Friday, February 6, 2009

Compliance, Audit and You

I love compliance; I personally don't enjoy complying, however (it's the Libertarian in me). I love aiding people and organizations in understanding compliance initiatives and their relevance to business, which ultimately influences the quality of life you and I enjoy in one way or another. I love discussing and strategizing convoluted risk-based frameworks wherein one can account for various and sundry policies, regulations, standards and laws and still maintain and ensure an optimized operational security model. That is and will always be a passion of mine, stemming back to my earliest days in this industry while in the military and on through my many years in management consultancy work. I love Audit too. That's right, I said it. I love conducting audits and inquiries into how and why businesses elect to do what they do, while ensuring things are done in a secure manner. I love verifying controls (manual or programmable), while cross-referencing internal and external controls in order to look for discrepancies. Additionally, I love working with organizations to amend those areas in which they are found to be lacking.

Auditing and assessing are key factors in ensuring compliance; I believe that goes without saying. They are the tools used to verify the statements asserted by organizations about how they govern their enterprise, to what degree and for what ultimate goal / outcome. So why is it that so many in the industry view them as hindrances to their jobs and points of grief? Often you'll see (whether in blogs, in print or on panels) people speaking with disdain regarding compliance and audit initiatives. They ramble on about them as though they were some looming evil on the event horizon for which they must gird themselves or face eradication. It is an over-dramatization to say the least, and a gross demonstration of intellectual dishonesty, to assert that these things (compliance initiatives, compensating controls, GRC, etc.) are "stupid" or "lame" or not important. I feel as though these folks are missing the big picture with respect to the role and importance of this type of work. It's necessary and it's not going away. You can look to apportion blame to various parties, but in the end what matters is performing the due diligence required not only to meet the expectations of the governing bodies and auditors but also to ensure that the environment is secure with respect to people, process and technology.

And what about you? Will you allow yourself to be swept up in the madness that is being espoused by some regarding compliance and audit, viewing these activities as painful, gut-wrenching wastes of time? Or will you too champion the importance of such initiatives and activities, thus helping bring about a new era of maturity and awareness in the information security community? The choice is yours...and mine!

Tuesday, January 27, 2009

Data Breaches: Heartland Payment Systems ...Is There An End In Sight?

On January 20, 2009, Heartland Payment Systems (Princeton, NJ) reported what promises to be the largest data breach in history to date. For those of you who are not aware of Heartland Payment Systems or their core business, they are in the business of payments processing. One might ask why this is important given that breaches and disclosures occur with an eerie frequency. I believe it's important for two reasons (though I am not limiting myself to these):

  1. The size of the breach and its subsequent weight warrant it being deemed and considered 'important', especially given the nature of the data and the business in which Heartland is involved

  2. The nature of the alleged perpetrators warrants it being deemed important, as this further underscores what many in the information security research community have been asserting for quite some time: that the motive for enterprise / system compromise has changed, and so too have the players involved (a 'global cyber fraud operation')

I am not surprised by the fact that a breach occurred. I am surprised that in the age of regulation & compliance (especially in the financial industry), accurate measures were not taken to ensure the risk posture prior to said breach occurring. It is, of course, speculation on our part to assume that said measures were not undertaken (PCI DSS 2.0 anyone?); however, in light of the breach the logical conclusion is that either the measures leveraged were insufficient (good enough security simply not being good enough) or that the level of sophistication associated with the exploit superseded the mitigative solutions in place within the enterprise, be they located on the host or within the network. Just who and what this 'global cyber fraud operation' is has yet to be determined and / or disclosed, but regardless of who they are, it is important to note that their activity was not indiscriminate and their potential to profit from the compromise was worth the risk associated with their potential apprehension. Regardless of what occurred, the end result is that Heartland, a well-respected entity in its industry, has reported a breach. According to Robert H.B. Baldwin Jr., Heartland's president and CFO, they believe the breach is contained and are cooperating with the US Secret Service and Department of Justice. Heartland asserts that no merchant data or cardholder Social Security Numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. This is a good thing; however, only time and due diligence (along with the contracted services of forensics experts) will tell the tale in the end. Additionally, it is assumed that none of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms were involved. Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real time and enable law enforcement to expeditiously apprehend cyber criminals.


