Logs – A double-edged sword? Beating PCI Fines by bad security practices?
By Declan Ingram
PCI clearly states in requirement 10: “Track and monitor all access to network resources and cardholder data.” And rightly so. It goes on to say “Determining the cause of a compromise is very difficult without system activity logs.”
It certainly is. In fact, for nearly all attacks where card data is at stake, it can border on impossible. Enterprise log management is hard. It is expensive, and few organisations do it well. Not only that, but the organisations that do it well are also much more likely to have a higher general state of security, meaning that (all things being equal) they are less likely to suffer a breach in the first place.
Organisations that do not have a good handle on their security, and do not have good logging processes and practices in place, on the other hand, ARE more likely to be breached.
The problem arises when the investigation starts: there are no logs, or none that are useful; there is no trusted information; there is little or no evidence of attack. Your expensive forensic tools are too focused on disk, and most attacks on card data are in memory.
The situation seems thus:
The acquiring bank/PCI will only issue fines if it can be proven that a compromise has occurred. But a non-compliant company is also pretty unlikely to have logs that can be trusted, so determining the details of an attack, and providing definite evidence of exactly how a breach occurred to a standard that could hold up in a legal scenario and justify the fine from the bank, would be even more difficult. I.e. while the investigation may show that company X is bleeding card information through numerous sources, no logs means it could be impossible to pinpoint exactly where the breach occurred.
Or in fewer words: could a company deliberately hinder evidence gathering to avoid fines? Especially when they know they are non-compliant anyway.
I hope I’m wrong.
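The post's worry is that logs which exist but cannot be trusted are no better than no logs at all. One defensive answer is to make the log tamper-evident: every record carries a keyed hash of the previous record, so editing, deleting or reordering entries breaks the chain, and recording the latest hash off-host catches truncation. The following is an added illustration, not code from the original post or from any PCI body; the events, the collector key and the record layout are constructed sample values.

```python
"""Tamper-evident audit log: each record carries an HMAC over the previous
record's hash and the event itself, so editing, deleting or reordering
records breaks the chain. Added illustration for PCI DSS requirement 10
("track and monitor all access to ... cardholder data"); not code from the
original post. Events, key and layout are constructed sample values."""
import hashlib
import hmac
import json

# Constructed sample key. In practice the key belongs on the log collector,
# not on the host producing events, so a compromised host cannot re-sign.
COLLECTOR_KEY = b"example-collector-key-not-for-production"

GENESIS = "0" * 64  # hash value "before" the first record


def _digest(prev_hash: str, event: dict) -> str:
    """HMAC-SHA256 over the previous hash and the canonical JSON of the event."""
    payload = prev_hash.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, payload, hashlib.sha256).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append one record; returns the record with prev/hash fields filled in."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)}
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (ok, index_of_first_bad_record) with index -1 when the chain is intact."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev_hash:
            return False, i  # a record was removed or reordered before this one
        if not hmac.compare_digest(record["hash"], _digest(prev_hash, record["event"])):
            return False, i  # the event body or its hash was altered
        prev_hash = record["hash"]
    return True, -1


def verify_against_anchor(chain: list, anchor_hash: str) -> bool:
    """Truncating the tail leaves a valid chain; it is only caught if the
    latest hash was recorded off-host (the anchor) and is compared here."""
    ok, _ = verify_chain(chain)
    last = chain[-1]["hash"] if chain else GENESIS
    return ok and hmac.compare_digest(last, anchor_hash)


# Constructed sample events of the kind requirement 10 asks to be tracked.
SAMPLE_EVENTS = [
    {"ts": "2008-04-23T09:12:01Z", "user": "jsmith", "action": "login", "host": "pos-db01"},
    {"ts": "2008-04-23T09:14:33Z", "user": "jsmith", "action": "select", "object": "card_pan", "rows": 1200},
    {"ts": "2008-04-23T09:15:02Z", "user": "jsmith", "action": "export", "object": "card_pan", "dest": "10.0.0.99"},
    {"ts": "2008-04-23T09:16:10Z", "user": "jsmith", "action": "logout", "host": "pos-db01"},
]


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, dict(ev))  # copy so later tampering does not touch the samples
    return chain


def demo_tamper() -> dict:
    """Show which kinds of tampering the chain detects, and which need the anchor."""
    results = {}
    intact = build_sample_chain()
    anchor = intact[-1]["hash"]  # what the collector would have stored off-host
    results["intact"] = verify_chain(intact)

    edited = build_sample_chain()
    edited[2]["event"]["dest"] = "10.0.0.5"  # export destination rewritten after the fact
    results["edited"] = verify_chain(edited)

    deleted = build_sample_chain()
    del deleted[2]  # the export record vanishes
    results["deleted"] = verify_chain(deleted)

    truncated = build_sample_chain()[:2]  # tail cut off: internally still consistent
    results["truncated"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_against_anchor(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo_tamper().items():
        print(f"{name:22s} {outcome}")
```

The truncated case is the one that matters for this post: a chain that simply stops is internally valid, so the evidence that records ever existed has to live somewhere the host cannot reach, such as the last hash forwarded to a separate collector.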


April 24th, 2008 at 12:41 am
[...] Logs – A double-edged sword? Beating PCI Fines by bad security practices? -Declan Ingram gives an interesting and potentially worrisome issue with logs and PCI fines. [...]
April 24th, 2008 at 9:33 am
Totally! I’ve seen it happen pretty much like that.
April 24th, 2008 at 10:27 am
Interesting point Dec!
I would like to think that once they come under the eye of the acquiring bank, they will not be able to run scot-free. They may avoid the fines associated with being found to have been compromised. However for lower level merchants it is more than likely they will be considered high risk by their acquiring bank and moved up to a level 1 merchant. So hopefully having the requirement to have an onsite audit conducted and submitting annual reports on compliance might make them pull their socks up.
April 24th, 2008 at 1:33 pm
Edifying? I shall begin this post with an all too familiar “Muhuhuhuhuhuhuahahahahahahah”…. and then follow up with the statement that I am finding my motivation slowly returning after spending some time researching, relaxing, building and wallowing in the comfort of ‘not being alone’, lurking and sometimes posting in lists like SecurityMetrics.org whereupon the best of the best butt heads and are still confounded and flustered.
Aside: Schneier/Ranum Point/Counterpoint:
“Bruce, when you and I are old coots sitting on the porch (next year) you’ll be amazed to see the current generation of kids nimbly navigating their way through software and system configurations that completely blow our minds. Relax; it’s just what progress looks like from our side of “over the hill.” Will the future be more secure? It’ll be just as insecure as it possibly can, while still continuing to function. Just like it is, today.”
Not sure if I agree, yet…. watch this space.
April 24th, 2008 at 10:26 pm
You’ve hit the nail right on the head with this one. Every major compliance regulation or directive has some section which details logging requirements (in one way or another) and this is for good reasons. Effective log management is one of the cornerstones of: meeting your compliance goals, protecting your customers information, and ensuring your business can continue to operate.
May 8th, 2008 at 5:01 am
[...] so that you won’t know what is going on. Drazen Drazic posted about not logging to avoid PCI fines last month. Obviously, neither is promoting this type of behavior, but there it is. [...]
May 8th, 2008 at 7:13 am
[...] recent post on logging being a double edged sword started some interesting discussion. Anton Chuvakin follow-ups further on his blog and [...]