Greetings, folks. PCI 2.0. I still feel really dirty. We're talking about PCI at DEF CON. What the fuck? I mean, seriously, what the fuck? Again, this is the worst part. Last year, a few of you actually saw the beginning of this in the hacker space at ShmooCon. And then here, man, this is disgusting. Somebody is sodomizing the fun of our industry. It's Bob Russo. And a few other people. So, I don't know what the state of Twitter is, and I don't know where my pants are, and my cell phone is in my pants, and that's how I follow Twitter. We intended to have another screen up with the Twitter thing so that you could all be making fun of us, but it turns out that we only use the second screen for the game show thing. These people don't need Twitter or another screen to make fun of us. Good point. All heckling must be done live, and in person, feel free to heckle on Twitter if AT&T has any packets moving for your phone. So, yeah, compliance is changing the way companies do security. That's changing the way we attack them and the way we defend them. I need to make a quick disclaimer before getting to the official disclaimer. PCI is awesome. Just as STIGs are awesome, CIS standards are awesome, because it got me an awesome, cool job this year with the cool company making even more money, having even more fun drinking at DEF CON. And any of you that aren't making more money, haven't got a new job, aren't having fun in the business or doing it wrong, I don't know how long it's going to last. We should have some fun with this while it lasts. But moving on, PCI at DEF CON again. Hey, raise your hand if you saw the PCI DEF CON talk last year. I'm sorry. Wow. So, here we are. This is a bunch of crap. You know who we are. Sexy Dave Shackleford, Josh Corman. Mercurial who's always on stage somewhere. Alex Hutton and Martin McKeay. Usual disclaimers. We do not speak for our employers, clients. Yada, yada, yada. 
The dog will back me up as long as I take her out for bagels and coffee in the morning and she's more interested in the bagels. These are our opinions, facts are as we see them. We are not lawyers. The ex-QSAs on this stage are not your ex-QSAs, however, as I like to remind them, QSA. PCI is kind of like the blood in Macbeth. You can pretend to wash it off but you never come clean. So, deja vu all over again. Here we are again. Last year we talked about a lot of PCI issues. This year we want to give you something to move forward with. What's changed? 2.0, baby. Three-year cycle. That gives us time to get thoroughly owned. Nothing has changed, Jack. Wait, no. There's a new number. No, I've looked at the numbers. Look, I'm a product manager for a company and when we make big changes we shift like a decimal point and stuff because it tells people that something happened that we're proud of our work. And the PCI council is some smart people who are incestuous with the scanning industry. Oh, shit. No, Jack, Jack, Jack, remember the PCI panel doesn't, I mean the PCI council does not work like other corporations. When they change to 2.0 they say we're going to freeze things exactly like they are right now for three years and not change a thing. If only Congress worked that way because, you know, PCI council when they're bought they stay bought. So what is new in 2.0, Martin? Nothing? Very, very little that's of importance other than the things that are not actually written in the PCI 2.0. Wasn't there some, some virtualization? I mean that's new technology, right? I'm waiting for the working, I'm working for the working group on OS/2 Warp is almost done, right? So last year 2.0 was new, it was fresh, it was sexy, it was frustrating, it was lacking in concrete guidance. Thankfully mobile devices don't count, none of us carry anything more powerful than the laptop we got issued by corporate two years ago in our pocket. 
If we knew where our pants were, we'd know where our pockets were. So where the hell are we now? Do you want my pocket? Do you know where that's been? Speaking of which. Okay, so, go ahead. Wrong way. I know, I don't know. So who wants to talk? Mr. Corman. Mr. Corman, do you have any opinions about PCI? So without rehashing everything, I mean I'm just a level set. About a year and a half ago I compared PCI to the No Child Left Behind Act for IT security. And then we had a bunch of debates and dialectics and I think we did some pretty good discussion. We got, you know, I created an enemy, Mike Dahn, then we hugged it out for charity and now we're pals. And no tongue. No tongue. But we, I think we advanced the discussion a lot. We took it from blind hatred or blind faith to some sort of informed discussion. But the other guy who did the Verizon DBIR is going to say some more things. But I had three slides from this year's DBIR. So first off, if Bob Russo is going to stand on the deck of an aircraft carrier, this is the mission accomplished flag. He will fly behind him. And basically it's because if you look at the sheer number of breached records each year, the high was 2008 with 360,000. And yes, there's selection bias and yes, it's just Verizon and U.S. Secret Service and Alex will cover that. But we dropped a hundred fold in two years. That's three, 360 million. Wait, no, wait, wait for it. No, no, wait for it. So, wait for it. So although we dropped from 360 million breached records down to 3.8 billion, that's a hundred fold drop. But I might need to remind you that my mother-in-law's credit card as a record counts the same as the F-35 joint strike fighter plans. So this has led lots of fanboys to say mission accomplished. PCI is working. Now there's all sorts of things that we don't have enough data for. But another fact is the street price of a credit card has dropped about a hundred fold as well. 
It's not causation, but you know, we have to look at this in the big picture. So click one more time, please. I'm supposed to do my job. So thanks to the really good work that now that we're measuring things and capturing what we can, I did a little year-to-year comparison. So the number of breaches went way up. We went from 141 to 761. And at the same time, the number of records went way, way down. Well, that's important, Josh. So right now, everybody think about risk. Risk is both impact records and frequencies. Risk has nothing to do with PCI. Now we're just trading records for greater frequency. A huge increase in frequency. So lots more failures but lots smaller, which should make us feel good. But when you dive into the types, and this is really important, the intellectual property went from 10 fails to 41. National security data went from 1 to 20. You can read for yourself, right? So some of these higher value targets, I usually draw a continuum. On one end is highly replaceable. And on the other end is irreplaceable. And credit cards tend to be fairly replaceable, low value. So there are shifts and there are changes and we know about them because the DBIR is measuring them and we're looking for year-to-year trends. But I didn't get comfort and mission accomplished. I saw that there's some much more serious failures. One more, I think. So, you know, in parallel, we keep talking about is it working or isn't it? But the scope of PCI is regulated card data. In parallel with that, we saw a lot more intellectual property theft, whether it was Google Aurora, you know, or Cyber Kit and Killing APT Nonsense. RSA Security is a big fricking deal, right? I just killed several cats. You know, in parallel with PCI being debated or isn't it working, I think it's an irrelevant question because we now have much more serious espionage on the one hand which has nothing to do with PCI. 
And we have the Anonymous and LulzSec debate like we had earlier today, which is they could care less that you're PCI compliant. So it's a slight, it's a small slice of the overall risk management that's taken way too much of our risk time and budget. So with that, I'll transition to, well, no, seriously, because I mean, you know, well, and Josh and I have had our discussions here, but I mean, despite the catastrophic loss of people's PlayStation Network access, realistically, you know, impact to me has to have some more tangible meat to it. So we'll hold that thought for a minute. It's Alex's slide next. So it's not all bad, and you can hand me the pig if you want, but the truth is as much as we hate to admit it, PCI really has kind of moved us forward. There are a bunch of people that would do nothing if it weren't for the threat. And so it's moved us forward. And we can't forget that. And one of the things that we can't forget that, yeah, but Jack, Jack, I mean, I've looked at some of the data and 2010 versus 2011, I don't actually, I should say 2009 versus 2010. I think we've put moving that I don't that's entirely possible. We could have. There was some movement and you know, one of the things that needs to be said and Mike's not here. One of the points that gets made by people that defend PCI and they have a valid point is that if I am an irresponsible merchant, you as a responsible merchant can get sodomized by my bad practices because I lose a bunch of credit cards and somebody uses them at your shop. You're out the money because as Mr. Arlen pointed out eloquently last year, this is not an egalitarian system. This is a group of thugs, hoodlums. I think Jamie is criminals. 
I think it's important to note that the people who promulgate the problem and the problem is a system that was designed in the 50s in order to make it easy to pay for your restaurant and hotel meals when you're away from your home is no longer sufficient when you have to wow, that's a weird echo. Really weird when you have to deal with the monitors are coming in and out. If anyone in AV cares, the monitors are coming in and out. I think they're doing that to us on purpose. The issue though really is that the system was designed from an IT perspective in the dawn of time and no significant movement has been made to take advantage of any new technology. You can say that adding CVV was a real win and CVV2 is so much better. But 16 digits plus expiry, plus CVV, plus whatever other fraud controls we try to tack on to the back end, you still have to pick up a copy of the operating regulations and look at them and say, you know what, every time someone in this casino asks me to see photo ID to go with my Visa card, they're violating their merchant agreement, it makes me want to scream my frickin' head off because they're not paying attention to the operating agreement, why the hell are they going to pay attention to PCI? They've created this situation where the only way that you can acquire the problem is by being one of their customers and the only way you can acquire the solution to their problem is by being one of their customers. I know people who do this. They also offer you cement shoes as an option. Can I ask a question to the crowd before we let Alex say intelligent things? Everybody down with that? Not that this isn't intelligent, of course, but I'm just curious. Oh, nice, nice. So because I think it's important to level set. I think it's easy for a bunch of people to get up on a panel and kind of rant about something and go, ah, this sucks, and you know, we're all kind of disgruntled, ranty security people. 
But just to get a show of hands, if anybody's brave enough, would any of you actually go so far as to say that the institution of compliance mandates such as PCI with its structure and everything else has somewhat improved perhaps your budgeting ability and or potentially your entire security program? That's a pretty damn good number, actually. I mean, that which goes to say that just getting up here and bitching about the existence of it is not probably a great idea. So Alex? Thanks, Dave. One of the cool things about my last job was I got to be neutral. I got to play actual researcher, which was kind of hot. And we took a look at a couple of things. First, we looked at incidents, right, the actual outcomes. We didn't have these masturbatory sessions about does it make you secure, not secure. We looked at the outcomes. The second thing is we looked at our customers and we looked at how difficult it was for them to actually become and maintain compliance. So two separate reports that we did, really examining this stuff. These pie charts, sorry, everybody who likes Stephen Few, these pie charts are showing you that it's not easy to become compliant. If you don't know what an IROC is, I don't know why you're here. No, it's initial report on compliance. Okay. What these pie charts are showing is how difficult it is to even, if you say once you call, well, Martin in his past life and other QSAs and say, okay, we think we're ready for an IROC, hooray. This is what you end up with, at least with us as a QSA. Next slide. And I wrote about 10 to 20 percent of the reports that that is based on, so in a previous life. Right. So, yay, it's hard. So is it worth it? Next slide. We have no idea, right? We don't know how to measure secure. There are no secure units. We have indicators. We have shadow metrics that we can start thinking about. But it's a pain in the ass. So what we can do is look at the data. Next slide. All right. And we can look at this. 
Essentially, when we talk about the outcomes, we talk about what's happening in the threat landscape. Right. First, is it a targeted or opportunistic attack? Year over year, we see an 80-20 split, weird way that nature works, right? We see an 80-20 split between targeted and opportunistic attacks. Yeah, it's a subjective measurement, all measurements are subjective to some degree, get over it. Second, we ask our incident response guys to characterize the attacks. We give them some guidelines and so forth. And generally, they're mostly moderate, low to none. Just to give you a kind of a thumbnail there. Low is something that even Josh and I could carry out. Next slide. Next slide. All right. So what do I mean? And this is where this sort of, if you start arguing with me about, well, gee, PCI doesn't mean you're secure. This is the first, it doesn't frickin' matter slide. Because what we found when we really looked at incidents is that if you have default credentials on your point-of-sale system, right, you're going to get breached. You're already breached. If you have Micros anywhere in your username or password, all right, and you've got that as a point-of-sale vendor, for example. So take a look here. This is just very simple basic stuff that PCI compliance should have, go back to the opportunistic and targeted, should have, if it were in place, perhaps driven the attacker from opportunistic to targeted. So the point being 80% of the time people screwed up. We screwed up somehow. Either we didn't educate the customers, the customers got lazy because we're not educating them. We had a problem where we deployed something, there was just variance from good practices or standard practices or whatever you want to call it. But none of this stuff is 0-day, right? None of this stuff is particularly tricky. Next slide. Alex, can I ask a quick question to the audience? 
Yeah, how many of you have been out on the casino floor and noticed that the POS systems have been down several times? I mean not that that's unusual during DEF CON, but it might show a little bit of a microcosm of the PCI. Not just POS here though, right? It's not single point. It's not just entire corporate networks throughout the city of Las Vegas have been going down when individual systems have gone down. But it's not, according to what I've heard, it's not even just specific to us. Apparently there's five or six different casinos that their POS systems go down all at the same time for five or six hours. So what does that tell you? Maybe they have the same service provider that is really screwing up the back end. That way all the failure is in one place. That's kind of handy for us, right? Yeah. Before I advance the slide, I do want to say one thing about the simple versus. One of the things that Josh has made very clear in a variety of presentations, and several of us have, is that years ago we used to say you only had to outrun the bear and whoever you were with might be kind of fat and slow and they would feed the bear. There are too many bears now, but one of the things that this shows is you should tie your shoelaces because there's no point in tripping over your own damn shoes and making it easy for the bears. The bears like us lean and having run and healthy, you know. So there, I'll shut up. I can hear y'all repeat it. Just yell. So what is the point of PCI other than reinforcing common sense? Right. So do you remember Jack said common sense has nothing to do with PCI. Let's repeat the question. Repeat the question for everybody. Okay, so what is the point of PCI other than common sense? Other than just common sense. Well, budget. Well, that's a really complex question. Okay, within the context of establishing controls, right? If we wanted to be diplomatic about it, we would say it is to take a population that had wild variance. 
It's to get them some consistency and see if that actually reduces frequency or impact. Or if we were more cynical, we would say that it's just to keep the government out of the... Yeah, I wasn't going to go there, but yeah. Regulate. For the card brands. Yeah, I have no comment on that, but Jamie probably does. Jamie might have an opinion on something a little bit more sinister about what the reason of PCI was. Please be sinister. Sinister? It's actually not that hard, you know. Sinister, true. What the hawk, you know. Think about how all this started. I mean, this is my usual rant about how most of us failed to study history and therefore were doomed to repeat it. The card brands came up with a way to transfer the bulk of their liability and risk to the issuing banks. The issuing banks were not so fond of this situation, so they found a way to transfer most of the liability and risk to the merchants. Who's next? Alright, so remember when I mentioned consistency, right, and whether or not that would affect security. So this column, I don't know if you can see this in the back guys, but it's available online and stuff. Alright, the white columns there, '08-'09, '10, those are when the incident response guys go in. They actually have to do a mini assessment of the environment they're in. So they go through each requirement and they just do a yeah, I would have passed here or there's no way in hell I would have passed you. Alright, so those numbers are basic, yeah, those are percent that would have passed. Okay, so under 2010 requirement one, install and maintain a firewall configuration to protect data, 82% of the time the incident response guy said to the card brands, there's no way you would consider these guys in compliance with just having that basic requirement set. This is what I mean when I said it ain't even close kids. My firewall is in a box in my data center and three mice live in it. Basically, the gray... 
Are they maintaining your change control? So let me, let me jump in here. I might know a little bit about firewalls and how they're used in the real world. Not anymore. Have I erased that all in six weeks? Let's back up. Let's reiterate what Alex said. 18% of the time for people that came up in this, this set of investigations, they had installed and maintained a firewall and configured it so that it protected their systems. Think about that for a minute. Now we like to make fun of firewalls and antivirus because they don't work and they're obsolete technology and I've made this plea before. Before we give up on obsolete technology, decades-old technology, those of you who know where I work, I work with a gentleman who, well, a gentleman may be the wrong word, who wrote the first commercial firewall, first stateful packet firewall. Just once before we retire obsolete technology could we deploy it properly please? It might even work that way. Alex, I'm sorry. No, that's fine. Firewalls get me all excited. You can't tell because of what I'm wearing. Yeah, yeah. So you can see here that there is a little bit of sample weirdness between '08-'09 and '10 because of the nature of the merchants involved. Many more level 3, level 4 merchants in '10. But it doesn't matter. We're looking for that consistency, right? In terms of security. Now that gray bar is our PCI report data and that was at IROC, right, at initial report on compliance, were they good or not? Okay, so that is, that is, yet it's difficult. How difficult is it when you want to be compliant without help? And then the other columns represent basically how difficult was it for these poor people to maintain compliance. And you can draw a lot of conclusions from that. I'm not going to draw them. I want you guys to think about them and come up and ask questions and talk about it, right? 
But this is, I think, really interesting data when you look at PCI itself and you divorce yourself from the fact that it doesn't protect from 0-day and that antivirus is next to useless and blotty blotty blotty that we talk about on our blogs and our podcasts and all that stuff. Thank you very much. You know, Mike Dahn's not here, but he made a really excellent point recently. He said when he got into PCI he thought it was going to take people who didn't care about security at all. Didn't have a roadmap for how to do it. And it would show them how to do these common sense things to your point. And now what he's concluded after having enough data is that you can't make someone who doesn't care about card data care about it. In those cases they may achieve compliance at the ROC and the data showed, at least I haven't seen this year's, but last year's data showed they lapsed within one to two months after. No, that's not what it showed because it doesn't measure that. I mean... I'm quoting him, so you fix it then. If it's broken, fix it. It doesn't capture that sort of snapshot because it really does only look year over year. And I have looked at some of the data for 2010 as opposed to 2009. And that's what scares me is Mike is right. When he thought originally that PCI would give some impetus to people who didn't care or who couldn't get budget to be able to get that budget, in a lot of cases there was some movement originally. There was some movement when they first started to become PCI compliant. Unluckily, it stopped. There really hasn't been any more movement. The people who want to be secure, the people who want to be the businesses that look at security as a sales point are becoming secure. The businesses that are trying to not be secure, trying not to spend the money on PCI, are finding ways to fool the auditors, are finding ways to just ignore the whole system. Compliance hacking for the win. I would ask one thing though too. 
I mean, you know, we're talking about people that want to become secure. What about those that quote unquote want to become compliant? And the fact that that doesn't mean you're secure at all. I mean there's a lot of people that want to check the box. They don't want to be fined. How many people out here still think that security equals compliance? Anybody? That's a bait. That's terrible. I'm sorry. I'm sorry Marty. Was it 2004? Back when you were still young? So theoretically I'm a moderator but actually I'm an immoderator and this is where I'll jump in and don't make assumptions based on where I may have been for the past four years because I've seen a lot of other things but sometimes people cheat. One of the things that I saw that was kind of interesting was somebody had a problem with a certain piece of malware tearing their network up. Because I was familiar with the system they were running I noticed an interesting icon. They had an exclusion for IPS that excluded IPS from their NTP server. Now if you've seen H.D. Moore's talk from a couple of years ago about the interesting information that you can leak out of NTP you might think maybe that's a bad idea. But it's still just an NTP server. But I noticed it was actually the icon that the particular system they were using in this IPS system was an icon for a network, not an individual host. The network definition that was used for exclusions not just in IPS but also in web content filtering and some other places on this particular not-customer, that would be irresponsible of me. This random person happened to be 0.0.0.0/0. Love that subnet. However, wait, is this the pick on (ISC)² or some other certification body? We could easily go there. That's fine. 
