Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

10 Symptoms Of Check-Box Compliance

These telltale signs show you care more about what the auditors think than what the attackers do

Security and risk pundits have long lamented the practice of going through the motions just to satisfy security regulations and standards like PCI, SOX, and HIPAA. Phoning it in may keep the auditors in check, but it won't mitigate the risks of attack. According to security and compliance pundits, the following are some of the telltale signs an organization is falling into the trap of check-box compliance.

1. Arguing over which standards are best.
Check-box-oriented organizations tend to get caught up in the regulatory minutiae so that they can't see the forest for the trees.

"Some organizations claim that they take the best of various policies and then go to work on a 'deeper policy,'" says Ron Gula, CEO and CTO of Tenable Network Security. "However, if you look closer at these sorts of things, they often target the union of various compliance standards and not the aggregation of all checks."

2. Losing sleep over an audit.
"If you are losing sleep about passing an upcoming security audit, you've got the check-box compliance disease -- and it's probably rampant in your organization," says Lamar Bailey, director of security research and development for nCircle.

As he puts it, security standards are the point of embarkation for the risk-management journey. They're not meant to be the end-all, be-all for securing an organization. They just get you started. Organizations that have a hard time even satisfying these beginner requirements should lose sleep over how insecure their systems are, not whether the auditor will break out a rubber stamp.

"These standards are like training missions in video games: They can help you acclimate, but they in no way represent the real game," Bailey says. "If you can't pass them with two hands tied behind your back, your need to quit and find another game."

[ Staying out of the checkbox compliance mentality is hard work. Recent studies show organizations are struggling to keep up with GRC See Risk And Regulatory Overload. ]

3. Putting line-of-business managers through spreadsheet hell.
If you make line-of-business managers fill in voluminous review forms, your organization is probably on the compliance-for-compliance-sake bandwagon, says Jason Garbis, vice president of marketing for Aveksa.

"Many times, enterprises approach access compliance by manually creating and emailing large, complex, and unwieldy spreadsheets," Garbis says. "If you're asking line-of-business managers to review a jargon-filled spreadsheet with hundreds of rows, chances are that this is a check-box review."

4. Viewing penetration testing as a panacea.
With so many compliance regulations requiring a penetration test, unsophisticated organizations seeking to cover only their bases view pen testing as an all-purpose security curative. If you're an organization that seeks to use pen testing instead of monitoring or vulnerability management, odds are you suffer from check-box compliance.

"If a company wanted to do the bare minimum, they could hire unsophisticated penetration testers and, when they don’t break in, claim 100 percent security," Gula says. "Of course, this type of penetration test is not a substitute for a full audit."

5. Using tools geared for forensics rather than prevention.
Unduly focusing on monitoring tools for the sake of establishing audit trails, without ever thinking about attack prevention, is a strong signal that your organization has its head so far in the regulations that it has forgotten the reason they're there in the first place.

"Most compliance regulations do not have security enforcement restrictions; they mainly focus on monitoring," says David Maman, CTO of GreenSQL. "Having a monitoring system instead of a prevention system is a modern take on closing the barn door after the cows have gotten out."

Next Page: Confusing logging and log storage with monitoring.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...