Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/3/2015
10:30 AM
Kevin E. Greene
Kevin E. Greene
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Compliance & Security: A Race To The Bottom?

Compliance is meaningless if organizations don't use it as a starting point to understand and mitigate risks within their environment.

Compliance has been a buzzword in the cyber security industry for quite some time now. Many organizations have dedicated teams with the sole purpose of ensuring that their systems are in compliance with industry-regarded best practices, standards, and guidelines. We race toward compliance not fully understanding to what extent it impacts our overall security posture. Along this race many fail to realize that compliance doesn't necessarily lead to systems being more secure.

We've seen from Target and others that you can be in compliance with industry-regarded best practices, standards, and guidelines, and still be compromised. Compliance doesn't always lead to tighter security controls; often it's a checklist to ensure that at the least, minimum security practices are being followed and implemented. As long as you can provide and produce artifacts or documentation, and be able to speak intelligently with some understanding of risk management, you can zip through the compliance process with flying colors. As an industry, we have to move past checklists, and doing "just enough" to provide the necessary security protection commensurate to protect sensitive data.

In the federal government the first thing people want to know is...has the system been C&A'd (certification and accreditation process)? This is the formal process of evaluating, testing, and examining security controls for an information system against a federal standard or industry mandated best practice. Having led and participated on many C&A teams, I became extremely frustrated with this checklist or checkbox approach. Oftentimes the teams would be comprised of individuals with very limited technical knowledge and system experience conducting the compliance review. This leads to information systems passing the compliance tests, but failing majorly from a security protection perspective.

When I led and participated in C&A teams, I would integrate different assessment activities into the process to add more technical depth. These included things like application threat modeling, penetration testing, source code and security architecture reviews. Unfortunately, most compliance reviews are focused on the network and the host, and often neglect application security. Taking a more holistic approach by incorporating additional security and technical assessment activities into the C&A process significantly enhances the overall quality, completeness and thoroughness of the evaluation, testing and examination of security controls.

As the threat landscape continues to evolve, our security practices must become more comprehensive and in-depth. While the compliance process provides organizations with a framework for validating security controls, organizations must develop and implement supplemental guidance to go above and beyond compliance to ensure that security controls are adequate to both protect sensitive information and help reduce the attack surface that often expose vulnerabilities in information systems.

[Find out more about why Compliance Is A Start, Not The End in this Dark Reading video]

We are seeing an increasing level of attacks against major corporations. Many of these security incidents can be traced back to software flaws (poorly developed software), where an attacker crafts and delivers malware to exploit vulnerable systems using spear phishing techniques. Studies have suggested that 91% of Advance Persistence Threats (APT) can be attributed to spear phishing attacks.

One of the drawbacks about achieving compliance is that the process offers a snapshot of a point in time, and does not reflect the fact that networks and information systems are constantly changing. Can organizations meet the requirements to achieve compliance? Absolutely! Compliance doesn’t mean security, and security doesn’t mean compliance. However, compliance and security complement each other. In the context of security, compliance should provide a way for organizations to verify and validate whether or not security controls are operating as intended.

Compliance is meaningless if organizations are not able to use compliance activities as a means to better understand risks within their environment. Just as the risk management process helps organizations effectively evaluate situational awareness, compliance helps organizations develop a baseline picture of their overall cyber readiness.

Every organization needs a starting point, and compliance can provide that initial baseline to evaluate and shape your security posture. What I would like to see evolve in organizations is the concept of continuous compliance or continuous monitoring. I mean true “continuous” compliance or monitoring where at any point in time I can check the pulse of my security posture and have an on-demand capability that can truly be proactive, in real-time, and preventative all at the same time. That would truly give our cyber capabilities a huge boost in protecting against potential adversaries and attackers that engage in on-going reconnaissance looking for vulnerable systems they can own.

Kevin Greene is a thought leader in the area of software security assurance. He currently serves on the advisory board for New Jersey Institute of Technology (NJIT) Cybersecurity Research Center, and Bowie State University's Computer Science department. Kevin has been very ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
CVE-2017-10723
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...