Search results matching tags 'Strategy' and 'Compliance'

The InfoSec Perspective for April 2010

Logik! — Thu, 15 Apr 2010 12:11:13 GMT

It has been a busy month or so for information security.

Apple has patched a vulnerability that was showcased in a recent hacking contest, Microsoft has released a major set of fixes in its most recently Patch Tuesday, and and Oracle (which now owns Sun) has not yet committed to patching a Java vulnerability on Windows that has been exploited in only 5 days from public disclosure.

Oracle seems intent to stick to a quarterly patch schedule, which they have been able to do because the bulk of their applications are used behind the corporate firewall. Now, with Java as a major component of their software portfolio, this approach is unlikely to continue. They’ll either have to adjust the schedule for all products (which they really should consider), or put Java on its own schedule. Or, deal with lots of out-of-band Java patches. Anything but this quarterly nonsense.

On another front, due to a rash of recently vulnerabilities in its Acrobat products, Adobe is looking to enable silent, background updating of these tools to “keep users safe”. No official word yet on how enterprises will look at this approach, but I imagine there will be considerable discussion. (The comments at the end of the ComputerWorld article give just a taste of the concerns.)

Microsoft Patches:

Apple Patch:

Finally, there has been a significant increase this year in targeted attacks at high-profile Internet organizations, and there is no indication that this trend will decrease in the near future. If anything, the growth of cloud computing and outsourcing in general will present more of an opportunity for these types of attacks, because the potential payoff is substantial!

One of the biggest selling points to CIOs and business executives for cloud computing and outsourcing is that the hosting organization is better able to address security and other risk-related concerns than could the CIOs organization. While it may be true that the hosting provide *should* be more focused and have better, more trained staff to address these needs, the same kinds of politics that often prevent technologists from making or executing the right decisions (as opposed to the cheapest decisions) happen just as often in hosting provider organizations as in regular companies. It’s just that the stakes are higher.

Be sure you have a well worded contract with your Cloud Provider or Outsourcer when you decide to turn over the crown jewels of your data to an external provider. Hearing the following excuse from your provider will not bring your business back:

“Ooops, I’m sorry that the hackers from <insert suitable foreign country or government here> penetrated our defenses because we did not use quite as many layers of expensive security as requested by our security professionals. Hey, we’re not the only ones who got hit, anyway, and our auditors signed off on our environment just 3 months ago!”

I’ve previously spoken about the difference between an organization that is secure, and one that is compliant, so I won’t address that again. Suffice it to say, there is potentially a huge difference. What we need is more consciousness around security as a basic part of operations, not as some costly add-on.

If you purchase a car, you must get insurance.

Likewise, if you run an enterprise (or even a small business), you must secure that environment. And we’re not just talking about antispam and antivirus, which are just the very basic level of infosec (like locks on your car).

If there is not a change in the understanding around information security, and they fact that it is not a static state, but a very dynamic one, we will find the next 12-18 months to be horrendous in terms of security incidents and data breaches worldwide.

BTW, the reason that information security and compliance remains so expensive is that it is largely implemented in a piecemeal fashion. If it were baked into technology and business operations, the costs would naturally go down. This is true of almost every part of the technology infrastructure and operations. The things that are bolted on (Disaster Recovery and Backups) are more expensive than the things that are baked in (routing, switching and load-balancing).

If we want better security at the enterprise level, then we have to fund it. Better employee hires, better training, lab environments to test and deploy better fixes, and better practices throughout the organization. And they need to be listened to. Simply outsourcing your problems doesn’t work, especially if you’re not going to change your procedures and policies of operation.

Information Security is primarily an issue of people executing good procedures and following good policies. It is NOT primarily a matter of purchasing good technology.

Hopefully, businesses will stop paying lip service to information security, and to protecting the critical assets of their business and their clients. Hopefully. Unfortunately, I have no reason to believe that this will occur in 2010 for most organizations.

We Have Found the Enemy -- and It Is Us

Logik! — Fri, 14 Aug 2009 11:42:36 GMT

I just finished reading a provocative Computer World article about the PCI compliance process, entitled “Will the Real Enemy of Security Please Stand Up?”, and it highlights a common misconception about the role of auditing and auditors in the compliance process.

