Breach Investigations: Who's Accountable?Lawsuit Puts Focus on Roles of PCI Council, Security Firms, Buyers
Caveat emptor. No organization that suspects it's suffered a data breach ever wants to hear those words, while they're desperately seeking third-party digital forensic experts to help them investigate - and if necessary mitigate and lock down - their networks and systems.
See Also: HIPAA Audits: A Revised Game Plan
But a lawsuit recently filed against security and incident response firm Trustwave raises questions about the efficacy of the Payment Card Industry's "Professional Forensic Investigator" services that are marketed and sold by security firms, the extent to which the PCI's Security Standards Council monitors these providers, as well as the responsibilities incumbent on anyone who buys such services.
One financial fraud prevention expert stresses that it's "buyer beware" for anyone who buys any type of security product or service, including a breach investigation. "The onus really falls on the buyer to understand their need, understand what the product [or service] they are buying offers, and then make sure the contract is explicit concerning what the product will accomplish," says Shirley Inscoe, an analyst at consultancy Aite.
The contractual requirements for a firm hired to conduct a forensic investigation must be clearly laid out, Inscoe adds, noting that anyone who hires investigators should not assume that these experts will contain the compromise or prevent future compromises.
Allegation: Missed Malware, Ongoing Breach
Affinity Gaming, which operates 11 casinos across Colorado, Iowa, Missouri and Nevada, alleges in its lawsuit that Trustwave, providing a "PCI Professional Forensic Investigator" service, failed to fully eradicate and "contain" a data breach that compromised Affinity's IT infrastructure in 2013 (see Casino Sues Trustwave Over Data Breach). The suit also claims that Trustwave failed to contain the "cardholder data harvesting malware" that a subsequent investigation - by a different firm - found had been installed by attackers "on 12 systems within the PCI environment on March 14, 2013."
Affinity claims in its lawsuit that it hired Trustwave "to identify and remedy the apparent data breach," signing a contract for the security firm's "PCI Forensic Investigations" - which the company marketed as being "designed to identify if, how, what and for how long cardholder data has been compromised and to provide recommendations to increase security."
The casino contends that Trustwave failed to contain the breach, leading to Affinity hiring a second incident-response firm, FireEye's Mandiant, in April 2014, which "determined that Trustwave had failed to identify the entire extent of the breach."
The breach appears to have persisted from March 2013 until October 2013, and then again from December 2013 - while Trustwave was still conducting its investigation - until April 2014. And because Trustwave in November 2013 claimed to have "contained" the breach, when in fact it allegedly did not, Affinity argues that Trustwave left Affinity's network vulnerable and failed to fulfill the obligations of its contract.
Affinity is now seeking damages related to its monetary harm, which the casino says was "considerably in excess" of the more the $100,000 it paid Trustwave. To date, Affinity says it has spent $1.2 million of a $5 million cyber-insurance policy to offset breach-related expenses, according to the Financial Times, which first reported on the lawsuit.
Trustwave, however, tells a different story. "We dispute and disagree with the allegations in the lawsuit, and we will defend ourselves vigorously in court," Trustwave spokesman Cas Purdy tells Information Security Media Group.
Inside the PFI Program
One question raised by the lawsuit: How does a company qualify to offer forensic investigation services that meet the PCI Security Standards Council's criteria, and how are these investigators assessed and monitored?
In a nutshell, the PCI Council's Professional Forensic Investigator program sets rules and requirements relating to the eligibility, selection and performance of companies that provide digital forensic investigation services. For example, it states that investigators must work for a PCI-certified Qualified Security Assessor firm that provides a dedicated digital forensic investigation practice. The council also notes that investigations will rely on proven investigative methodologies and tools, as well as leverage relationships with law enforcement agencies to help with criminal investigations.
But here's a crucial point: professional forensic investigators should be expected to investigate - but not remediate - data breaches, the PCI Council tells ISMG.
"While we can't comment on this specific case, we can provide insight into the aim of the PCI Professional Forensic Investigator program," a PCI Council spokesman says. "It is important to note that forensic investigations are not designed to offer services that remediate breaches. Rather, forensic investigations are designed to identify the causes of breaches. The program sets high expectations for investigators and, as such, has a rigorous, ongoing quality assurance component. Our focus is maintaining the integrity of our current validated PFI listings to ensure that the PFIs listed are consistently delivering high-quality services."
Jason Broz, a management consultant at security firm SecureState, says PCI-validated PFIs are required to have specialized skills, which often include certifications that carry ethical responsibilities. "The organizations that provide these certifications, as well as the [PCI Council], all have ethics clauses which individuals are required to adhere to and sign," Broz says. With that in mind, he says PCI Council's role would best be described as "ensuring quality of resources, promoting cardholder security, and maintaining standards for protection of cardholder data."
But the PCI Council is not a regulatory or enforcement body, says Aite's Inscoe. "It would be highly unusual for an organization to regulate products offered in the market," she says. For comparison purposes, for example, she notes that in the United States, neither the Office of the Comptroller of the Currency, nor the Consumer Financial Protection Bureau, regulate companies that offer related compliance products in any way.
What's PCI Council's Oversight Role?
While experts say the PCI Council has implemented new programs that aim to more thoroughly vet QSAs and PFIs, they add that there's little the council can do to control how QSAs market their products and services, including digital forensics investigations.
Liz Garner, vice president of the Merchant Advisory Group, whose membership includes many top U.S. retailers, notes that incident responders are not in the business of solving security problems. Rather, they focus on assessing security incidents, although many businesses fail to understand that distinction. "The incident assessment is nothing more than a means by which to assign liability," Garner says. And while many companies may think they are paying incident responders to "fix the problem," Garner says they're really just paying these firms to assess the damage, not control it.
Ultimately, the breached organization is responsible for ensuring that it's secure, rather than the responsibility of the PCI Council or a vendor hired to conduct a post-breach investigation, SecureState's Broz says. "Incident response is not a clear-cut process, as there are many variables," he says. "Some of these details include the entire scope of the investigation, technical issues surrounding the breach, and whether or not the organization had a mature security program and was actively maintaining compliance. Any organization, given sufficient time, resources and expertise, can be compromised."
Scope is key. "Bigger scope, bigger check, right?" says information security consultant Claus Cramon Houmann of ImproveIT Consulting, formerly head of IT for Banque Ã-hman in Luxembourg, in a blog post. And he questions whether Affinity Gaming correctly set or understood the scope of the investigation, as its "CISO, or any kind of security personnel," should have done. "It's your responsibility as a client to ensure that the goal of the investigation makes sense," he says.
Executive Editor Mathew J. Schwartz also contributed to this piece.