Jan 16 2009

“Security first” please!

Published by at 6:31 am under PCI

While I’ve only heard of one concrete example of a situation where PCI caused a company to actually become less secure than it was before, I’ve seen multiple examples of companies that were concentrating so hard on meeting compliance deadlines that they ignored any security measures around their network that weren’t directly related to PCI.  While this isn’t a huge problem in most cases, because PCI is generally based on ‘best practices’ (hate that term), it still left areas of the network less secure than they really need to be.

Anton Chuvakin wrote an interesting post called Tales from the “Compliance First!” World that highlights some of the dangers of the compliance first philosophy.  There are a large number of requirements in PCI calling for specific technologies, such as AV and web application firewalls, that companies are putting in place, turning on and forgetting.  While the PCI-DSS requires the technologies to be implemented and monitored, I’m sure there are QSAs all around who’ve gotten to a company to do an assessment only to hear “We have a [insert technology here], but it’ll take me a minute to remember how to log into it.”  Great!  You have it but you haven’t monitored it in so long you can’t remember how to log in??  That makes it really useful and gives me confidence in how well you’re monitoring your other technologies.

Another point that Anton makes is about the external scanning requirements of PCI.  Your external scanning is only as good as the lower of two points:  how good the scanning vendor is and how honest/complete you are in configuring the scan engine.  Most companies aren’t going to have any control over the quality of their scans, other than choosing a new vendor if the current one is just paying lip service to scanning.  But there are a lot of companies who only scan their PCI environment or ‘forget’ to include the other couple of blocks of Internet accessible servers.  Or even worse, have servers exposed to the network they aren’t even aware of.  And just because you get a clean scan from your vendor doesn’t mean you’re secure.  If you’re not backing up your scanning vendor’s findings with your own scanning tools, you’re going to have a sense of security that may be misplaced.  Nessus is your friend.
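The two scanning gaps described above (blocks left out of the vendor’s scope, and vendor findings not backed up by your own scan) are easy to reconcile mechanically. The script below is an added example, not code from the original post or from any scanning vendor; the CIDR blocks, host addresses and finding names are constructed sample data using documentation (TEST-NET) ranges, and the finding lists stand in for exported vendor and internal Nessus reports that you would parse yourself.

```python
"""Reconcile an external-scan scope and its findings against your own inventory.

Added example (not part of the original post). All data below is constructed:
OWNED_BLOCKS is the inventory of Internet-facing address blocks you actually own,
VENDOR_SCOPE is what was handed to the scanning vendor, and the two finding
dicts stand in for the vendor report and an internal Nessus run, keyed by host.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample inventory and scope (TEST-NET documentation ranges).
OWNED_BLOCKS = ["203.0.113.0/28", "198.51.100.0/29"]
VENDOR_SCOPE = ["203.0.113.0/28"]          # second block was 'forgotten'

# Constructed sample findings: host -> set of plugin/finding names.
VENDOR_FINDINGS: Dict[str, Set[str]] = {
    "203.0.113.5": {"ssl-weak-cipher"},
}
INTERNAL_FINDINGS: Dict[str, Set[str]] = {
    "203.0.113.5": {"ssl-weak-cipher", "outdated-openssh"},
    "198.51.100.3": {"telnet-open"},
}


def unscanned_addresses(owned: Iterable[str], scope: Iterable[str]) -> List[str]:
    """Return every host address in the owned blocks that no scope block covers.

    Iterating addresses (rather than subtracting networks) keeps the logic
    correct even when scope blocks only partially overlap an owned block.
    """
    scope_nets = [ipaddress.ip_network(s, strict=False) for s in scope]
    missing: List[str] = []
    for block in owned:
        for addr in ipaddress.ip_network(block, strict=False).hosts():
            if not any(addr in net for net in scope_nets):
                missing.append(str(addr))
    return missing


def finding_gaps(vendor: Dict[str, Set[str]],
                 internal: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return findings your own scan produced that the vendor report lacks.

    A non-empty result means the vendor's 'clean' report is not the whole
    picture for that host and the gap needs explaining (scope, timing,
    plugin coverage) before the host is treated as clean.
    """
    gaps: Dict[str, List[str]] = {}
    for host, issues in internal.items():
        extra = issues - vendor.get(host, set())
        if extra:
            gaps[host] = sorted(extra)
    return gaps


def scope_report(owned: Iterable[str], scope: Iterable[str],
                 vendor: Dict[str, Set[str]],
                 internal: Dict[str, Set[str]]) -> Dict[str, object]:
    """Summarise both checks; 'clean' is True only when neither check fires."""
    missing = unscanned_addresses(owned, scope)
    gaps = finding_gaps(vendor, internal)
    return {"unscanned": missing, "finding_gaps": gaps,
            "clean": not missing and not gaps}


if __name__ == "__main__":
    report = scope_report(OWNED_BLOCKS, VENDOR_SCOPE, VENDOR_FINDINGS, INTERNAL_FINDINGS)
    for addr in report["unscanned"]:
        print(f"NOT IN VENDOR SCOPE: {addr}")
    for host, issues in report["finding_gaps"].items():
        print(f"VENDOR MISSED on {host}: {', '.join(issues)}")
    print("clean" if report["clean"] else "scope/findings need attention")
```

Feed it your real inventory and parsed reports and run it after every quarterly scan; the interesting output is any address outside the vendor scope and any host where your own tool finds more than the vendor did.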

The point of all this is that if you’re aiming to be compliant, think about security first; it’ll make compliance easier.  Or if you have to make compliance your number one goal, follow Anton’s advice:  “…please at least make sure that ‘Security SECOND’ happens.”  I’ve seen too many companies that attain compliance and then call it a day, forgetting about other areas that aren’t covered by PCI.  You don’t want to be the next TJX, a company that was technically PCI compliant but insecure in reality.


3 Responses to ““Security first” please!”

  1. Anton Chuvakin on 16 Jan 2009 at 10:26 am

    Congrats, Martin! You discovered the HIDDEN point in my post…

    You say:

    “other than choosing a new vendor if the current one is just paying lip service to scanning.”

    Yes, BUT the truly SCARRRRRRRY point that I was hinting at is:

    “choosing a new vendor if the current one is just NOT (!!!) paying lip service to scanning.”

    Think about it…

  2. […] and continuing to improve upon it, which is a step many organizations forget.  Didn’t I write something on this […]

  3. Tom on 28 Jan 2009 at 11:54 am

    While compliance may provide some minimum level of security, it is a pretty low bar to meet. It may be better to measure compliance and measure security risk independent of each other. An organization could definitely be insecure and also compliant with PCI and other regulations. Conversely, an organization could be adequately secured and non-compliant.
