Misconception No.5: The “Recency” Trap

PCI in Question

The Recency Trap has even bitten compliance regulations like PCI. In my opinion, the PCI DSS (payment card industry data security standard) is one of the best efforts put forth to date to secure a company’s information systems. It isn’t perfect, but it is highly prescriptive and provides very clear guidelines on what to do (and not do) to provide a more secure computing environment when handling credit card data.

With the recent data security breaches at TJX and Stop & Shop, PCI has come under fire. After all, if both of these companies were PCI compliant, how could they have been breached so easily? There are two things to remember here:

  • Compliance does NOT equal security; and
  • The Stop & Shop breach was a carefully planned and well-orchestrated attack, specifically targeted at their point-of-sale card swiping kiosks. It was anything but an easy attack.

The fact that the PCI standards council is coming under fire because of these attacks is a shame, and it shows again that The Recency Trap is a powerful psychological gripper.

When people feel threatened, they want to point fingers. It’s only human to want to identify someone or something to blame for your feelings of insecurity. Unfortunately, this often drives us to make knee-jerk reactions and poorly considered decisions.

PCI is not to blame here. In one incident it was very savvy criminals, and in the other it was an organization that hid bad policies and mismanaged its applications and data.

Falling into The Recency Trap is dangerous, but, being human, we’re all prone to this psychology. One tactic to beat its pitfalls is threat modeling.

Threat modeling is an important activity for risk management. It helps you identify which assets (or liabilities, as I prefer to call them) are susceptible to particular threats. The basic concept is that you define a set of possible attacks and negative scenarios to consider, and then you assess the probability, potential harm, priority, and business impact of each threat.

From this point, you can define measures that minimize or mitigate the threats, which in turn help you make investment decisions. Threat modeling also helps prevent rash decisions, because you have a tangible and persistent model to refer to when asked about a specific threat. In the absence of threat modeling, you are more at risk of psychological over-reaction.

When you develop a threat model, it also becomes a sustainable asset. If a new vulnerability or a new threat is detected, you can reuse your threat model to determine whether you are in a state of heightened risk, decreased risk, or neutral.

A basic tenet of threat modeling is that threats are realized through scenarios that can be exploited via vulnerabilities if not mitigated with appropriate countermeasures. But you’ll never know which countermeasures are best for you if you don’t analyze the system first.
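As an added example (not code from the article or from Security Innovation), the sketch below keeps a small threat model as persistent data, ranks scenarios by residual risk, and re-evaluates the model when news arrives about one asset, answering "heightened", "decreased" or "neutral" as the article proposes. The threat list, the scores and the rule that each countermeasure halves likelihood are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Threat:
    name: str
    asset: str             # asset (or liability) the scenario puts at risk
    probability: float     # 0.0-1.0 likelihood the scenario plays out
    harm: int              # 1-5 potential harm if it does
    business_impact: int   # 1-5 impact on the business
    countermeasures: list = field(default_factory=list)

    def risk(self) -> float:
        # Assumption: every countermeasure in place halves the likelihood.
        residual = self.probability * 0.5 ** len(self.countermeasures)
        return round(residual * self.harm * self.business_impact, 2)


def total_risk(model) -> float:
    return round(sum(t.risk() for t in model), 2)


def prioritize(model):
    """Order threats by residual risk, highest first: the investment priority."""
    return sorted(model, key=lambda t: t.risk(), reverse=True)


def reassess(model, asset, probability_multiplier=1.0, new_countermeasure=None):
    """Reuse the persistent model when news arrives about one asset: a fresh
    vulnerability raises its likelihood, a new control adds a countermeasure.
    Returns ('heightened' | 'decreased' | 'neutral', updated_model)."""
    updated = []
    for t in model:
        if t.asset == asset:
            cms = t.countermeasures + ([new_countermeasure] if new_countermeasure else [])
            t = replace(t, probability=min(1.0, t.probability * probability_multiplier),
                        countermeasures=cms)
        updated.append(t)
    before, after = total_risk(model), total_risk(updated)
    state = "heightened" if after > before else "decreased" if after < before else "neutral"
    return state, updated


# Constructed sample model (illustrative values, not figures from the article).
MODEL = [
    Threat("Card data skimmed at POS kiosk", "pos_kiosk", 0.2, 5, 5, ["tamper-evident seals"]),
    Threat("Stored cardholder data exposed via web app", "web_app", 0.3, 5, 4, ["WAF", "encryption at rest"]),
    Threat("Laptop holding reports stolen", "laptop", 0.4, 2, 2),
]

if __name__ == "__main__":
    for t in prioritize(MODEL):
        print(f"{t.risk():5.2f}  {t.name}")
    print("new web app vulnerability ->", reassess(MODEL, "web_app", probability_multiplier=2.0)[0])
```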


Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.