Risk
1/30/2014
01:30 PM
Tom Bowers
Tom Bowers
Commentary

Finding The Balance Between Compliance & Security

IT departments can reduce security risks by combining the flexibility of ISO 27000 with the stringent requirements of PCI. Here's how.

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 11:23:20 AM
Re: Take software providers to court?
That will be definitely be something to watch for -- and probably not something that will be resolved quickly. If it's a protracted litigation that ends in a settlement, we might never find out. But then again, maybe it will be the game-changer that the industry needs to address these serious security issues. (I hope so!)
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 11:18:42 AM
Re: Take software providers to court?
The term "customer" refers to those retailers that use POS systems (e.g. - Target, Neiman Marcus, Michaels...). While unlikely to make headlines, I expect those retailers to file suit against their POS suppliers for not providing them secure POS systems and placing the retailer at risk.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 11:02:28 AM
Take software providers to court?
By "customers of POS systems" do you mean consumer or retailers? And by legal action, do you mean stronger enforcement of compliance regs or something else?
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:58:10 AM
Re: Balance Security - compliance isn't the issue
Marilyn the customers of POS systems and the government will need to put intense pressure on the POS companies to modernize. Unfortunately this will likely happen through the courts, which means a slower response. If the government is loathe to take haelth care software providers to court I see it as even less likely that they will take POS providers to court.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/31/2014 | 10:53:02 AM
Re: Balance Security - compliance isn't the issue
Tom, if not government regs, what do you think it will take for organizations-- retail, healthcare and others -- to modernize POS systems. Apparently, the ROI of dealing with a breach (cost of bad publicity, identity theft, compromised data) is still tilted towards doing nothing.
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:20:34 AM
Re: Balance Security - compliance isn't the issue
Drew I'd like to think that this will move point of sale (POS) systems to modernize....but I doubt it. I see great similarities with health care systems. The POS / health care software REQUIRES antiquated operating systems with full administrative privledges to run. I am familiar with a large warehouse store that only recently upgraded their POS from Windows NT to Windows XP. Some upgrade. 
TomBowers1812
50%
50%
TomBowers1812,
User Rank: Apprentice
1/31/2014 | 10:15:03 AM
Re: Balance Security - compliance isn't the issue
Andrew I could not agree more that compliance is not true security. The harsh reality however, is that as a CISO I must do both. I used 27000 as shorthand for the entire 27000 series. This article is driven by the need to implement both 27000 and meet PCI requirements. PCI is very black and white, inflexible and narrowly focused. By changing my organizations focus to see credit card data as another type of sensitive data we are able to place PCI requirements in a more balanced context. Check box security (compliance) will NEVER be completely effective as it leaves gaps. 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/31/2014 | 10:11:16 AM
Re: Balance Security - compliance isn't the issue
I think the single most important thing that might come from this breach is more urgency to overhaul the card processing system in the United States.

 
AndrewB871
50%
50%
AndrewB871,
User Rank: Apprentice
1/31/2014 | 8:10:19 AM
Balance Security - compliance isn't the issue
So often I read articles like this where compliance is compared with security.  This is always going to be a pointless debate.

This article references 27000 - which is actually the vocabularly document at the start of the series of security standards.

27001 references a Management system.  Its flexible sure, you could have very few security controls and a well thought out risk assessment with the emphasis on risk acceptance.  27001 is FREQUENTLY mistaken for its control annex - which lists a lot of controls that are sensible to implement if the risks affect you.

27002 - is a security implementation standard

27005 is a risk assessment standard

Problem - in MANY MANY business environments, there was NO security AT ALL before a compliance regime mandated it, either for a specific data type (PCI / HIPPA / SSNs etc), of for the 'infrastructure'.

Flexibility swings both ways, and in a lot of business environments is code for 'what can we get away with not doing'. 

Most security standards that are enforced with a compliance regime are asking for the right things to be done.  What then typically happens is the pre-compliance mentantality of 'how little can we do' over rides the - what happens if questions.

I'm sure we will see some epic knee jerk responses in relation to the recent breaches in the USA.  Something that neither PCI or and ISO framework would have prevented IF the business didn't commit to the appropriate controls OR decided they would accept the risk because well - very few get published.

The single most important thing that happened was that these breaches have been published, which now makes the C-level community aware of the threats.  Implementing the security frameworks  should be focused around protection of the assets that are most valuable.  Clearly in these instances mag stripe card holder data is still valuable.

As is lots of other data - so the businesses with that data in their custody must focus on keeping it safe.  The PCI is focused on card data,  married with 27001 ( a robust management system incorporating risk assessment and treatment) is a very very strong pairing.  The 27001 management system would capture why certain controls are implemented in certain ways - perhaps because a contractual requirement from PCI would apply or because the business is going to accept the risk.  The difference with a ISO management system is it makes the risk based decisions visable to all.  This in itself forces accountability and can make people think twice before they say - well I'm not going to fix that.  Especially if the risk register says CxO said - he's accepting that risk because of XYZ.

 

 

 

 
AmmarNaeem
50%
50%
AmmarNaeem,
User Rank: Apprentice
1/31/2014 | 2:10:42 AM
Security
Flexibility is the key to make the balance between compliance and security. With ERP, our oganizations become more secure and flexible and more integrated
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.