Login  |  Register  |  Contact

Some Answers for Jeremiah: Website Vulnerabilities

Jeremiah posted these questions on dealing with website vulnerabilities. Here are my quick answers (I have to run- sorry for the lack of links, but you can Google the examples):

Lets assume a company is informed of a SQLi or XSS vulnerability in their website (I know, shocker) either privately or via public disclosure on sla.ckers.org. And that vulnerability potentially places private personal information (PPI) or intellectual property at risk of compromise. My questions are: 1) Is the company "legally" obligated to fix the issue or can they just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.

Definitely no for intellectual property. Definitely no for SOX- SOX says you're free to make as many dumb mistakes and lose as much money as you want, as long as you report it accurately. Other laws are a toss-up, but generally there is no obligation unless there is evidence that a breach occurred. For PCI-DSS you have to remediate or document compensating controls for any network vulnerabilities at the time of your audit (and this expands to applications with 1.1), but there is no definitive requirement for immediate remediation. California AB1950 is the big question mark in this area and I'm unsure on enforcement mechanisms.

The regulations are very unclear and unhelpful here, and it's quite likely a company can accept the risk. But if a breach occurs, they may be held negligent. Take a look at the PetCo case where the FTC mandated a security program after a breach, and Microsoft/MSN. The companies were held liable for losing customer data, but not because of any of the usual regulations.

There is almost no case law that I'm aware of.

2) What if repairs require a significant time/money investment? Is there a resolution grace period, does the company have to install compensating controls, or must they shutdown the website while repairs are made?

No. Most regulations only require breach notification or remediation of flaws discovered through auditing. Reasonable person theory probably applies if there is a breach with losses and it goes to court. I've read all of the regulations- none mention a specific time period.

3) Should an incident occur exploiting the aforementioned vulnerability, does the company bear any additional legal liability?

They may carry liability due to negligence. See the cases I mentioned above.

4) If the company's website is PCI-DSS certified, is the website still be considered certified after the point of disclosure given what the web application security sections dictate?

Unknown because there are no public cases that I can find. I believe you remain certified until the next audit. In the case of Cardsystems, they were PCI certified when the breach occurred and immediately re-audited and de-certified following public disclosure of the breach. That's one problem with PCI-DSS- it's very audit-reliant and changes between audits don't directly affect certification.

5) Does the QSA or ASV who certified the website potentially risk any PCI Council disciplinary action for certifying a non-compliant website? What happens if this becomes a pattern?

No known cases of disciplinary action, but an audit insider might know of one. Disciplinary action will most likely only take place if the audit failed to follow best practices and a large breach occurs, or if there is (as you mention) a pattern. None of this is formalized to my knowledge.

I've spent a lot of time researching and discussing all the various data protection and breach disclosure regulations. Organizations generally only face potential liability if they either falsify documentation for auditing or certification, or suffer a breach and are later shown to be negligent. I am unaware of legal enforcement mechanisms if there is a known vulnerability, but no definitively unapproved disclosure of information.

This is an inherent risk of audit-based approaches to data protection.

—Rich

Posted at Tuesday 9th October 2007 4:38 am Filed under: app securitynon-geek

Previous entry: Encryption: The Maginot Line of Data Security | | Next entry: Network Security Podcast: Episode 80

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Danny Lieberman  on  10/10  at  02:31 PM

Excellent answers to questions that needed asking.I would like to add my two cents and clarify PCI DSS 1.1 in particular.

1-2) Unfortunately there is a great deal of confusion on the relationship between risk mitigation and regulation and control checklists as mandated by standards like PCI DSS 1.1.  Risk mitigation is application of countermeasures to threats that exploit vulnerabilties in order to cause damage to assets - there is always an economic element to risk mitigation and sometimes the most cost effective risk mitigation plan is to accept risk. 

4) A Web site is never PCI DSS 1.1 certified.  The merchant is certified. Only about 1,000 out of 4 million merchants require onsite audits by a Certified PCI risk assessor (these are so called Level 1-2 merchants).  Everyone else (3.999 million) do risk self-assessments.

Any merchant who does a self-assessment should take a "show me the money" approach and put the MS Word checklist aside.  The point of PCI DSS 1.1 is to improve payment card security not to make a web site compliant.  I warmly suggest taking a look at Practical Threat Analysis in order to see how to attain a cost-effective, prioritized risk mitigation plan.

Best Regards
Danny

By rmogull  on  10/10  at  10:06 PM

Danny, great comments. But I do think that despite the "intent" to improve payment card security, the reality is most organizations *do* just see it as "getting compliant" and making the auditors go away. Sad and wrong, but all too true.

I wish more people used it as a motivator for real risk assessment, as you suggest.

By Danny Lieberman  on  10/11  at  12:18 AM

Rich,
Thanks for the kind words. It appears to me that following the PCI DSS 1.1 checklist blindly can cause more damage than some threats. A client of ours, who is a Level 3 online merchant, uses a scanning service. They got a warning about potential Open Ldap vulnerabilities - I told them that the version of OpenLdap they use is patched and not vulnerable and please not to touch the Ldap setup.  Needless to say, the client didn’‘t listen, closed down some ports and their global directory services went dead in the water. Doh.

Motivation for real risk assessment will certainly take time but I see it happening for two reasons:

1) Pull from the business community:
Smaller merchants and businesses realize that when it rains - everyone gets wet. A smaller business has proportionately more to lose than a TJX and a smart small businessperson will be interested in protecting her assets, as long as it doesn’‘t cost too much. 

2) Push from the card associations:
The card associations realize that collectively, small merchants pose a sizable vulnerability in the payment processing network. They WILL be asked to step and improve their operation.

Anyhow - just my 2 cents….Danny

Page 1 of 1 pages

Name:

Email:

Remember my personal information

Notify me of follow-up comments?

Submit the word you see below: