Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

Compliance Is A Start, Not The End

100%
0%

Regulatory compliance efforts may help you get a bigger budget and reach a baseline security posture. But "compliant" does not necessarily mean "secure."

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
The Integrator
50%
50%
The Integrator,
User Rank: Apprentice
6/29/2015 | 3:55:49 AM
We need to move to continuous adaptive compliance
Current compliance regiemes are labourious, provide a snapshot of compliance and offer little value for the effort.

We need to move to automation where evidence is gathered automatiacally and once for every aspect we need to report on, so we are not manually taking screenshots for PCI, SOX, HIPPA etc.  Setup once, gather as needed and report non compliance for investigation, that way you will be as close to full compliance most of the time.

Compliance does not equal security
shalivaha
50%
50%
shalivaha,
User Rank: Apprentice
6/8/2015 | 2:59:37 AM
Re: Pending Review
yes its not the end
ramesh kumar13
50%
50%
ramesh kumar13,
User Rank: Apprentice
6/8/2015 | 2:35:56 AM
Re: Checkbox security
Noble thoughts, to be sure. But who in the Dark Reading community can honestly say that their company does not practice check box security at least some of the time?
UTIWARI
50%
50%
UTIWARI,
User Rank: Apprentice
10/24/2014 | 12:13:54 PM
Re: Checkbox security
While "checking the box" is often a requirement and companies cannot get away with not focusing on "checking the box", it may be helpful to include "checking the box" as part of overall risk management strategy and look at the compliance activity from risk lense and not overlook other aspects that may take you beyond checkbox thinking and actually take care of risks that your company is better off not being exposed to.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
10/22/2014 | 8:46:14 AM
Checkbox security
Noble thoughts, to be sure. But who in the Dark Reading community can honestly say that their company does not practice check box security at least some of the time? My guess -- it's closer to 50 percent of checkbox security practices.  Am I right or wrong?
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18954
PUBLISHED: 2019-11-14
Pomelo v2.2.5 allows external control of critical state data. A malicious user input can corrupt arbitrary methods and attributes in template/game-server/app/servers/connector/handler/entryHandler.js because certain internal attributes can be overwritten via a conflicting name. Hence, a malicious at...
CVE-2019-3640
PUBLISHED: 2019-11-14
Unprotected Transport of Credentials in ePO extension in McAfee Data Loss Prevention 11.x prior to 11.4.0 allows remote attackers with access to the network to collect login details to the LDAP server via the ePO extension not using a secure connection when testing LDAP connectivity.
CVE-2019-3661
PUBLISHED: 2019-11-14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to execute database commands via carefully constructed time based payloads.
CVE-2019-3662
PUBLISHED: 2019-11-14
Path Traversal: '/absolute/pathname/here' vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows remote authenticated attacker to gain unintended access to files on the system via carefully constructed HTTP requests.
CVE-2019-3663
PUBLISHED: 2019-11-14
Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows local attacker to gain access to the root password via accessing sensitive files on the system.