Why suing auditors won't solve the data breach epidemic

The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends.

Nor, in a disturbing number of situations, is it on the list of ways to Influence People. Take a pack of security auditors out for a beer sometime. (You will not have to ask twice, and if you get two beers in them they'll tell you about that mid-sized city whose network is end-to-end pwned right now and that international airport that has an ongoing problem with stolen IDs -- no names, of course, but plenty of other detail. After that, you'll want another beer just for yourself.) When they're done scaring you, they'll start trading tales of clients who simply refused to accept a bad audit.

No one likes to be told that his IT operation has weaknesses, let alone critical-stop problems. Some companies will retain a security firm and, when bad results start coming back, terminate the contract and send everyone home. Some companies will hire a crew and, when they get there, manage to be so disorganized and cranky that the auditors spend half their time attempting to simply get started. And some, presented with a report saying that their company isn't security-compliant, will simply ask that the report be changed.

No, it's not nice. (It's even less nice when the auditor drinking your beer mentions that a bank they recently visited did this, you bleat "it wasn't [name of my bank], was it?", and all-l-l the other security people at the table point at you and laugh. Children can be so cruel.) But it happens. Which is why a great many of us are very interested in how Merrick Bank's lawsuit against Savvis, a security auditor that gave CardSystems Solutions an inappropriately clean bill of health back in 2004 right before the company was breached to the tune of 263,000 stolen credit-card numbers and an eight-figure liability payout.

Summarizing what's known (much of it covered in Kim Zetter's excellent overview on Threat Level), in 2004 the merchant bank retained CardSystems to handle certain credit-card processes. CardSystems was certified by Savvis as meeting CISP (Cardholder Information Security Program) standards; CISP is of course the predecessor to the current PCI-DSS (Payment Card Industry Data Security Standard). CardSystems had according to Visa failed at least one previous compliance audit, but had passed when Savvis took a look in June '04. But Savvis' auditors didn't note that CardSystems was improperly storing unencrypted data; the company should never have passed that audit. Three months later, hackers got in and found the improperly stored data. Cue the lawyers.

Under those circumstances, the hue and cry to boil that dust speck sue those auditors is pretty understandable. But just as your reporter was reaching for her old and battered Net Ethicist hat and a convenient pitchfork and torch, she took a moment to ask a few auditors if they thought the situation merited a suit, and whether any good can come of it.

One security pro (who asked not to be named in this piece) compared the situation to suits in which credit-rating agencies such as Moody's and Standard and Poor's have recently been sued for providing a too-rosy picture of securities backed by sub-prime mortgages and the like. In those cases, plaintiffs are claiming among other things that the rating agencies aren't independent -- "compromised" is the word that's been thrown around -- but there's a real question as to whether a firm can be liable for, essentially, saying something of questionable accuracy.

Others point the finger at the credit-card companies. "Visa's a cheap bunch of...," said one slightly woozy contractor. (Another round, bartender.) "Figures. Trying to pass this off on an auditor." The rest of his statement was unintelligible, but we suspect he wanted to say something about how until very recently, only the company audited had the right to see the actual audit report. That's a huge loophole, only recently sort-of-closed by the PCI Security Council's requirement that they receive a copy of the audit, albeit with the name of the audited company redacted.

More coherently, Rachel James of ID Experts points out that, as many auditors will agree, the system's deeply flawed, with four-fifths of all audits controlled by a dozen large vendors, each with security products for sale. Over-emphasis on standards-based compliance leads to checking off boxes, not robust security.

And yes, she agrees, flat-out cheating happens, as we saw in a disturbing survey conducted among security managers and tech staff attending InfoSecurity Europe back in April. "Standards and procedures are wonderful tools, necessary to implement any security process or program. However, a chain is only as strong as the weakest link. In this case, the links are made of people," she blogged this week.

People who in some cases behave abominably. Savvis clearly missed some glaring problems at CardSystems, but how were they missed? Did the auditors get full and frank cooperation from CardSystems, or was management there sufficiently freaked out by blowing the previous audit that they were untruthful to the Savvis crew? That crew, by the way, had only recently been brought aboard by Savvis as part of the acquisition of Cable & Wireless USA; how was that going, and were the auditors in a position to be firm with their clients at CardSystems if the clients were obstreperous?

There are of course those who claim that compliance is just too ephemeral -- if you're compliant today and one overzealous employee stealthily installs a Wi-Fi access point under her desk tonight, you may not be compliant tomorrow morning, and heaven knows when you'll find that out. Or it's simply too hard to understand, which is true on some levels and just silly on others. Neurosurgery is hard. Calculating space-probe trajectories is hard. Compliance is just complex and occasionally tedious.

I'm personally interested right now in what I'm hearing from people working to build really top-notch, intelligence, human-comprehensible compliance matrices that businesses can use to improve communication with auditors and, even better, use to run down problems before they get into some random consultant's report to the boss. Like anyone else I want to see the bad actors weeded out of the auditing business, but before we start suing allegedly industry-certified auditors I'd like to see more scrutiny of the behavior of the company receiving the audit.

And now for something almost completely different: Having one of those days? If you don't make a habit of keeping up with the TSA's blog, you should; pound for pound, the commenters there are some of the angriest people online. Check out yesterday's post sort-of-explaining the new Secure Flight program, which will lead to a lifetime of explaining to some little ticketing-counter chippie why you don't use your middle initial on your driver's license. Then, once your head cools off, read the comments. No matter how poorly your day is going, odds are excellent that at least you're not "Blogger Bob."