CSI 2010: Compliance does not equal security

The Thursday morning keynote delivered by Jim Jaeger, director of DoD & commercial cyber solutions for General Dynamics Advanced Information Systems, underscored the fact that cybersecurity is constantly in flux, because every second of every day, approximately 200 people around the world become new internet users.

And with this explosion of users and networked devices comes the accompanying security concerns. “The cybersecurity arena is such a dynamic field. Technology moves fast, and so does the threat that we defend against”, Jaeger told the rather red-eyed audience gathered to hear him speak at 8 AM.

“Keeping pace with an advanced and persistent evolving threat requires advanced and persistent training programs”, he added. He continued by likening security pros to beat cops, responsible for protecting their own neighborhoods.

Jaeger said that contrary to General Dynamics’ reputation as a major defense contractor – namely the manufacturer of tanks for the US Army – his company is deeply involved in cyber forensic investigations, including analysis on the infamous TJX data breach. Additionally, General Dynamics provides much of the manpower for the Department of Homeland Security’s US-CERT team.

What his experience in these investigations has shown, said Jaeger, is that hacking continues to grow rapidly because it is considered to be a low-risk crime.

“Cybercriminals have found that breaking into computer networks, in many cases, is relatively easy. Anytime a human finds a low-risk proposition, with a relatively high payoff or reward, you’re going to find a very high probability of occurrence”, Jaeger said.

He added that cybercriminals are moving on down the food chain, focusing their attacks on medium to smaller-sized financial institutions, retailers, and other organizations. He cited McAfee’s data, which shows that attacks against medium-sized firms have tripled in the US between 2008–09. “The hackers clearly believe this relatively low-risk proposition is likely to pay off with mid-sized companies”, Jaeger noted.

He then went on to tout the now all-too-familiar layered approach to security based on General Dynamics’ experience with investigating breaches, and with good reason. “Any determined hacker can get into any network if you only focus on that hard, crunchy outer shell of the network”, Jaeger warned. “We are seeing way too many attacks where, once the intruder gets through whatever external barriers you have, they wander around inside the network for days, months, and, in some cases, even years. Defense in depth is incredibly important.”

After all the background, Jaeger finally came around to the focus of his discussion – the need to go beyond compliance. “Virtually every breach we investigate, that company has been certified as being compliant within the last year” with major standards, such as HIPAA, PCI, and so on. This was the biggest lesson he’s learned from the forensic investigations his company has conducted.

In some cases the companies were being certified while the breach was occurring. “In many cases, these compliance regimes give people an incredible false sense of security”, Jaeger said, while being careful to point out that regulatory compliance is still important. “But you can’t rely on the fact that you’ve been certified”, especially when certification is conducted by companies you are paying for their services.

He tends to view compliance standards as “pillars” for sound information security, but compliance must be built on the more solid foundation of a comprehensive network security program in Jaeger’s opinion. The message he imparts: “Don’t let your corporate leadership be fooled into thinking they can rest on the fact that they’ve got the compliance box checked again this year. We all have to look at network security from a much more holistic perspective than just compliance regimes”.
