There has recently been some interesting news: The Home Depot, in both the US and Canada, appears to have experienced a breach. Recall that Target also suffered a breach not long ago.
This raises the question: from a security perspective, does being compliant matter?
There are reports that the malware discovered on Home Depot systems is similar to that discovered on systems at Target. Note how the story surfaced. According to Krebs on Security, who broke the Home Depot story: “On Tuesday, KrebsOnSecurity broke the news that Home Depot was working with law enforcement to investigate ‘unusual activity’ after multiple banks said they’d traced a pattern of card fraud back to debit and credit cards that had all been used at Home Depot locations since May of this year.”
What is striking about this is that it appears to have been the banks who identified the problem. In other words, the results of the attack (fraudulent charges on cards that shared a common point of purchase) were detected before the malware that produced them.
From the perspective of the breach lifecycle, if these reports are true, something is very wrong. Retailers that transact massive numbers of payments with customers are not finding malware after months of it residing on their systems; instead, it is the card-issuing banks, downstream of the retailer, that are finding it, and only from its effects.
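As an added illustration (this is not code from the original post, and it is not any bank's actual system), here is the kind of common-point-of-purchase analysis an issuer runs to arrive at a statement like "all of these cards were used at the same retailer since May". It takes a population of cards with their merchant visits plus the set of cards that have since shown fraudulent charges, and ranks merchants by how over-represented the fraud cards are among their customers, reporting the window in which those cards transacted there. Card IDs, merchant names, dates and the threshold are all constructed for the example.

```python
"""Common-point-of-purchase (CPP) analysis over a constructed card data set.

Added example, not from the original post. Given cards that issuing banks
have flagged as fraudulent and the merchants those cards visited, find the
merchant that is over-represented among the fraud cards relative to the
card population as a whole, and report the window in which the fraud cards
transacted there. Card IDs, merchant names and dates below are invented.
"""
from collections import defaultdict
from datetime import date


def build_sample_transactions():
    """Constructed sample data: (card_id, merchant, transaction_date)."""
    txns = []
    # Five later-compromised cards and one clean card shopped at the same
    # big-box store between May and August.
    hardware_visits = [
        ("c01", date(2014, 5, 3)), ("c02", date(2014, 6, 11)),
        ("c03", date(2014, 7, 2)), ("c04", date(2014, 7, 29)),
        ("c05", date(2014, 8, 20)), ("c06", date(2014, 6, 5)),
    ]
    txns += [(card, "hardware_big_box", day) for card, day in hardware_visits]
    # Every card in the population bought groceries: no signal here.
    txns += [(f"c{i:02d}", "grocery_chain", date(2014, 6, 15)) for i in range(1, 13)]
    # A gas station visited by two fraud cards and three clean ones.
    for card in ("c01", "c02", "c07", "c08", "c09"):
        txns.append((card, "gas_station", date(2014, 7, 10)))
    return txns


TRANSACTIONS = build_sample_transactions()
# Cards the issuers have since seen fraudulent charges on (constructed).
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05"}


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by how over-represented fraud cards are among their customers.

    lift = (fraud cards seen at merchant / all cards seen at merchant)
           / (fraud cards in population / all cards in population)
    A lift near 1.0 means the merchant is no more associated with the fraud
    than any random store; a high lift with many fraud cards is the CPP.
    min_fraud_cards suppresses merchants that only one or two fraud cards
    happened to visit, which would otherwise produce spurious high lifts.
    """
    cards_at = defaultdict(set)
    fraud_dates_at = defaultdict(list)
    population = set()
    for card, merchant, day in transactions:
        population.add(card)
        cards_at[merchant].add(card)
        if card in fraud_cards:
            fraud_dates_at[merchant].append(day)

    fraud_in_population = len(fraud_cards & population)
    if not fraud_in_population:
        return []
    baseline_rate = fraud_in_population / len(population)

    results = []
    for merchant, cards in cards_at.items():
        fraud_here = len(cards & fraud_cards)
        if fraud_here < min_fraud_cards:
            continue
        rate_here = fraud_here / len(cards)
        results.append({
            "merchant": merchant,
            "fraud_cards": fraud_here,
            "total_cards": len(cards),
            "lift": rate_here / baseline_rate,
            # Exposure window: when the compromised cards were used here.
            "first_fraud_txn": min(fraud_dates_at[merchant]),
            "last_fraud_txn": max(fraud_dates_at[merchant]),
        })
    results.sort(key=lambda r: (-r["lift"], -r["fraud_cards"]))
    return results


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f'{r["merchant"]:18s} fraud {r["fraud_cards"]}/{r["total_cards"]} '
              f'lift {r["lift"]:.2f} window {r["first_fraud_txn"]}..{r["last_fraud_txn"]}')
```

On the constructed data the big-box store comes out with five of six customers compromised (lift 2.0 over the population baseline) and an exposure window starting in May, while the grocery chain sits at lift 1.0 and the gas station is dropped by the threshold. Real issuer systems replace the simple lift with a significance test and work over millions of cards, but the shape of the analysis is the same: the signal is in the downstream fraud, not in anything the retailer observed on its own systems.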
Surely, organizations with billions in revenue, such as Home Depot and Target, are PCI DSS (Payment Card Industry Data Security Standard) compliant.
What does that mean, though?
Among other things, a PCI-compliant organization must demonstrate, to the satisfaction of its assessor, that anti-malware software is deployed on in-scope systems and kept current (Requirement 5 of the standard). Whether that software actually catches the malware in question is not something the assessment measures.
It would be extremely difficult for a standard to apply a measure of efficacy. How would it be gauged? By relying on independent testing, such as AV-Test, or by the standards body creating its own testing regime?
The latter would be problematic, to say the least, and so the effectiveness of individual security measures is not assessed. Instead, it is all about the presence of controls.
At the other end of the breach lifecycle, we have breach notification laws. Again, it’s a world of ‘how can I know what I don’t know, or choose not to know, presumably unknowingly (ahem)?’ Standards such as PCI DSS are designed to push organizations from blissful ignorance into awareness, but at the end of the day retail is a business driven by very slim margins. Updating a point-of-sale system (front end to back end) costs money, and money spent on security comes straight out of those margins.
It seems to be the same in retail as it is with consumer-centric cloud services: assume the compliant position, weigh the cost of being compromised against revenue, and cross your fingers. If you hold the bulk of the market, accepting that a few houses will burn down makes more financial sense than building fireproof houses. That, unfortunately, appears to be the state of IT security in retail today.