The CardSystems blame game
Don't shoot me, I'm only the consultant
When a client retains a consultant or an auditor to perform services, the client has a right to expect (and in fact to put into the contract) a level of professionalism, knowledge, and expertise commensurate with the standards of the industry (assuming, of course, that there are such standards).
Toward this end, companies should be aware that, with some exceptions, you do get what you pay for. If your consultant shows up with purple hair and pierced eyebrows, and their resume indicates the name "acid rain" and includes three prior arrests for computer hacking under "qualifications," you may think twice about giving that individual the keys to the financial network - or, at least, giving them the only keys. (I can see the flames I will get from the hacker community already.) However, you should look for a level of expertise and knowledge commensurate with the tasks included in the Statement of Work. Price is, of course, a major consideration for selecting consultants, security services, or auditing, but let's face it, it is performance at a particular price that you are seeking.
Hiring a consultant?
Two areas where the consultant/client relationship inevitably breaks down are vaporware on the one hand, and mission creep on the other. Vaporware is when the consultant claims expertise in every field of endeavor, and in reality has little ability to perform in any of them. You know the type. Whatever you ask them to do, they say, "Oh yes, we do that..." Consulting... sure. Incident response... of course. Forensics... it's like a second language to me... COBOL, GNU, Linux, Unix, Windows, Mac, Sega, Amiga, Atari, OS2, Ada... sure we do all that.
Now, to be sure, there are consultants who have multiple areas of expertise, both broad and deep. Just make sure you check out all their relevant qualifications. Hold your consultants to their promises as well. The marketing materials and sales slicks may be just that: slick. What matters is what is in the contract. Almost every contract contains the clause "This contract is the entire agreement between the parties, and the parties are not relying on anything else..." If you are relying on something else (like the salesperson's promise that the beta he showed you will be in production in two weeks) then put that assumption in the contract!
Mission creep is when the consumer of the consulting services says the four words a consultant always hates, "oh by the way." Invariably, the scope of the project differs from that which was assumed by the parties. The network diagrams provided to scope the task date to the previous millennium (that is, 1,000 AD), and now the marketing guys want to add new things to the task. All of that is fine, but it may end up costing you more if it is not expressly in the Scope of Work.
Define the consulting terms
In the Fourth (that is technically the first) Star Wars movie, the Imperial Storm Troopers confront young Luke and Obi Wan Kenobi seeking R2D2 and C3PO, the droids with the stolen plans to the Death Star. Under questioning, Sir Alec Guinness as Obi Wan dismissively waves his hand, announcing "you don't need to see his papers... these aren't the droids you are looking for. Move along..." While we don't know all the facts (OK, we don't know ANY of the facts) it is likely that something like this happened in the CardSystems case. The security consultants were likely told that they didn't have to worry about the computers that contained the historical data. After all, it was just for "research purposes," and was not part of the payments processing that they were auditing.
Each party to the consulting agreement makes assumptions about the scope of the work, what the other side knows and doesn't know, and what they expect. A well executed contract and deliverable makes these assumptions clear.
Finally, companies need to understand what exactly they are buying when they retain either a consultant or an auditor. They are NOT buying a guarantee that they will not be hacked, or even a guarantee that every vulnerability has been found and abated. Or, if they are buying that, they certainly are underpaying! They must also understand that the value of the final product is dependent upon the consultant being given access to all critical systems (and the systems upon which they depend), and on full, honest and truthful answers from staff about how things are actually done. I am reminded of my trips to the dentist, where the hygienist inevitably asks if I floss after every meal, and I, with a straight face, invariably lie that I do so religiously. Do you think the hygienist can tell?
The quality of the report will be dependent upon the quality of the cooperation, but competent consultants (like competent hygienists) should understand that there is a disparity between observation and reality.
These issues are sure to become more significant as companies, under pressure from laws like Sarbanes-Oxley, HIPAA, GLBA and the card industry CISP standards, rely on consultants with expertise in these areas to help them navigate the shoals of Scylla and Charybdis. In the name of full disclosure, I should point out that my employer is one of these companies.
What does a security audit provide?
Companies that retain consultants or auditors are entitled to put their security auditors to the test - and to rely on their findings and recommendations. They are entitled to honest appraisals based upon appropriate and agreed upon standards. They deserve consultants that are responsive, professional, and deliver what they have promised. However, all parties must understand that security is a journey, not a destination. Ultimately, it is the client - the bank, the hospital, the insurance company, the credit card processor and not the consultant or auditor - that has the relationship with their customer, that is a fiduciary of their customer's information, and whose reputation suffers from a breach of security.
It behooves all parties to know what they are buying and selling in a professional services contract. And remember, the only "guarantees" in life are death and taxes, and I am not even that sure about death.
© SecurityFocus
Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.