The CardSystems blame game

Don't shoot me, I'm only the consultant


When a client retains a consultant or an auditor to perform services, the client has a right to expect (and in fact to put into the contract) a level of professionalism, knowledge, and expertise commensurate with the standards of the industry (assuming, of course, that there are such standards).

Toward this end, companies should be aware that, with some exceptions, you do get what you pay for. If your consultants show up with purple hair, pierced eyebrows, their resume indicates the name "acid rain" and includes three prior arrests for computer hacking under "qualifications," you may think twice about giving that individual the keys to the financial network - or, at least giving them the only keys. (I can see the flames I will get from the hacker community already.) However, you should look for a level of expertise and knowledge commensurate with the tasks included in the Statement of Work. Price is, of course, a major consideration for selecting consultants, security services, or auditing, but let's face it, it is performance at a particular price that you are seeking.

Hiring a consultant?

Two areas where the consultant/client relationship inevitably breaks down are vaporware on the one hand, and mission creep on the other. Vaporware is when the consultant claims expertise in every field of endeavor, and in reality has little ability to perform in any of them. You know the type. Whatever you ask them to do, they say, "Oh yes, we do that..." Consulting... sure. Incident response... of course. Forensics... it's like a second language to me. COBOL, GNU, Linux, Unix, Windows, Mac, Sega, Amiga, Atari, OS/2, Ada... sure, we do all that.

Now, to be sure, there are consultants who have multiple areas of expertise, both broad and deep. Just make sure you check out all their relevant qualifications. Hold your consultants to their promises as well. The marketing materials and sales slicks may be just that: slick. What matters is what is in the contract. Almost every contract contains the clause "This contract is the entire agreement between the parties, and the parties are not relying on anything else..." If you are relying on something else (like the salesperson's promise that the beta he showed you will be in production in two weeks) then put that assumption in the contract!

Mission creep is when the consumer of the consulting services says the four words a consultant always hates: "oh, by the way." Invariably, the scope of the project differs from that which was assumed by the parties. The network diagrams provided to scope the task date to the previous millennium (that is, 1,000 AD), and now the marketing guys want to add new things to the task. All of that is fine, but it may end up costing you more if it is not expressly in the Statement of Work.

Define the consulting terms

In the fourth Star Wars movie (technically the first one made), Imperial stormtroopers stop young Luke and Obi-Wan Kenobi while searching for R2-D2 and C-3PO, the droids carrying the stolen plans to the Death Star. Under questioning, Sir Alec Guinness as Obi-Wan dismissively waves his hand and announces: "You don't need to see his identification... These aren't the droids you're looking for. Move along..." While we don't know all the facts (OK, we don't know ANY of the facts), it is likely that something like this happened in the CardSystems case. The security consultants were likely told that they didn't have to worry about the computers that contained the historical data. After all, it was just for "research purposes," and was not part of the payments processing that they were auditing.

Each party to the consulting agreement makes assumptions about the scope of the work, what the other side knows and doesn't know, and what they expect. A well executed contract and deliverable makes these assumptions clear.

Finally, companies need to understand what exactly they are buying when they retain either a consultant or an auditor. They are NOT buying a guarantee that they will not be hacked, or even a guarantee that every vulnerability has been found and abated. Or, if they are buying that, they certainly are underpaying! They must also understand that the value of the final product is dependent upon the consultant being given access to all critical systems (and the systems upon which they depend), and on full, honest and truthful answers from staff about how things are actually done. I am reminded of my trips to the dentist, where the hygienist inevitably asks if I floss after every meal, and I, with a straight face, invariably lie that I do so religiously. Do you think the hygienist can tell?

The quality of the report will be dependent upon the quality of the cooperation, but competent consultants (like competent hygienists) should understand that there is a disparity between observation and reality.

These issues are sure to become more significant as companies, under pressure from laws like Sarbanes-Oxley, HIPAA and GLBA and from the card industry's CISP standards, rely on consultants with expertise in these areas to help them navigate the shoals of Scylla and Charybdis. In the name of full disclosure, I should point out that my employer is one of these companies.

What does a security audit provide?

Companies that retain consultants or auditors are entitled to put their security auditors to the test - and to rely on their findings and recommendations. They are entitled to honest appraisals based upon appropriate and agreed upon standards. They deserve consultants that are responsive, professional, and deliver what they have promised. However, all parties must understand that security is a journey, not a destination. Ultimately, it is the client - the bank, the hospital, the insurance company, the credit card processor and not the consultant or auditor - that has the relationship with their customer, that is a fiduciary of their customer's information, and whose reputation suffers from a breach of security.

It behooves all parties to know what they are buying and selling in a professional services contract. And remember, the only "guarantees" in life are death and taxes, and I am not even that sure about death.

© SecurityFocus. Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
