While the numerous laws, regulations and standards meant to address information security have helped advance the cause of infosec, they have also provided new challenges for adequately securing an organization.
It's true that regulations have brought high-level attention, as well as increased budgets and support, to some areas of information security, but they have also focused many of those resources solely on compliance rather than on adequate security against current threats. Another problem is that laws typically do not keep up with the rapid pace of change in technology, which further complicates the relationship between compliance and information security.
In this tip, we will examine some of the ways compliance has advanced information security, some of the challenges compliance has brought with it to information security, and how security pros can convince compliance managers there is a need to go beyond what they might think is required in order to adequately secure an organization.
How compliance has advanced information security
Compliance has helped advance information security primarily by forcing executives to think about how their enterprises are secured, and then to provide the budgets and managerial support needed to put security measures in place. Laws and regulations have also helped, if only minimally, to educate the public about information security, and data breach laws have served to notify affected consumers when certain types
While compliance mandates will never stop a zero-day attack, the defense-in-depth efforts they require can reduce the impact of such an attack. Many laws include requirements for comprehensive information security plans and risk assessments, and so have helped put in place the foundation on which more focused security controls can be layered to stop, or limit the damage from, attacks, malware and other threats.
Challenges to information security from compliance
The most dangerous attackers are not deterred by the security investments organizations make to achieve compliance. In fact, an organization that focuses on compliance without adequately securing its systems may actually help an attacker. A good example is the antivirus software mandated by PCI DSS and other regulations: compliance demands that it be deployed, yet the effectiveness of traditional signature-based antivirus has declined over the years. Organizations have therefore been required to spend part of their budgets on a less effective control, largely to maintain PCI compliance, when that money could have gone to newer antimalware detection and prevention products whose functionality goes beyond signatures.
Beyond the mandates
As pointed out in the 2011 Verizon Data Breach Investigations Report: “Unfortunately, breaching organizations still doesn’t typically require highly sophisticated attacks.” Organizations should first ensure they have a security plan that covers all of the compliance-mandated basics, then layer additional security controls on top of it.
If you are just starting to implement mandated security controls, first identify how those controls can prevent or minimize the effects of security incidents in your environment. After a significant security incident, or following a security evaluation such as a penetration test or user awareness test, perform a root cause analysis to determine which security controls failed and what changes are needed for those controls to protect against a repeat. Meeting the compliance requirements is the baseline for adequately securing a system; it should also include monitoring and testing of the controls to confirm they are effective. Controls that compliance requires but that are less effective than other products on the market (such as the antivirus discussed above) should be re-evaluated to see whether there is a creative way to satisfy the compliance requirement that also secures the system.
Another important aspect of threat mitigation is an information security risk assessment to decide whether the risk from a new threat is high enough to warrant diverting resources from compliance. Organizations can triage potential threat vectors by first examining how a security incident that used the new vector would affect their compliance program. A data breach resulting from a lost or stolen laptop or from a new threat vector is still a data breach, and the reporting obligations are the same.
Also, evaluate whether existing controls can be extended or augmented to stop or minimize the threat. For example, to limit the potential effects of the recent SecurID breach, you could restrict the source IP addresses from which SecurID authentication is accepted to an approved list, or allow remote access with SecurIDs only from approved IP ranges. It may not even be necessary to divert resources from compliance if the new threat vector can be mitigated by existing controls. If the threat is to your organization’s “secret sauce,” i.e., proprietary intellectual property or highly sensitive data, and it falls outside the controls you currently have in place for compliance or otherwise, you may want to find ways to justify expanding your compliance and security program to adequately secure this essential information. As much as compliance is a proverbial stick for enforcing information security in an enterprise, so too is the threat of a devastating loss of intellectual property or data.
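The source-IP restriction described above, as an added example that is not part of the original article: a policy check that accepts a one-time password (OTP) only from a user's approved networks, shown beside the token-only policy it augments. The user names, network ranges, helper names and sample requests are all constructed for illustration; a real deployment would enforce the equivalent rule in the VPN concentrator, RADIUS server or firewall rather than in application code.

```python
"""Added example: layering a source-IP allow-list on top of one-time-password
authentication as a compensating control when the tokens themselves may be
weakened. Users, networks and sample requests below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed policy: networks from which each user's OTP login may be accepted.
# Ranges are RFC 5737 documentation addresses, not real sites.
APPROVED_NETWORKS = {
    "alice": ["203.0.113.0/24"],                      # office egress only
    "bob":   ["203.0.113.0/24", "198.51.100.7/32"],   # office plus one fixed home IP
}


@dataclass(frozen=True)
class AuthRequest:
    user: str
    source_ip: str
    otp_valid: bool   # outcome of the token server's OTP check, assumed already done


def source_allowed(user: str, source_ip: str) -> bool:
    """True if source_ip falls inside one of the user's approved networks.

    Unknown users and unparseable addresses fail closed.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    nets = (ipaddress.ip_network(n) for n in APPROVED_NETWORKS.get(user, []))
    return any(addr in net for net in nets)


def weak_decide(req: AuthRequest) -> str:
    """Token-only policy: a valid OTP grants access from anywhere, so a token
    cloned from stolen seed material works from any network."""
    return "allow" if req.otp_valid else "deny: bad otp"


def decide(req: AuthRequest) -> str:
    """Hardened policy: a valid OTP is accepted only from an approved source
    IP, so an attacker holding a cloned token also needs a foothold on an
    approved network."""
    if not req.otp_valid:
        return "deny: bad otp"
    if not source_allowed(req.user, req.source_ip):
        return "deny: source not approved"
    return "allow"


# Constructed sample requests: an office login, a valid OTP from an unknown
# network (what a cloned token looks like), a bad OTP, and a user with no
# approved networks at all.
SAMPLE_REQUESTS = [
    AuthRequest("alice", "203.0.113.45", True),
    AuthRequest("alice", "192.0.2.99", True),
    AuthRequest("bob", "198.51.100.7", False),
    AuthRequest("carol", "203.0.113.10", True),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Return (user, ip, token-only decision, allow-list decision) per request
    so the two policies can be compared side by side."""
    return [(r.user, r.source_ip, weak_decide(r), decide(r)) for r in requests]


if __name__ == "__main__":
    for user, ip, weak, hard in evaluate_all():
        print(f"{user:6} {ip:15} token-only={weak:26} with-allowlist={hard}")
```

The second sample request is the one that matters: under the token-only policy it is allowed, under the allow-list policy it is denied, which is exactly the gap the existing network control closes without any new product spend. The check fails closed for users with no configured networks and for malformed addresses, so a gap in the policy table denies rather than permits.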
While compliance has helped information security by focusing executives' attention, budget and support on some areas of information security, it has also channeled much of information security’s resources into a “check-box” compliance methodology rather than into proper security against current threats. That focus can be redirected. By extending the broad compliance requirements to include the information security controls appropriate to current threats, such as a zero day, organizations can manage those threats while still delivering the baseline security that compliance mandates.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in July 2011