Archive for April, 2009

A discussion got started on Twitter two weeks ago about whether or not complying with standards and regulations such as PCI, HIPAA, FISMA, ISO 27001, etc. works when it comes to securing data. A good friend of mine, Mike Smith of the Guerilla CISO Blog, offered the point of view that compliance works; it is just that we don't have the right requirements. It was my point of view that compliance doesn't work, and thus the point/counterpoint began.

 

Let me say that Mike and I are very good friends and we respect each other's opinion and point of view. That was good because we were able to focus on attacking each other's arguments, and the conversation didn't degrade into the usual "you don't get it and you should just listen to me because I've been doing this for x number of years and know what I'm talking about" that we regrettably see so often nowadays. Let me also say that Mike and I often like to play devil's advocate in order to explore both sides of an argument. What I'm about to relay I honestly believe, but I make no such assertion about Mike's point of view. You'll have to ask him whether he holds that position or was playing devil's advocate with me. In the end it really doesn't matter all that much.

 

We took the discussion off Twitter and onto email because it is hard to develop and present arguments in the 140-character sound bites that Twitter allows. What I'm about to summarize is an email that I sent laying out what I believe to be the salient points and my contention that compliance doesn't work. Once this is over, please feel free to join the discussion; dissenting points of view are welcome.

 

Point:

Compliance does work; it is just that we haven't done a good enough job in setting the requirements (the required elements of standards and regulations such as PCI, FISMA, ISO 27001, COBIT, etc.). Since these requirements are not directly translatable into buildable/testable requirements, they are not adequate, and that is why compliance fails. If our requirements were buildable and testable, then achieving compliance would work.

 

Counterpoint:

Compliance doesn't work because it is based on the assumption that achieving a given set of requirements will result in a secure system (or environment). For example, installing a web application firewall or intrusion detection system will not necessarily help to secure your environment if it is not configured properly. Standards and regulations are often written to address the widest audience possible. As a result many, if not all, of the requirements need to be tailored for each specific environment. By refining the requirements you effectively reduce the applicable audience and, by extension, increase the number of variances that need to occur in order to widely apply the standard or regulation. As a result you'll still be struggling with the same issues, just from a different direction.

 

In order for something to be considered a standard it must strike a balance between being applicable to a majority of its audience and being actionable. If it is too broad, it can't be a standard because it doesn't provide value; if it is too narrow, it can't be a standard because its audience is too small (i.e., it is not widely applicable). So is it really a problem with standards? I don't think so.

 

The main problem with the compliance mentality is that it has you striving to achieve a requirement which, while related to the goal, is not the actual goal of what you are trying to accomplish. The goal is to secure information with a reasonable level of security controls. A reasonable level of security involves much more than achieving a set of requirements within a standard. It involves fully understanding the information lifecycle and choosing controls which correspond to how information is used and how critical it is to your organization. By definition, standards don't offer that.

 

Now don't get me wrong, I'm not advocating that we throw out standards such as PCI, FISMA, HIPAA, ISO, etc. What I am saying is that we need to view them in the proper perspective and for what they are, as opposed to what they have been portrayed as. Standards and regulations can and do provide focus and some of the necessary elements to achieve a reasonable level of security, but they do not make an organization secure in and of themselves.

 

Is the answer to create more refined standards and regulations? I don't think so. By doing so you would only make them less applicable. What we do need to do is make sure that our approach to security not only incorporates the existing standards and regulations but goes beyond them in search of a reasonable level of security control. (Whether a truly secure system is even possible is another topic that we can debate.) Information security is a journey; it isn't a destination. We need to foster an approach that values responsibility and reasonableness over blind compliance.

 


This week saw the release of the 2009 Data Breach Investigations Report put out by Verizon. This one is different from last year's report in that it only deals with 2008, as opposed to a three-year period (2004-2007) like the last one. It is also based upon firsthand evidence collected by Verizon's investigative response teams. This is both good and bad. It is good in that their analysis of root causes is probably very accurate (as opposed to relying on someone else's experiences). On the other hand, it is bad in that their correlation of industry and organization size with data breaches is heavily influenced by their customer base. As a result I am intentionally not going to pay any attention to those results/correlations.

It is also important to recognize that all such studies are biased in some way. It is very hard to conduct any study like this and not introduce some sort of bias, be it through the wording of questions or the selection of the data set analyzed. Rather than throw out all studies, it is important to put their findings within the proper context before applying them to your own decision-making process. What follows is my attempt to do that.

Findings of note:

· A vast majority of data breaches come from outside the organization (43%) or from multiple sources (39%). Multiple sources appears to be defined as a combination of external, internal, and/or partner sources.