But it got past the auditor and so they kind of forgot that they had created an exclusion for their compromised NTP server that covered the entire network and then they were whining that having defeated all of their security systems, they were owned inside out, upside down, and actually the call started because their Exchange server was creating too many alerts on some defensive system that we make fun of. But sometimes people cheat. Anybody in this room that has done penetration tests is probably finding, anybody that does defensive stuff has probably seen this. But it turns out that not every QSA cares as much as some of the ex-QSAs on this panel and some of you in front of me. Some of the QSAs, and this is an unpopular decision, these guys are trying to make a living. They may or may not be competent, but they may have a mortgage. They may have an ex-wife or ex-husband or two that requires, you know, support and they have bills and they need to pay them and they churn the stuff. PCI compliance has become commoditized and that drives people into cutting corners. But Jack, does the fact that people sometimes cheat on compliance change anything? Does it mean it's more effective, less effective? Does it mean anything really? Because those same people are going to cheat no matter what, aren't going to spend money no matter what. It matters if you think compliance equals security and while nobody that's here would believe that, the people that have budget authority sometimes still do. But this is where I get angry. We look at it like it's no harm, no foul. But like I tend to work with a lot of CISOs over the last couple years. They tend to be on Fortune 100, Fortune 500 and a guy I knew who used to do good risk management, the question I've been asking for the last two years since we started this debate is what percentage of your security budget goes to passing an audit on card data and which percentage goes towards your corporate secrets. 
And a Fortune 50 company has zero dollars on corporate secrets. He went from doing balanced risk management to 100% on the card data. He pays 2.6 million dollars for the assessment each year. It's not like he would have done different necessarily security controls, but it has defocused him from things that matter more. So it's not zero impact. It helped some and it was a very massive distraction to many others. No, I was just going to say this is the speed limit test to me. Right. I mean how many of you speed? There you go. Exactly. Right. So but there are in fact radar guns out there. Right. And you know this, but you still speed. And it's the same concept. You know, if there was no radar gun, what would happen? Well, hang on a second. Let's look at the economic incentive, disincentive model. I mean if you, if you're failing what's the cost? Eh, might get 100,000 dollars a year fine. Or you might be told that your per transaction fee is going up by 2%. I'm not paying my per transaction fee. My customers are. That fine is one-tenth or one one-hundredth of what it would take to fix it. Let me repeat the comment on competitiveness. You can't pass the 2%, you can't pass the 2% to your customer if you want to compete with Walmart. Wow, this is commoditized. Is that what you're saying? Are you saying that? But yeah, but those guys can't compete with Walmart anyway. Well, I'm not in Walmart's market. They don't sell what I sell, so screw it. My customers are all stupid, aren't your customers stupid? All right. As outspoken as I am, I'm not going to call out any of the companies that sell Walmart grade PCI services but because everyone here knows who they are. And one of my gripes, and it's safe now that some of my friends are no longer at the company that they worked for, that created a cool report that would have been much more cool if it had called out who had certified them people as PCI compliant when they were breached. But that's politically incorrect. 
You know, a couple of times in other talks, people have talked about attribution. This morning, Josh and company were talking about attribution in a completely different context. It would really be cool to know who is certifying people PCI compliant as they are currently heavily compromised. Hold on, Jack. I know I'm not defending former employers of anybody on the panel, but I'm not saying that it's an option to do. That shouldn't be the, that shouldn't be the vendor's job, right? Everybody out here who came, who's interested in PCI, you have a right to go to the card brands and make some frickin' noise. You do, honestly, you should. You have a responsibility, right? So the lack of, and you should continue to, the lack of transparency. You shouldn't push that on, on some vendor who's doing their best to get there and has an evil legal and PR department. I'm just kidding, Brandon, you're awesome. But you should be going to the card brands and saying, where's my damn transparency? If you're really interested in me being secure or my customers being secure, then I want to see reports. Anonymization can work. We do it all the frickin', or we, a former employer, I did it all the frickin' time, but I don't work, and it's informative and it's there. They have a responsibility if they're interested in security, but that gets back to Jamie's point. But you skip past the economic incentive argument. Let me, let me state the name. So Verizon has given us more data. You can, you can throw stones at Verizon for putting the VZ name on things. But they've shared data freely. They're just, because I want more data that's not politically or logically or financially feasible for them to provide. Just because I want it doesn't mean I get it. I was just expressing that. 
But it would be really cool if a lot of people shared a lot more data, not to sound all like New School of Information Security, but it'd be cool to know what the fuck is going on in our business, not just with compliance, so maybe we could make an educated decision. You, sir, I think have something to say. Well, you talk about the Walmart approach to vendors doing 17 cents an I think is the PCI validations. And I think that's an easy target to go after. But you have to remember that the PCI validation is a point in time. And the people you're working with, they want to be compliant at that time when you're on site doing the validation. After that, who knows what the hell happens? Certainly on clients you go back to year after year, they fall down during whatever time period where it's months or half a year or three quarters of a year. They fall down during that time because they're not worried about what is going to show up on their validation report. So not to get myself in trouble, but that whole validation versus ongoing compliance thing, that's, that's a red frickin' herring, dude. As long as, as long as they can say there's never been a breach where the customer has been PCI compliant or the victim has been PCI compliant, it is a completely red herring. And I promise you that that will continue to be the case indefinitely. That's true, but I can say I have a unicorn in my pants while not wearing pants, too. And we're talking about the PCI panel. We've kind of ignored the pen testing professionals in the room. Are there any pen testing professionals in the room? Okay. So one of the things that we've been talking about at B-Sides a lot was the Penetration Testing Execution Standard, the PTES thing. And speaking of the Walmart-ification of this, it's really the race to the bottom to see who can make the auditor go away or what's the fastest cheapest path to IROC or ROC rather. 
People are... because it's so ill-defined on what counts as a penetration test, a quick Nessus scan is often substituted. Nessus, save as PDF, for the win. Now, I know PTES is still controversial, but one of the reasons I like it is it helps separate the check-the-box-for-minimum type person from cannibalizing the talent that real professional pen testers can bring. It starts to help articulate or support the conversation: if you saw Wendy's talk on how she'd like to be penetrated as a CISO, it helps her know what she's going to get if she really wants to focus on a more comprehensive thing. She can now use it as a framework to decide which pen tester she's going to contract with. So it lets the irresponsible jackasses who want a cheap solution be irresponsible and cheap, and it lets someone who actually wants to use the PCI budget to drive better security do so. So Wendy can describe her fetishes? I was just going to... so let's take what Josh, I mean, Josh has a valid point, but let's take what's on the slide right now, which, by the way, does in fact have a younger Bill Murray, which everybody should of course be focused on right now. But let's actually take that as a good example. It's so easy to swing the needle to things like, you know, PTES and pen testing and, you know, this cutting-edge thing or mobile security or, you know, insert hot shit here. Look, simmer down, guy. Don't have a moment next to me. So what's on this slide is relevant, though. Seriously, I'd love to talk cutting edge at a conference that focuses on cutting edge, right? Somebody that spent six to seven months in their basement with a lot of Mountain Dew and a debugger, right? Get away from that. Let's go to the regular baseline crap: patching, config management, firewalls. I mean, I think Alex's data was actually poignant. It's really relevant here.
I mean, it's incredibly easy to point fingers and say, you know, we're doing a crappy job or we're shifting blame or we're doing all these things. But who the hell is doing a great job of patching? You know, I raised my hand when you asked who's a pen testing professional. I like breaking into places. It's great fun. And people ask me very commonly, you know, how are you getting in? What are you doing? How do you get in there? And I'd love to be the guy that sits up here and tells you, I am sitting in my basement and I'm developing custom exploits and, like, I've got the debugger, it's really fun. No, it's actually, like, default passwords and that one dumbass in ops that forgot the MS08-067 patch on the one box. Right. And, you know what? We are losing because of that. Okay, but let's take a look here. PCI is meant specifically to look at credit card data. Nothing else. It's not about security. So, hey, wait, wait, let me... you can finish after I do it, because, like, what? I'm wearing white. Except for the strawberry stains. So PCI is about card data, but we need to... PCI is about securing card data. PCI is awesome, but we're in Nevada. I just wanted to point out we're in Nevada. So PCI is not just about card data. It's not about security. It's about card data. That's all it's ever been about: securing card data. Something about... But why are we even taking card data? I mean, why are most of these people even having access to their card data? If we really want to have something that's going to protect the card data: don't have it. Don't have it. Don't ever let these merchants touch it. Don't ever let the merchants see it. Quite frankly... oh, yeah, then the Gramm-Leach-Bliley risk is on the card brands and the banks. We still need to provide 16 digits, expiry and CVV so that you can take a taxi in Azerbaijan.
