The Challenge of Security by Compliance

Financial services organizations are unsure ofhow to best secure their information infrastructure without disrupting their business activities.
Financial services organizations are unsure ofhow to best secure their information infrastructure without disrupting their business activities.
Many banks and financial services organizations turn to compliance as their fundamental approach to securing data and information infrastructure.
Many banks and financial services organizations turn to compliance as their fundamental approach to securing data and information infrastructure.
Josh Corman, IBM ISS
Josh Corman, IBM ISS

The concept of security by compliance provides short-term benefits to many banks and financial services organizations that are trying to establish a baseline of capabilities. It can however cause numerous challenges in the long term and actually make them less secure.

Given the ever evolving and maturing nature of the adversary community and their attacks − as well as the growing number of regulations and standards which banks and financial services organizations are being asked to comply to − organizations are unsure of how to best secure their information infrastructure without disrupting their business activities.

Starting Point

The argument that is commonly used in the finance sector, by organizations that follow a protocol of security by compliance, is that they are unsure of the best practices that are most effective for securing their data and information infrastructure. These organizations claim to be looking for guidance.

This argument is particularly applicable for banks and financial service organizations that have not implemented capabilities previously, or do not currently have the staff or knowledge available to focus on information security and risk management.

A key example of this is the Payment Card Industry Data Security Standard (PCI-DSS), which provides prescriptive guidance on capabilities and technologies an organization needs to have in place to secure credit and debit card information. The capabilities, which are prescribed by this standard, do not take a threat or risk based approach, but attempt to present industry leading and generally accepted practices which can assist organizations in their efforts to secure data and information infrastructure.

Josh Corman, a principal security strategist with IBM ISS, questions whether PCI-DSS is trying to cover too many bases.

“We aimed to raise the bar, but now we have lowered it for the top performers - and we're teaching to the tests - versus raising the maturity of risk and security programs”, he says.

Speaking at Interop Las Vegas in May of this year, Corman noted that virtualization is often a risky proposition for highly regulated, mission-critical applications, because people and processes are not ready for virtualization and the information security risks it introduces.

According to Corman, in addition to informationsecurity threats to the hypervisor and the virtual machines it controls, virtualization makes it difficult to meet strict regulatory requirements such as PCI-DSS.

"If you have a choice, I highly recommend you don't adopt virtualization for any regulated project", says Corman, adding that, “if you're going to make mistakes, it's better to do so on less critical systems”.

As a starting point, PCI-DSS will allow a financial services organization to implement fundamental technical capabilities and controls that should allow them to repel attacks from novice level adversaries who are utilizing known exploits and tools which can be easily found and downloaded from the internet.

Unfortunately, the black hat hacker community - which is currently causing a significant challenge to financial organizations - is highly advanced in its knowledge of IT systems and practices.

By using a combination of freely available utility software, as well as a range of custom hacking tools that have been developed in secret - and therefore not tackled by the security vendor industry – the hackers have been scoring some successes on the attack front.

Other industry standards such as the Federal Financial Institutions Examination Council (FFIEC) guidelines, International Standards Organization 27000 series, National Institute of Technology (NIST) 800 series, and the Information Technology Governance Institute’s (ITGI) CoBIT standard also provide functions, controls, and guidance that financial organization’s can use to establish a baseline of information security capabilities.

These allow them to enhance their information security posture while being able to demonstrate to third parties − including customers, regulators, and partners − that they are taking information security seriously and are protecting their information and associated information infrastructure.

"Information security compliance itself provides many benefits to banks and financial services organizations by ensuring they are meeting a baseline set of requirements."

All of these guidelines and standards attempt to achieve the goal of providing industry leading knowledge and generally accepted methods and practices that can assist organization’s to implement and mature their capabilities. None of these guidelines and standards, however, are intended to be the definitive authority of how banks and financial services organizations should approach information risk management and security.

The Risks

Many banks and financial services organizations turn to compliance as their fundamental approach to securing data and information infrastructure because they believe that compliance will finally allow them to answer the question, ‘Have they done enough?'

IT management professionals have become frustrated by security thought leaders, media stories, consultants, and even their own staff bewildering them with stories of potential cyberattacks that could occur.

These individuals are attempting to instill fear, uncertainty, and doubt into the business leader’s minds to try and convince them to invest in capabilities and staff that may or may not be appropriate for their organization.