· External attacks come primarily from Eastern Europe, East Asia, and North America. During the period between 2004 and 2007, these regions accounted for 59% of the attacks; in 2008 they accounted for 82%. Beyond the region, nearly two-thirds of the attacks could not be traced to any specific entity other than an IP address. Of the ones that were traced, most were connected with some sort of organized crime. In fact Verizon points out an amazing statistic: 91% of all compromised records in 2008 were attributed to organized crime activity.

· A majority of the breaches involving business partners involved the lax security practices of the partner who was administering client-side systems.

· Error is a significant contributing factor in nearly all data breaches. This one is very interesting to me because, if the study is accurate in this regard, it means that most organizations already have the tools they need. In other words, you don't really need that new shiny box with the blinky lights on the outside to protect your network. The error comes from misconfigurations, omissions, programming errors, process breakdowns and poor decisions. Verizon took the time to clarify their use of the term omission. An omission is defined as the failure to follow through on enacted policies and/or procedures and is distinctly different from misconfigurations and programming errors. This is a common problem with compliance-focused security programs (my own assessment, not Verizon's).

· A vast majority of organizations were either fully targeted (28%) or opportunistically targeted (44%), 72% combined. A fully targeted attack is one where the victim was chosen before the means to exploit them was discovered. Opportunistic targeting involves the victim being targeted because of a known weakness or vulnerability, such as running a version of software with known exploitable vulnerabilities. Verizon provides a suggestion with which I fully concur: organizations need to determine whether they will be identified as a target of choice or a target of opportunity. If a target of choice, they need to be prepared to fend off determined and sophisticated attacks; if a target of opportunity, they need to minimize the opportunities for exploitation.

· Online data is the most frequently compromised asset by far (94%, compared to end-user systems at 17%). This is important in the prioritization sense. While it is fashionable to institute elaborate means to protect offline data, mobile devices, and end-user systems, the money would be better spent on securing application servers and databases first. (Incidentally, this is the only instance in Verizon's analysis where I felt that the comparison between the percentage of breaches and the percentage of records compromised had relevance.)

· 87% of breaches could have been avoided had the organization implemented simple (53%) or intermediate (34%) level controls. This falls in line with the Pareto Principle (aka the Principle of Least Effort) as it applies to protecting information, wherein 80% of the issues can be resolved with only 20% of the effort (time and money).

 

Now my interpretation of Verizon's findings underscores my belief that most of what is needed to protect an organization's information assets already exists within the organization. The findings speak to improving change and configuration management programs, along with a more complete integration of security into an organization's system development life cycle (SDLC). They also speak to ensuring that business partners with whom you share critical data (be it by transferring it to their systems or granting them access to yours) are required to comply with the same level of security that you employ within your own environment.

The bottom line is that these improvements do not need to cost a lot of money. Most of them come from focusing on the basics and doing them well, over and over again.


Over the past week or so I've been following the pirate attacks on international shipping off the east coast of Africa. As I was listening to the news coverage a few statistics were given. While I couldn't write them down immediately, these are the notes that I took as soon as I could pull over and find a pen.

Every year there are approximately 80 successful pirate attacks off the coast of Somalia. (The number of unsuccessful attacks is higher.) This may sound like a lot, but compare it with the estimated 300,000 commercial vessels that pass through this section of ocean: that amounts to 0.027% of the traffic. It would take 3,000 successful attacks before you would reach 1% of the estimated commercial traffic in that region. Now I'm not sure what the statistics are worldwide, but my guess is that the ratio would be about the same.

As I was listening to the coverage I began to think about the parallels with other kinds of risk management. It sounds cold, especially considering all of the human interest pieces the media has been doing on Captain Richard Phillips and his crew, but it is no different from the decisions that business leaders make daily on how their critical information is protected.

Situations like these tend to put risk-based decisions into perspective. The decision makers at the A.P. Moller-Maersk Group now have a different perspective on the risk of piracy than they did two weeks ago. Now I'm not deriding the decision makers at the A.P. Moller-Maersk Group. Up until now I would bet that their decisions were based upon quantifiable numbers and in line with their industry's best practices. In other words, they have taken a risk-based approach that has worked.

Worked?!? you say. Yes, it has worked. By all accounts some crews have been trained in how to respond to pirate attacks and thus have been successful in avoiding or thwarting the occurrence of this risk up until now. (Another good example of this is the evasion of another pirate attack conducted against another U.S.-flagged ship within the past 24 hours.) It is a common fallacy that risk management is about the elimination of risk. Risk management is not about the elimination of risk but rather its reduction to acceptable levels. The risk still exists, albeit in a reduced form.

This then uncovers two important concepts:

· Risk can never be totally eliminated; it can only be managed to acceptable levels; and

· Perception is as large an influencer of decisions as statistics and other forms of measurement.

In the coming weeks I'll take some time to explore these two concepts in relation to information risk management.
