Does Compliance Provide a False Sense of Security?
The relationship between compliance and security is a hot issue amongst the cyber security community. Most organizations are aware that they need to comply with certain industry standards, but they may not realise that doing so does not mean their networks are secure. Jim Jaeger (Director of DoD & commercial cyber solutions for General Dynamics Advanced Information Systems) brought the topic to the forefront of the agenda in his keynote speech at the Annual CIS Conference in 2011. He disclosed that in virtually every security breach his team had investigated, the company had recently been certified as compliant. So why doesn't compliance equal security?
Why Doesn’t Compliance Equal Security?
Compliance standards such as PCI DSS (the Payment Card Industry Data Security Standard) and HIPAA (the Health Insurance Portability and Accountability Act) are widely used. Although PCI DSS is specific to organizations that handle payment card data, the diversity of those organizations and of their practices is vast. Because the standard has to be 'one size fits all', it can never accurately reflect the threats facing each individual organization. A network can be modified quickly to satisfy an industry-wide requirement, but that change will often not address the actual security weaknesses of the environment. By focusing only on meeting the minimum requirements for compliance, many organizations let the real threats to their networks go undetected and unmanaged.
Some compliance standards state that a network must undergo a penetration test once a year and a vulnerability scan once a quarter to demonstrate compliance. If the person carrying out the penetration test is not an expert in every type of device on the network, or if the scanner's probes are blocked part-way through the scan, then not every vulnerability will be reported. As long as the results come back clean, however, the Qualified Security Assessor (QSA) who completes the audit can certify the organization as compliant in that area.
Even when tests are conducted thoroughly and professionally, they are 'point in time' audits that may only be carried out once or twice a year. Configuration changes and newly published exploits mean new vulnerabilities can easily emerge in the intervals between manual penetration tests. Scanners can be run more often, but they only give an overview of your network security and often do not provide the in-depth analysis that you need.
Another problem with compliance is that technology develops far faster than compliance standards and their documentation are updated. Not only are compliance standards not specific to each organization's requirements, they are also very often out of date. Attackers do not limit themselves to the threats the latest compliance standard anticipates. They are dynamic in their attacks and share ideas within their communities, and they will use any means necessary to find the vulnerabilities that compliance checks and scanners leave exposed. In his keynote speech Jim Jaeger (of GD) stated that 'any determined hacker can get into any network if you only focus on that hard, crunchy outer shell of the network.' He went on to say that the most important lesson he had learnt in recent years is how important the depth of security is when defending against breaches.
In addition to the risk of external attackers trying to get inside your network, the threat of internal attacks must also be considered. Employees within your organisation, or external consultants invited onto your network, also have the potential to open back doors to data and to hide the evidence trail, for example by blocking the ports some monitoring tools use to detect changes. Effective management of user access controls, as required by some compliance standards, can help mitigate the threat. However, not only can controls be manipulated, some employees genuinely need that access to do their jobs. With only point-in-time audits and periodic scans, changes made to device configurations can go unnoticed until it is too late. Remember that employees may know when your audits take place and could easily pass this information on to an outside party. If audits happen only once a year, that leaves the attacker with a massive window of opportunity. Compliance standards have their place, but they should be used as a baseline for security and not as the sole solution.
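The gap between point-in-time audits that this section describes is exactly where continuous configuration analysis earns its keep: if a baseline of each device's configuration is captured at audit time, the running configuration can be compared against it daily and security-relevant drift flagged long before the next assessment. The script below is an added illustration of that idea, not code from the original post or from Titania's products; the two Cisco-IOS-style configurations, the device name and the set of "risky change" patterns are all constructed for the example, and a real deployment would pull configurations from the devices and maintain a far larger pattern set.

```python
"""Configuration-drift check between audits (added example).

Assumptions (not from the original post): device configurations are plain
text in a Cisco-IOS-like syntax, and BASELINE_CONFIG was captured at the
last audit. Both sample configurations below are constructed for this example.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample: configuration of a hypothetical edge firewall as
# reviewed at the annual audit.
BASELINE_CONFIG = """\
hostname edge-fw-01
! last reviewed at annual audit
logging host 10.0.0.5
aaa new-model
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.0.1.10 eq 443
 deny ip any any log
line vty 0 4
 transport input ssh
"""

# Constructed sample: the same device's running configuration three months
# later. Remote logging has quietly gone, a wide-open ACL entry has been
# added and telnet has been re-enabled on the management lines.
CURRENT_CONFIG = """\
hostname edge-fw-01
aaa new-model
ip access-list extended OUTSIDE_IN
 permit tcp any host 10.0.1.10 eq 443
 permit ip any any
 deny ip any any log
line vty 0 4
 transport input telnet ssh
"""

# Lines whose appearance between audits is worth an alert (regex -> reason).
RISKY_ADDED = {
    r"^\s*permit ip any any\s*$": "wide-open ACL entry added",
    r"^\s*transport input .*\btelnet\b": "telnet management access enabled",
    r"^\s*ip http server\s*$": "plaintext HTTP management enabled",
}

# Lines whose disappearance between audits is worth an alert.
RISKY_REMOVED = {
    r"^\s*logging host": "remote logging destination removed",
    r"^\s*aaa new-model": "AAA disabled",
    r"^\s*deny ip any any log": "final deny-and-log entry removed",
}


def normalize(config: str) -> List[str]:
    """Drop comments, blank lines and trailing whitespace so that purely
    cosmetic edits do not register as drift."""
    lines = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def fingerprint(config: str) -> str:
    """SHA-256 of the normalized configuration: cheap to store per device
    and compare on every collection run."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def diff(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed) lines, ignoring order and cosmetic changes."""
    base = normalize(baseline)
    cur = normalize(current)
    added = [line for line in cur if line not in base]
    removed = [line for line in base if line not in cur]
    return added, removed


def classify(added: List[str], removed: List[str]) -> List[Dict[str, str]]:
    """Match each changed line against the risky-change patterns."""
    findings = []
    for line in added:
        for pattern, reason in RISKY_ADDED.items():
            if re.match(pattern, line):
                findings.append({"change": "added", "line": line.strip(), "risk": reason})
    for line in removed:
        for pattern, reason in RISKY_REMOVED.items():
            if re.match(pattern, line):
                findings.append({"change": "removed", "line": line.strip(), "risk": reason})
    return findings


def check_drift(baseline: str, current: str) -> Dict[str, object]:
    """Full check: did anything change, what changed, and which changes matter."""
    changed = fingerprint(baseline) != fingerprint(current)
    added, removed = diff(baseline, current)
    return {"changed": changed, "added": added, "removed": removed,
            "findings": classify(added, removed)}


if __name__ == "__main__":
    result = check_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    print("configuration changed:", result["changed"])
    for finding in result["findings"]:
        print(f"[{finding['change']}] {finding['line']!r}: {finding['risk']}")
```

Run daily against a stored baseline, the fingerprint alone tells you whether anything changed; the classification step separates the benign edits that happen on any live network from the ones an auditor would have failed you for. Neither a quarterly scan nor an annual penetration test would have seen the three-month window in which the sample device sat with a permit-any rule and no remote logging.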
What is the Best Solution?
Leaders in the industry agree that an in-depth, multi-layered approach to network security, customized to the organization, is the best way to achieve good security. The latest Strategic Security Survey from the publication Information Week (www.informationweek.com) drew responses from over 900 security professionals. The results suggest that those in charge of network security are making positive moves towards raising standards. For example, the percentage of respondents who conduct their own risk assessment of cloud providers rose by 11% on the previous year, and the percentage of companies who admitted to carrying out no risk assessment at all fell by almost half compared with the previous survey.
Michael A. Davis, author of the survey and CEO of Savid Technologies, responded to the statistics with his own advice on security strategy. He insists that the best way is to take a 'best practices-based approach that is customized to the environment in hand.' Generating your own security policy that accurately reflects your organization's security issues is essential. In addition to being customized, the plan must be dynamic: security professionals must constantly improve and advance the policy, basing it on metrics drawn from the standards and policies set by your organization and targeting the threats most relevant to you. The strategy must then be continuously monitored and assessed not only according to how compliant it is, but according to how effective it is. It is less important that your security policy ticks a number of boxes and more important that it succeeds in securing your data.
There is a wealth of security options at many different levels, with manual penetration tests, configuration analysis tools and vulnerability scanners amongst them, so it is not surprising that 52% of survey respondents listed managing the complexity of security as their greatest network security challenge. With the tighter budgets of small and medium businesses, the IT professionals in charge of security have the added complication of finding the most cost-effective way of maintaining a high level of security whilst also achieving compliance.
Titania are cyber security auditing specialists in the areas of configuration analysis and compliance auditing. For more information contact us at enquires@titania.com or call us on + 44 (0) 1905 888785