This is not going to change anytime soon until we're willing to admit that creating a duplicate system that does not use technology from before my parents were born is going to be useful when we switch to something that, I'd like to point out, my parents are old, so that's a long time ago. And WAF can save us all, though. He's old too. And if we move to something new that is appropriately designed, probably not by a card company, and implemented with an economic incentive that says, if you want to use the old system, great, get used to the spread between what we're charging you for interest and what the overnight rate is. Redefine usury. And we're going to make it possible for both sides to look at the situation and go, oh, heck yeah. From the employer's perspective, or not the employer, sorry, from the acceptor's perspective, we're going to make this real simple. If you want to use old style, great, it's $2 a transaction plus 2.5%. And if you want to use the new style system, it's $0.08 per transaction flat rate. But we've already seen that chip and PIN is also being broken, so that's not necessarily going to save us much. You think chip and PIN is a good idea when they print the same fucking 16-digit number on the chip-and-PIN card with the same fucking mag track on the back? I'm saying we need a new system. The old one is costing us a shit ton in interest. The overnight rate is less than 1%. The average credit card rate is 22+. I think we got the 10-minute warning, and we said we were going to offer solutions. So should we shift to solutions? We should talk. But let's remind people... We will solve all your problems in the next 10 minutes, in other words. Unlike last year, we are in a place that has high ceilings and good air conditioning, so the smell's better. But we also have room for a couple hundred people in the Q&A session, so I encourage you to come there. That said, last year's Q&A session was off the freaking hook. It was much better than the panel.
It was much better than this. Most of us weren't there. This gentleman has an opinion, as does everyone else here, but he stood up. So I have an opinion and I have a question. We're talking about things like just patching systems, which are really, really important and relevant, by the way, with the number of people that don't even have a firewall, kind of, who are patching, you know, have it configured properly. But since we're talking about the cards a little bit now, I'd like to ask: when the fuck are we going to move away from using a physical signature? Didn't I just say that? 16 digits, expiry, CVV. You guys still use checks in this country, for Christ's sake. Exactly. Same people have had debit cards for 30 years. Exactly. Exactly. I completely agree. So, okay. Once the government, East Asia or Appland or whatever, issues us all federal IDs, we'll just use that for signatures. Somebody just said, well, it's expensive to change out infrastructure. There's a, we'll call it the equivalent of Walgreens, in the country that I'm from, who've gone through three entire iterations of PIN pads in less than 18 months because of foolish business decisions. They went from the old-style PIN pads to the new ones that were chip and PIN, and then they realized that another branch of the same organization put out a credit card that had an RFID on it, and they couldn't use their own credit card on it, and they couldn't use their own goddamn credit card in their own goddamn stores, so they changed all their PIN pads again. So you know what, when the difference is 22-plus percent versus under 1 percent for the overnight rate, there's lots of money in that interest spread to take care of replacing the whole system, and remember, those economic incentives matter. Debit card transactions are measured in cents per transaction, fixed price; credit card transactions are measured in a mixture of fixed price plus percentage price.
Change the economic incentives in both directions. Make it so that if I use the new modern system that doesn't have every vulnerability known to man and require fraud management of hundreds and hundreds of people per issuing bank, say it very simply to the customer: I'm only going to charge you 9 percent interest. Which card is the customer going to choose to use, the old-ass one or the new fancy one? I mean, the solutions aren't solutions that we can execute on; they're solutions once we get to the point where, as infosec professionals, we're doing our fucking job. But you're saying we also need to put pressure on the PCI Council and merchants in order to enact that change. I think the only change you can do is the one that you can do. How about if we do the right thing no matter what somebody else tells us to do? How about issuing banks and the credit brands themselves? I mean, let's quit dumping this on the merchants, because 100,000 merchants aren't going to... Give everybody a minute or so to wrap up, and then we'll go into the Q&A room. So you keep coming back to this point that PCI is all about the credit cards, and there's plenty of other information out there that needs to be protected. And absolutely, your point about, hey, we need to replace the whole system, but that's going to take time, it's going to take money. So in the interim... No problem. I'll show you how. It's cool. Whiteboard it for you. Keep your pants on. In the interim, until everybody gets on board and does that, you know, when someone steals a bunch of credit card numbers, it affects me, it affects my friends, my family, everybody in this room, and maybe not directly, but maybe just through increased cost for all the goods we buy, because all that fraud permeates the system and we all pay for it. When somebody breaks into some pharmaceutical and steals the intellectual property for the next Viagra, it doesn't affect me.
So in the meantime, until we can get some new system in place, you know, a use for having something like PCI out there, to at least, for the people who don't want to try to be secure but don't know how, give them these guidelines. I used the wrong word, I'm sorry, not secure, but they should be already doing... If they don't know how to be secure without PCI, it's not going to help that much. CISSP, buddy. That's exactly it. There's a lot of CISSPs out there. We need a unicorn chaser. Give them something to start with. No, it's valid. It's a starting point, and we can't deny that it's moved us forward, but we're so far behind that we really need to look forward. There are a lot of people out of budget because of that. I mean, the penetration testing industry is an industry because PCI requires it. And with that, I really encourage everyone to follow up with us. I'd like to give everybody on the panel a chance to wrap up. This has been a follow-up to what we did last year; hopefully there's been more information. We will be in the Q&A room and we really want to continue the conversation. We won't beat you to death with that. I'd like to start with Mr. Arlen and see if he has something to say. I doubt it, because he is without opinion, as is everyone here. DoingInfosecRight.com. Also, you're all back in here at 8 o'clock in the middle of the pyramid, right? Right. Woo! Mr. Shackleford. Cleveland. You guys looking at me? Jesus. Bottom line, whatever. I'm one of those people that don't hit that, John. That's right. Honestly, I'm ambivalent. I see people that have really benefited from PCI; I see people that have really benefited from just about any compliance measure shit at all, and they look to get the auditors in, out, and move on to the next year. And, you know, I don't think that us sitting here and having this dialogue is going to get us there either, but, you know, in some cases I think it's a good thing, so I'm going to be that, you know, annoyingly optimistic guy on the panel too.
You know, I've seen a lot of environments, and there are some where people are doing PCI with the idea that it will make them secure, to go beyond PCI and be secure, and they're actually doing some effective work. I've seen a lot of people who just haven't been able to get the budget before PCI came along. I've also seen a lot of companies where they look at PCI and go, it's another pain in our rear, we're going to do the very minimum we can do to make ourselves compliant, we're never going to be secure, so just give us our ROC and go away. So I think if you understand the limitations, even a fully compliant PCI environment is, then you have a baseline, and if you understand it's a very low baseline, only then are you able to look at the attack density, how people are getting popped, and prioritize how you shift some of that budget. Now, what Mike Dahn and Gene Kim and I did a lot of work on was figuring out how do you massively reduce scope and have less data to lose, and less systems involved in scope, and that liberates funds to do good assets. So we have a lot of research and specifics behind that, but the trick isn't, you know, looking at that as a finish line; it's how do I budgetary jiu-jitsu that, how do I use PCI to fund my Visible Ops project, or how do I use it to pivot into non-card-data security initiatives. But if you don't realize how limited and narrow it is in the first place, then those are off the table. I'll end with this: I can't give you guys a solution, but I can tell you I can start to get at a solution, and that is demand transparency around data. You give smart people in this industry data and we'll start to figure stuff out, but we are being kept ignorant, and you have to wonder if that isn't purposeful. We are debating... Really quick, don't move, don't get all excited about them leaving yet, because they're not going to. Our five o'clock speaker, I should have looked that up before I started speaking, shouldn't I? That guy. We're in track one? Yeah. Well, thank you. My Password Is Full of Fail, Jason Pittman, is not going to be going from five to five twenty, so these guys are going to hang out till five twenty, and then after that we've got another turbo talk. Or you can come over to the Network Security Podcast and watch us record episode 250. So let's do, instead of going into the smaller room, we'll do Q&A, because I'd be willing to bet some of you have opinions. Martin's going to run away because he's doing the 250th episode of the Network Security Podcast. Let's start Q&A here, and then we'll move into the other room, and/or commentary. Yes, sir, let's dive in. So one of the things that I found to be interesting about PCI, I guess from an introspective kind of way, what are our failures as a community, is that, I mean, I've been a former QSA, and although I've seen a lot of environments for Verizon Business, is that our real challenge is operationalizing the process of security, and I think one of the things that PCI shows us with these failures is that it's really hard, and I'd be interested in hearing your comments on that. So it was a commentary about operationalization of security, and one of the things that in my past that I've done is I've always worked with smaller businesses until a recent career change, and because we had to, in small business, we operationalized some... somebody keeps giving me liquor... so anyway, we did that to security in small business. Part of it, it's because we had to, but larger enterprises kind of need to, and he knows something about that. I'm gonna, really quick, simple answer, find me later though, but the Visible Ops studies, that wasn't about really security, it's about IT operational excellence, showed massive deltas: the tighter you run your IT, the fewer break-fixes, the faster... There are some studies that show high correlation, at least, to operationalizing IT with security in mind. I was gonna say there was a study at Weiss that's backing that data up again. So that's, yeah. Well, here's, here's
personal experience in that: I once upon a time ran a whole lot of security with zero direct reports and about 187 indirect reports, and by making sure that security was everybody's job, I was able to achieve a level of security proceduralization that wasn't because you went to the security binder and looked at what to do, but because it was just your damn ops binder. Of course, we had binders then, too, not SharePoint, because it's, yeah. But I'll just throw one thing on that too. I mean, if I started getting up here and talking in depth about change and configuration management, none of you, right, at least the people that are being honest, and unfortunately that's the most important stuff in terms of general operable, you know, operationalizing IT and security in general. But I mean, that's the problem, we don't do a good job of that. Doing InfoSec Right. Next, next. What's up, Alex? I also... prolonged the death of this archaic system, just like James said. Yes, what do we do to shorten that lifespan of this broken system? Because all it's done is push the liability down. Let's not shorten... we have zero percent unemployment in our industry, let's not shorten this stuff, let's not fix anything, dammit, because I love Chad, I've been working with Chad for a decade, I'd like to retire. You have to have people fess up, as, here's how we were, here's how we were screwed, right? And once you can say that, then somebody can say, well, look, now we know patterns in getting messed up and let's solve those, and then you can start addressing real things versus crazy things. So my grade four teacher, Mrs.
