (Network World, 8/12/09)
That's right folks... PCI Compliance Auditors, not Heartland's pathetic security, failed.

So the next time you smash your car into someone else while drunk as hell... the car company failed you... because it's naturally not your fault, and you should not take any responsibility. This is what we're teaching people.

Another brilliant quote...
"What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?"

Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."
I think I'm going to be sick. Robert Carr, how do you sleep at night?

5 comments:

Acidus said...

On a pile of money, with many beautiful women.

http://www.thesimpsonsquotes.com/quotes/392.html

Raf said...

@acidus: you, sir, win the award best use of a Simpsons quote... Ever.

Jack said...

What he said:

Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem.

Why I'm Angry:

That he's blaming the people he hired to do bare-minimum compliance validation testing, for the inadequacies in his organization's security posture. You get what you pay for in this world, IMHO. If you have a group come in to certify that you are PCI compliant, but don't invest in actual security or TRAINING your security staff, then this is what happens, plain and simple.

COMPLIANCE DOES NOT EQUAL BEING SECURE!!
WAKE UP PEOPLE!!

Scott said...

Food for thought...

What motivation do boards or execs have to protect customer data?

Where do execs learn what is required to protect data?

How do execs know whether their staff are "experts" in their areas of expertise (i.e. handling customer data, PII, etc.)?

Should execs assume that their directors, line management, and staff are not experts and decide to outsource design, auditing, implementation, and review/testing of sensitive systems?

IMHO, execs are laymen and we "techies" need to remember that they have learned over the years to trust the people who advise them. The trouble comes when execs go from "trust" to "blind faith".

Michael Hamelin said...

The article disgusted me. The real problem I keep seeing over and over with PCI audits is corporations want to limit the scope so much that they exclude 90% of the data center, only audit the internet connection (ignoring the 800 leased lines behind the green curtain), and still can't tell auditors where the 'data' is.
