Nov 04 2009

I’ll do anything! Absolutely anything!

Published by at 8:49 pm under Family,General,PCI

I love my children, I really do.  Especially when they remind me of some of the life lessons I learned long ago but have forgotten from my conscious mind.  And even more importantly when those life lessons are the same lessons that can be applied to the job I do on a daily basis.  Let me tell you a short story and how that relates to security in general and PCI specifically.

As we all know, Halloween was only a few days ago and many of us have large bowls filled with candy sitting around the house.  My house is no different and like many other parents, we’ve tried limiting the intake of candy by our kids to dessert and perhaps one or two pieces of candy throughout the day.  Today was no exception, so when my children asked if they could have dessert, I told them they could have one piece of candy each.  My eldest son thought this was fine, but my youngest son spent a fair amount of time rooting around his bowl and when I finally told him it was time to make a decision, the look he gave me told me something was up.  I had him open his hand and show me what was in it; not surprisingly, he’d tried to hide a second piece of hard candy in his hand, hoping I wouldn’t catch it and he’d get two pieces of candy.  Big no-no.

I was in a fairly understanding mood, so I simply took the second took the second piece of candy away and told him he could have the first piece of candy he’d picked.  He gave me the puppy dog eyes, which I ignored and told him that he’d made his choice and had to live with it.  Rather than eat that piece of candy, he said it wasn’t what he wanted threw it back in the bowl and walked away.  A few minutes went by, we told the boys to go brush their teeth and go to bed.  Cue the histrionics!

The screams went along the lines of “I’m not going to bed without dessert!” and “I’ll do anything for dessert!  Absolutely anything!”  Which was met with “You had your chance, you made your choice, now it’s too late.”  He screamed, he cried, he screamed some more.  But Daddy can be an immovable object when his mind is set, and a tired eight year old is going to bed whether he wills it or not, so Daddy won the argument.  We’ll see if he’s learned his lesson for tomorrow night’s desert.

How does this relate to security?  Often, at least from our point of view, management is much like a spoiled eight year old who wants what they want, when they want it and the consequences be damned!  As an assessor, I hear companies tell me about a date they have to be compliant by and they’ll do absolutely anything to meet with that date.  But when you start telling them what’s going to be required to be complaint, you start hearing all the excuses as to why particular pieces are impossible, can’t we just assess on what they will be doing in the future or ignore that part of the requirements since they’ll be doing it “really soon”.    I have about as much sympathy for them as I do for my son; I’m not the one who’s missing dessert, so he can either do what he’s supposed to or miss out on his sweets.

The cry of “I’ll do anything!” only lasts until it’s time to actually do something all to often.  I use compliance as an example, but this is just a big a problem in the rest of security.  Management sees another company in their market get compromised and says they’ll do anything to avoid the same fate.  Of course, ‘anything’ only lasts until they see the actual manpower and budgetary numbers that would be required to secure the company from the same fate that befell the the competitor.  And they get extra sensitive when told that the numbers you gave them will only protect them from the vulnerability du jour and additional resources will be required to become what you’d consider reasonably secure.

PCI is much the same way.  Business think they can get away with half-way measures that almost, sort of meet with the PCI requirements, but when a QSA comes in and says, “Let me see what’s in your other hand.”, the crying begins.  “I’ll do anything to be compliant!”  Well, start by writing policies that meet the minimum standards.  “Anything but that!”  Configure your firewalls so they aren’t swiss cheese allowing almost anything any “Well, anything but those two things!”  Implement a log manager.  “Anything but …” You get the picture; the definition of anything quickly narrows from the dictionary definition of ‘anything’ to ‘the absolute minimum I can get away with’.  It’s human nature to try to get as much as possible with as little effort as possible, whether your a mega-corporation or a eight year old.