The article is a follow-up to an interview with the CEO of Heartland Payment Systems about their security breach.

Compliance, whether PCI, SOX, HIPAA or others, does not make you safe. Auditors do not make you safe. The auditing process does not make you safe. Safety is up to the organization.

This is primarily because auditing is a spot-checking process. Auditors do not review every log, every document, every account, etc… They perform statistical sample checks, and should those samples validate the procedures a company purports to follow, the auditors will move on to other areas to ensure compliance with the policies stated there. If there is a variance, of course, they will dig deeper.

Auditors cannot catch every flaw or weakness in an environment any more than police can catch every drunk driver by randomly pulling over drivers during the holidays. Certainly, spot-checking will return huge dividends in organizations which have poor security procedures or poor execution of processes, since the discrepancy between what is stated and what is accomplished will very likely show up in even a rudimentary audit. However, an organization that is closer to the making the grade, or which does all the right things around the time that the auditors will be performing their duties on-site, has a much greater chance of evading detection.

The real culprit is the organization itself.

-- It is the one that *needs* to be secure, and it is the one that needs to take security seriously.

-- It is the entity that needs to embrace a culture where security has a high enough priority and sufficient resources to deal with the ever-changing threats.

-- It is the entity that has to continue executing against its procedures even after the auditors have left.

-- It is the entity that has to ensure that its technology team is adequately trained and sufficiently staffed to deal with all areas of its operation – not just performance and scalability, but with risk mitigation.

-- It is the entity that needs to be looking out to see that new threats are mitigated in some way, and that is working with the auditors, rather than trying to give the auditors as little information as possible so that they can go away quickly.

-- It is the entity that fails to heed the oft-stated message that compliance does NOT equal security. True information security is a superset of any regulatory or industry compliance, and is an ever-moving target that requires constant vigilance.

Rather than throwing his QSA under the bus, Mr. CEO should evaluate his role in creating a culture of security and pushing security as a primary business initiative. He should consider whether he is ensuring that the right leadership, resources and focus is on the holistic security of his client’s data, or whether he simply views compliance as some expensive nuisance that he’s forced to pay for (and would like to get out of the way as quickly as possible).

The primary goal of Information Security is risk mitigation, not breach prevention. There’s a huge difference. Yes, you want to prevent as much bad stuff from happening as possible, but the more connected you are, the more avenues of attack there are. What you ultimately want to do is a combination of the following:

Prevention: stop breaches from happening as much as possible
Isolation: Compartmentalize sensitive information so that no single breach will expose all data at one time
Protection: Add layers of security, including encryption, to minimize losses or increase the time needed by attackers to get to sensitive data
Auditing: Keep logs of everything so that you can identify when any of the above have failed
Monitoring: Keep an eye on activities so that if you are breached, you can cut it off as quickly as possible, and minimize losses.

This requires overlapping resources, and is something that companies are loathe to pay for. “Didn’t we just purchase a product that does A, B, C and D? Why do we need one that does C, D, E and F?”

As long as organizations continue to view security as something that hurts their wallets, or treat it as any other investment project, and utterly fail to recognize that it is all about risk mitigation and ensuring the successful continuity of their business, they will continue to experience ever-growing breaches and get even more opportunities to blame someone else for their problems.

We have met the enemy – and it is us.

Remember: Only you can prevent ~~forest fires~~ data breaches.

We Have Found the Enemy -- and It Is Us

Anonymous — Fri, 14 Aug 2009 11:42:36 GMT

I just finished reading a provocative Computer World article about the PCI compliance process, entitled “Will the Real Enemy of Security Please Stand Up?” , and it highlights a common misconception about the role of auditing and auditors in the compliance...(read more)

The Compliance Trap

Logik! — Thu, 12 Mar 2009 20:47:00 GMT

The more things change, the more they remain the same.

Almost exactly two years ago, I posted an article about the general organizational obsession with regulatory (or industry) compliance, at the expense of proper information security. Just today, I read an article on the CIOzone that asks: Does PCI Compliance Work?

