What The CIA WikiLeaks Dump Has In Common With PCI Compliance

Posted by David Gamey on 14 Mar 2017.

In recent news, WikiLeaks exposed a huge trove of CIA documents.  Journalists and bloggers will of course have a field day with this and the general public will be spectators to another ongoing drama. From our perspective, thankfully, it sounds like WikiLeaks intends to work with vendors to fix vulnerabilities which will hopefully spare everyone from a shooting gallery of zero-day exploitation.

WikiLeaks and PCI Compliance

We, like many of you, were curious. We wondered what useful things might be gleaned from this.  In particular, how might PCI DSS, PA-DSS, PIN, and P2PE guidance hold up against the CIA’s guidance? What we found interesting was that after casting off the spy craft stuff like misdirection, misattribution, and uber-stealthy techniques, what was left could easily be taken from a PCI compliance and best practices document:

  • Don’t use proprietary crypto
  • Don’t use deprecated crypto e.g. SHA-1
  • Don’t rely solely on SSL/TLS
  • Don’t write plain text to disk
  • Don’t keep data in memory longer than needed
  • Do use end to end encryption
  • Do compress data prior to encryption
  • Do use standardized crypto libraries
  • Do use strong crypto like AES 256 in an appropriate operational mode
  • Do use strong HMAC’s and Hashes e.g. SHA-256 or better
  • Do use HMACs not hashes for integrity
  • Do use strong key management
  • Don’t use asymmetric crypto for bulk data encryption
  • Do use asymmetric crypto to exchange secret keys
  • Do use a good source of entropy for key generation
  • Don’t reuse keys for different purposes
  • Don’t use related keys
  • Do securely delete data from disk
  • Do testing against the requirements of best practice
  • Do testing on all supported program variants

Learn more