I ran across some interesting comments by Rick Davis, Digital Risk Advisors, regarding the Heartland Payment Systems breach (http://seekingalpha.com/user/365771/comments). Of course, I fully agree with Rick’s comments and observations. About the HPS situation, Rick says this:
“This is exactly the type of breach we predicted many many years ago. PCI certification is not security. Risk management in the digital world requires constant, reliable vigilance that seems to only be available one place: Tripwire Configuration Control. See the web site for details: tripwire.com/ . All changes become apparent as long as the directories and sub-systems are being watched. Malware has no place to hide in a Tripwire-managed system.”
How many cardholder records have to be compromised for long periods of time before retailers and acquiring banks accept the fact that PCI DSS is not just a fine avoidance project? Managing a PCI project to get the auditor out the door and avoid a fine is a waste of time and money for everyone involved. It is a time bomb waiting to explode—as it did in the case of Heartland Payment Systems and Hannaford Groceries (March 2008), both of whom were PCI compliant.
When will auditors start forcing these merchants to prove they alert on unauthorized change to critical system files, configuration files or content files—which is exactly what PCI DSS 11.5 requires? While some auditors may require this proof, I have not seen one who does in over three years.
Compliance can be, and should be, a byproduct of increased security. And security requires constant attention (like daily vs. quarterly or longer). Tripwire can absolutely help automate the process of continuously knowing when something is not right—and doing so is not a total waste of time and money.