Heartland's breach is of course not unique, but it should serve as a reminder that 'good enough' security is often simply not 'good enough' and that there is no substitute for a defense-in-depth strategy executed against a well-articulated and exhaustively tested risk-based framework.

Monday, January 26, 2009

House Keeping -- A Note From the Team

Apologies on behalf of the team here for the delays between posts. Much has been underway here at 'Not Another S3CUR1TY Blog', and as such much good is to come of it. Look for entries coming soon on profiteering from the threat landscape, the revolution of evolutionary ideas in malware, breaches and the lack of technological involvement needed for them to succeed, and a host of other compelling features, commentaries and yarns. Additionally, look for featured contributors and guest authors to come!

10 Tech People You Should Know -- Networkworld January 5, 2009

Earlier this month Network World posted a supplemental article titled "Ten Tech People You Should Know" -- http://www.networkworld.com/supp/2009/outlook/010509-tech-people-to-know.html?page=4

This article brought together an impressive list of industry leaders, shapers, dreamers and thinkers. The list included:

John Chambers, CEO, Cisco Systems
Paul Maritz, CEO, VMware
Mike Neil, General Manager of virtualization strategy, Microsoft
Steven Sinofsky, Senior Vice President of the Windows and Windows Live engineering group, Microsoft
The Google triumvirate: Eric Schmidt, CEO; Larry Page, president of products; Sergey Brin, president of technology
John Lilly, CEO, Mozilla
Sheryl Sandberg, COO, Facebook
Joshua Corman, principal security strategist, IBM Internet Security Systems division
Amit Jasuja, vice president of product development for identity management, Oracle
Kenneth Brill, executive director, Uptime Institute

Some of these people are quite familiar, others less so, though no less important by virtue of their inclusion on this list. Josh Corman falls into this latter category. Many in the industry, and no doubt several reading this blog today, do not know who Josh is or why he's on this list. I encourage them all to get to know Josh's work and name, as they'll be seeing more of both to come. I know Josh both personally and professionally. In fact, he's not only my friend but a trusted confidant and sounding board for ideas. He's dedicated, articulate, and sincere in his work and relationships. Josh and I first became acquainted while in the employ of Internet Security Systems (ISS), now IBM Internet Security Systems, where Josh still resides. We quickly became friends and tight colleagues, and I'm proud of his achievement, as I believe he's worked diligently to arrive in this position. It's an honor to be nominated and included amongst such names in the industry; it is, I imagine, both humbling and exhilarating. Josh and I spoke about his inclusion on the list, and I wanted to publicly give him the credit he deserves and say job well done. Josh, you deserve it and I couldn't be happier for you! Keep up the good work; the industry needs more folks to take up the charge and challenge that which is considered the 'standard' in order to ensure that we faint not in our endeavors and struggles to secure ourselves and our futures. Kudos Josh!

For more on some of Josh’s work see the following link:

http://www.networkworld.com/news/2008/050108-interop-dirty-security-secrets.html

NEW BLOG!!!

We've changed the name of the blog! It's no longer Veritas et Aequitas; however, we still think that is a cool statement and may use it in some other capacity later. The spirit behind that name will live on here, but we felt it needed to go because:

  1. That name is too hard for people to remember
  2. It sounds like a religious blog
  3. It sort of sucks
  4. People don't speak Latin regularly anymore and if mistyped it takes you to a video game site

Having said that, the new name is 'Not Another S3CUR1TY Blog' and we dig it; we're hoping you do as well. In the spirit of newness and a fresh start, this initial post will be short and sweet. The goal of this blog is to provide fresh insight into the information security, risk management and threat landscapes while ensuring the highest degree of integrity and professionalism. That doesn't mean there isn't room for humor and / or interesting observations, which your author(s) will no doubt interject from time to time. As this is the 'kick off' entry, we're keeping it brief, with the intent being that we'll have lots to discuss and comment on in 2009 and beyond!