Will the Real Enemy of Security Please Stand Up?
CSO - A very heated reaction has followed the interview I conducted yesterday with Robert Carr, CEO of Heartland Payment Systems. One reader even said the resulting Q&A made his "blood boil."
Why the outrage? Because Carr did something a lot of people find unacceptable. He threw someone else under the proverbial bus for his company's failure to keep customer credit and debit card numbers out of evil hands. Specifically, he thrust an angry finger at the QSAs who came in to inspect the security controls Heartland had in place to meet the requirements of PCI security.
In the article, [ Heartland CEO on Data Breach: QSAs Let Us Down] Carr said, "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, 'You've got to be kidding me.' That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that."
That one comment brought down the house, and not in a favorable way.
"I just read Bill Brenner's interview with Heartland Payment Systems' CEO Bob Carr and truthfully, my blood is boiling," Mike Rothman, SVP of strategy at eIQnetworks and chief blogger at Security Incite wrote in a counterpoint piece CSOonline ran today. "Basically, he's throwing his QSA under the bus for the massive data breach that happened under his watch. Basically, because the QSA didn't find anything, therefore he should be off the hook. I say that's a load of crap."
Since the Q&A's publication, my Twitter stream has been gushing with likeminded comments. Here are a few of my favorites, with the identities protected:
- "So all I have to do is QSA-shop and then throw them under the bus later in an interview? That's awesome!"
- "QSA output is only as good as the information/honesty, integrity of the client!"
- "Let's see, a captain try blaming the USCG for a faulty inspection after a maritime mishap. Would quickly be an EX-captain. #PCI #HPS #BS"
I agree with the notion that too much blame has been dumped on the QSA and that in most cases a security audit is only as good as the honesty of the client. Clearly, Heartland's security weaknesses were extensive and the responsibility must ultimately rest with everyone up and down the Heartland chain of command.
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!