Barber had this crazy way of making sure that we were doing the right thing all the time. She called it a snap quiz. Why don't we just have them? You know, some day you walk in and the Spanish Inquisition shows up, the PCI Inquisition shows up and says, you know what, we're going to find out whether or not you're compliant today. They do that in the credit union sector; we have audits year-round. I used to, when I worked there. Yeah, yeah, self-congratulatory reach-around for the win. Why would we do random audits and tests when we have Anonymous and LulzSec? Boo. Next question. Hi. Hi, about that pretty dismal slide with the percentage statistics on the breached organizations, question about the firewall thing: do you have any idea whether the very low percentage of the firewall compliance was due to the organizations actually not having a firewall at all, or was it because they failed to document the firewall rules as per PCI? Yeah, we lumped all of... why would you fail Requirement 1? So it's documentation and so forth. But as we just said about operations being so damned important, there you go. I'm not arguing that PCI sets out great operational rigor, I'm just saying that's indicative. Two follow-ups, though: one is they had it, they were compliant at one point prior, and two is, we didn't say it because we didn't have time, but out of that 761, how many of them were SMBs with 11 to 100 employees? 400 and some odd. So a lot of that is really describing the bottom of the market, Level 3, Level 4, and not necessarily equally applicable to, like... but if you go back to a higher Level 1, Level 2 representation, yeah, it's still pretty abysmal. It's not 18%, but it's like 40%, you know. Okay, thank you. Hey guys, this is the last question. No, until we move. No, we have the 20 minutes, we have another 15 or so, but because the next one can't... I got somebody waving fingers. I just wanted to make a comment on the firewall thing, the situation that my friend Bob told me about that I mentioned earlier
that I'm a TPS with that special NTP server. Bob, Bob was told that they normally just enable and disable those rules for the audits, and they forgot this time. So that kind of focuses the, that puts the spotlight on that 18% that we were talking about: they passed, they passed some sort of scrutiny. And it doesn't have to be PCI, I do want to make that... PCI is not the only thing that's doing crazy things. Real quick, if you're coming in for the password talk, it's been cancelled. Yes, the 5 o'clock talk, the speaker was unable to make it, so this is PCI, as sexy as it is, and we're going to go a little bit long and then we're going to go to the Q&A room. With that, sir, you have an intelligent and articulate question and/or comment. Alright, so one of you mentioned that security, does compliance equal security, and I would say that compliance is a subset of security, so if you're secure you're going to be compliant. And I agree with you 100% that that's... no, that's not necessarily true. Not necessarily true. No, I've been in environments where we have been entirely compliant and completely unsecure, and I've been in environments where we're completely secure and completely non-compliant, because once you've got a set of rules that are proscriptive, if you're trying to do something that's better than the proscriptive rule, you're doing it wrong. Well, there's also a perspective thing. I like to say PCI has nothing to do with security for any one individual company, but I don't know that we can make any sort of statement about effectiveness as we look at the population yet. Well, that's the whole concept of compensating controls too. I mean, compensating controls could be ones that you're tweaking, or really great ones that don't fit, so you have to write a document about compensating controls if you're using two-factor authentication to explain why you don't have good passwords. Of course there's more to it than that, I'm not defending it, I'm just saying. And also compensating controls involves Corvettes. No, wait,
that's a different sort of compensation. But, you know, Chris Offhat used to have a great diagram where he would show on a scale how important it was to security, and you want to look for the ones that are high score for both, right? Some are distracting from your overall security program, some of them are highly affinitized and aligned with... Thanks. Good afternoon, thanks for giving me the opportunity to address the panel. I actually represent, from a number of perspectives, that bottom of the barrel. We have 60 people in my organization. I have an IT staff that I'm... I don't even know the security guy, and they look at me funny when I mention them. Also, IT of five individuals. We are also in the hospitality business, so we're in that segment of the population that's had a huge amount of breaches over the past year. You've changed all your default passwords on your point-of-sale systems and you don't use pcAnywhere, right? Please. If not, then sorry, don't bother. I've heard a lot about how PCI is awfully hard to maintain once you get it, and I say that's bullshit. The amount of work necessary to gain PCI is significantly higher than the amount of work to maintain it once you've gone through all the effort, if you've done it right. That's a huge... Well, for your portion of the sample, right, that may or may not be true, but I can guarantee you from my experience with the top Level 1 and 2 merchants, not so much. We're a top Level 1 merchant, we're also a service provider, so we have to meet even more rigid standards than your top level. You got 60 folks? Yeah. And real quick, not 50,000. No, it's not a universally true statement. If you're doing everything perfectly, you still have to prove it every year. I'm just saying, as if it's universally true that it's hard to do. No, it's fucking not, not if you do it right. It's neither hard to do nor is it easy to do; it's worthwhile to do. If I had insinuated that it was universally true, if I had insinuated that it was how we do it, if I had insinuated
that I thought it was universally true, then I'm a bad statistician and I apologize. I think what I was stating was, here was the data that showed that it is difficult. Now, that's a misrepresentation of what that data is. It's a drastic simplification of what that data is. That data shows that people chose not to, not that it was hard to do. Please don't misrepresent the data. It may be easy in certain environments, but I think the data is pretty clear, it's a lot of people. It is not. But it would be good to take this into the Q&A room offline. Here comes the hook. Thank you. Actually, that point addresses something that's been made before, which is that for some organizations PCI is holding us back. But sir, you have a question and a microphone. Yeah, so you're right, Jack, PCI's made a lot of people a lot of money. I've got a client who is able to convince their QSA that their call center PCs were out of scope because they only handle one card number at a time. My question... sure. My question is, in the experience of the QSAs or ex-QSAs in the room, are the folks handling the PCI compliance programs now still security folks? Because what I'm seeing is they're folks from the business, they're folks from maybe a business ops background, but they're not security folks. Who's, you know, who's writing the checks? It's a mix. I'll throw out the first comment: it's a mix. I see organizations... I'm an ex-QSA, don't hold it against me. Don't you even start over there, Mr.
Angry Birds. You know, and I got a few others in this room, yeah, you know, she who's laughing in the front. But we all have blood on our hands, right? But it's totally dependent on company. Some places it's internal audit, some places it's just the security team, some places it's random smatterings of IT. I think that's totally a subjective thing. And sometimes it's a dedicated organization. Agreed. Cool. Any disagreements? Quick, quick reminder: if you're here for the five o'clock talk, you're shit out of luck. What he said. That one didn't show, and so because PCI is so damn sexy, we're going to continue with the next question. Sir. Right, so you were talking about debit cards being a great solution, but maybe tell us what's behind it, because my understanding of credit cards, at least in the United States... that's tied to my bank account. You're doing it wrong. I'm screwed, all my thousands of dollars that are in that account are gone. You know, it's funny, there's lots of good examples around the world of debit card implementations that work. The way the United States is doing debit card implementation is by trying to tag it onto the credit card system, right? So anyways, we've got this other system called Interac, and you're absolutely right, it's tied to your bank account, but what you've inherited in a negative way from the cards is you've inherited their risk model that says if you get violated, it's all your fault. The real... yeah, it's nice being violated. The way that we do it instead is we say it's going to pop right in the next day, or at the least that same day, because the system... I mean, shit, I got my first debit card when I was like seven or eight years old. It's been instituted for so long that Canadians are out of the habit of carrying cash. We don't do checks like the United States does. Not only... nobody does checks like the United States does. So we've got this system that is a fixed transaction cost; it's always the same sort of, you know, chip-and-PIN terminals that you're accustomed to. It
does have that tie back to your bank account, so it's not a credit system, it's definitely a debit system, but it's not tied to the brands, it's not part of that ecosystem, it's not using that processing hardware, it's not using this ridiculous bullshit where your credit limit is updated by the second but you may or may not find out what the transaction was for three or four days. It should be real time from scratch. Oh yeah, sorry, the statement is, the big thing is that there'd be protections on the account, and that doesn't exist here because you're piggybacking it on a system that is broken by design, and so you're inheriting all that brokenness, only instead of it being with fake money that you haven't paid for yet, it's with real money that you thought you had. Hey, did you see that sign in the back that said Tim Hortons sucks? Look over there. Next question. Hey guys, so I think a lot of what you guys have been talking about is pretty applicable, I think, to what a lot of people in this room are thinking of as Level 1 and Level 2 merchants. They think about all the PCI controls. What are your thoughts in terms of the usefulness of the self-assessment questionnaire, and whether or not Level 3 and Level 4 merchants should even be allowed to handle credit cards outside of, you know... What do you know what, on the... any time you ask me how much I weigh, I'm going to give you the best answer possible. That shit that comes up on the scale is not... drunk self-assessment. I can lie to you as well as your QSA. So any thoughts on how to solve that issue? Because just like my grade four teacher... Transparent. Well, that, and transparency, right? Let's see numbers on breaches and self-assessment. And actually I think Mr.
