What to Expect When You're NOT Expecting: 7 Steps of a Professional Forensic Investigator

Wednesday, October 02, 2013

Stephen Marchewitz


The 7 Steps of a Professional Forensic Investigator

A bad day

You receive a letter from your favorite payment brand stating that your organization has experienced a breach of Card Holder Data (CHD). A copy of the letter has also been forwarded to your merchant bank, as a courtesy. Typically you have a week to respond to their request to have a PCI Forensic Investigator (PFI) determine how the breach occurred. Notice that you are pretty much guilty until proven innocent, and to select your vendor of choice you are directed to the PCI PFI list. Once you have chosen a vendor based on aligned interests and specialty, they will get to work, stepping you through the process that ends in a report to the payment brands.

1. PCI Gap, Data Flow and Network Architecture

The PFI company will ask for various documents before the investigation begins, such as network diagrams, penetration test results, ASV scans and your current SAQ or Report on Compliance (RoC). By the way, the QSA who attests to your RoC cannot perform the investigation; this would be a conflict of interest.

The PFI investigator will conduct a PCI gap analysis of your current environment against the PCI-DSS requirements. To support this gap analysis, the investigator will map the data flow for all CHD systems, including any external providers you use in payment processing. The investigator will then map those data flows to the underlying infrastructure, ultimately producing a detailed map of the PCI environment and its associated controls.

Remember, the investigator cannot rely on information from your QSA or company resources exclusively. The investigator must conduct an independent analysis and be assured that the scope of the environment is completely known and understood.

Key point: Clients often think that it is the QSA's job to "find" the PCI data, and that a company can hide systems or take them out of scope without the QSA knowing. While there is some truth to this, if the investigator finds that the company has excluded systems from the PCI environment (knowingly or unknowingly), the investigator will immediately inform the client of the violations and document them for future follow-up by the payment brands.


2. Collect Evidence

Once the environment is known, the investigator will start to collect evidence from the systems and devices suspected to be involved in the breach. There are a variety of ways that evidence can be collected, but any method employed must follow the PFI requirements. Typically, the investigator will use acquisition tools to create a bit-by-bit capture of the entire operating system. Yes, this includes mobile applications and Point of Sale terminals.
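As an added illustration of the bit-by-bit capture described above (not code from the article or from any PFI vendor), the script below images a source device with dd, records SHA-256 hashes of the source and the image in a custody log, and re-verifies the image against that log before analysis. The source is a constructed file standing in for a real device, and the file and log names are assumptions.

```shell
#!/bin/sh
# Added example: forensic acquisition with integrity hashes and a custody log.
# The "device" is a constructed file so the script runs offline.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Build a 64-sector constructed device (assumed stand-in for /dev/sdX).
make_sample_device() {
    dev="$WORKDIR/pos-disk.raw"
    dd if=/dev/zero of="$dev" bs=512 count=64 2>/dev/null
    printf 'CONSTRUCTED POS TERMINAL IMAGE' | dd of="$dev" conv=notrunc 2>/dev/null
    printf '%s\n' "$dev"
}

# Image the source sector by sector; noerror,sync keeps offsets aligned if a
# sector is unreadable. Hash source and image and append both to the log.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$stamp" "$src" "$src_hash" >> "$log"
    printf '%s image=%s sha256=%s\n' "$stamp" "$img" "$img_hash" >> "$log"
    # Acquisition only succeeds if the image matches the source bit for bit.
    [ "$src_hash" = "$img_hash" ]
}

# Before analysis: recompute the image hash and compare to the logged value.
verify_image() {
    img="$1"; log="$2"
    recorded=$(grep -F "image=$img " "$log" | tail -n1 | sed 's/.*sha256=//')
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Stand-alone run: acquire, then verify.
DEV=$(make_sample_device)
acquire_image "$DEV" "$WORKDIR/pos-disk.dd" "$WORKDIR/custody.log"
verify_image "$WORKDIR/pos-disk.dd" "$WORKDIR/custody.log" && echo "image verified"
```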


3. Preliminary Report

The investigator is responsible for keeping the payment brands informed of all proceedings in the investigation and preparing formal reports, including a preliminary report. The purpose of the preliminary report is to notify the payment brands of any major nonconformity to PCI-DSS and to provide an opinion as to how CHD was compromised. The company may or may not see this report.


4. Analysis

Of course once the evidence is collected, detailed analysis must be conducted. While most of this is done offsite at the investigator’s lab, some involvement from the company might be needed. The investigation includes both manual and automated tools to perform detailed analysis.


5. Containment Strategy 

Once the preceding steps are performed, the investigator will develop a containment strategy. The containment strategy outlines all the controls required to mitigate the current breach, in addition to any PCI-DSS controls that were found to be deficient. The containment strategy can be implemented by the company or by another firm; however, a detailed project plan will need to be developed and supplied to the payment brands for review and acceptance.


6. Containment Verification Services

Once all the recommendations have been implemented, the PFI investigator must perform various assessment services to ensure that everything has been done in accordance with the containment strategy. Typical services include ASV scans, penetration testing, wireless assessments and host interrogation reviews.


7. Final Report Issuance

Once the verification services are completed and the company is PCI compliant, a final report will be issued to the payment brands for review. This concludes the PFI investigation.


Is That It?

Not quite. Throughout the process, additional credit cards may have been compromised or more may have been reported stolen. The merchant bank may impose fines and other penalties on the company, including requiring the company to conform to PCI-DSS as a Level 1 merchant. Unlike other incidents that you may respond to, the PFI's intent is not to prove your innocence, but rather to determine whether there is any evidence of a vulnerability that allowed the breach to happen.


So What’s a General Cost & Time That I Can Expect?

If you have ever been through PCI compliance, you know that it is not cheap. However, it beats the alternative of not being compliant and experiencing a breach. Depending on the size and complexity of your organization, costs can be high, especially once penalties and fines are included. While everything depends on the company, the typical PFI investigation will take three months, with costs ranging from $50 - $250k.


Hopefully this helps the community understand the process, time and overall cost of a CHD breach. All information contained in this article is for the purposes of awareness and education. If you have experienced a breach, contact a PFI company immediately. 
