Shostack + Friends Blog Archive


Heartland CEO and Outrage

Bill Brenner has an interview with Robert Carr, the CEO of Heartland. It’s headlined “Heartland CEO on Data Breach: QSAs Let Us Down.” Some smart security folks are outraged, asserting that Carr should know the difference between compliance and security, and audit and assessment. Examples include Rich Mogull’s “Open Letter to Robert Carr” and Alan Shimel’s “Heartland CEO thought QSA’s would make him compliant and secure.”

Rich wrote:

It is unfortunate that your assessors were not up to date on the latest electronic attacks, which have been fairly well covered in the press. It is even more unfortunate that your internal security team was also unaware of these potential issues, or failed to communicate them to you (or you chose to ignore their advice).

One definition of insanity is to keep doing the same thing over and over and expect different results. Without disagreeing with Rich about the CEO’s responsibilities: we in infosec make lots of assertions about what other people should know, but we rarely test whether our attempts to educate actually get through. There are lots of people who assert, correctly, that the CEO needs to know X, Y and Z. But it’s the responsibility of the people under him to communicate effectively, and reading Brenner’s interview, it’s pretty clear that Heartland’s infosec people didn’t deliver a message that sank in. What’s the message that sinks in? Real, hard numbers about how often these things happen and what they cost, so the CEO can allocate scarce resources based on something other than assertions that he must invest in this or that. Switching gears for a moment, Alan wrote:

Isn’t that the real travesty of our industry though? Only after the cows have run out and the barn has burned down does anyone really give a crap. Even by his own admission with what happened to him and his company, when he goes to talk to others in his industry the feeling is still it can’t happen to them. What will it take? Does every single one need to have a security incident?

What it will take is talking about what goes wrong. That’s why I’m glad Carr is speaking out, but he’s doing so anecdotally. As Carr asks:

The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.

Why can the same malware be used in 300 attacks, and “compliance” still not involve any validation that the anti-virus in use will catch it? It’s because we don’t talk about what’s going wrong. We keep saying the same things over and over, and hoping that they’ll work differently. But here’s a prediction: if the QSAs had said “your anti-malware is missing malware that’s been implicated in 300 breaches,” that issue would have been cleaned up inside of days, either by the vendor adding signatures or by the product being replaced.
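The kind of validation described above, as an added example that is not part of the original post and not anything Heartland or its assessors ran: instead of accepting “anti-virus: present” as a checkbox, plant samples of malware already reported in other breaches and check what the control actually flags. Everything in it is constructed for illustration: the “samples” are short byte strings, the “anti-virus” is a toy hash-list engine whose signatures are deliberately stale, and the names are hypothetical.

```python
"""Added example: test an anti-malware control against malware known from
other breaches, rather than taking a compliance checkbox on faith.

Constructed for illustration only. The samples are byte strings, the AV is a
hash-list lookup, and no real indicators appear anywhere in this file.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# Constructed stand-ins for "malware implicated in other breaches".
# In practice this list would come from an information-sharing body or vendor.
KNOWN_BREACH_SAMPLES: Dict[str, bytes] = {
    "sniffer-variant-a": b"constructed sample A: pretend card-data sniffer",
    "sniffer-variant-b": b"constructed sample B: pretend memory scraper",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# The full set the assessor should be checking against: every known sample.
KNOWN_BAD_HASHES: Dict[str, str] = {
    sha256_hex(data): name for name, data in KNOWN_BREACH_SAMPLES.items()
}


class HashListAV:
    """Toy anti-malware engine: flags a file iff its hash is in its signature set."""

    def __init__(self, signatures: Iterable[str]):
        self.signatures = set(signatures)

    def flags(self, path: str) -> bool:
        return sha256_file(path) in self.signatures


def plant_samples(root: str) -> Dict[str, str]:
    """Write each constructed sample plus one benign file into root; return name -> path."""
    paths: Dict[str, str] = {}
    for name, data in KNOWN_BREACH_SAMPLES.items():
        path = os.path.join(root, name + ".bin")
        with open(path, "wb") as f:
            f.write(data)
        paths[name] = path
    benign = os.path.join(root, "readme.txt")
    with open(benign, "wb") as f:
        f.write(b"constructed benign file")
    paths["benign"] = benign
    return paths


def coverage_report(av: HashListAV, sample_paths: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare what the control flags against what is known to be bad.

    A known-bad sample the control does not flag is the finding that belongs
    in the assessment report; a flagged benign file is a false positive.
    """
    report: Dict[str, List[str]] = {"detected": [], "missed": [], "false_positive": []}
    for name, path in sorted(sample_paths.items()):
        known_bad = sha256_file(path) in KNOWN_BAD_HASHES
        flagged = av.flags(path)
        if known_bad and flagged:
            report["detected"].append(name)
        elif known_bad:
            report["missed"].append(name)
        elif flagged:
            report["false_positive"].append(name)
    return report


def run_assessment() -> Dict[str, List[str]]:
    """Simulate the assessor's check against an AV whose signatures are stale.

    The engine only knows variant A, so variant B (hypothetically reported in
    other breaches) goes undetected and shows up under "missed".
    """
    stale_av = HashListAV([sha256_hex(KNOWN_BREACH_SAMPLES["sniffer-variant-a"])])
    with tempfile.TemporaryDirectory() as root:
        return coverage_report(stale_av, plant_samples(root))


if __name__ == "__main__":
    result = run_assessment()
    for verdict, names in result.items():
        print(f"{verdict}: {', '.join(names) or '-'}")
    if result["missed"]:
        raise SystemExit("FAIL: known-breach malware not detected: " + ", ".join(result["missed"]))
```

The point of the “missed” bucket is that it turns an anecdote (“the QSAs didn’t know about this malware”) into the hard number the post asks for: of N samples implicated in other breaches, the control caught M. A real run would swap the toy engine for the deployed product and the constructed byte strings for samples obtained through a sharing arrangement, with the same report shape.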

The outrage is that we’re still, as Carr and I put it, sweeping it all under the rug.

2 comments on "Heartland CEO and Outrage"

  • I took Carr’s comment on the 300 breaches as an indictment of the security profession/industry as a whole – that a particular vector was common, but neither they nor their QSA’s knew it existed.

    The bottom line is that when someone gets breached, they don’t publish the details of the breach and the rest of us don’t get the benefit of learning from others’ misfortune. That’s a failure of the profession, not a failure of PCI, QSA’s or Heartland.

    The people who build failed bridges don’t sweep their failures under the rug. They publish papers on the failure & the world learns how to build better bridges.

    BTW – did Heartland ever publish a paper on how they got hacked? I’d like to learn from their failure. It’d be a heck of a lot better than waiting until it happens to me.


  • LonerVamp says:

    It’s more a failure of our culture of blame and avoidance of blame (or litigation) that we don’t share information.

    Trying not to get on either side of the discussion of Carr for the moment, I feel that we can say we’re still sweeping this under the rug not just because we’re not sharing info properly, but also because we have a lot of people in security who won’t truly have the chops to be advising about security.

    If you get a lot of non-experts together trying to act as experts, you’ll have tons of holes (and this thing we call compliance and hope that it equals security).

    (Then again, maybe that second thing is an offshoot of companies cheaping out on security….)
