Friday, March 19, 2010

Law and Disorder

When I look at our client base, two industries stand out as suspiciously light in the amount of security risk assessment work we do for them: law firms and CPA firms. Typically we have a relationship with law firms for forensics, or with CPA firms to assist with audits, but it is rare for either to have us perform a risk assessment of their own organization. Mind you, it's not as if they lack sensitive information. You could argue that nearly all of their information is sensitive, because another organization had to share it with them for legal or audit purposes. One would think that sensitive information needs protection, especially when it isn't "yours." So my question is, "What makes these industries think they don't need to conduct security risk assessments?" or, more to the point, "What makes you so special?"

Part of the problem lies in the adage that "Nobody does security unless they have to." Translated, it means most organizations won't have a decent security program until they get hit with a compliance requirement or a breach. "But aren't these firms subject to compliance?" you ask. I'm glad you asked. These groups have a tendency to slip under the radar with a somewhat 'holier than thou' attitude. Take the FTC Red Flags Rule, which is meant to protect against identity theft. It applies to financial institutions and to companies that extend credit to persons or corporations, and the term 'creditor' is broad in scope. When the American Bar Association realized it applied to lawyers, it responded by suing the FTC and won an exemption for the profession. It did the same thing when the Gramm-Leach-Bliley Act (GLBA) privacy provisions written for financial institutions were applied to lawyers who do financial planning. Around the same time, the American Institute of CPAs also petitioned for a Red Flags exemption, and it has lobbied for exemption from the proposed Consumer Financial Protection Agency Act of 2009 as well.

Of course, there are problems with the 'it's not my problem' approach, and we need to read between the lines a bit here. Look at something as basic as the FTC Red Flags Rule: it isn't asking for an especially difficult program, just a written program to identify, detect and respond to the warning signs of identity theft. It's not as if these firms are being asked to be ISO 27001 or PCI compliant. So why did the ABA and AICPA push back so hard? Both claim that, due to the nature of their business, identity theft is a very low risk. I believe they would not have pushed back if they already had enough of a security program to meet the rule, so I'd bet most of them don't have one. They also argued that the requirements could be cost prohibitive for small CPA firms. Yet when an exemption from SOX 404(b) was proposed for the smaller public companies that CPA firms audit, the Center for Audit Quality, which is affiliated with the AICPA, fought it on the grounds that it might hurt the investors the law is supposed to protect. Are we to conclude that they want to help the investor, but not the consumer?

Today, however, these firms are running out of wiggle room. There is an onslaught of compliance coming that sooner or later will be unavoidable. With the HITECH Act in ARRA, for example, firms now realize they are pretty much stuck with HIPAA compliance if they handle PHI from a client as a Business Associate. They also realize that private standards like PCI DSS, enforced through contract, are now unavoidable as well. And if a firm has clients in states like Massachusetts and Nevada, whose newer data protection laws require preventive controls such as a written security program and encryption of personal data, not just breach notification, it is likely subject to those laws too.

Of course, some of these regimes allow for risk-based decisions, and the firms may decide, as they did with Red Flags, that their organization is still low risk. I suppose it will just take a few breaches to create a more sobering atmosphere. Almost no industry can afford the 'it would never happen here' mentality, since we see that breaches are not aimed only at financial institutions. Don't forget that the bad guys are both highly organized and lazy. If they recognize soft spots in these firms, it could lead to a serious concentration of effort on these gold mines of sensitive information.

The point is not that all law and CPA firms are ignorant of security risks and ripe for a breach. It's that there is a general attitude problem in need of a big reality check. Eventually these organizations will need to raise their security posture and incorporate assessments into their quality management. The early adopters will reap the benefit of understanding their risks sooner, so they can reduce them earlier, or at least have more time to do so before being confronted with compliance deadlines.


Tuesday, March 16, 2010

Changing the Landscape of Pentesting

Though I believe penetration assessments are important in assessing an organization's overall security posture, I think they are 1) being performed poorly and 2) having their results disseminated in the wrong way. The goal of any security assessment is to help an organization become MORE secure than it was before the assessment, thus reducing its overall risk. Many penetration assessments are performed by identifying vulnerabilities and breaking into as many systems as possible by exploiting them. A report is then issued listing those vulnerabilities, a perceived risk rating for each, and recommendations on how to remediate them. What many pentesters lose sight of is the objective of the assessment in the first place: to help the client become MORE secure. An assessment of this type provides the client little lasting value and certainly does not make them any more secure.

Many pentesters, on finding an unencrypted service enabled on a firewall that protects an organization's PCI zone, don't stop to wonder why the service is allowed at all; they ask only how they can use it to break into the system. The recommendation for such a vulnerability would be to use a more secure service; what is lost is why the vulnerability occurred in the first place and what the impact to the business would be if it were exploited, especially in the environment where it was discovered. A penetration assessment needs to be just as much interview based (if not more so) as it is technical. Without understanding the underlying reasons for such vulnerabilities, it is impossible to give the client anything other than tactical recommendations. The client will then tactically remediate the vulnerability, perhaps by applying a specific patch or shutting down a specific service, and a year later vulnerabilities of a similar nature will resurface. Why? Because the underlying reasons those vulnerabilities occurred were never identified. Is it a patch management problem? A change management problem? Are there no policies, procedures or minimum security baselines to prevent such vulnerabilities? Is it a management problem? A line-of-business problem? A combination of the above? The list goes on, but without trying to understand the "why" it is impossible to truly help the client. It is no longer acceptable to report that an organization's entire Windows domain was compromised without at least attempting to understand why it was possible and how to protect against future occurrences.

Today's market has become so diluted with companies and individuals claiming they can perform penetration assessments (if you don't believe me, attend Defcon one year) that organizations need a better understanding of how these hired service providers actually perform their assessments. If a company performs security assessments with little or no interaction with its client, be very skeptical of using that company. As the old cliché goes, you get what you pay for. The bottom line is that penetration testing is no longer for the geeky technical guy who only cares about breaking into systems, or for someone who merely knows how to run a vulnerability scanner. It's for professionals who truly understand security and are interested in really helping an organization reduce its overall risk.