Arlen actually said it well before, the concept of random audits. I don't care if you do your own SAQ or whatever it is, I mean however you answer the questions is fine, but somebody at some point is going to show up unannounced and check whether or not you're full of shit. I think that's the right answer, honestly. You know, not planning it and having everybody going, look at our controls, right? I mean, that doesn't work well. So Mike Dahn, who fought me on this, PCI was awesome, right? Wait a minute, Mike Dahn fought you on something? He's got a really great blog post on this, so he's... That Chaotic Mind, I think, is what the blog is called. And he talks about not the self-assessment as a bad thing but as a great thing, like as a way to possibly completely avoid this. It's like SOX self-attestation without the jail time. And his point was, if you actually care about security and it is getting in your way, you should self-assess, because then... one of the assumptions in the self-assessment is they might cheat the system. That doesn't really work anyhow. Like, in some cases, like, so what, they passed, they failed, they didn't. All that really matters is failures. So instead of, like, regulating a hypothesis of controls that might stop it, you know, penalize people when they fail. I mean, I'm not saying completely get rid of the thing, but he saw that if, in fact, you determine your risk assessment, if you add up all the money that the banks spend, you know, processing, collecting these SAQs, dealing with them, and then you think about all the fraud that occurs and how much that costs, would it be cheaper for the banks just to give them end-to-end encryption and be done with it? Or tokenization, to eliminate scope. Or use it... The system doesn't support that. Remember, we're talking about something that was designed 50 years ago; it's not built to do that sort of thing, which is why you go and have a look at how Interac works. It's completely different. It's what we use for inter-branch stuff, like when I take my
bank card and shove it in a different brand or different bank's ABMs. That's how it works. It's the same thing that I run through the card reader at the grocery store. It's a different system with a different set of constraints, with a different set of design criteria than something that's going to work in Azerbaijan to make sure that your taxi driver gets paid, and you find out that the system cleared instantly as far as your credit limit is concerned, and three or four days later, when eventually they get around to telling you what your transactions were... It's just that the system itself is fundamentally flawed. So let's grab the next question, but just because you mentioned end-to-end encryption, which solves all of our problems, I just wanted to bring this slide up that Alex might actually... just chuckled, that made my point. Last year 90%, this year 89% of those folks that found themselves on the Verizon Data Breach Investigations Report, they got the encryption bit right. So the people in this room that have been saying encryption doesn't solve all your problems, and maybe some of the people that have been saying stuff like encryption is sexy because it keeps the attacker from getting discovered, may have a point. And you... A couple, actually. One, I agree with you, CISSP does not make a good QSA; in fact, oftentimes it's the opposite. A good auditor actually has to have years and years of experience and actually know what the hell they're doing. It pisses me off to go in and actually clean up or audit somebody and say, hey, your auditor totally got it wrong last year and you've got a lot of work to do. But I think the other part of it, talking about Q, is bringing in processes and procedures to get trained, because half of the IT staff out there doesn't know security either. What do you think on that? So are you saying that the self-assessment is a good chance to trick your organization into training your people? I think it's a good way, if the C-levels are open to it, to actually bring in some help. I can
see that if there's no other way. I mean, seriously, if your organization doesn't give a crap about you and you're like, well, you'll just figure it out in the audit, that's the target demographic that PCI is intended for. Well, but think about it, though: there's training and then there's training. Sitting there for an hour in front of a horrifying PowerPoint presentation that's been shoved into Adobe Captivate doesn't turn my fricking crank. I'm not going to learn from that, because it's not real. Whatever, it's awesome. I mean, that's a good point. You learn it. I think where C levels won't listen to their IT staff, they'll listen to the QSA that comes in and makes the recommendations to secure their systems. Yep. Anybody written a QSA test? Don't remember the graphic. I mean, no one's stealing credit card data anymore anyhow, because the street price dropped to nearly worthless, so we sucked so bad that we don't have to get attacked anymore. I can't talk about breaches that I may or may not know about, but yeah, not so much this year. I was being sarcastic. Oh, wow. Hello. It's hard to tell when you are.

Before we hear your awesome commentary, which I am looking forward to: if you're here for, say, the 5 o'clock talk or the 5:20 talk, neither of those are going to be in here, so instead of wandering down to the Q&A room we will continue this here, because this is kind of interesting, and I know it's nowhere near as sexy as some things, although this really does hammer the crap out of us. But please forgive any member of this panel who runs out cross-legged because they have to pee, because people made us drink beer. That said, you are going to provide an amazing question and/or comment for us, so please do. I have two points I wanted to bring up for discussion. What is... I just went through PCI level 1, the audit part; we're working on our ROC right now, so this is pretty topical for me. And the first thing is, I've got my list of compliance activities, I'm trying to map them to my controls, and we're a two-person
security team, so I'm the junior; this is my problem. How do I... which of the general compliance activities should I really be focusing on to do real security instead of bullshit paperwork? Because I really don't want to do that, and I know I have to do a certain percentage of it, but really, what do you guys feel, as QSAs or as experienced persons? We are a phone company. Phone company, or an IVR company? Okay, so do you have point of sale, or no? No, we process IVR calls, so it passes through; we don't ever store. Yeah, okay. I think any answer without us knowing your environment would be a flip answer. In general, though, we did a mapping of security controls to efficacy, like I call them PCI's chosen few, and the efficacy of many of them is in the toilet. But one thing I will say is, in general right now, for attackers beyond just casual ones, anything that gives you more visibility, you know, see things sooner, prompt and agile response, anything that fuels an OODA loop of observe, orient, decide, act, this is kind of the visible ops mantra I referred to earlier. The parts... it's funny and sad: log management is a requirement, and yet you can't do it. It's that no one's looking at them, right? So if you just do a log management program to tick a box, it's fairly low value; if you use it to help improve your eyes and ears, it can be fairly high value. So you have to do them all anyhow; the question of which ones are going to be the most useful as well for other things, to me it's more eyes and ears to inform. It's from our study, and it shows you threat actions, so we can't describe your particular threat landscape to you, but we can say, in general, here are large-likelihood threat actions; now map that to various controls. There's also a report by Trustwave; if you're in Europe, 7Safe in the UK has issued a report. But these are also great places to go and look for data, and so what I'm basically telling you is risk-based risk management. Well, let me throw in one thing real quick. I was just
going to say, I don't think there's anything in PCI that's just complete BS. Seriously, there's variations, there's ways to do it and so forth, but you look through your 12 areas: you got to have policy, you got to have some encryption, you got to have firewalls. Whether or not it's the exact language and the exact line, if you don't have any of those things to begin with, you've already got a problem. Checking the boxes and then going, okay, now what really gets us to the point of security, is probably the best approach. But if you've got massive gaps, if you know you have no IDS, if you know you don't have any sort of code review or QA process, if you know you don't have any monitoring capabilities, as Josh just said, you've already got this weird kind of problem: are you trying to be compliant or are you trying to be secure? I have to do compliance to get my budget, I have to do compliance to make my CEO..., I have to do compliance to get everyone to listen to me, but I want to be secure. So my natural advice to you is: do infosec right. Go through all of those basics, just take the dirty dozen alone and just run them down and do them right. You're going to get through that sort of step one. Step two says, if you want to be really pedantic about it, you be specifically compliant with each and every and only requirement, so you run down that list of, what is it, I'm not a QSA, 280-something, 256, whatever, run down that list and make sure that you've got a chunk of evidence that you can set down right next to it and say, here's the requirement, and just run down the list. Then regardless of how pedantic your QSA is, you've got all the answers sitting there in front of you. If you do it the second way, you're probably not going to be any more measurably secure than you are today; you're just more measurably compliant. But this is my usual rant, and I'm sorry that it's my usual rant; everyone's all heard it. Minimum code standard house? Really? I'd like my house to not be made out of bubblegum and chewing crap and
things that some guy who was paid by the house to do the towel work... Just do it right. Look at it, look at the organization, look at the infosec part of it as something that you have ownership in, that you have pride in, and do the fucking job right. So he had to pee really bad, so I'm going to make his point, and I should have made it earlier: the attack density, as there's a language he uses, but the attack density you'll see from the SpiderLabs reports are here, they're really useful, because a couple of concrete pieces of advice we tend to give: everybody thinks you should patch faster, because you want to measure the mean time to patch, and yet their data showed that zero of the breaches last year involved a patch. SQL injection: a lot of people try to pass specifically 6.6 with the honor... with the honor system, yeah, the prepared statements, the honor system of the SDLC. And I think an SDLC is good, but you should try to, you know, social engineer your budget into, you know, maybe we shouldn't skip the WAF. You know, I'm not saying a WAF fixes everything, but this is an example of lots of attack there, right, and we cut a corner, right? So it might better aim how far you stretch the limits of the interpretation. Where did Alex go? Oh, real men can hold their urine, but I guess Alex couldn't. Here's the other really cool, awesome, important thing: you've got all of our... things I say are usually on purpose... Twitters, and you can find us all, because we're findable on the internet, we're in the Google. You can ask questions. Like, seriously, I probably spend upwards of an hour... I think we're actually connected in some way, shape or form on LinkedIn; that's kind of weird, actually. We do have a couple more people that have comments and questions. I just wanted to ask one last thing, and then... my QSA, when he came in to do our on-site audit, mentioned that in PCI DSS 2.0 the auditor's requirements were significantly larger in terms of evidence collection. Can you speak briefly to what I can expect in terms of impact on me, in terms of evidence,
like really, how much is it going to change things for us? I don't know, I'm not a QSA. Ask around, though; there's one in the front row. Okay, okay, awesome, there you go. Offline. She's good to know, too. The significant crap... Alex is back. So wait, Alex is up there. Just because I have the opportunity, and I, first of all, I have to make a disclaimer: I have a cool new job, I think I said that, and compliance is a big part of the company that I work for. That's not where it started, but compliance does give us jobs. But we're here, people that are at this event are here because we like to break shit, we like to fix stuff, and sometimes there's a little, little disconnect there. But we have a couple more questions. One of the things that we would really like to talk about is that there are some really uncomfortable, if you dig in, incestuous relationships between certain people that might, for example, be on the PCI council and certain corporations, and there's some information out there that, even here, because some of us like things like paychecks, we kind of tap dance around. And with any luck we can, next year, we'll have made enough money that we don't need a job anymore or whatever and can do that. We don't think that incestuous relationships are part of the reason that things are stacked up the way they are? It's interesting. With that said, I'm going to shut up as long as I can. Is that like a conspiracy theory that you were kind of throwing out there? Next question, next question. How many planes have flown into the... no, wait, that's a different question. Question, please, because there are, like, intelligent people next to me and lined up in front of the microphone, but not behind. You're so wearing a turban, you fucking dumb American. Question. I remember what it's called, though.

