Checkbox Security Fails Again

Regulatory compliance is often a confusing mess. Rattling off the alphabet of compliance can result in dizziness, headaches, and, for some, a bad case of nausea: PCI-DSS, HIPAA, HITECH, GLB, SOX, and, heck, might as well throw in some state data breach notification laws as well. Congress doesn't want to stop there, either, as it continues its efforts to add even more to this list of rules to live by.

Don't get me wrong. The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful). The problem is, with so many different regulations carrying varying definitions and requirements, attempts at compliance start to resemble the traffic signal depicted to the right. The cure for one bout of "alphabetitis" doesn't necessarily vaccinate you against the others. In the meantime, while you're running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the "to do" bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective. Unless you live in a spider hole like a Doomsday Prepper, you may have noticed a recent breach of credit card data. If you are a "prepper", here's a quick catch-you-up article from ABC News, April 2: "Experts Say Global Payments' Breach May Not Be Only One".

But wait! How could this have happened in the era of PCI compliance?

To be blunt, building an information security program around compliance is an approach steeped in failure. The desire to have a favorable audit report is very strong, but once the audit is over, the focus tends to shift away from the continuous protection of sensitive information. As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article, "Global Payments credit card security breach exposes PCI shortcomings", where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security? As is often the case, let's look at something entirely basic. In order to protect something, you have to know what it is. Regulators and legislators aren't helping in this regard: protected information is defined differently depending on the flavor of legislation you're working with. Wouldn't it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis? If you store, process or transmit data under this one definition, then you have to protect it regardless of whether you're in healthcare, finance, or any other industry vertical that uses such information.

I don't think we can rely on government to help in this regard. So, create your own matrix of sensitive information (maybe I'll take that on as a project and post it), and then apply the SANS 20 Critical Controls or some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark-and-erase checkbox game of compliance. If you have deployed a solid information security program, then compliance audits should, quite frankly, be a simple verification process.


_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Cybersecurity Act of 2012 – Uh oh!

The US Government appears serious about passing the Cybersecurity Act of 2012, but it does little more than grab additional power while placing additional burden on the private sector. While there are a few provisions that may create opportunities for improved protection of critical assets, this bill essentially takes us down the path of "check mark security", which is a failing proposition. If the goal is to eventually create state-controlled infrastructure, this is a step in that direction.

I'm inclined to agree with Gartner's John Pescatore, who commented in a recent CSO article that the government already has a mechanism in place that could be used to vastly improve the ability to defend against cyber attacks: purchasing. By demanding tighter security controls from software and product manufacturers as part of the US government purchasing program, we tackle a major issue when it comes to securing our infrastructure.

Check mark compliance usually means an organization will do the least amount necessary in order to satisfy its regulatory compliance obligations. That simply does not equate to applying the right security mechanisms to deal with current and trending threats. Static regulatory requirements are not agile enough to keep up with a rapidly changing and evolving cyber ecosystem.

So where does government fit in?

  • Support for education efforts, and a salary schedule that attracts talent into federal agencies and the general workforce. As outlined in the proposed legislation, scholarship-for-service, internships, funding competitions (which should be administered through a private sector partnership), and additional training opportunities for current federal employees are all good things.
  • Improved mechanisms for information sharing between the private and public sectors.

Unfortunately, creating a compliance culture builds incentives to do the minimal amount necessary to satisfy requirements. It does not necessarily improve the security of critical infrastructure or information. Using the threat of a "catastrophic cyber attack" as a pretext for a power grab is irresponsible and does not solve the issue at hand. Our legislators need to take a step back, understand what they want to accomplish, and consider the unintended consequences that often accompany their actions.


Photo credit:  Jeroen van Oostrom / FreeDigitalPhotos.net

More Legislation? Hmmm.

Senator Richard Blumenthal, D-Conn., introduced new legislation aimed at preventing data breaches. The proposed legislation includes federal requirements for customer notification in the event of a breach (something most states have been requiring for years) and requires companies to provide two years of credit monitoring service. There are fines, and program requirements for regularly testing controls and for protecting information while it is stored.

SC Magazine article: "New Senate Bill Aims To Prevent, Deter Data Breaches"

Here are just a few issues with this:

1. We're assuming the federal government can successfully patch together the existing state privacy and security requirements in a way that is helpful to businesses. I'm not sure our federal government can successfully tie a pair of shoes without creating extensive knots.

2. While requiring secure storage of sensitive information is certainly a valid idea, it doesn't do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media. Regaining focus on "least privilege" and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.

3. The alphabet soup of security/privacy legislation and compliance is mind-boggling. Personally Identifiable Information (PII) is defined differently depending on which piece of legislation or industry standard you're applying: PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, and so on. How about one definition to rule them all?

I'm encouraged that the government takes privacy and security seriously, but, as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved. I don't disagree with the attempt; I'm just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.

“Do Not Track” – Will it really help?

The FTC and White House are once again throwing their support behind a "Do Not Track" tool meant to protect user privacy on the Internet. I think it's easy to jump on board the good ship Privacy, but any time the federal government engages in such rule enforcement and legislation, you have to wonder what the unintended consequences might be. Will it really make a difference?

For instance, if this is modeled on the Do Not Call list, does the restriction on collecting internet activity not apply to politicians and their election campaigns? Or do they get a pass again?

Will it change the business model that provides free content and services?

If legislation is created and passed, will it also include funding for ant farms in Alabama or other items that have no business being in a privacy bill?

More importantly, will it really change people's behavior? I'm not sure. People have been giving away information about themselves for a long time, whether it's to get 3 cents off a loaf of bread or to win money in a lottery they've never entered. Can you really legislate personal responsibility anyway?

I think providing a choice is a good thing. I think it's reasonable to inform people how their information will be used. I'm just not sure the end result of this effort will resemble the good intentions.

Photo credit:  Mikey G. Ottawa


Cybersecurity Bill – DHS as Punisher

In an effort to make the DHS the focal point of "cybersecurity", legislation was introduced that would allow it to levy fines and other civil penalties against any company the government decides is "critical". I agree that protecting critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is "critical"? The use of this broad term makes me nervous. It's an open-ended path to abuse, in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds nothing to information security except the costs of complying with yet one more check box. In the long run, more money will be dumped into information security, but the large bureaucracy will negate the benefits. The last thing that should be done is to insert a slow-moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the presidentially appointed U.S. Cybersecurity Coordinator? Does this role go away? If not, what type of conflict does the appointment of a DHS cybersecurity guru create?

This is simply a bad idea.

More Useless Legislation

"File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told" (Washington Post)

Another politician jumps into high gear with more useless legislation and finger pointing after sensitive information was leaked via P2P software on federal computers. Policy already dictates that P2P software shouldn't be used, but these agencies lacked the technical controls to enforce the policy. Adding legislation that merely says "don't do it" is not the answer. Blaming the P2P software companies for federal agencies' failure to implement good security is pathetic, but certainly not unusual for the political blame game.

Good endpoint security, perhaps with the prudent implementation of application whitelisting technology, can provide the technical controls necessary to enforce such a policy.