Friday, August 22, 2008

Regulations Attack

I recently published top eight trends for 08’ (, however one topic in particular has caught my attention, why are “Regulations” being attacked?

At DefCon 16 I had the opportunity to meet some really interesting people who had different perspectives on security. However, for the first time in DefCon history (to my knowledge) “Compliance” standards opened the conference Friday morning. I was so excited to hear what the “hackers” thought about PCI, GLBA, HIPAA etc. To my disappointment, the presenter ranted about how compliance doesn’t equal security… DUH! But what they do is provide some value and the value is called “doing something!” Hell, most companies (97%) won’t do anything at all until they are forced!

Even with these standards, millions of records are still being compromised. Let’s rant about companies losing our data, not about how bad the regulations are. Let’s face it, if companies were doing what they should, there wouldn’t be a need for regulations! I am writing an article for Information Week on Malicious Compliance in Distress, which addresses companies doing the bare minimum to become compliant, instead of appropriately securing the data. If you use these regulations as a Minimum Security Baseline, you can always add additional layers of security to these regulations. For example… PCI just calls out not using WEP, but mentions the ability to use WPA and WPA2… however as security professionals we would consider WPA and WPA2 just as bad. So by PCI standards you can be compliant, however not any more secure than if you used WEP. Use the regulations to get a new stronger encryption protocol for your wireless environment.

Let’s not attack the regulations, but the reason why they were developed! View regulations as the minimum standard. If you took a comprehensive approach to security you would comply to all the regulations anyways (ISO 27001 & 27002). So instead of bitching out regulations… use them to get funding and do the right thing :-)

1 comment:

Alex Oppenheim said...

From a Risk Management perspective, I have very similar thoughts...

One of the most common things that can be heard around the office at SecureState is, “Nobody thinks about security unless they have to.” This could quite possibly be the truest statement ever uttered in the history of time. Most businesses don’t even consider security until regulatory agencies come knocking at their door. Then, once they have an assessment performed, their only care in the world is becoming compliant, not becoming secure. They only understand that they may face a $500,000 fine if not compliant, but don’t consider the millions of dollars they could spend cleaning up after a security breach. This doesn’t even include their tarnished reputation after the media reports the breach.

My job is to build a security program for clients… to make them secure. I create things like patch management programs, minimum security baselines, change management programs, and incident response programs. The hardest part of this job is making businesses understand that compliance isn’t their biggest problem; it’s only an immediate concern. While becoming compliant will minimally improve their overall security posture, it is not a security program.

Take for instance, PCI compliance standards as Ken mentioned. They were created by the credit card issuers to protect customer information and data. A business, such as a hospital, can be PCI compliant because they properly protect customer information in accordance with the standard, but that doesn’t mean a hacker can’t steal your trade secrets, business plans, financial records, or other types of confidential data. Conversely, with a sound security program in place, malcontents will have a hard time getting in to steal anything, including your customer credit card data.

It’s like trying to plug a dam with a piece of chewing gum. It may temporarily stop the leak, but it does nothing for the strength and integrity of the dam. Eventually, your town is going to be washed away.