#113 – WHY DO YOU NEED A CYBER SECURITY SYSTEM? – ED PERKINS

Cybersecurity (or lack thereof) is nearly a daily news story. Many stories revolve around lack of ‘compliance’ with expected practices and regulations. Others detail how the cyber attackers apparently waltzed in and ran roughshod over a company’s or organization’s computer systems.

COMPLIANCE VS. MANAGEMENT

So what is compliance and why is it so hard? And how can cyber criminals have such an easy time breaching cyber defenses?

Compliance is about providing evidence that something exists. But most of the time an assessment of compliance is based on a snapshot of conditions at a set point in time. Too many focus on ‘passing’, e.g. trying to game things so that the appearance of compliance exists when the assessors show up. Verizon’s 2015 PCI (credit/payment card data security) Compliance Report notes that 80% of PCI-certified companies failed their interim assessment (performed one year after the compliance assessment). Verizon notes: “The takeaway is that companies should focus on building a robust framework with security policies, procedures, and testing mechanisms, as this will increase the chance of being compliant — and customers’ data being protected — not just at the point of validation but every day of the year.” [1]

For many, cyber defense consists of a firewall and anti-virus. The firewall keeps the ‘bad guys’ at bay, and the anti-virus screens out any malware from getting delivered. This ‘moat’ style of defense was adequate back in the early days of the web, before database-backed websites and e-commerce sales took over. Once the bad guys get past the moat or break into the website, it’s all over, since there are no internal defenses to back up the moat. So we see people coming up with a lot of tools and appliances to compensate for the lack of internal defenses, such as network loggers and monitors, to provide a post-incident ‘trail’ to help determine what was attacked and what information was compromised or extracted. Log everything, surveil everything, use ‘big data’ to wade through the mountains of log data to identify what happened.

According to a report on the infamous Target breach, Target was PCI compliant (or so they claimed), but they had no effective internal defenses once the hackers got in [2]. Recently the FTC prevailed in a suit against Wyndham Hotels for egregious indifference in protecting customer data [3].

PROACTIVE NOT REACTIVE

All of this activity is reactive. Companies have not thought much about their business risks, their specific vulnerabilities, or the types and sources of threats. There are too many systems, acquired over the years, with too many files, too many databases, on too many servers. So we have a long list of ‘best practices’: just keep everyone out, control access, make everyone change passwords monthly, etc.

The answer, as noted by Verizon, is to create a cybersecurity system – tied into the business objectives, with an inventory of critical assets and infrastructure, tailored to the organization, with a risk register of associated threats and vulnerabilities, prioritized, with specific controls identified for each. It is implemented with security policies and procedures, and regularly tested for effectiveness. This allows cybersecurity to be managed in a proactive, rather than reactive, manner.

HOW TO DEVELOP AN ‘APPROPRIATE’ CYBER SYSTEM

How do you develop such a system? The Federal government, via NIST, has developed a process, called the Cybersecurity Framework, which guides development of cybersecurity systems [4]. CERMAcademy is developing a set of courses on using the Cybersecurity Framework which will be available in early 2016.

References

[1] Verizon 2015 PCI Compliance Report, http://verizonenterprise.com/pcireport/2015
[2] Report: Target failed to execute security basics, http://www.csoonline.com/article/2988504/data-breach/report-target-failed-to-execute-security-basics.html
[3] Wyndham vs. FTC: Corporate security pros need to lawyer up about data breach protection, experts say, http://www.itworld.com/article/2975834/security/wyndham-vs-ftc-corporate-security-pros-need-to-lawyer-up-about-data-breach-protection-experts-say.html
[4] NIST Cybersecurity Framework portal, http://www.nist.gov/itl/cyberframework.cfm
