PCI Security
Or lack thereof
I can’t really explain why this bothers me so much. Does it really matter in the big scope of things? Not really. In fact, not at all, but that doesn’t change how I feel about it. Recently, PCI Security Standards Council released an updated version of the PCI DSS making it now version 1.2.1. The date on the title page says July 2009, but the properties of the MS Word version say August 10th. The date is of no real consequence to my point, but the MS Word version is.
Why Compliance Does Not Equal Security
It’s all about missing the intent of security and focusing on the audit
Just when you thought it was safe to go outside after SOX and PCI, ARRA’s HITECH regulation concerning privacy and security raises its head. And rest assured this is simply the tip of the iceberg of what is going to come. Security regulations are a fact of life. However, the implications and impacts of emerging regulations are becoming intense. HITECH provides teeth to HIPAA and introduces arguably the first nationwide breach notification law, representing an evolutionary approach to regulations. How you deal with regulations moving forward needs to change dramatically.
ARRA’s HITECH Privacy and Security
Read the fine print
On Tuesday, February 17, 2009, 26 days after taking the presidential oath, President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009, a 407-page document containing no less than 23 titles in two major divisions. Needless to say there is a lot in this act. However, from an information security perspective, what really stands out is Title XIII, Health Information Technology, more commonly known as the Health Information Technology for Economic and Clinical Health Act (HITECH). Comprised of several parts, subtitles, and sections, this comparatively small part of ARRA adds serious teeth to HIPAA. We knew it was coming, so strap in, we’re going for a ride.
Twitter and TinyURL
An Ode to Link
There are a lot of ways to get hacked (duh), and manipulating URLs is a prevalent tool for hackers in facilitating an attack. It may not be “the” attack, but it’s a common stage in the attack vector. Links can be misleading, used in spam, and used in XSS attacks. They can also help people legitimately make money through click-through warehouses and even by manipulating affiliate programs. Now, look at Twitter and TinyURL through these lenses and you sorta see where I’m going.
R-e-s-p-e-c-t, Just a little bit
Find out what it means to you
You’re a CISO and you’ve just left an executive briefing explaining various compliance gaps and risks, knowing full well you don’t have enough clout, control, or fairy dust to do anything about it. Well, rest assured you’re not alone, and your CEO is not the only executive that can’t seem to connect the security dots. Security experts are dropping like flies in the government, with virtually all the top spots being vacated due to lack of authority.
Endpoint Appreciation
And you thought you only had to worry about servers and firewalls
A number of technologies are available for endpoint security, and rest assured more are coming. The move toward a “work anywhere from any device” strategy is quickly gaining speed. Add to this the adoption of cloud computing, specifically SaaS, and deperimeterization activities, and endpoint security has all the characteristics of something about to skyrocket.
Controls vs. Threats
There are a lot of security controls, but do you really know the threats they are addressing?
Let’s face it, security can be complex, and the fact that attackers are always finding something new to test the industry’s capability makes it difficult to know the real capacity for a control’s effectiveness. As an industry we tend to layer things on one another, applying a defense-in-depth strategy, which is a proven strategy and makes perfect sense. But do we really look at various security controls through this lens, or are we just putting something in because we think it will help?
Big Security
Can really large companies truly be secure?
There are a number of attributes within very large organizations that tend to put them at a disadvantage concerning security. Not that these corporate characteristics are unique to large companies, but rather that highly diverse and multi-layered environments act as enablers to those elements that may knowingly or unknowingly conspire against the company as a whole. Add to this the enormous dynamics occurring in the technology and security spaces, and the lethargic nature of some organizations results in adopting technologies and facilitating initiatives that are outdated before the first box is plugged in.
Demonstrating Value
Tracking effectiveness of security as a program
There are a number of practices concerning metrics and measuring security activities, and I’ve written on the importance of capability maturity in the security program (look for more articles from me on the topic of CMM in security). An increasing activity, especially in the light of recent economic pressures, is managing, monitoring, tracking, and reporting on the effectiveness of the security program in the employment of resources and budget.