The point being made in this article is a very valid one, and one that bears repeating: The PCI DSS standard is merely a *baseline* that can help organizations identify and mitigate specific information security risks to their business, but it is not the final answer on information security in an enterprise.

If your focus is simply on attaining compliance, you are likely to end up with compliance to the letter of the law without a corresponding adherence to the spirit of the regulations. In short, you will undermine your ultimate goal of risk mitigation, and you’ll likely spend a lot of money doing so.

In the long-run, the costs for doing the very least that can be done to achieve compliance are far greater than the costs incurred by properly implementing a comprehensive information security and risk management program. Consider just a few of the following ways that minimal compliance can cost an organization:

Changes to existing compliance regulations will generate new technology costs
Becoming subject to a new compliance regulation will generates new technology costs
Minimal compliance does not necessarily improve security, thus such organizations can expect to experience more breaches which result in hard costs (fines, consumer notification, and issue remediation) and soft costs (lost consumer confidence)

Let’s get something else straight: Neither compliance nor a good security program can guarantee that an organization will not be breached. Prevention cannot be guaranteed, especially when it comes to complex organizations with elaborate customer and partner interaction. What a good security program does is mitigate risk – limit exposure, narrow the scope of attack, allow faster identification, enhance recovery time, and help to track the infiltration back to the source.

Security professionals need to constantly manage expectations that their senior managers have after spending x-thousands of dollars/euro to implement a security program. (And we’re not even going to mention that security is much more than technology – it is about people and process). Mitigate is not the same as eliminate. This simply cannot be overstated.

The bottom line is that companies that take Information Security seriously will be able to address industry or regulatory compliance more easily and more effectively than those which just focus on addressing the compliance checklist – whatever that checklist happens to contain today.

Hopefully, I’ll see a difference in approach in use by most organization two years from now, so that I won’t have to sing the same, sad song. Again.

Compliant or Secure?

Logik! — Thu, 29 Mar 2007 17:30:06 GMT

Does fulfilling your regulatory compliance requirements actually lead you to be more secure? Will your organization automatically attain compliance by pursuing a strict regimen of security practices?

In short, is the quest to be compliant complementary, unconnected or mutually exclusive with the quest to be secure?

This is the heart of a subject that I have seen discussed rather frequently of late, including in the March 2007 issue of Information Security magazine.

Whether or not it is theoretically possible to fulfill most compliance requirements by improving ones security posture, in practice the effort that most organizations make towards being compliant with one or more set of industry or government regulations detracts from their security posture on a whole -- both in funding and in focus.

For one thing, the goals of compliance are radically different from the goals of security. Compliance focuses more on accountability, whereas infosec deals more with prevention and risk mitigation. Yes, auditing is a major part of security (because not everything can be prevented), and there is some risk mitigation in compliance, but they are not the same.

And let's not forget that compliance is often ascertained by periodic auditing of sample sets. There is nothing inherently wrong with this, of course, but you can infer some interesting -- and inaccurate -- conclusions about your security posture when you take a sample of, say, 50 logs or reports for 2000 users, and try to extrapolate how secure the environment is by how compliant the sample set is.

Example: Let's say that your organization has 2000 users, each with his or her own computer system, but only 75% of those systems have antivirus installed. Today, an auditor comes by and does a spot-check of 50 of those systems and finds that 100% of the 50 systems selected have a properly configured AV product. From the auditor's standpoint, that would make the environment compliant, right? But would that actually make the network secure? Food for thought...

Now, I'm not suggesting that all aspects of compliance auditing is this rudimentary and devoid of cross-checks, but in general, auditing requires a different burden of proof than is warranted by true security. Too often, organizations aim for the least amount of work they can do to be compliant, and this results in a weakened security posture. And it doesn't help that the costs for compliance are not insubstantial, taking away resources from other infosec initiatives.

In an ideal world, applying consistent security principles within an organization in a systematic and holistic fashion would also tend to bring one into line with regulations which have security and accountability at their foundation. Unfortunately, theory and reality do not find themselves in the same ballpark very often, to the detriment of all.