When considering the alarming number of mega-data breaches and other such security incidents as they occur almost daily, and then compare the announced "root causes" and "used attack paths" of the incidents with the current state-of-the-art strategies to defend against attacks, I have come to conclusion that, unfortunately, security (risk, audit, and compliance, and any other assurance functions) is more often than not only "cementing" the status quo, that is the currently used processes or ways of doing business in a somewhat "secure" fashion.
For example, when POS (point-of-sale) units are in focus, then security professionals start to think / talk about:
- Network segmentation to keep the POS terminals as much as possible out of the corporate network or other locally connected networks and therefore out of the scope
- Encryption of cardholder data (Primary Account Number [PAM], cardholder name, expiration date, service code) and of sensitive authentication data (Full track data/chip, CAV2/CVC2/CVV2/CID, PINs/PIN blocks)
- No storage (do not store sensitive authentication data after authorization, even if encrypted)
- And all of the other 12 major requirements of the Payment Card Industry Security Standards Council (latest versions).
Often the security professionals may not get much further because business leaders don't want to spend the extra money needed to upgrade the infrastructure and so "accept" the risk on behalf of the unsuspicious consumers.
So basically what we're dealing with here is that the process of payments using credit cards between the consumer, the merchant, and the bank is not really secure, and both the merchant and banks need to either secure it or risk the consumer's money, data, and reputation (including that of the bank). This is why regulations and laws need to be put in place to protect the rights of the third-party consumer/customer. However, no one seems to think about better processes to perform electronic remote payments.
Another example is in the HIPAA realm with its Privacy and Security rules, further defined by the HITECH act that addresses the handling and (non)disclosure of "Protected Health Information" (PHI) of individuals. While the Privacy Rule deals with covered entities, use-cases, disclosures, and administrative requirements, compliance dates and enforcement penalties, the Security Rule describes the technical and non-technical safeguards that covered entities must install and maintain to secure individuals' "electronic protected health information" (e-PHI) -- note the emphasis, PHI transmitted orally or in writing is not covered!
The Security Rule then makes references about the typical C-I-A (Confidentiality, integrity, availability) tuple, threats, misuses, impermissible disclosures, and compliance, and then defines risk management (analysis) as the underlying security management approach to administrative safeguards, in addition to workforce training and assigning a security official. Again we have the situation that two (or more) parties deal with data affecting a third-party -- the patient/customer -- whose privacy and health information is on the hook if they mess up.
Again, the reason why laws and regulations are needed in this space -- but again, it would be great to focus on data avoidance, better processes around healthcare, and more privacy for the patient. Why do they have data stored in all kinds of data bases instead of a mobile device with military graded encryption and a key (opening access device) that only the patient (customer) has control over?
Or look at SOX and SSAE16 (former SAS70 type II) regulations; after the global community faced management oversight scandals like Enron, WorldCom and many others, stronger laws and control regimes were put in place. Another reactive model approach where first there is only limited regulation following the mantra "the free market will fix it", then big damage (in addition to the direct one) is done to third-parties such as the stockholders, owners, or other such beneficiaries of the entities whose management has not acted properly or even performed fraud, and then some re-active measure is put in place, which puts a heavy burden and lots of in-efficient efforts into the auditors and others directly involved.
And, to be fair to management -- if you're the CEO / CFO of company XYZ and you now sign a statement each year that is your "go-to-jail if someone in your organization messed up"-card, you still risk a lot regardless of how many controls you have implemented and how much integrity you stand for.
Another great example of a complete wrong approach is the misuse of the Social Security Numbers (SSNs) in the United States of America by banks, credit bureaus, insurance companies, doctors, health plans, utilities, and the many other entities for either authentication or verification purposes. Why on earth would a government-issued number that is meant to be for tax and social benefit purposes only be allowed for this kind of non-purposeful misuse and therefore only create the potential for fraud and ID-theft?
These are all reactive and ineffective controls. Instead, one should ask: "How can we make sure that processes are designed and built so that they are secure and can't be overwritten or fumbled with by management, or IT super-users, or others?" and "How can we control/access/publish financial parameters of a company (entity) that they become early-warning / leading indicators, and ensure transparency to all -- so that 'insider-trading' and similar threats are not possible by design"?
We should create systems and processes where a change is 100% detected, tracked, and managed (accounted for), so that misuse, fraud, insider-trade etc. is not possible. Insider-trading is only possible if there are "insiders" -- anyone with advanced knowledge and access to information that others don't have. In the moment we create a third-party oversight regime with stringent, transparent, effective and efficient change control mechanisms, we solve the root cause of the common problem, instead of fumbling with symptoms.
And, because we all are humans, culture and behavior will always play a big role -- it starts in school, colleges, universities, and in businesses, non-profits, and entities of all kinds. We need to educate people as to what is ethical, what integrity really means, what a human being is capable of when incentivized (either correctly or incorrectly), and continually develop, build, perform and improve our all behavior. We should also accept the fact that there is always room for improvement, and cementing the status quo is absolutely not an option. The worst statements therefore are these:
- "This is the way we operate" / "This is our 'modus operandi'" / "We've always done it this way!"
- "Who are you?" / "Then everyone could come and change it!" / "Who do you think you are?"
- "Because I want it so!" / "I am the boss!"
Should you be facing one or all of the above sentences, you know what to expect -- and you should definitely defeat them. If you're a leader, you'll influence and change that culture and behavior in your organization over time -- do not give up -- persistence pays off! So I challenge you to not accept the status quo but to instead ask the right questions, come up with new approaches and ideas, develop well-thought-through and well-designed processes, systems, and controls. That will improve security over time so that we can overcome the current crises.
Michael S. Oberlaender, MS, CISSP, CISM, CISA, CRISC, ACSE, GSNA is a subject matter expert on IT and security, and other related subjects. He is the author of C(I)SO - And Now What? and has held positions such as CSO and CISO for several large global companies. You can reach the author via firstname.lastname@example.org or via LinkedIn.
This story, "Security should no longer be 'cementing' the status quo" was originally published by CSO.