Information security compliance, in the minds of many senior managers, is a credible argument they can use to address the concerns of these individuals − as well as their stakeholders and customers − to demonstrate that they are doing enough to protect their organization and their information.

Many IT management professionals are interested in doing as much or slightly more than their competitors and peers in information security and not much more. By using compliance as their measure of effort, they can demonstrate to all interested parties that they are doing what can be reasonably asked of them without investing more than a minimum amount to achieve this goal.

By using compliance as their measure of information security effectiveness, financial organizations will have a false sense of security and can be vulnerable to adversaries and attacks. In recent years this has become a key conversation point when discussing industry standards such as the PCI-DSS standard.

A number of high profile organizations such as Heartland Payment Systems, Hannaford food stores, and Network Solutions all had significant incidents in recent times where their customer data, including card data, was compromised. Each of these organizations where certified to be PCI-DSS compliant by their Qualified Security Auditors (QSAs) prior to these incidents.

These organizations all relied on the PCI-DSS standard and the associated verification audits as their proof of security, and focused their efforts on implementing the capabilities and controls prescribed by this standard.

Paul Stamp, SIEM Solutions Evangelist from RSA has an interesting perspective on this: “I went to school with a guy who was awesome at passing exams. He's now an actuary. I doubt most self-respecting IT security people want to be reduced to being the security equivalent of an actuary.”

According to Stamp, all too often vendors go to banks and talk about compliance, and then throw up a slide showing an alphabet soup of regulations and standards, with no context about what they mean or how their product can help.

Not only is this approach to security compliance confusing, he says, “but it shows a lack of understanding to customers, who are generally well educated about what these regulations and standards mean”.

“I know this is basic stuff, but it's useful to recap once in a while. I always like to break compliance requirements up into three big buckets – specific mandates, best-practices based requirements and data breach laws.”

Compliance is Not Enough

Information security compliance itself provides many benefits to banks and financial services organizations by ensuring they are meeting a baseline set of requirements. Unfortunately when they choose this method as their only approach, and align themselves to external guidelines, standards and requirements, they are highly susceptible to attacks since the adversary community also has access to this information.

"Compliance should be the natural byproduct of an effective information risk management program."
Josh Corman, IBM ISS

By carefully reviewing these guidelines and standards, adversaries can easily decipher where banks and financial services organizations are spending their time, and what information security technologies they are implementing.

With this knowledge they can circumvent an organization’s controls and launch successful attacks in areas that are not being addressed in these guidelines and standards. They can also take advantage of weaknesses in the approaches that are typically utilized to implement and operate these capabilities.

A Better Approach

Financial services organizations that rely on security by compliance to provide security for their data and information infrastructure often find themselves constantly trying to keep up with global compliance requirements without substantially increasing their information security posture.

A more effective approach is to develop capabilities and implement controls based on threat and vulnerability analysis and risk management. Threat and vulnerability analysis activities allow organization’s to understand the ways in which their business processes, data, and supporting information infrastructure can be successfully attacked and the probabilities of these attacks actually occurring.

Once they have this information they can then align it with their risk management profile to ensure they are applying the appropriate level of vulnerability management and information security capabilities to properly protect their organization.

By applying a threat and risk based approach to information security, banks and financial services organizations can more effectively protect themselves. Rather than allowing guidelines, standards, and third party organizations that do not have direct knowledge of their business processes to define what is appropriate for them, they decide what is appropriate for their needs.

Corman, summarizes this saying, "Compliance should be the natural byproduct of an effective Information Risk Management program”.

Corman continues, “If a financial services organization applies this kind of approach they are more likely to effectively protect their organization, information, and associated information infrastructure while causing minimal impact to their business processes and activities”.

A Losing Game

Security by compliance has provided banks and financial services organizations a starting point to protecting their information and information infrastructure, but has also provided them with a false sense of security.

Many of the current guidelines and standards that these organizations are scurrying to comply with do not effectively address the current attack trends including application focused attacks and insider threats.

These standards try to present themselves as best information security practices, but in reality there is no such thing. There are industry-leading practices and generally accepted guidelines and principles that are typically effective, but only an organization can define best practices that are appropriate and effective for their business requirements.

As long as banks and financial services organizations rely on compliance to measure their level of effectiveness for information security, they will always wonder why the adversaries always seem to be winning. The sooner they apply a threat and risk based approach to information security the faster they will be able to protect themselves from today’s adversaries and tomorrow’s threats.

What’s hot on Infosecurity Magazine?