I just got a question related to scoping. Scoping tier two, tier three, you know, depends on the amount of cards you're processing. If you're a multinational corporation, you're going through many different gateways, like, say, you have 500,000 in the
US and you got 400,000 in Canada and then another 200,000 in Europe, you're over a million at that point, but they're all going through different gateways. You know, they're different subsidiary companies, they're all tied to one parent. How does PCI scope that? Would you be a tier two, would you be a tier three? Magic. There's a scoping SIG, which just stands for special interest group, and they are in just a big old circle right now, to the point where several of them are trying to quit. Well, okay, so the scoping SIG initiative that started a long time ago, maybe it's closed now, was fighting over things like, oh, if we share a DNS, doesn't that make everything else that touches the DNS touch everything else? So that's just going kind of nowhere right now. So I would ask your QSA, because really, at the end of the day, it's the interpretation of the person who does the ROC. You do know that this whole thing is opinion-based on your QSA's part, and no one's ever bought an auditor off. Arthur Andersen. And again, bottom line, if you get an incident, there's no way you're going to be like, oh yeah, they were compliant but they had an incident. You know, Chuck didn't make one of his best points. He says, you know, you should interview your QSA, because if you have to do this thing you might as well make some good use out of it. So find a risk-based QSA. If you want somebody who's cheap and fly-by-night, you can get that, and if you want someone who's going to actually care... I do want to back up a little bit about something I said about the council. There are people that actually care about security that are involved with PCI. I can think of one who was recently elected to something or another, and he's an awesome guy and has a Big Green Egg and makes great smoked meats. But there are other people who care, but it's just such a polluted situation. What the... there were, like, five Angry Birds in a pig. Martin stole them all. Actually, Martin had children doing a bum rush. Everybody who needs to or wants to go here,
Martin, do his Network Security Podcast. If you would just kind of jump on him and seize our Angry Birds back. Completely shifting gears for just about 15 seconds, two more guys, we're going to get to these guys. Just in case you're not aware of this, clothing for a political statement? You're wrong. It's just because I was in Dubai and it's kind of cool and comfortable, but if you think I'm doing it to make fun of Middle Eastern culture, you're even more wrong. And I will say this, that as I said in the fail panel, if you get your news about the Middle East from western media sources, they will fail. And that said, let's talk about PCI, because there are two intelligent and articulate people.

I think it's fair to say that though PCI is a security policy, is a security guideline, it's definitely not the best one out there, by far, for the vast majority of us, type 3 and 4. Is it fair to say, with limited funds, pick another, better security thing to go by, pick the SANS top 20, for example? To Dave, I'm talking to... pretty much do the bare minimum to make PCI happy and then spend your money actually solving security. Is that a fair...? No, no, no. Good. In our report, one of the things that the data allowed us to do was say, okay, yeah, you know what, here are basic, for the first time in the industry, really, best practices supported by data, right? So here are a handful of things that you can do, and again, it's not just the Verizon report, there's a Trustwave report and so forth. So I would go seek the data versus seek yet another standard. The same thing is great, right? It's like, continuously, whatever your org is, you've got PCI plus something else plus something else plus something else plus something else, and that Venn diagram is your unique and special snowflake. Sure, you need... He was talking three and four, and I was over-generalizing about the simplicity of their Venn diagram. You over-generalize for the three and four; it's much better, it's often better to outsource. Well, so here's what I've seen as a QSA and just
as a, like, generic security guy, and feel free to disagree with me, because I'm in, you know, elbow range for a couple of you guys, but I prefer more prescriptive, technical, tactical standards. Like, especially as a level three, four, I wouldn't say, you know, go latch on to ISO 27000 as a reasonable approach to getting your shit together. I'd say, you know what, PCI is pretty good, actually, for you, or the SANS top 20 would be pretty, really freaking awesome, if you had 90s and here's some examples of things that work. Or, you know, hey, guess what, you know, network-based access controls are okay and you should have some. Like, those are reasonable things to kind of go around. But, you know, I think we could probably have a series of jokes in this room on, you know, what is, quote unquote, best practices. There's no such thing. Hello, it's common practice. It's subjective, right? What I'll do, I won't do what's best, because that costs an extra 2%, and I'm not willing to spend that 2% because the other guy's not doing it. You know, you're in a situation where people are saying, well, you know, if Citibank's not doing it, why should I do it? True, but I think we also... the metrics from Alex were only 19% are doing it right, or per PCI. Special snowflake that does need to take into consideration shit like 27001 or 27005. Agreed. I thought you went into a seizure when I said 27005. Come on, do the dance, you know. Last paragraph question.

All right, so I've had kind of the opportunity to have worked in different spectrums, doing the pen testing, working with the consulting... You need to fill these microphones to be heard. I'm also kind of short. So I've had the opportunity to work in a lot of different... so I worked with a consulting firm where we hired really great consultants and did a lot of really good stuff. We did the PCI consulting, so we tried to do it the right way, and I've been on the card side and understand the merchant side, so I've had a lot of different experiences. I guess my question to you guys is, it's
kind of screwed, but the credit card companies and various other entities have come up with technologies such as near field, right, to be able to do no card number, to be able to do different ways of not presenting the same way we do today. But the problem is it's a global-scale problem, and so I guess my question is, do you have, even from a strawman perspective, what you think would be the solution, knowing that it's not the cards, it's not the merchants, it's not the processors, not the networks, it's everything? Watch the recording of this panel from last year. I spent 10 minutes describing how to fix the problem. It would take less than 2 years to convert 99-plus percent by using economic incentives and disincentives to solve the problem. So that's what I'm wondering: is the proposition that it requires government intervention? And I think partially it does. I think the only way... can intervention... isn't actually government intervention, it's weird. What we need to do is redefine usury not as a fixed percentage but as a spread against the overnight rate. Once we do that, the problem will be a self-hammering nail: you'll set it down on the desk and it'll just go thunk. And remember, this is in response to government intervention. Unfortunately, though, you're dealing with greed across an entire spectrum of industries. We couldn't get the merchants to actually allow us to do the right thing, period, and so it isn't just one industry or other, it's a global perspective. But there's no economic incentive, right? This was back to that whole "does everybody speed" question that somebody talked about. The economic incentive isn't there for me to stop speeding. If they fixed it so that if you do 56 miles an hour in the United States, the fine, you lose your license for the rest of your life, nobody's going to speed. It's like the Warren Buffett "I know how to get a balanced budget," right? The way you get a balanced budget in the U.S.
