Risky Business: Addressing Risk Management Aversion
When I think of information security in the broadest sense, I immediately think of managing and mitigating risk. I know of no more appropriate way in which to view our discipline, and have for years and years (largely due to my diverse background in both research and consultancy organizations) struggled to understand why there is opposition to this point of view. Risk management is a widely accepted discipline within other industries, namely finance, but also within enterprise operational business models (often referred to as ‘enterprise risk management’ or ‘fiduciary risk management’). It pains me to no end that today, in the year 2010, there is still such an egregious misunderstanding of risk management within business. It worries me that there is so much opposition to asking and answering three very simple, yet insightful questions about one’s enterprise environment.
It troubles me deeply that there are so many misgivings with respect to the benefits associated with and derived from proper management of risk and the establishment of a solid, comprehensive risk posture from which a security program and framework can be derived to meet the needs of the organization as a whole and on individual levels amongst business units and individual contributors. Recently I engaged in a thought-provoking conversation with the talented and engaging Mr. Dan J. Molina, during which a substantial amount of time was dedicated to discussing this very matter. During the conversation we discussed, in no specific order, many of the points which are debated (some with greater degrees of merit than others) within our industry regarding risk management:
- Risk is inherent in all things; nothing worth doing (or not doing) can be said to be devoid of risk
- To understand risk one must embrace it, not run from it
- Risk can be empowering if one takes the time to explore it, or devastating if one ignores it
- Neither men nor organizations of men (in business, government, or life) can eliminate risk; they can only work to manage it via mitigation with the hope of minimizing impact
- Too many people mistakenly equate risk management with compliance – the two are not mutually exclusive, however they are by no means the same thing
- Risk management is hard, and as a result of it being hard it is undesirable to many, as it requires EFFORT!
- Risk management is an impossible or unrealistic ideal – the Ranum / Schneier debate…it’s rubbish
- The practice of managing risk does not require the invocation of a ‘new school of thought’; there is nothing wrong with the schools of thought present and accounted for today or yesterday; adoption is not dependent on the cohesive nature of the school of thought
- It is both irresponsible and foolhardy to operate as though risk does not require managing or that it is not present in all things
- There is no way to force risk management into effect regardless of how compelling the data supporting it (actuarial data, circumstantial data etc.) is or might be
The discussion of these points gave way to another discussion on whether or not there was merit in simply ‘feeling secure’ as opposed to being secure and having to demonstrate a state of security vis a vis evidence of a mature risk posture.
We then discussed the importance of feeling secure as it relates to the demonstration of security vis a vis evidence of risk posture, and how both relate to the state of being secure. For many, ‘feeling secure’, as Bruce Schneier has pointed out in the past, is as important as or more important than actually demonstrating security via hard fact. I tend to agree with Schneier on this point: many would be comfortable operating under the belief that they are secure (regardless of whether or not it had been substantiated via qualitative and quantitative means) by virtue of how they feel, as opposed to actually knowing they are secure. In essence the argument boils down to a collective delusion, which finds everyone sharing the same experience, the same reality, regardless of its accuracy. This of course is dangerous at best and potentially cataclysmic at worst.
So how do we change the perceptions of risk management within our industry? That is the question! There are many ways to begin, though none are trivial. The process requires us, as industry professionals, to view the subject of risk management as a legitimate discipline or not. This is something which cannot be legislated, nor can it be faked. One either believes or sees the realities associated with being able to manage risk in qualitative and quantitative terms, or they do not. It is as simple as that. Risk management exercises (provided they are undertaken) are unique to the individual organizations endeavoring to learn from the process. These organizations rely on transparency and accuracy of data; otherwise their yield is worthless, as it neither reflects fact nor sustains it. Open, honest discourse related to the data brought to bear is essential to this process. Should this be found to be lacking, then the entirety of the process must be called into question, with any and all data points being held under close scrutiny. This blog posting is not, in any way, meant to trivialize the process of risk management or oversimplify the challenges associated with it. By no means is it! It is, however, meant to be a catalyst for thought; a morsel for consideration which hopefully will (ideally) lead to more mature discussions and (God willing) help remedy the madness which clouds and obstructs our collective vision.
Cloud Computing and Security
This post is the first in a series of an in-depth review of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.
Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.
My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion and the numbers of advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower cost, easier to manage solution or promising a “quicker” something whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.
By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free, except maybe that computer that’s not plugged in and has no users or operating system; but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:
1 – Confidentiality
2 – Integrity
3 – Availability
Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all-encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information. I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or, worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that exploited a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications for the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time to protect your critical information has not just arrived; it has always been here, and it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.
Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.
This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why. The customer is still the data owner, and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.
Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:
- Ensure that all data is encrypted in motion and at rest
- Ensure that your data is not hosted on the same servers as other customers (While this changes a bit if all data is encrypted, there are still many concerns about keeping containers separate that affect the confidentiality of your information)
- Ensure that no unauthorized personnel have access to any of your data (This includes the hosting company’s employees. Are they insiders in your organization? Are they authorized access to your trade secrets, intellectual property and/or customer data?)
- Ensure that you manage the encryption keys, because it is possible they could make an error and use the same public/private key pair for more than two customers
- Ensure that access can be confirmed to only come from your organization
Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application?
- Ensure that no data can be manipulated outside of the application, if applicable
- Ensure that no data can be accessed or modified by other than authorized employees of your organization
- Ensure that the data cannot be intercepted, read or modified while in transit, either across the network or to a remote backup facility, should one exist
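As an added illustration of the key-management point in the confidentiality list and the tamper-detection points in the integrity list above (this is not code from the original post or from any cloud provider's SDK), the following Go program encrypts each object with AES-256-GCM under a key that the data owner generates and keeps, so the provider stores only ciphertext, and any modification, renaming or cross-tenant reuse of the stored bytes is rejected on read. The object names, sample data and the in-memory map standing in for the provider's store are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerKey is a 256-bit AES key that never leaves the data owner. Here it
// is generated in memory; an organization would hold it in its own key
// manager or HSM rather than handing it to the hosting company.
type CustomerKey [32]byte

func NewCustomerKey() (CustomerKey, error) {
	var k CustomerKey
	_, err := rand.Read(k[:])
	return k, err
}

func newGCM(key CustomerKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an object with AES-256-GCM before it is uploaded. The object
// name is bound as additional authenticated data, so a blob that is moved or
// swapped for another object under a different name will not decrypt.
// Output layout: nonce || ciphertext || GCM tag.
func Seal(key CustomerKey, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a blob fetched back from the provider. Any change to the
// nonce, ciphertext, tag or object name, and any attempt with another
// customer's key, fails authentication and returns an error instead of data.
func Open(key CustomerKey, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// providerStore stands in for the hosting company's object store
	// (constructed for this example); it only ever receives ciphertext.
	providerStore := map[string][]byte{}
	const name = "research/q1-results.pdf" // constructed object name
	secret := []byte("constructed sample: unreleased research results")

	blob, err := Seal(key, name, secret)
	if err != nil {
		panic(err)
	}
	providerStore[name] = blob

	stored := providerStore[name]
	pt, err := Open(key, name, stored)
	fmt.Printf("owner reads back: %q (err=%v)\n", pt, err)

	// A provider-side change to the stored bytes is detected on read.
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, name, tampered)
	fmt.Println("tampered blob:", err)

	// The same blob served under another tenant's object name is rejected too.
	_, err = Open(key, "other-tenant/report.pdf", stored)
	fmt.Println("renamed blob:", err)
}
```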
Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?
- What happens if you need access to information regarding a research project and the cloud service provider is experiencing an outage outside of their control?
- Are they hosting your data across multiple servers or systems? While this may help the availability issue within the cloud provider, it could violate the confidentiality and integrity principles above.
- Are you buying your processing time in “slices”? This too could affect availability.
While this is not all-encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating against leveraging the cloud; quite the opposite: educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
It’s the People, Stupid!
Everybody knows it takes people, process and technology to achieve enterprise information security. Let’s keep our priorities straight in 2010: don’t lose sight of the people who want your enterprise to succeed.
Consider your information security priorities this year. Are you creating a culture of mistrust or empowerment? Are your information security challenges primarily technology problems, process problems or people problems? If your goal in 2010 is primarily to leverage the latest technologies to improve the security of your organization, you may be looking at it backwards.
For most of us, there is no security without trust. If you’re an intelligence operative in a hostile environment, you have techniques for establishing a certain level of security without the need to trust the people around you, since in fact none of them can be trusted. But this isn’t the world you and I live in (and even a spy in the most dangerous of situations has to be able to trust someone). Instead, we live in a corporate world of employees, employers, business partners and competitors. And in our world, without trust we have nothing. No progress, no innovation, no commerce, no fun.
Like our brave spies working abroad, we can’t afford to trust everyone around us implicitly. But neither can we achieve any kind of meaningful success if we explicitly mistrust everyone. For all of Apple’s legendary (and perhaps overblown) sense of secrecy, you know deep-down that Steve Jobs trusts Jon Ive, and you know that Ive has to trust the people who work for him. We simply cannot create great things without trusting one another. I can’t overstate this, but let me try: no meaningful human collaboration is possible without trust.
Then why are we here? Information security professionals exist to prevent (and clean up after) situations where that vital trust has been abused. We are “CIA” officers of another kind, focused on confidentiality (keep valuable information away from people I don’t trust to access it), integrity (protect my information from those who might damage or destroy it) and availability (make sure the people I trust can access the information they need, whenever and wherever they need it). We infosec folks have a reputation for saying “no,” for getting in the way of business, for putting up walls and barriers. But executives can also place too much emphasis on secrecy and confidentiality. Long ago I worked for someone who believed that the merest act of sharing precious information causes it to lose its value (we all know how that turned out for Hollywood: if you don’t provide a convenient way for people to get music, TV shows and movies from you legally, The Scene is standing by to make it easy for your customers to get what they want–and you’ll get nothing. I digress). On the contrary, information must be shared, collaborated on, improved and productized before it can deliver business value. And you can’t do these things unless you have some measure of trust for the people involved in that process.
If one looks at it this way, whence does information risk arise? It all comes down to the people acting on the information (with only a parenthetical nod to process and technology). If Alex uses his personal webmail account to transmit sensitive information to a business partner because he thinks that’s the most effective way for him to do his job, it’s not because Alex can’t be trusted; in fact, it’s up to you to praise Alex’s ingenuity, then educate him and make it possible for him to choose a less risky way of creating value. If, on the other hand, Barry uses his personal webmail account to transmit sensitive information to a competitor, you have an employee you need to get rid of. How do you solve the Barry problem without demoralizing and alienating Alex? Do you actually have a Barry problem, or is that merely your operating assumption?
Some years ago I was given an after-hours private tour of Pixar Animation Studios. As we passed a table stacked high with posters promoting an upcoming film, I asked whether I could have one of the posters. My friend and guide politely declined, explaining that he didn’t know who the posters were for and that taking one would not be appropriate. No cameras, no inventory database, no security guard, no next-generation poster-loss-prevention technology, not even a locked cabinet was necessary for my friend to come to this decision–just a passionate, empowered and trustworthy employee making sound judgments on behalf of the company he loves. Do you have employees like that? Who believe in what your company does and are that invested in its success? If you’re always thinking about Barry, looking for the perfect suite of technologies to prevent your ignorant or malicious users from wrecking everything, you introduce the new risk that Alex, once passionate and bright-eyed, will feel besieged in a labyrinthine fortress of controls and suspicion. And without Alex you have nothing.
Everything comes down to trust. If your employees aren’t trustworthy, you don’t have a small IT problem, you have a big HR problem. Start with Alex: create and maintain a culture of trust, where employee priorities and company priorities are aligned, where creativity, passion and diligence are rewarded, where everyone is bought into the mission and feels a genuine responsibility to carry it out and make the enterprise succeed. Establish and socialize sensible policies and practices (controls too, where you need them) which promote trust instead of undermining it. Then focus on what IT does best, which is to give your people powerful tools to empower them to use information to fuel your enterprise’s success. Not only will your passionate, trustworthy employees create more value in such a climate, you’ll develop a culture where Barry won’t stand a chance. Go Alex!
Will Irace works for a vendor offering next-generation information security technology. 
eReaders and Corporate Information
I love my Kindle, I really do. I can carry two or three books, magazines, newspapers or whatever with me when I travel, without the added weight of dead trees in my bag. There may be someone reading this who prefers a Nook, but feels the same way I do regarding eReader portability and functionality.
They are versatile, they are lightweight, they don’t take much time to turn on and, if you’re savvy, you can put just about any document on them outside of what’s available over the respective wireless networks. And therein lies the problem.
- The nook and the Kindle both support PDF, JPG, BMP and GIF file formats
- The Kindle allows you to send an attachment to a unique email address which is assigned to your device, it will be converted to PDF and sent over the air to your device
- Both the nook and the Kindle can be mounted as a hard drive on your computer
The traveler, productivity and efficiency side of me says “Hey, that’s great, I don’t have to boot a computer anymore if I can put a document in PDF format.”
But the security side of me says “Big problems to come in 2010 and beyond.”
Outside of the username and password assigned to the wireless store account, neither of these devices has any sort of access control or authentication mechanism, nor do they have any sort of file security or encryption. Therefore, there’s no way to prevent “just anyone” from picking one up, turning it on and reading whatever is on it.
However, there really isn’t a reason to have authentication or any other sort of security on them, right? Simply stated, they don’t need them because they’re intended to be devices of convenience for the avid reader. However, business people are always looking for ways to become more efficient.
Very recently, I’ve had conversations with colleagues and friends, during which one asked if documents other than books could be read on the Kindle. His idea is that he will load it up with documents that he needs to review while on airplanes. Great idea in concept, maybe not so much in practice depending on the nature of the information.
The other already had a plan: he was thinking about getting one, and one of the plans he had was to put user guides, documentation and other materials related to technology he sells on his eReader. Another good idea in theory, but again this could lead to problems down the road.
I’m sure much of this material will be benign, and my hope is that the folks I work with in the security industry will show better judgement than to put confidential information on their devices. But what about those not in the security industry with the same ideas of eReaders being a model of efficiency for travel? That’s what concerns me.
Generally speaking, most people who will find the ability and convenience of putting documents on these devices won’t even think about the security implications of their actions.
The potential problem is not limited to the device owner either; it extends to anyone who is configured to send email to the device. In my case, I can set up users or entire domains to be authorized to send a document to my Kindle, to be converted to PDF and sent to my device. This happens automatically when I turn on the wireless connection and the device synchs to the Amazon servers. However, I have no way to control what’s being sent to the device. Sure, I can delete it if it looks like it doesn’t belong or looks out of the ordinary, but the risk of confidential data being placed on the device still exists.
The ability to put documents on my Kindle is great, it really is. I love the fact that I’m not restricted to only paid content from Amazon. In theory, I could read and grade student papers during terms when I’m teaching. I can review draft documents intended for public use. Imagine the creative use cases for eReaders in business, they are quite extensive.
This is the problem that information security professionals will face in the coming year and beyond as more people buy eReaders. My years-old theory about personal technology in the workplace still holds true today: any consumer technology that becomes cheap enough for it to be widely used in the workplace creates a security risk, primarily because the owners of these devices bring them into the workplace thinking it will make their jobs easier, or use them as a convenience. The risk introduced by these devices can be attributed to the fact that the users of IT are quite smart; they do what they are allowed to do, in the environments they are allowed to do “it”, with the knowledge and education they are provided.
Because of the ease of interoperability and the challenges associated with managing enterprise infrastructures, many personal technology devices have been introduced into the workplace over the years. These include: iPods/MP3 players and their use as a hard drive (I know at least one person who has two iPods – one for music and one as a hard drive backup), mobile phones and their cameras and video/audio recording capabilities, high capacity USB drives, watches with USB drives, and portable document and business card scanners. In 2010, I believe we will see the eReader revolution take off as a personal technology device that is introduced into the workplace.
The job of the information security professional is only getting tougher and even if companies are primarily concerned about minimum compliance standards, it’s time to start paying attention to where your data and information is being stored. Because in my opinion, it’s only a matter of time before one of your employees leaves an eReader on an airplane, in the security line or in a hotel room and that eReader very well might contain some information critical to your business that is not intended for public viewing.
First, I’m a fan of Social Networking and I was not expecting a re-direct to another site. Although this was temporary, it was frustrating. After doing some poking around and speaking with my good friend and colleague, Will Gragido, I stumbled across this article that gave a little more insight into the issue. According to Claudine Beaumont, Technology Editor of the Telegraph UK, “visitors to Twitter.com were automatically redirected to another web page, which displayed a green flag and English and Arabic writing: This site has been hacked by the Iranian Cyber Army,” read the message. “The USA thinks they control and manage Internet access, but they don’t. We control and manage the Internet with our power, so do not try to the incite Iranian people.” First, I don’t categorize this as a hack but a compromise/Cyber Noise, like a DDoS attack. I would have been impressed if they tagged the web site directly. The sophistication to pull this off is on the level of a “Script Kiddie”. The tools are freely available on the Internet; my 11 year old could pull it off with a few Google queries. I guess the Iranian Cyber Army has not been keeping up with the news lately: the US Gov’t ceded control of ICANN to the World. For more information please check out the link: http://bit.ly/6KSuny .
The good thing is the people at Twitter were able to correct the issue very quickly; as I mentioned, the level of sophistication and indirect control was minimal. Additionally, Twitter had another breach early this summer; for more information on that please check out: http://bit.ly/2lUzNM. I don’t think this is going to be the last time, and I’m sure other Social Networking sites have increased their security/posture/awareness. Lastly and more importantly, the Iranian Military has seized control of an oil field in Northern Iraq, link to Reuters: http://bit.ly/7H7TC5. With that said, although this is purely speculation, a Cyber attack/message less than 24 hours before a physical attack. Could these be tied together…not sure, but an interesting thought. Everyone’s thoughts and comments are welcomed.
Critical Infrastructure Part I Trains and Transit Systems Revised Edition 120509 ready for download!!!
Critical Infrastructure Part I Trains and Transit Systems Revised Edition 120509
We at Cassandra Security are pleased to release a new and revised version of the first installment of a seventeen-part series of papers dedicated to critical infrastructure and key resources. Look for Critical Infrastructure Part II: Drinking Water and Water Treatment to be released in the very near future, in addition to other publications from Cassandra Security.
Seeing Tomorrow Today,
Cassandra Security
The Rosie Scale and Stopping Stupid
Ok, girls and boys, gather round the campfire, because it’s story time here at Camp Cassandra. A long time ago, and in an office building far far away, I worked in the I.T. department at the corporate headquarters of a large telecommunications company. I liked my job, and the people I worked with were, generally speaking, pretty easy to deal with. There was, however, one person whose name struck fear into the hearts of everyone on not only my team, but my entire department. This person wasn’t feared because she occupied a position of great authority, or had corporate political clout, or social connections. This person was feared by my colleagues in the I.T. Department for one reason and one reason alone: she might have been the dumbest person to ever sit down in front of a keyboard, and her name was Rosie. The people in my department knew that when Rosie called, it was more likely than not to consume the better part of a day. A visit to Rosie’s desk became a hazing event, in fact – the desktop support people reveled in sending new techs, oblivious to Rosie’s reputation, just to see the look of horror on their faces when they got back into the bullpen where we all sat.
This is not to say that Rosie was bad at her job – she was certainly competent at whatever it was that she was there to do, or they wouldn’t have kept her around. She also wasn’t a rude or unpleasant person to deal with – quite the contrary, in fact. She was actually quite a smart and witty person, but put her in front of a computer and her IQ would drop by an order of magnitude. Rosie had the tragic touch – she could cause a blue screen of death by walking PAST a computer. She once single-handedly took down the entire company’s network of email servers for an afternoon, in a single act of “wow, I didn’t know that would happen.” (if you’re curious about how she accomplished this, she did it by sending an email containing a 200MB attachment addressed to all 90,000 people in the company, and inadvertently exposed a serious flaw in the message size limit mechanism built into Microsoft Exchange 5.5 in the process.) Rosie could break a computer like no one else I’ve seen before or since. She’d have made a great QA engineer, if she could only tell anyone with any degree of specificity what the heck it was that she was doing when her computer went up in a mushroom cloud. Training Rosie on how to properly use her machine was a pointless exercise – it was like trying to fill a bucket that had a hole in the bottom. Rosie could make an abacus crash. She might have been the reason Microsoft invented Bob. The term “stupefyingly stupid” seems redundant, but it’s really not all that far off the mark. We’re talking weapons-grade stupidity here.
One night, after many beers and while swapping war stories at happy hour, a few of us decided to come up with a (admittedly imprecise) metric of end-user technology ability, which became known as The Rosie Scale. It’s been a few years, but from the best I can recall, the Rosie Scale looked something like this:
0 – Alan Turing
1 – Tim Berners-Lee, Dennis Ritchie, Steve Wozniak, Grace Hopper
2 – Linus Torvalds, Larry Wall
3 – Sysadmins, clueful developers, QA folks and support people
4 – Your average MCSE bootcamp graduate
5 – Your average corporate end user
6 – Your average AOL user (hey, it was the late 90s)
7 – Algae
8 – bellybutton fluff
9 – a bag of hammers, a box of rocks
10 – Rosie
Now, the sad thing is that Rosie is by no stretch of the imagination a unique individual. In fact, I’m willing to bet that among those reading this who’ve done end-user facing support for any length of time, a fair percentage have already given themselves whiplash from nodding in acknowledgement. We’ve all known our own Rosie, and we’ve got the emotional scars to prove it.
And this brings me to the moral of this little story. I came across this article earlier tonight and thought it worth a mention. This article discusses something that’s fairly well-established among I.T. Security professionals: that the biggest threat to the enterprise isn’t from the outside – it’s from the inside. Typically, the threat is from insiders who are not only acting without malice, but more than likely acting without the knowledge of why what they’ve done was bad in the first place. A colleague of mine once told me that he thought that 90% of IT security with regard to the endpoint was “stopping stupid,” and I couldn’t possibly agree more. Think about it: most endpoint-based malware prevalent in the wild these days relies, at least in part, on social engineering; taking advantage of the end user’s trust or lack of sophistication. In fact, DLP, which has almost overnight become an endpoint must-have, is almost ALL “stopping stupid” – again protecting the end user from doing something dumb, like copying data including orders for troop movements to an unencrypted USB stick and then losing it in a nightclub in Cornwall, like this guy did. This person wasn’t acting with malice, and didn’t intend to compromise the data with which he was entrusted. He was being stupid, and worse yet didn’t know how stupid, and got caught out for it – but only because the person who found the USB stick turned it over to a newspaper rather than to the UK Ministry of Defence.
And this brings me back to my old friend Rosie. For the IT people out there, I want you to close your eyes and think about your Rosie: the least sophisticated, most error-prone, “oh, I wasn’t supposed to click on that attachment?” user you have. When viewed in the light of “stopping stupid”, this is the person you have to worry about the most.
I’ve noticed something recently: we, as an industry, talk a good game when it comes to internal threats (the above-linked article being an example), but it still seems that we have a blind spot when it comes to providing actual protection, focusing instead on direct attacks from external sources. As much as we worry about Eastern European or Asian organized crime gangs, foreign government spies, or some kid sitting in his basement with too much time on his hands, anti-social tendencies and a full bottle of Ritalin, the real threat is sitting in your office right now. The well-meaning but clueless person in your company who just doesn’t understand the consequences of what they are doing (in other words, your Rosie) is a bigger threat than all of those people combined, because they’re the ones holding the door open for the guys who are acting with malice.
And your Rosie is the only thing standing between you and your organization’s next outbreak or data breach. If that doesn’t scare the pants off you, you’re in the wrong business.
The Payment Card Industry Data Security Standard (PCI DSS) is not the devil incarnate, but it comes under scrutiny likely as often as the devil himself, and for good reason – a great deal of which has less to do with the standard itself and more to do with the organizations wrestling with it, along with the credit card corporations themselves. Before PCI was PCI, before the digital equivalent of “reefer madness” – where fear, uncertainty and doubt that had once been confined to the world of payment cards, their merchants, providers and banking environments came to permeate every fiber of the Information Technology and Information Security worlds – all the bigs (Visa, MasterCard, American Express, Discover Card (aka Discover Financial Services), Diners Club and JCB International) had their own ‘ways’ of assessing the security posture of their vendor / provider networks: Visa’s CISP, MasterCard’s SDP, American Express’s DSOP and Discover’s DISC among them. Some were more inclusive and detailed than others. That is a fact.
It was ugly, it was cumbersome, it was ineffective, and it warranted change: the credit card corporations and their affiliated banking partners were experiencing fraud and exploitation in a variety of ways from a variety of sources, which ultimately led to a convergence within that world (the brands’ separate programs were merged into PCI DSS 1.0 in late 2004, with the PCI Security Standards Council following in 2006). A convergence which would have an impact upon us all for years to come…like chocolate and peanut butter, only not as good. Initially this did not seem like a bad thing. In fact, I happen to believe it was necessary, in small scale, to aid in jump-starting awareness. I am proud to be personally acquainted with the primary architect of the original draft of the first PCI standard and know where his mindset was when he drafted it. I know his intentions were pure with respect to this standard. Furthermore, I also know that he did not and does not believe the PCI DSS to be a legitimate replacement for sound risk management practice, but rather a starting point for the many organizations which had no bearing point at all. Fair enough. I think we can all accept that, at least those of us who are intellectually honest. What happened? Why all the hubbub? How did something which started out with solid intentions turn into this new and creative form of audit water torture, which often yields little in the way of sound risk posture aside from PCI accreditation…for what that is worth…I’m guessing the folks at Hannaford, Heartland Payment Systems and ChoicePoint (parts I & II) know what I’m talking about; Hannaford and Heartland were both breached while holding a clean PCI compliance validation.
The PCI standards are easily had these days, as are lists of authorized assessors (Qualified Security Assessors, or QSAs); however, just because they are easily had (both the ‘standard’ and the assessors) does not mean they are effective. In many respects PCI reminds me of the early days of HIPAA, the difference being that with PCI people are actually penalized for failing to comply. Sort of a novel idea, really. However, I believe that regulatory and auditing criteria (standards) – important as they are – do not, in and of themselves, meet the needs of enterprises small and large, private or public, in our world today. What can meet these needs? (cue drum roll): well-designed, business-centric, risk-management-based security programs and frameworks. Are they trivial? No. No, they are not. However, neither is PCI, or HIPAA for that matter, and whereas both PCI and HIPAA fall into the Sisyphean category in my view of the world, risk management does not. Additionally, if undertaken, risk management initiatives will provide an enterprise with a wealth of information which PCI never would (sorry guys), not on its best day. So the question (or one of them anyway) becomes: why continue to divert time, effort and resources (personnel and budget) into something so one-dimensional when a properly designed risk-management-based security program can address these and every other regulatory and compliance concern you’re presented with? The bit gods must be crazy…let’s read on.
I believe that the only way to rescue the hearts and minds (and ledger books!) of those responsible for budgets within industry is through demonstration of the intrinsic value of risk management (i.e. enterprise risk management, fiduciary risk management and information security risk management working in concert). This demonstration must be ubiquitous and comprehensive in scope for the enterprise in question, touching all areas of the business: customers, business partners, P&L, revenue streams, brand preservation, etc. This is something that I feel passionately about, as do others within our industry. The fact is that as times and circumstances change (for better or worse), so too will budgets (for better or worse). If initiatives such as PCI are not reconsidered in both scope and value (given the current volume of spend being seen as a direct result of meeting or achieving compliance with the standard), we may very well run the risk of encouraging and incurring new and previously unforeseen risk via threat vectors previously not considered, nor addressable, for lack of budget (capital or operational) to invest in innovative technologies, processes and people.
I will be giving a talk on Sunday evening at ToorCon 11 in San Diego with Will Gragido. We will be talking about “Cyber Criminals Don’t Sleep, So Why Does Our Industry?”. The focus of the discussion will be APTs. The Advanced Persistent Threat is nothing new, but it seems to be overlooked or not really talked about. What is our security industry doing to uncover the threat? Which vendors are really taking the challenge one step further? I would encourage you to check out our presentation live at ToorCon on Sunday evening. After the conference, I will post the entire presentation on Cassandra with the speaker notes in detail. Stay tuned…
