Breaches within Sony's and Epsilon's networks in recent months have shone a light on a very real concern in the Age of Stolen Information. The government believes that more legislation and regulation will solve the security problems that plague our interconnected networks and systems.
One only has to take a quick glance at the latest regulations from the Food and Drug Administration (FDA) on Medical Device Data Systems (MDDS) or the new Cyberwarfare Doctrine from the Pentagon to see the trend toward greater regulation.
But rules dictated by government fiat always lag far behind technological advances and create a "security by compliance" culture. So what is the solution?
In my opinion, additional Federal legislation on the subject of information security breaches is unnecessary. Currently there are multiple industry regulatory regimes that cover information security best practices. At a high level, here are a few:
- National Institute of Standards and Technology (NIST) Computer Security Division (800 Series) which applies across all industries.
- Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley (Section 404) for finance
- Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for healthcare
- North American Electric Reliability Corporation (NERC) for utilities
I have recently contributed to three articles that tie into my opinion on security by regulation. One was for the Chicago Tribune, entitled "Security Breaches Highlight Need for Consumer Vigilance". It covered the impact of the Walgreens, McDonald's and Gawker security breaches. Another was published in PCWorld on the PlayStation Network security breach, under the title "Experts on the PSN Hack: Sony Could Have Done More". Finally, a piece just ran in InfoWorld entitled "10 Hard Truths IT Must Learn to Accept", where I discuss the security by compliance issue and how the pursuit of 100 percent compliance and security is a folly.
Legislation will not address enterprise security problems. However, if you look at what caused the PSN security breach, there were multiple issues that led to the compromise. The chief causes appear to be that Sony was lax about routine maintenance of its infrastructure and that internal and external communication was completely lacking. This includes:
- Server patching and hardening
- Monitoring the network and servers for suspicious activity
- Disjointed or missing breach response procedures
- Lack of security leadership in the organization
- Lack of breach communication plan
The best way to minimize the risk of a breach for an organization is to stay on top of standard maintenance and monitoring procedures. Keep the organization's servers patched and make sure they are hardened before putting them on the production network.
Ensure there is a security breach response plan that has been tested and communicated to the highest levels of the company. Have a single point of contact that directs communication regarding the breach to the appropriate parties. Also, ensure that the breach plan includes a robust communication plan for potentially affected customers.
Finally, there is always going to be a risk for a security breach or data loss. Systems and software are designed by humans and there will be flaws that can be exploited. Plus, social engineering will always provide a path to compromising the most secure systems due to the fallibility of the human element. Legislation will not address these factors.
Security practitioners understand that there is always a risk of a security breach. Therefore, risk assessment and risk management are key components of a security professional's job. Identify the most critical systems and data and implement the most robust safeguards around them. Focus monitoring efforts on these critical areas and ensure the organization's senior leadership understands the risks, mitigation strategies and internal/external communication plans.
In my experience, compliance with multiple frameworks and regulations creates a belief in security by compliance. Organizational leadership buys into the mindset that if they have all the check-boxes marked, then they are secure and additional policies, programs and monitoring are wasted efforts. This is a critical mistake in an age when your adversaries can turn on a dime and exploit your inflexibility.