PCI Lessons We Can Learn From the WikiLeaks Debacle

Thursday, January 13, 2011

PCI Guru


I know, I know, there has been an overabundance of articles published on what we can learn from the WikiLeaks incident. 

However, after reading an interesting article in the Washington Post regarding how the WikiLeaks debacle came about, I thought there were a number of lessons that merchants and service providers could benefit from. 

The WikiLeaks documents have been traced back to the Net-Centric Diplomacy database developed by the State Department as a result of the 9/11 terrorist attacks.

Everyone Had Access

Access to the Net-Centric Diplomacy database had become unmanageable.  According to the article, not only was the database accessible to State Department employees, but it was also accessible to a number of other government departments including Defense and Homeland Security. 

This project was undertaken as a result of the 9/11 attacks to make information that the State Department was collecting available to a wider audience of analysts.  While the database was only four years old in 2010, State Department officials acknowledged that over half a million people had access to the database all over the government including government contractors.

To add insult to injury, State Department personnel admitted that user management was out of control, particularly outside of the State Department.  You see the State Department took a distributed security approach for the Net-Centric Diplomacy database and designated persons at other entities to manage their users. 

Unfortunately, it appears that there was no oversight of these people, nor was there a requirement for these people to justify why all of their users required access.  This distributed data security approach is very common in the business world. 

However, without oversight and periodic review, the distributed approach turns into a free-for-all with almost anyone asking for access being granted access.

Requirement 7 of the PCI DSS is all about access to cardholder data and verifying that those users continue to require access.  The user management situation with the Net-Centric Diplomacy database is why requirement 7 was put into the PCI DSS. 

What this situation points out is that if you do not have defined criteria for users that you strictly enforce for access to sensitive data, then you cannot expect to control the data and you can then probably expect to have a breach of that data somewhere down the line.

Users Responsible For Use

This is usually a good thing, but in this case it went horribly wrong.  From an IT perspective, this is exactly what an IT organization wants – user ownership of their application.  However, this is a prime example of how user ownership goes wrong.  In addition to the mismanagement of user access, users were also in control of how the database got used as well as what data went into the database. 

Based on my reading of the article, the issues documented are symptoms of a larger problem which was that it is highly likely that little to no training was provided regarding the Net-Centric Diplomacy database and how it was expected to be used.

This is a problem that is very endemic in business as well as government.  Vendors and IT departments leave training up to their end users in the mistaken belief that applications these days are intuitively obvious and all that needs to be provided is a good Help system and that the Help system explains “everything” a user needs to know to use the software. 

While users typically are responsible for developing the Help system, how many of us have complained that the help topic we are trying to find is not covered?  The problem with this approach is that it is up to the user to familiarize themselves with the software which no one ever does because the application is intuitively obvious.  If Help systems are so good, why are thousands of books published each year to explain how to use everyday applications like Microsoft Office, Oracle and Lotus Notes?

The first result of this lack of education was that information that did not belong in the database ended up in the database.  The way the input process worked for the database was to code in a mnemonic into a diplomatic message that would trigger the routing of the information into the database. 

However, no one apparently explained clearly enough what belonged and did not belong in the database.  As a result, everything was coded to go into the database whether it really did or not.  From a PCI perspective, I cannot tell you how many times that we run into applications that are being used for purposes that their vendors never anticipated. 

As a result, cardholder data ends up in fields unprotected just because someone saw a need to retain it in an application never engineered to accept it.  This is also why scoping by the organization needs to be done as cardholder data can end up all over.

The second result of this likely lack of education is that users were unaware of their responsibilities regarding the data to which they were now allowed access.  Obviously, since the information in the database was leaked, users either were not aware of their responsibilities or just did not care. 

Worse yet, since there was likely no feedback to users that might be misusing the data, they likely were unaware that what they were doing was not allowed.  In the PCI realm, this is why policies, standards and procedures are so important as well as making sure that all users are aware of them. 

While policies, standards and procedures do not in and of themselves stop a leak, most people do not want to break the rules if they are constantly made aware of them.  It is likely that users of the Net-Centric Diplomacy database were not regularly made aware of their responsibilities like PCI DSS requirement 12.6 requires.

You Need To Go Above And Beyond

Another concern that was identified was that data could be downloaded at will by any user.  While the State Department could limit downloads to thumb drives, it could not control downloads from other agencies.  Based on the article, it appears there was also no limit to the amount of information that could be downloaded.  As a result, whoever downloaded the information from the Net-Centric Diplomacy database could do so without worrying about being quickly discovered.

This is one of the biggest problems with information management today: ensuring that the information within the data store is properly used and remains in the data store.  Thanks to Microsoft, Oracle, IBM and other database vendors, access to databases can be obtained through a multitude of ways such as ODBC, direct SQL query, and directly from tools such as Microsoft Office. 

The bad news is that not all of these methods require authentication, so anonymous access can be obtained.  This is why PCI DSS requirement 7 exists: to make sure that authentication is always required in order to gain access to cardholder data.  However, we constantly run across people in organizations who are doing valuable data analysis but are using access methods to databases containing cardholder data that do not require authentication.  In a few instances, we have run across organizations that have written their own access control systems for ODBC to secure their data.

The PCI DSS has a requirement to monitor the access to cardholder data in requirement 10.2.1, but there is no requirement in the PCI DSS that calls out limiting the downloading of data.  This is an area where organizations need to go above and beyond the PCI DSS. 

Most database management systems will allow you to limit the amount of data returned by any query.  While this is usually used to control runaway queries, it is also a good security practice as you can then make sure that no users can get a hold of the entire database without having to get special permission.
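One way to put both of those controls in place, as an added example that is not from the original post or any particular DBMS: a small Python wrapper around an in-memory SQLite store of constructed sample rows that caps the rows any single query returns, records who pulled how many rows in the spirit of requirement 10.2.1, and then flags users whose cumulative downloads exceed a threshold. The cap and threshold values, and the table names, are assumptions for illustration.

```python
import sqlite3
from collections import defaultdict

# Assumed values for illustration; tune to the organization's own criteria.
MAX_ROWS_PER_QUERY = 100   # hard cap on rows any single query may return
BULK_ALERT_ROWS = 250      # cumulative rows per user that triggers a review

def build_db():
    """Constructed in-memory stand-in for a cardholder data store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, pan_last4 TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [(i, f"{i % 10000:04d}") for i in range(1, 1001)])
    db.execute("CREATE TABLE access_log (user TEXT, rows_returned INTEGER)")
    return db

def capped_query(db, user, sql, params=()):
    """Run one read-only query on behalf of `user`, capping the result set
    and recording who pulled how many rows (the 10.2.1-style audit trail)."""
    if not sql.lstrip().upper().startswith("SELECT"):
        raise PermissionError("only SELECT statements are allowed here")
    cur = db.execute(sql, params)          # sqlite3 rejects multi-statement strings
    rows = cur.fetchmany(MAX_ROWS_PER_QUERY + 1)
    truncated = len(rows) > MAX_ROWS_PER_QUERY   # did the cap bite?
    rows = rows[:MAX_ROWS_PER_QUERY]
    db.execute("INSERT INTO access_log VALUES (?, ?)", (user, len(rows)))
    db.commit()
    return rows, truncated

def bulk_download_alerts(db):
    """Total rows per user over the audit log and return those past the
    threshold.  This is the detection the post says was missing: a user who
    keeps issuing capped queries still accumulates a visible total here."""
    totals = defaultdict(int)
    for user, n in db.execute("SELECT user, rows_returned FROM access_log"):
        totals[user] += n
    return {u: t for u, t in totals.items() if t > BULK_ALERT_ROWS}

if __name__ == "__main__":
    db = build_db()
    for _ in range(3):                     # one analyst repeatedly pulls capped result sets
        capped_query(db, "analyst1", "SELECT * FROM cards")
    capped_query(db, "analyst2", "SELECT * FROM cards WHERE id <= ?", (5,))
    print(bulk_download_alerts(db))        # {'analyst1': 300}
```

In a real deployment the per-query cap would live in the DBMS (resource governor, row limits, or a view layer) and the audit log would feed the monitoring required by requirement 10, but the logic is the same.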

I am sure as time goes on, more and more of the details of how the WikiLeaks breach occurred will be revealed.  However, just what has been revealed to date can provide a lot of lessons that we should all take to heart.

Cross-posted from PCI Guru

Tom Coats: SeTec astronoMy - Too Many Secrets

This shows the balance between data classification and "need to know".
PCI Guru: The problem you find between data classification and "need to know" is that in the computer world, data is data and is organized around principles of normalization, not the principles of privacy or security. As a result, in order to give someone access to the information they need to get their job done, you also give them access to information that they do not need or should not even be able to see.
Tom Coats: It is a cruel world when your bosses place you between a rock and a hard place. The system is designed for abuse and you really have to wonder if it isn't intentional. It seems awfully easy to make everything a secret and then crimes can become secrets too. It has nothing to do with IT. It is and always has been the hallmark of totalitarianism, whether oral-, paper-, video- or IT-based. It will collapse eventually as sure as night follows day. But to claim that the system is inevitable or even right is just blindness.
Tom Coats: Getting back to PCI though, I am new to the PCI world but am amazed to see a model coming from industry that actually seems to be consistent. The secret is well defined, the secret is fractured and protected and used for its intended purpose and then broken enough to prevent reuse, but not so much as to break the chain of custody. That seems really cool to me.