PCI isn’t difficult, it’s a pretty minimum baseline for securing your company.  Risk vs compliance arguments aside, most of the things in PCI are measures the vast majority of businesses should be doing to establish a secure infrastructure that’s capable of keeping the bad guys out or detecting when they do get in.  The people who are screaming because it’s too hard are the same people who probably wouldn’t be giving the security and IT teams the resources needed to secure the enterprise in the first place.  And much like an eight year old they’d rather scream and cry after the fact than plan ahead, follow the rules and do the right thing in the first place.

You can’t send a corporation to bed without dessert and you can’t leave them unprotected.  Just like parenting, you have to do your best and hope that it’s the right thing.  Businesses are going to be much better served by trying to look ahead at what needs to done and how to do it effectively and efficiently rather than waiting until the last minute.  It’s a mark of maturity that many businesses may never show.  And again, just like a parent, it’s our job as security professionals to try to teach the businesses we work for how to plan ahead rather than screaming “I’ll do anything” when it’s already too late.

I think it’s time for me to go raid the candy bowl.  Unless my wife says it’s already too late.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

4 responses so far

4 Responses to “I’ll do anything! Absolutely anything!”

  1. […] principle. I’ll ask mommy and if I don’t get the answer I want I’ll ask daddy. Network Security Blog >> I’ll do anything! Absolutely anything! Tags: ( general […]

  2. PCI Securityon 06 Nov 2009 at 1:40 pm

    Your comment on policies is true. I think it is easy to meet the requirements on paper, but quite often the bigger challenge is proving you have adopted them.
    PCI compliance can be difficult to attain/maintain for some organisations as it requires a major cultural shift and committment from all levels.

  3. […] (a stand alone sysadmin like myself) he linked to a great security blog mckeay.net where I read this post. I found it oh so amusing as I’ve seen the same sort of thing at […]

  4. StrongBoxon 10 Dec 2009 at 2:08 pm

    I recently participated in a seminar on Secure Commerce Payment Data-Enterprice Payment Security which was hosted by Bill Zujewski-V.P.Product Marketing at ATG, Dave Glaser- V.P. Global Services at Cybersource and Chris Pogue- Sr. Security Consultant at Trustwave. The focal point of discussion was security of data in relation to the Order Management Lifecycle.
    To share my impressions briefly-I guess the main point of the seminar was that the PCI compliance regulations are merely a way to reduce the amount of fraud that is out there, but unless the data will actually be somehow completely eliminated the risk of theft and fraud will always exist- that is regardless if a company is PCI compliant or not. Therefore, as Mr. Dave Glaser said- it is time for a NEW approach- to work on ELIMINATING the data rather than CONTAINING IT. He called the containment approach that is practiced today
    – ” sub-optimal”.
    I guess one may say then, that the PCI regulations of today are implemented as a part of an ongoing process that is desperately trying to solve the “sensitive data pollution” issue and we will see many other attempts in the near future to prevent the “leaks” from happening.
    In me humble opinion,following PCI policies and regulations is one thing, however how to implement and change our data handling daily habits is another.
    How many of us REALLY do wash our hands after being out? Well the statistics show that unfortunately most of us DO NOT, yet I believe we all know about germs and how easily they spread and that the prevention of the spread of germs can be limited if we would follow one simple procedure- namely: washing our hands regularly. If I we would apply this tendency in human nature to simply “ignore danger” by not washing hands, to the way of handling sensitive data, the outlook for fraud prevention as long as it is handled by us, is …well, not very positive.
    Having a certificate of being “secured” from data fraud, is not and will not be enough.
    I believe that the success of data security lies in “hands” of each individual business owner, and it’s up to him/her to change the “data hygiene habits”. This can be done by implementing a secure business etiquette, using the correct and safe commerce /merchant payment solutions, secure processing companies, secure shopping carts and secure back-office softwares-that is, of course, in combination with implementation of good old-fashioned common sense. There are solutions that can ease the safety “routine” so why not use them?.

    StrongBox

Trackback URI | Comments RSS

Leave a Reply

%d bloggers like this: