3/12/2007
08:00 AM

Compliance As Kick-Starter

How SOX and PCI have actually improved enterprise security, vendors notwithstanding

Regulation is a boon to security. Without the government and other private organizations leading security around by its nose, we would be eternally trapped in the "just strap another pizza box into the rack" solutions offered by clueless vendors. There were zillions of them at RSA this year.

One problem is that many security vendors seem to be in it for the money. For example, antivirus vendors love to tie you to the gerbil wheel of virus definition updates, even though they know there are superior antivirus approaches to the ones they currently sell which would not require constant updates (or the associated recurring revenue stream).

And just about all vendors are guilty of the silver bullet myth, that is, "just buy our silvery bullet-like stuff and your security problems will miraculously disappear." The worst silver bullet offenders are the application firewall people. Talk about approaching the right problem (software security) in the wrong way (network traffic inspection)!

Fortunately there are regulations to rescue us from our own nonsense. Probably the best regulatory nose-leading has been carried out by Sarbanes-Oxley. In the first runner-up category, the credit card consortium's Payment Card Industry (PCI) standards have likewise generated great forward progress in security.

Pull Up Your SOX
Everyone knows just enough about SOX to be dangerous. I don't want to provide a tutorial here, so if you need some background on SOX, click here. In any case, the main lever in SOX is that ultimately the CEO of a public company must attest to the fact that accounting numbers are accurate or risk going to jail. It turns out that there's nothing quite like possible time in the slammer to motivate CEOs.

Here's how IT got involved (and in turn, security) at some major investment banks I am familiar with. The CEO asked the CIO whether there were software programs that touched the numbers, and if so how many there were. The CIO asked the software guys. Everyone was expecting a number back that was small, like eight. Instead they got a large number back, like 800. Oh, no! Two orders of magnitude off.

And where did those programs come from? Turns out most of them were written in-house. In fact, the 800 SOX-related applications were a subset of the 1,500 or so in-house apps. Furthermore, there were literally thousands of developers on staff building and maintaining these things. Turns out the bank is a software house.

SOX was a wakeup call for software risk. In order to attest that the numbers were accurate, the CEO had to be sure that the applications that compute and manipulate the numbers function properly. Smart execs quickly realized the exposure that software causes on the security side at the same time. Software that behaves properly in a pristine environment can fail spectacularly when maliciously attacked. The software security message hit home.

This is how more than one major software security initiative in New York got started. In the end, SOX did more good for software security than any other single activity. As it currently stands, SOX may have its share of critics, but at least SOX woke us all up about certain kinds of risks and forced us to deal with them head on.

PCI and Data Security
If you stop and think about it for a few minutes, it is fairly easy to spot a huge trend in security. Security is moving from the outside (where we protect our LANs with firewalls and intrusion detection systems) to the inside. The first step on the way in is to consider software programs that interact over the Internet. Web-based applications lead the pack. Next come more complex internal applications that involve n-tier architecture and back-end systems.

And finally, deep inside, are the data themselves. It is clear that data security is next in line for improvement as security continues to evolve. This is especially apparent given how fed up the public has become with identity theft and data loss.

The data problem is growing every day as well. Dan Geer points out that three years ago the per capita data production rate on the planet (including all of those people who make less than a dollar a day) was 800 Mbytes, and data production rates are basically doubling every 18 months. The problem is getting bigger and bigger even as we're only barely coming to grips with it.

PCI standards and compliance initiatives have jump-started data security in a very interesting fashion. Because they are completely driven by the credit card industry, PCI standards center around protecting credit card data. Many businesses that rely on credit card transactions (think hotels, for example) are scrambling to get into compliance.

Of course, wherever you find large concerns scrambling to meet industry standards, you'll also find a preponderance of vendors. The most common vendor approach is to declare that whatever their solution happens to be will magically result in compliance with PCI. "Sure, bolt on this pizza box and you're home free!"

I've seen some humdingers. My favorite was a huge company that bought a gigantic PKI solution with certificates, revocation, initiation rites, complex application APIs, and goat sacrifice, to solve its problem. Left with a big pile of new stuff and no idea how to solve the actual problem, they called some consultants. It was obvious at once that the problem could be solved with a much more elegant lightweight solution.

In the end, Cigital built a credit card data proxy server allowing the data to be cryptographically protected both in transit and at rest, while at the same time preserving the "data shape" so that the legacy back end and all the apps would still work.
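The "data shape" idea above is the interesting part of that design, so here is an added example of how a proxy can keep it. This is illustration code written for this page, not Cigital's proxy or any product: it assumes the legacy back end checks a card field only for digits, a length of 13 to 19, and a valid Luhn check digit, and it swaps each real card number (PAN) for a random token that passes exactly those checks, keeps the last four digits for receipts and call-center screens, and cannot itself be charged. The `TokenVault` class, the HMAC index key and the sample PAN are all constructed for the demo; the vault stores the PAN in a plain dictionary where a real deployment would keep an encrypted column.

```python
import hashlib
import hmac
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for `partial` (all digits except the last one)."""
    total = 0
    # Walk from the right; the digit nearest the check digit is doubled first.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when `number` is all digits and its last digit is the correct Luhn check digit."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def legacy_backend_accepts(value: str) -> bool:
    """Stand-in (assumed, not from the article) for the shape checks a legacy app applies to a card field."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """Hypothetical proxy-side vault: PAN in, same-shape token out, and back again."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_pan_mac = {}  # HMAC(PAN) -> token, so a repeat charge reuses its token
        self._by_token = {}    # token -> PAN; in production this column is encrypted at rest

    def _index(self, pan: str) -> str:
        # Keyed hash lets the proxy find an existing token without storing a plaintext PAN index.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._by_pan_mac:
            return self._by_pan_mac[idx]
        while True:
            # Random digits for everything but one adjustment digit and the last four.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            # Exactly one adjustment digit makes the whole token Luhn-valid.
            candidate = None
            for adj in "0123456789":
                trial = prefix + adj + pan[-4:]
                if luhn_valid(trial):
                    candidate = trial
                    break
            if candidate != pan and candidate not in self._by_token:
                break
        self._by_pan_mac[idx] = candidate
        self._by_token[candidate] = pan
        return candidate

    def detokenize(self, token: str) -> str:
        """Only the proxy, behind its own access control, ever calls this."""
        return self._by_token[token]


def demo():
    """Run one PAN through the vault and report what the legacy back end would see."""
    vault = TokenVault(index_key=b"constructed-demo-key-not-for-production")
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenize(pan)
    return {
        "token_differs": token != pan,
        "same_length": len(token) == len(pan),
        "last_four_kept": token[-4:] == pan[-4:],
        "legacy_accepts_token": legacy_backend_accepts(token),
        "stable_for_repeat_charge": vault.tokenize(pan) == token,
        "round_trip": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

The point to check in any such design is that every app downstream of the proxy can keep running on the token alone; only the proxy, with its own key management and access control, needs to hold the mapping back to the real number, which shrinks the part of the estate that has to be in PCI scope.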

Without PCI standards hovering like the sword of Damocles, it is unclear whether any progress would have been made by now on the data security front. Once again, we have a set of standards, this time not created by the government but by private industry, pushing security to do the right thing.

I think this all goes to show that you can lead a security guy to water, and you can even force him to drink!

Gary McGraw is CTO of Cigital Inc. Special to Dark Reading
