Friday, December 11, 2009

Focused too much on perimeter protection?

Security experts at the Government Technology Research Alliance Council meeting held this week in Pennsylvania discussed the challenges facing cybersecurity professionals in 2010.  You can read the article in Government Computer News here.  Too much focus on network-layer defenses seems to be a major problem plaguing the cybersecurity community.  Heavy reliance on signature-based tools means reacting only to attacks that have already been seen and catalogued, while heuristic-based tools generalize from past behaviour and can miss anything that does not resemble it.  With the emergence of new and more sophisticated attacks, these tools on their own are often simply not enough.  Using tools that do not depend on signatures or heuristics, such as monitoring hosts for unauthorized change, in addition to signature- and heuristic-based options would go a long way towards greater IT security.  It is also important to remember that threats can originate internally; many sources suggest that internal threats, while fewer in number, often have more catastrophic consequences than external ones.  Tools that do not rely on signatures or heuristics, and that treat a change made by an insider the same as one made by an outsider, can help those in both the government and commercial space stay a step ahead of emerging and unknown threats, wherever they originate.

Monday, July 27, 2009

Upper Management . . . . Are you Listening Now?

On Friday, July 24th, Network Solutions, LLC announced a large data breach of customers’ payment card information.  According to Network Solutions, “it identified unauthorized code on servers supporting some of its ecommerce merchants’ websites.  After conducting an analysis with the assistance of outside experts, we determined that the unauthorized code may have been used to transfer data on certain transactions on approximately 4,343 of our more than 10,000 merchant websites to servers outside the company. On July 13, 2009, we were informed by our outside forensic experts that the data being transferred may have included credit card information. The code may have captured transaction data on approximately 573,928 cardholders.”  Network Solutions has further stated that “assuring the security and reliability of our services to customers is our most important priority. We store credit card data in an encrypted manner and we are PCI compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion. In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems.”

Anyone who processes payment cards should read and re-read the last paragraph.  Yes, any company that processes payment cards is vulnerable to this type of attack.  While Network Solutions asserts that it is PCI compliant, it does not specify whether it was PCI compliant before, at the time of, or after the breach occurred.  Even if it was PCI compliant at the time of the breach, PCI compliance does not guarantee that malicious code will not be placed on a server: an assessment confirms that a set of required controls was in place when it was checked, not that every change made to a production system since then was legitimate.  Note also what the statement actually says: stored card data was encrypted and the storage was not at fault, but the card data was captured in transit, as transactions were completed, which is exactly the case that encryption at rest does not cover.  Unfortunately, it does not seem as if anyone is getting the message that simply being compliant with some regulation is not enough.  Compliance should be viewed as the bare minimum needed to protect IT systems and information.  While the costs associated with responding to breaches are high, the hit to the breached firm’s reputation is likely even more costly.

Management is still not realizing the potential liability that it faces when IT systems are not well secured.  Certainly there are effective controls that can be put into place to greatly reduce the chance of malicious code being placed into a firm’s IT infrastructure, and to catch it quickly when it is.  These controls are almost certainly less expensive than the losses a firm incurs when a breach occurs.  I believe that the problem lies in the fact that many C-level executives do not fully comprehend IT and the vital role that it plays in their business success or failure.  Given how recently IT came to play a vital role in companies, it will take some time before business school curricula catch up to the realities that companies now face.  It will also take time for graduates with a firm grasp of the role IT plays in business to reach the upper management ranks.  Hopefully, in the meantime, the greater publicity and costs surrounding breaches will let IT get management’s attention with the message that compliance simply isn’t enough.

Wednesday, July 1, 2009

Monday, June 29, 2009

Payment Processors . . . . Are you Listening?

While compliance with PCI DSS is certainly a worthy goal for any business that processes credit card payments, meeting the DSS criteria should be the absolute minimum that a company does to protect payment card data.  Unfortunately, many companies see PCI certification as their end goal.  They view PCI compliance as simply being able to tick off each section of the DSS.  The harsh reality is that PCI certification is a “snapshot” of a company’s systems at one point in time.  Maintaining compliance is an ongoing process, and simply doing what the Data Security Standard requires may not be enough; in practice, it isn’t.

Think about it: how many changes occur to your systems on a daily basis?  How many attacks are there against your systems every day?  How long does it currently take you to investigate and remediate changes, whether malicious or not, to your systems?  How long does it take for someone to steal payment card data?  How many customers do you lose each minute your server is down and not able to process card data?
  
Recent data breaches at companies such as Heartland Payment Systems dramatically illustrate how vulnerable companies are.  If the 9th largest payment processor in the world, a business that should have the resources to adequately secure its data, can fall prey, what about your company?  The rapid rise in the volume of malicious code appearing every day should also give you pause; the Symantec Global Internet Security Threat Report for 2008 details this quite nicely.  Zero-day attacks frequently slip through your network’s defenses, precisely because no signature for them exists yet.  Finding ways to stop them should be a pressing issue for anyone involved in IT security.
   
Being able not only to detect but also to respond to IT changes immediately is going to be crucial going forward in order to secure valuable data.  The DSS itself only asks for file-integrity comparisons of critical files at least weekly (Requirement 11.5 in version 1.2 of the standard), which leaves a window of days in which injected code can run unnoticed.  As IT personnel are asked to do the same amount of work (or more) with fewer resources, automating processes becomes even more important.  Data breaches don’t always happen between 9 and 5, and if the attacker is smart, they probably won’t.  Who is responding to potentially malicious changes at 3 a.m.?  In many cases, probably no one.  If this isn’t a scary thought that should make every information security person cringe, I don’t know what will.  The future of data security lies in automating processes so that changes are identified and remedied in real time, without human intervention.  That requires two things the tooling cannot supply on its own: a trusted baseline to compare against and restore from, and a record of which changes were authorized, so that automated remediation does not undo a legitimate deployment.  The net results are that systems stay compliant and, most importantly, data stays safe.
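The detect-and-remedy loop argued for above, written out as an added example; this is not code from the original post or from any product it mentions.  It assumes a layout of my own choosing: a live web root, a read-only "golden" copy of the same tree to restore from, a quarantine directory for unexpected new files, and an operator-maintained set of paths whose change was authorized.  The injected skimmer files in the demo are constructed for illustration.

```python
"""
Added example: a minimal file-integrity monitor with automated remediation.
Layout (assumed, not from the post): a live tree, a read-only golden copy,
a quarantine directory, and a set of operator-authorized change paths.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(expected: dict, observed: dict) -> dict:
    """Classify the differences between a trusted baseline and a live scan."""
    return {
        "added": sorted(set(observed) - set(expected)),
        "deleted": sorted(set(expected) - set(observed)),
        "modified": sorted(p for p in expected.keys() & observed.keys()
                           if expected[p] != observed[p]),
    }


def remediate(root: Path, golden: Path, quarantine: Path,
              changes: dict, authorized: set) -> dict:
    """Restore unauthorized modified/deleted files from the golden copy and move
    unauthorized new files to quarantine for analysis. Anything listed in
    `authorized` (an approved deployment) is accepted and left untouched."""
    actions = {"restored": [], "quarantined": [], "accepted": []}
    for rel in changes["modified"] + changes["deleted"]:
        if rel in authorized:
            actions["accepted"].append(rel)
            continue
        dst = root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / rel, dst)  # golden has it: it was in the baseline
        actions["restored"].append(rel)
    for rel in changes["added"]:
        if rel in authorized:
            actions["accepted"].append(rel)
            continue
        qdst = quarantine / rel
        qdst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(root / rel), str(qdst))
        actions["quarantined"].append(rel)
    return actions


def demo() -> dict:
    """Constructed scenario: the checkout page is altered to include a dropped
    script, mimicking injected card-skimming code, while an operator deploys an
    authorized robots.txt at the same time."""
    work = Path(tempfile.mkdtemp())
    golden, root, quarantine = work / "golden", work / "www", work / "quarantine"
    for d in (golden, root):
        (d / "checkout").mkdir(parents=True)
        (d / "checkout" / "pay.php").write_text("<?php process_payment(); ?>\n")
        (d / "index.html").write_text("<html>shop</html>\n")
    expected = baseline(golden)

    # Unauthorized changes to the live tree (constructed for the demo).
    (root / "checkout" / "pay.php").write_text(
        "<?php process_payment(); include('x.php'); ?>\n")
    (root / "x.php").write_text("<?php /* exfiltrate card data */ ?>\n")
    # Authorized change deployed in the same window.
    (root / "robots.txt").write_text("User-agent: *\n")

    changes = diff(expected, baseline(root))
    actions = remediate(root, golden, quarantine, changes,
                        authorized={"robots.txt"})
    # After remediation only the authorized addition should remain.
    residual = diff(expected, baseline(root))
    return {"changes": changes, "actions": actions,
            "residual": residual, "quarantine": quarantine}


if __name__ == "__main__":
    result = demo()
    print("detected:", result["changes"])
    print("actions:", result["actions"])
    print("residual after remediation:", result["residual"])
```

The scan here runs on demand; a production deployment would trigger it from a filesystem change notification (inotify on Linux) so that the window between injection and restore is seconds rather than the weekly comparison the standard permits.  The authorized set is the piece most often skipped, and without it the monitor will faithfully revert every legitimate release.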