Compliance Doesn't Mean Secure

by Brad Garland


Yet another breach of a major corporation and the finger pointing begins. Trustwave was cited in a class-action lawsuit as the vendor entrusted to maintain data security for Target. In a lawsuit filed on Monday, Target is alleging that Trustwave "failed to live up to its promises or to meet industry standards" - quoted from the Network World article I recently read. The industry standard they are referring to is PCI-DSS which was pushed by Visa and MasterCard to protect customer data.

What most people think of as an "industry standard" is not the only means of security you should implement throughout your network. An industry standard is more of a baseline for security rather than the best way to secure your network. PCI-DSS is one of the many compliance guidelines an organization can follow but by no means is it the only form of security you will ever need.

The Target breach underscores the reliance on such industry standards, but organizations should consider more than one compliance framework and more than one security standard. Most of the compliance frameworks are outdated and are generally based on best practices for IT security. FFIEC, for example, was written a decade ago but is still in use by banks today. The FFIEC does update their framework, but by no means does it cover every aspect of security.

Target alleges that Trustwave performed a vulnerability scan on Sept. 20, 2013 and no vulnerabilities were found. What is not mentioned is that most vulnerability scanners are scanning for vulnerabilities that are published and well known. Most vulnerability scanners will not pick up on a zero-day threat that hasn't been published and documented. So whose fault is that?

The point here is that just because you are compliant with a particular standard doesn't mean your organization is as secure as it can be. Defense in depth and layered security are some of the ways to keep your network secure. However, keep in mind that threats are ever evolving, and leaving even a single hole in your defenses can lead to a security breach. One open port on a firewall, one password written down, one user divulging information to a social engineer is all it takes. Heck, the Target breach was allegedly via the HVAC vendor. Who would have thought to try that? A skilled hacker group, that's who.

Ultimately, the responsibility for security falls squarely on the shoulders of the organization. Compliance and security standards are simply the basic guidelines to follow and not a one-stop shop for securing your organization. So when it comes to security for your organization, don't rely on one standard for everything. It takes due diligence and persistence to keep your network secure. That's why Garland Heart does a comprehensive security review for our clients, and we attack it from all angles to help keep you as secure as possible.