Risk
1/30/2014
01:30 PM
Tom Bowers
Commentary

Finding The Balance Between Compliance & Security

IT departments can reduce security risks by combining the flexibility of ISO 27000 with the stringent requirements of PCI. Here's how.

Comments
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 11:23:20 AM
Re: Take software providers to court?
That will definitely be something to watch for -- and probably not something that will be resolved quickly. If it's a protracted litigation that ends in a settlement, we might never find out. But then again, maybe it will be the game-changer that the industry needs to address these serious security issues. (I hope so!)
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 11:18:42 AM
Re: Take software providers to court?
The term "customer" refers to those retailers that use POS systems (e.g., Target, Neiman Marcus, Michaels...). While unlikely to make headlines, I expect those retailers to file suit against their POS suppliers for not providing them secure POS systems and placing the retailer at risk.
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 11:02:28 AM
Take software providers to court?
By "customers of POS systems" do you mean consumer or retailers? And by legal action, do you mean stronger enforcement of compliance regs or something else?
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:58:10 AM
Re: Balance Security - compliance isn't the issue
Marilyn, the customers of POS systems and the government will need to put intense pressure on the POS companies to modernize. Unfortunately this will likely happen through the courts, which means a slower response. If the government is loath to take health care software providers to court, I see it as even less likely that they will take POS providers to court.
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 10:53:02 AM
Re: Balance Security - compliance isn't the issue
Tom, if not government regs, what do you think it will take for organizations (retail, healthcare and others) to modernize POS systems? Apparently, the ROI of dealing with a breach (cost of bad publicity, identity theft, compromised data) is still tilted towards doing nothing.
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:20:34 AM
Re: Balance Security - compliance isn't the issue
Drew, I'd like to think that this will move point of sale (POS) systems to modernize... but I doubt it. I see great similarities with health care systems. The POS / health care software REQUIRES antiquated operating systems with full administrative privileges to run. I am familiar with a large warehouse store that only recently upgraded their POS from Windows NT to Windows XP. Some upgrade.
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:15:03 AM
Re: Balance Security - compliance isn't the issue
Andrew, I could not agree more that compliance is not true security. The harsh reality, however, is that as a CISO I must do both. I used 27000 as shorthand for the entire 27000 series. This article is driven by the need to implement both 27000 and meet PCI requirements. PCI is very black and white, inflexible and narrowly focused. By changing my organization's focus to see credit card data as another type of sensitive data, we are able to place PCI requirements in a more balanced context. Check box security (compliance) will NEVER be completely effective as it leaves gaps.
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 10:11:16 AM
Re: Balance Security - compliance isn't the issue
I think the single most important thing that might come from this breach is more urgency to overhaul the card processing system in the United States.
AndrewB871,
User Rank: Apprentice
1/31/2014 | 8:10:19 AM
Balance Security - compliance isn't the issue
So often I read articles like this where compliance is compared with security. This is always going to be a pointless debate.

This article references 27000, which is actually the vocabulary document at the start of the series of security standards.

27001 references a management system. It's flexible, sure; you could have very few security controls and a well-thought-out risk assessment with the emphasis on risk acceptance. 27001 is FREQUENTLY mistaken for its control annex, which lists a lot of controls that are sensible to implement if the risks affect you.

27002 is a security implementation standard.

27005 is a risk assessment standard.

Problem: in MANY MANY business environments, there was NO security AT ALL before a compliance regime mandated it, either for a specific data type (PCI / HIPAA / SSNs etc.) or for the 'infrastructure'.

Flexibility swings both ways, and in a lot of business environments is code for 'what can we get away with not doing'.

Most security standards that are enforced with a compliance regime are asking for the right things to be done. What then typically happens is the pre-compliance mentality of 'how little can we do' overrides the 'what happens if' questions.

I'm sure we will see some epic knee-jerk responses in relation to the recent breaches in the USA. Something that neither PCI nor an ISO framework would have prevented IF the business didn't commit to the appropriate controls OR decided they would accept the risk because, well, very few get published.

The single most important thing that happened was that these breaches have been published, which now makes the C-level community aware of the threats. Implementing the security frameworks should be focused around protection of the assets that are most valuable. Clearly in these instances mag stripe cardholder data is still valuable.

As is lots of other data, so the businesses with that data in their custody must focus on keeping it safe. PCI is focused on card data; married with 27001 (a robust management system incorporating risk assessment and treatment) it is a very, very strong pairing. The 27001 management system would capture why certain controls are implemented in certain ways, perhaps because a contractual requirement from PCI would apply or because the business is going to accept the risk. The difference with an ISO management system is that it makes the risk-based decisions visible to all. This in itself forces accountability and can make people think twice before they say, 'Well, I'm not going to fix that.' Especially if the risk register says CxO said he's accepting that risk because of XYZ.
AmmarNaeem,
User Rank: Strategist
1/31/2014 | 2:10:42 AM
Security
Flexibility is the key to striking the balance between compliance and security. With ERP, our organizations become more secure, more flexible and more integrated.