Checkbox Security Fails Again

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.   PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is, with so many different regulations with varying definitions and requirements attempts at compliance start to resemble the traffic signal depicted to the right.   The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you for the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper, you have probably noticed the recent breach of credit card data.   If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2 -  “Experts Say Global Payments’ Breach May Not Be Only One“.

But wait!!  How could this have happened in the era of PCI Compliance? 

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire is very strong to have a favorable audit report but once that is over, the focus tends to shift away from the continuous protection of sensitive information.   As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article “Global Payments credit card security breach exposes PCI shortcomings” where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security?  As is often the case, let’s look at something entirely basic.  In order to protect something you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis? If you store, process or transmit data under this one definition then you have to protect it, regardless of whether you’re in healthcare, finance, or any other industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.

 

_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Risk-based Information Security

How do you even start protecting your information assets if you don’t have an understanding of the risk to them?  I would venture to say… you don’t.  It’s difficult for some to get started down this path because they quickly get overwhelmed with the task at hand.  Many times, a good effort gets set aside because the level of detail gets too cumbersome to reach the finish line.  Perhaps this can help.

Organizational assets

You have to know what you have but it doesn’t have to be a lonely road to get the information.  Start with a network scanning tool to detect the systems on your network and try to understand the type of data being stored on each.  However, don’t try to perform a risk assessment on each individual system.  Group them into sensible categories based on type of data (customer, HR, financial), application type (web, database, app) or business function (web, e-mail, accounting/finance).

Find out who “owns” this data.  A department head, Director, VP, whoever is ultimately responsible for the data.  Remember, determining risk is a business responsibility and it is up to Information Security to adequately illustrate the risk and controls so that informed decisions can be made.

The Risk Rating Matrix

There are many ways that this can be done and even sample matrices you can use online.  Take your pick.   Some assign rankings for Threats, Vulnerabilities, and Impacts for each part of the security triad (Confidentiality, Integrity, Availability).  Some take into account compensating controls.    Some use the likelihood of an event happening.  Some multiply their risk rating by a detectability factor (how hard an issue would be to notice before it does damage) to get an overall score.

Regardless of what method works for you any method should take these suggestions into consideration:

  • If you are assigning scores in your rankings of threats, vulnerabilities, impact, etc. make sure you use an even-numbered scale like 1-6.  This eliminates the “middle of the road” pick and forces one to fall on the high side or the low side.
  • Make sure each ranking number is labeled so that it is easy to understand what a 2 means versus a 5.
  • Provide an overall ranking that can be used to compare risks and prioritize them for clearer decision making.
  • Doing something is better than doing nothing.  Don’t expect perfection the first time out.
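As an added illustration of the four suggestions above (this is example code written for this post, not a matrix the author published), here is a small risk rating matrix in Python. It assumes a 1-6 likelihood scale and a 1-6 impact scale scored separately for confidentiality, integrity and availability, takes the overall score for an asset group as the largest likelihood × impact product across the triad, and rejects any scale that has a midpoint. The scale labels, the band thresholds, and the four sample asset groups are all assumptions made for the example.

```python
"""Risk rating matrix: an illustrative example, not from the original post.

Assumptions (not from the post): 1-6 likelihood and impact scales scored per
C/I/A element, overall score = max(likelihood * impact) across the triad,
illustrative labels and band thresholds, constructed sample asset groups.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Even-numbered scales: there is no "middle of the road" value to hide behind.
LIKELIHOOD: Dict[int, str] = {
    1: "Rare (not expected within 5 years)",
    2: "Unlikely (once in 2-5 years)",
    3: "Possible (once in 1-2 years)",
    4: "Likely (about once a year)",
    5: "Very likely (several times a year)",
    6: "Near certain (monthly or more often)",
}
IMPACT: Dict[int, str] = {
    1: "Negligible (absorbed by routine operations)",
    2: "Minor (one team, hours of effort)",
    3: "Moderate (one department, days of effort)",
    4: "Major (customer-facing, regulatory notice possible)",
    5: "Severe (material financial or reputational loss)",
    6: "Critical (threatens business viability)",
}


def validate_scale(scale: Dict[int, str]) -> None:
    """Refuse a scale that has gaps or an odd length (an odd length has a midpoint)."""
    keys = sorted(scale)
    if keys != list(range(1, len(keys) + 1)):
        raise ValueError("scale must run 1..N without gaps")
    if len(keys) % 2:
        raise ValueError("use an even-numbered scale so there is no middle value")


@dataclass
class AssetGroup:
    name: str
    owner: str                  # the business owner who signs off on accepted risk
    c: Tuple[int, int]          # (likelihood, impact) for confidentiality
    i: Tuple[int, int]          # (likelihood, impact) for integrity
    a: Tuple[int, int]          # (likelihood, impact) for availability
    accepted_by: Optional[str] = None

    def scores(self) -> Dict[str, int]:
        out = {}
        for elem, (lik, imp) in (("C", self.c), ("I", self.i), ("A", self.a)):
            if lik not in LIKELIHOOD or imp not in IMPACT:
                raise ValueError(f"{self.name}/{elem}: rating off the scale")
            out[elem] = lik * imp
        return out

    def overall(self) -> int:
        return max(self.scores().values())

    def explain(self) -> List[str]:
        """Labelled breakdown so a reader knows what a 2 means versus a 5."""
        lines = []
        for elem, (lik, imp) in (("C", self.c), ("I", self.i), ("A", self.a)):
            lines.append(f"{elem}: likelihood {lik} [{LIKELIHOOD[lik]}] x "
                         f"impact {imp} [{IMPACT[imp]}] = {lik * imp}")
        return lines


def band(score: int) -> str:
    """Map an overall score (max 36) to a band; thresholds are illustrative."""
    if score >= 25:
        return "Critical"
    if score >= 13:
        return "High"
    if score >= 7:
        return "Medium"
    return "Low"


def prioritize(groups: List[AssetGroup]) -> List[Tuple[str, int, str, str]]:
    """Overall ranking used to compare risks and order the work."""
    validate_scale(LIKELIHOOD)
    validate_scale(IMPACT)
    ranked = sorted(groups, key=lambda g: (-g.overall(), g.name))
    return [(g.name, g.overall(), band(g.overall()), g.owner) for g in ranked]


# Constructed sample groups (not real data), grouped by data type / function.
SAMPLE_GROUPS = [
    AssetGroup("Cardholder data (web + database)", "VP eCommerce", c=(5, 6), i=(3, 5), a=(5, 3)),
    AssetGroup("HR records", "HR Director", c=(3, 5), i=(2, 4), a=(2, 2)),
    AssetGroup("Public marketing site", "Marketing Director", c=(2, 1), i=(4, 3), a=(4, 3)),
    AssetGroup("E-mail", "IT Director", c=(4, 3), i=(3, 3), a=(5, 4)),
]

if __name__ == "__main__":
    for name, score, level, owner in prioritize(SAMPLE_GROUPS):
        print(f"{score:>2} {level:<8} {name} (owner: {owner})")
    for line in SAMPLE_GROUPS[0].explain():
        print("   ", line)
```

The owner field exists so the prioritized output can be handed to the person who actually accepts the residual risk; the `accepted_by` field stays empty until they sign off.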

Take Action

With your rankings and priorities established in collaboration with the data owner you are in a better position to implement controls that provide value.  The acceptance of risk should be firmly in the hands of the data owner (and signed off on).   When budgets are tight, you now have the opportunity to address the biggest risks because you have taken the time to identify them.

There is no such thing as 100% security.  Reducing your risk profile by applying a measured approach to risk management is however, entirely possible.  Doing nothing is a bad choice.  Where do you want to be?

Baby Steps – Information Security Process Improvement

Organizations can quickly become overwhelmed when trying to implement a comprehensive information security program.  There are many barriers.  Cost.  Time.  Competency.   As I’ve posted before, security is an ongoing process and needs to be in order to deal with the changing business environment and evolving threat landscape.  Instead of implementing the very best (and most expensive) solutions for every security issue, I suggest a tiered approach that covers multiple areas and sets the stage for continuous improvement.

Barriers

Cost

If we buy the very top solutions for all of our security problems we will quickly run out of cash.  Throwing money at one or two issues leaves many other areas uncovered.   It may be better, especially early on in the implementation of an information security program, to spread the money around.  Provide coverage in all areas and then build up those controls that provide the most bang for the buck.

Time

The top solutions usually take more time to implement.  You need to ask yourself how much exposure you carry during that implementation.  Does a long rollout create more risk than a quicker, “lower end” solution that is in place sooner?

Competency

I’ve seen it more than once.  An organization purchases and installs a high end and expensive solution that nobody on their staff knows how to use.  The great solution is subsequently ignored.   If nobody knows why a new process is being used or how a new product works, it’s pretty difficult to get the results you’re after.

Baby Steps

Continuous process improvement can apply to information security.  If you’re trying to implement a framework that calls for multiple controls such as ISO 27001/27002, using a multi-level approach may help reduce the paralysis that often accompanies such a large undertaking.   I suggest using a 3-tier approach.  Tier-1 is easiest to implement but is usually least effective.  Tier-3 is hardest but most effective.

[Illustration: tiered_security]

It would be ideal if we could apply Tier-3 solutions to every problem right out of the chute but that simply isn’t feasible for most businesses.   Doing nothing is also a bad choice.  Applying Tier-1 and Tier-2 solutions at least gets the program moving and then process improvement can gradually improve the overall security posture of the business over time.

As an example, let’s look at dealing with security logs.

Tier-1

Administrators review server logs.  This is instituted through policy that requires the administrators to “regularly” review their logs.  We all know that manual review of logs is seldom done; however, applying the policy at least sets the tone and expectation.  It can even start to adjust the administration culture toward reviewing logs if they don’t already do so.

Tier-2

Centralized log aggregation with automated reports.  This starts to automate the process.  Logs from systems and devices are pushed or pulled to a central logging system and now administrators review logs in this single location rather than across multiple servers.  Some scripting can be applied to automate reports.  This certainly increases the effectiveness of the log review process.

Tier-3

Commercial log analysis tool with near real-time alerts for anomalies.  This is a heavy-duty log aggregation, correlation, analysis, and reporting tool that has advanced capabilities.  It is much more expensive than a central log repository in Tier-2.  It is more complex to manage but the feature set allows for greater effectiveness.
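To make the Tier-2 and Tier-3 steps concrete, here is an added Python example (written for this post, not code from the author or from any commercial product) that does both on a small scale: it aggregates sshd syslog lines from several hosts into one place and produces the automated per-host report a Tier-2 central repository would script, then runs a streaming check that raises near-real-time alerts of the kind a Tier-3 tool sells, namely a burst of failed logins from one source and a successful login that follows that burst. The log lines are constructed for the example, the year is assumed because syslog omits it, and the thresholds (5 failures within 60 seconds, a success after 3 or more failures) are assumptions, not figures from the post.

```python
"""Central log review, Tier-2 report plus Tier-3 style alerts.

Added example, not from the original post.  Sample lines are constructed;
thresholds and the syslog year are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines from three hosts, already shipped to one place.
SAMPLE_LOGS = """\
Apr  2 10:15:22 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr  2 10:15:24 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Apr  2 10:15:25 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 40124 ssh2
Apr  2 10:15:27 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 40125 ssh2
Apr  2 10:15:29 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 40126 ssh2
Apr  2 10:15:31 web01 sshd[1201]: Accepted password for root from 203.0.113.5 port 40127 ssh2
Apr  2 10:20:02 db01 sshd[887]: Accepted publickey for dba from 192.0.2.10 port 51000 ssh2
Apr  2 11:02:45 db01 sshd[901]: Failed password for dba from 192.0.2.10 port 51010 ssh2
Apr  2 11:03:00 db01 sshd[901]: Accepted password for dba from 192.0.2.10 port 51011 ssh2
Apr  2 11:30:11 mail01 sshd[455]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(text, year=2012):
    """Turn syslog-style sshd lines into event dicts; the year is supplied by us."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would also count lines it could not parse
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"],
        })
    return events


def report(events):
    """Tier-2 automated report: login outcomes per host and the noisiest sources."""
    per_host = defaultdict(Counter)
    failing_sources = Counter()
    for ev in events:
        per_host[ev["host"]][ev["result"]] += 1
        if ev["result"] == "Failed":
            failing_sources[ev["src"]] += 1
    return {"hosts": dict(per_host), "failing_sources": failing_sources}


def format_report(rep):
    lines = ["host      accepted  failed"]
    for host in sorted(rep["hosts"]):
        c = rep["hosts"][host]
        lines.append(f"{host:<9} {c['Accepted']:>8}  {c['Failed']:>6}")
    top = ", ".join(f"{s} ({n})" for s, n in rep["failing_sources"].most_common(3))
    lines.append("top failing sources: " + top)
    return "\n".join(lines)


def detect(events, threshold=5, window=timedelta(seconds=60), min_prior_failures=3):
    """Tier-3 style alerts over events in time order, as a tailing collector sees them."""
    recent = defaultdict(list)   # source -> timestamps of failures inside the window
    burst_seen = set()           # sources already alerted on, to avoid repeats
    alerts = []
    for ev in events:
        failures = recent[ev["src"]]
        while failures and ev["ts"] - failures[0] > window:
            failures.pop(0)      # slide the window forward
        if ev["result"] == "Failed":
            failures.append(ev["ts"])
            if len(failures) >= threshold and ev["src"] not in burst_seen:
                burst_seen.add(ev["src"])
                alerts.append({"type": "bruteforce", "src": ev["src"], "host": ev["host"],
                               "at": ev["ts"], "count": len(failures)})
        else:
            # A success right after a run of failures is the one to wake someone up for.
            if len(failures) >= min_prior_failures:
                alerts.append({"type": "success_after_failures", "src": ev["src"],
                               "host": ev["host"], "user": ev["user"], "at": ev["ts"],
                               "prior_failures": len(failures)})
            failures.clear()
            burst_seen.discard(ev["src"])
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(format_report(report(evs)))
    for alert in detect(evs):
        print("ALERT", alert)
```

The report is what a nightly cron job would mail out under Tier-2; the detector is the part that separates Tier-3 from Tier-2, because it evaluates each line as it arrives instead of waiting for the report, and it deliberately rates a success that follows a burst of failures higher than the burst itself.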

Word of Warning

Implementing Tier-1 “just-for-now” solutions does not mean we can be lackadaisical in our information security practices.  Even basic security solutions need to incorporate good security principles.   If our business practices easily circumvent security controls then we can never be successful.   Starting small still has to be done right.

Using a Framework to Navigate Regulatory Compliance

The regulatory environment overseeing the protection of sensitive information is incredibly crowded.  Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), HITECH, Red Flags, and the Payment Card Industry Data Security Standard (PCI-DSS), along with a host of state laws and audit guidelines, seem to promise the Fort Knox of IT risk management if organizations would only comply.   The reality is that the complexity and cost of compliance may be a contributing factor in the overall risk management failings that appear above the fold in your local newspaper.

While large companies are better equipped to deal with the additional costs for infrastructure, tools, staff, auditors, and third-party vulnerability scanners, the small or medium sized businesses can quickly become stretched to the point of ineffective security.  There may be some paralysis when deciphering multiple regulatory obligations that often overlap or even conflict.    There are opportunity costs when small business executives spend more time dealing with compliance issues than dealing with business strategy.

The solution is not to avoid regulatory obligations.  The solution is to better manage information security and deploy best practices as simply part of the organizational culture.   The way to get there isn’t to go through check boxes for every compliance item that comes your way.  That will drive any person insane and lead to a tangled mess of interwoven security policies, procedures, technologies, etc.   What I believe is a more effective approach to compliance is the implementation of an information security management system following a framework such as ISO 27001/27002.  Many of the controls within 27002 align with the requirements in many of the compliance items so building a consolidated program based on a series of best practices will help meet compliance obligations.

ISO 27001/27002 is simply a framework that defines a security code of practice and best practices across twelve areas.  These include:  Risk assessment, security policy, governance, asset management, human resources, physical and environmental, communications and operations, access control, acquisition, development and maintenance, incident management, business continuity, and compliance.  Pay particular attention to the last one and note that compliance is just one piece of the framework of best practices.   This leads back to a previous post that risk management and information security must go beyond the simple yes or no check boxes of regulatory compliance in order to be effective.

The ability to protect sensitive information is a process that requires ongoing care and feeding in order to protect against the expensive financial and reputational damage of a breach.  Using a framework such as ISO 27001/27002 provides a consistent baseline against which to measure and certify.  This minimizes confusion and complexity and goes a long way toward achieving compliance across a wide array of regulatory requirements while effectively using both technical and human resources to maximize benefit and reduce unnecessary cost.