is you make a law that says, hey, if you don't pass a balanced budget, you're not up for reelection. Again, we're dealing with government intervention, so you're dealing with contracting, lobbyists and everything, but the very simple... you just say, you know what, if you want to use the old system, that's fine, we leave all of the rates in place the way they are now, or maybe we jack them up a little bit, for both consumer, card processor and merchant and issuing bank and everybody. And then we issue a new system that is unconnected to the old system. It does not use credit card, and you make it very simple; it has a new fee structure. The new fee structure is dead easy: it's fixed price per transaction, it's cheaper by orders of magnitude, and you fix the risk to put the risk right where it fucking belongs, which is back on the card. You're just describing one... a separate entire global infrastructure outside of the internet. Absolutely. That's just one solution; there are multiple solutions. We could keep the same broken... there are a million different ways to do it, but unfortunately we act like security is an engineering problem, so what did we do? We came up with a bunch of engineering answers to a non-engineering problem. We had a lot of debates last year on his particular solution, but the part I like about his solution is you can incentivize anything. What we do is we have to make it really expensive to do it a fucked-up way, so quit with the backward compatibility. Who's used a shick-shick machine lately? This year? Yeah, right. And you know what, probably, less the point, a lot of merchants still do. So you're not doing it, probably, in the riskiest environments, though, so you disincentive that. You say, you know what, yeah, we're going to put in two systems, and watch how quickly that old system withers and dies. It'll stick around for 40 years; you'll still find it in weird freaking corners of society, but you know what, everybody will be using the one system, the good one. The card brands. The card brands, or the
processors? The card brands are just... they're not incentivized to disincentivize it, because they're not the ones losing the money; the merchants are. And one of the things... absolutely, one of the things that comes up is, why would they provide a discount? And we have to talk about the card brands: they're not going to provide a discount, they're going to charge a penalty. It's greed. It's about greed. Greed is good. It's a capitalist society, if you boil it down. Square: a dongle that you could jam into your iPod or Android. What could possibly go wrong with that? They charge more for card-not-present. I mean, that's a simple thing that we accept now. But can we grab one more question? This is going on so long I'm almost sober, so we need to... But remember, though, the cards do have an incentive: they want to be the currency. That's their incentive. Absolutely. And to get to that incentive, to convert more people to using cards, they need to convince the United States to stop moving little tiny slips of paper around and calling that money. And you know what, it's not going to be that hard to do if you make it so that when you walk into the store they don't hand you one price for cash and one price for credit. You know, you drive by every gas station on the goddamn interstate, there's two different gas prices. Make that shit go away. Asshole. But God, people, stop watching Fox News and CNN and look at your own world from the outside, because this country is functionally insane and you're all okay with it. You still have to, if you're going to have lenders, we'll say lenders, credit card companies have lenders, then they have to somehow make money off of those transactions. Look, I'm not trying to advocate one way; I'm just saying the reason those gas stations are... no, so that's why they're doing it. How could you possibly take away the ability for the companies who are making those loans to make that money? That's... and how are you going to de-... There's more money in fixed transaction cost and high
transaction volume than there is... but it's still a cost, that's my point, still a cost other than cash... than there is in percentage against unbelievable amounts of fraud risk. And you know what, there's a cost in handling cash, and most people don't realize this: if you're working and you're handling dollar bills, you're losing money every fucking day, because dollar bills are sticky and they smell bad. Grab one more. Thank you very much. Get coins. We're easy to find. We're all, like, media whores or whatever the hell. All right, so I'm a media whore, and I'll find anybody that you can't find on this panel, but you can find them. You, sir, look intelligent and articulate and sexy. I said almost sober.

So one of the topics you only sort of touched on, the microphone was the chosen few, and so as someone who was a security vendor for years and now does consulting work for security vendors, there's clearly a subset of technologies, depending on the count, with 11 or so that are required by PCI, and by my count I think Gartner covered 160 subcategories of security. I'd love to hear your guys' thoughts on where the 149 security categories are going to be over the next couple of years, since PCI 2.0 is where it is for three more exciting years. So what, for the other... all the folks here focused on innovation, where do you see, how does this impact over the next few years? Since I wrote that article on the chosen few, I will take a first stab. But the assumption we make is that those 11 things are the best 11 things out of the 189 that he said, and by my assessment on perceived efficacy or NSS test labs' efficacy, they're some of our worst ones. So every time you're picking and funding an inferior technology from the dinosaur age over something that is better, it's a mistake, and it's a mistake forced by the compliance stuff. Now, I also don't think, on the other side, I'm not advocating that everything new and shiny and blinky is better. Some of those things should just go the hell away, that are usually good if
you do the cross-section of the things that people need to do. But we haven't done a separation of the wheat from the chaff to look at these things against modern attacks in virtual environments, cloud environments, outsourced cloud service provider environments, with LulzSec-type adversaries or APT kitten-killing type adversaries. We haven't done a vetting process; we're just taking a look at it. What I did see when I was an analyst covering all these new innovators is they weren't getting any spending. There's really good shit that couldn't get spent, and I went to the CISOs and I said, why aren't you buying that? You know you need it, you know it would help your specific problem. And they said, well, I took it to the CIO, and they said, if we won't get fined... you don't get the economic disincentive. And that's why most of these vendors steered away from stopping or solving new problems, and they started to look very, very similar to the PCI list. And when you think about it, though, we've been burying technologies for that entire decade. You know, once upon a time in a galaxy far, far away, in a former life in 2003, I worked on a thing that was a day... and it's been sitting on a shelf since 2005 because it was deemed not marketable, and it's still better than anything you can buy today. I mean, it absolutely boggles the mind, and that's one example of God only knows how many technologies were buried because they weren't deemed to be a commercial option. And we keep doing that with different products, like antivirus and anti-malware, because somehow foreign code that doesn't belong in my system running on my system is not the same thing. You know, every time that happens we're killing little bunnies, and that's not cool. But there's also no way around it, and my biggest... well, not my biggest frustration... you don't want that list, holy shit. We tease people who said, oh my God, it's moving too fast. Ah, we don't get the innovation that's necessary to go against the fact that our attackers are innovating at a
speed that we couldn't keep up with before, so we've got a guaranteed arms race loss. We're busy fighting a land war in Europe. We have data that shows that the threat landscape... Are any of these things best practice? All right, that, by the way, that's a lie. I know where you're going. Yeah, all right, so I'm going to have to say this quickly, because they don't want you to know this. So the question was, at which point of adoption and popularity does it qualify to be added as the 12th or 13th requirement? And essentially, you might recall, because if you look at the WAF market before 6.6 and the WAF market after 6.6, it was market manipulation. So they are terrified, they're not going to say this publicly, but they are terrified of ever being accused of being market manipulators again, and that's why there wasn't a single... that's one of the reasons there wasn't a single new technology requirement, even though there were lobbyists from the end-to-end encryption, lobbyists from the tokenization, lobbyists from data loss prevention. So don't wait for the next 3-year cycle for them to be added; they're not going to be added then either, because as soon as they market manipulate, then they're going to get more Fed involvement. Is that a 7?
Go ahead, next question. Kind of switching gears. We've been talking a lot about the defensive... Hey, we've talked to you before. I know, I came up, I couldn't get enough. Alex, I was wondering, what's making a difference? Have you seen an increase in our offensive capabilities over the past few years, or are we just letting people from Eastern Europe come and take our goodies and run? You know, we can't derive motivation directly from the data. What I will tell you is this: that there's a huge change in tactics. It wasn't... you saw the 140 breaches, and then it wasn't like Verizon, the Secret Service, you know, had four times the incident responders, right? It wasn't like we created the demand; the demand came to us. Okay, so that was a significant change in that regard. I have no idea what Jack's trying to show you, other than it's a lot of incredible pictures that are really incredible. Oh my gosh, that was an awesome one. No, just stop right there. To kind of answer your question, I haven't seen offense, and I don't know if that's a function because there isn't any, or I don't know if that's because there's a function that it wasn't necessary. I'll throw something out there. Actually, I can't, I can't. This random gentleman with no knowledge whatsoever of the industry is going to hurt you, and sorry. I think I'll also thank you... I'll thank you for... thank you. You're... I'm familiar with the number of the processors and the acquirers, and I understand that some of them have taken the responsibility to administer the self-assessment questionnaires. What's your take on that, guys? Boy, Qols is going to be pissed when that happens. I don't know. Are we right back at that point where 100,000 merchants are going to be able to solve a problem that three card brands can't?
It starts to sound like we're trying to put the fix in the wrong place, and we're going to end up with a beautiful roof for a house that was supposed to be a gas station. Is the fox watching the hen house? Didn't you hear me talk about the whole RICO thing? If you're going to supply me with a problem and you're the only one who can supply me with a solution, we've got words for that. It's called RICO. Let's use it. I mean, it was supposed to be used on mobsters, but credit card companies will cheerfully throw your ass in a pair of concrete overshoes if you forget to pay them. Yes, even in Canada, although there, at least, the healthcare around the drowning is covered. I'm just randomly clicking through things in my past life. This is kind of entertaining. Can you click us some more beers up here? Seriously, be useful. Why are you people here? Oh, we have a question. There's a great story there, but there's someone here. Who knows that story quick, besides Michelle? I've heard from you guys that there is a system that works, and the transparency will help us get there, and incentivization is part of the key of that. Not that we incentivize the people to get their transparency, so they'll realize they ought to switch the system to make more money. You get a bunch of drunk guys up on a panel, and you have them whine about it, apparently. That's Jack's solution. The real answer is that there's no desire to switch the system right now, because they're making enough money, despite the loss, that it doesn't matter. And they're getting away with pushing the liability for the flawed system down on other people's heads. Get a little sect to attack Bob Russo. Sorry, what? Or you could just get a little sect to attack Bob Russo. Yeah, sure. I was kidding. That was not a suggestion. Are you one of them? I cannot believe you said that out loud. It's not a suggestion. I think we're being kicked out. One minute? Thank you. I'm allowed to go to the bathroom in one minute.
All you people that have been here for, like, an hour longer than you needed to be? Thank you. Thank you very much. Thanks, people. Yes, thank you very much. I've gathered these intelligent, articulate, sexy gentlemen together many times over the past couple of years, twice for DEF CON, and I'm fucking sick of this. So let's give them all a last word. Move over, see what Martin and Rich Mogull, aka the Travelocity Gnome, have to say in their 250th podcast; somehow I was excluded from participating, but I'll be judging the beard contest at six. There's all sorts of cool stuff happening tonight. I believe there is a 10,000-cent hacker pyramid. My beard was quickly eliminated last night, but that's because my beard's not really good at hacker trivia. With that, Mr. Arlen, let's give you the first last word. So, you done yet? This is my second run at the last word. It is unbelievably imperative within the structure of the system that we have, that we do our damn best, and it's not sufficient just to do the job. We need to do the job well. And anybody who thinks that they can just do the job and walk away, you're a douchebag. Cut that shit out. Thank you, everyone. Are we moving down the list here? It's Miller time? Yeah. I think everything works perfectly, and we should just keep going like we're going. Josh? Say something about Lil Psyche or something. No. OK. Thank you. Beer time. Thank you.