BreachExchange mailing list archives

7 ways to work around security compliance problems


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Jan 2014 18:04:47 -0700

http://www.networkworld.com/news/2014/010614-7-ways-to-work-around-277381.html

Regulations aimed at protecting the security and privacy of organizations
and individuals are well meaning. But sometimes these standards, or how
they're interpreted, can be more than a nuisance--they can actually
contribute to weaker security.

Here are a few examples, from security executives and analysts, of internal
and external compliance standards that are potentially problematic, and how
they can be addressed so that they don't cause problems while they're
trying to provide solutions.

Encryption and HIPAA

Many organizations and security executives are under the mistaken
impression that compliance with the Health Insurance Portability and
Accountability Act (HIPAA) requires encryption, and this can actually lead
to security problems, says Paul Proctor, vice president and distinguished
analyst at Gartner Inc.

In fact, HIPAA requires the appropriate use of encryption, which is quite a
different standard and can mean the difference of millions of dollars,
Proctor says. Aside from the overspending of time and energy on encryption,
the misunderstanding related to HIPAA can have a negative impact on certain
business processes, affect application performance and even cause users to
bypass certain controls because they're annoyed at security, he says.

Decisions such as over-encrypting data "tend to have a ripple effect, of
which lowering security is only one," Proctor says. "The answer is to
develop a risk management process that allows thoughtful consideration of
what you should do" to be compliant with regulations. "Organizations can
make poor decisions if they don't have a formal risk management
process--and most don't."

Password-Protected PDFs

Sometimes the regulatory environment has companies spending money on tools
that aren't effective, and makes life more difficult for customers. When
Tony Hildesheim, now senior vice president of IT at Redwood Credit Union,
was working at another organization, internal regulations mandated that no
account information be printed on any document.

"This also required that if you emailed a customer information, it had to
be in a password-protected PDF," Hildesheim says.

This caused multiple problems. "Many financial institutions truncate the
account number so that the whole number is not printed on any material,"
Hildesheim says. "Without an account number present on a piece of paper, it
is hard to help the customer, many of whom no longer can tell you their
account number."

The other issue is that with the company's email scanning solution, it was
having a difficult time scanning the password-protected PDF. "Therefore,
the security measure we put in place to ensure no data [such as credit card
numbers] is emailed out of the company is rendered useless because the
system cannot break into a PDF," Hildesheim says. "We had to change the
procedure, train the staff and fight with the audit department."

Regulations "are often written in response to a very specific or perceived
risk that may or may no longer exist, has other mitigations or whose
likelihood is so remote that it is a non-threat," Hildesheim says.

Overzealous Virus Scanning

Several years ago Proctor and other Gartner analysts were visiting a large
credit union to discuss security strategy. The firm had just experienced a
computer virus attack when a user had connected an infected PC to its
corporate network and inadvertently spread the virus.

"So they created a blunt rule that said every machine that comes into the
organization from outside had to have a full virus scan," Proctor says.
"This was done at the security desk and it took two hours for each machine.
When we showed up for our meeting we couldn't get in" because of the
delays. "The meeting was cancelled because of this silly decision. And who
knows how many pieces of the business were impacted because of this rule."

It likely had a negative impact on the organization's security posture
because of increased resentment toward security, Proctor says. The
solution, again, is to more clearly think through how compliance standards
should be implemented and their potential impact on all aspects of the
business.

Vulnerability Scoring and PCI

The PCI standard requirement for a "clean scan" is a huge burden on
businesses, says Adrian Sanabria, senior security analyst at 451 Research.
"It steals focus away from more effective risk-reduction work and
encourages a dangerously false sense of security," he says. Earlier
versions of the PCI security standards "required businesses to show that
all vulnerabilities rated a 'CVSS score of 4.0 or higher' be resolved,"
Sanabria says. "This is a hugely labor-intensive process that yields very
little return on security."

The key issue here is the ineffective nature of vulnerability scoring,
Sanabria says. "The automatic score given to a vulnerability--provided it
isn't a false positive--is often highly inaccurate," he says. "It is simply
a 'best guess' without some extra work to factor in each organization's
unique context. The vast majority of effort often goes into fixing
vulnerabilities that aren't a threat at all, and potentially ignoring ones
that could be critical, but were scored under PCI's threshold."

Many times larger organizations have a person entirely dedicated to
coordinating tasks and obtaining clean scans, Sanabria says. "That's one
person's time dedicated to a tiny fraction of PCI," he says. "Newer
versions of PCI have tried to correct this issue by implementing a new
requirement in which each organization applies custom rankings to each
vulnerability that affects them. Now these organizations will have to
dedicate a second person to the task of vulnerability management."
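As an added illustration of the ranking problem Sanabria describes (example code written for this archive copy, not from the article or from the PCI DSS itself), the following compares the flat "CVSS 4.0 or higher" rule with a ranking that adjusts each finding for the asset's own context; the sample findings, the weights and the 6.0 cut-off are constructed assumptions.

```python
"""Flat CVSS threshold vs. context-adjusted vulnerability ranking (constructed example)."""
from dataclasses import dataclass

PCI_CVSS_THRESHOLD = 4.0  # threshold quoted in the article


@dataclass
class Finding:
    host: str
    title: str
    cvss: float                 # scanner's automatic base score
    internet_facing: bool       # reachable from outside the perimeter
    in_cde: bool                # stores or processes cardholder data
    compensating_control: bool  # an existing control already blocks the vector
    false_positive: bool = False  # confirmed by an analyst, not by the scanner


def flat_pci_rule(findings):
    """The 'clean scan' reading: every finding at or above 4.0 must be fixed."""
    return [f for f in findings if f.cvss >= PCI_CVSS_THRESHOLD]


def contextual_score(f: Finding) -> float:
    """Adjust the base score for organisational context (weights are assumptions)."""
    if f.false_positive:
        return 0.0
    score = f.cvss
    if f.internet_facing:
        score += 2.0   # exposed attack surface raises urgency
    if f.in_cde:
        score += 2.0   # direct impact on regulated data
    if f.compensating_control:
        score -= 3.0   # mitigation already in place lowers residual risk
    return max(0.0, min(10.0, score))


def contextual_rank(findings, min_score=6.0):
    """Findings ordered by residual risk, keeping only those at or above min_score."""
    ranked = sorted(findings, key=contextual_score, reverse=True)
    return [f for f in ranked if contextual_score(f) >= min_score]


# Constructed scan results: two findings the flat rule gets wrong in each direction.
SAMPLE = [
    Finding("db01", "Default SNMP community", 5.0, False, False, True),
    Finding("pay-web", "Reflected XSS in checkout page", 3.5, True, True, False),
    Finding("print01", "Banner discloses version", 4.3, False, False, False,
            false_positive=True),
    Finding("pay-api", "Unsafe deserialization in payment API", 9.8, True, True, False),
]

if __name__ == "__main__":
    print("flat rule:  ", [f.host for f in flat_pci_rule(SAMPLE)])
    print("contextual: ", [f.host for f in contextual_rank(SAMPLE)])
```

The flat rule demands work on db01 and print01 while missing the below-threshold XSS on a cardholder-facing host; the contextual ranking reverses both outcomes.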

Encrypted Data Backups

One compliance effort that makes a difficult situation even more difficult
is the requirement for encrypted backups. Hildesheim knows of companies
required to maintain such backups of data.

"This sounds like a reasonable precaution if you are storing your [backup]
tapes in a public store," Hildesheim says. "But consider the management
and likelihood that seven years from today the encryption is able to be
decrypted. Never mind that the password or key would have to be stored
somewhere securely and cataloged. The encryption algorithm or software
would have to still be in a form that could decrypt the data."

This is even more confounded when regulators require that backup media be
encrypted, even if it is stored in a controlled storage vault to which only
your company has access, Hildesheim says. "One of the answers that many of
the regulators are wanting to see in place is encrypted electronic
backups," he says. "This again sounds good, until you realize that most
have a local store and offsite store which is in a shared environment, or
cloud."

Multiple International Regulations

For companies that offer their services primarily through the cloud, such
as learning and talent management solutions provider Saba, the need to
comply with a host of federal and industry regulations can create
complexities that potentially hinder security.

Saba complies with standards such as ISO27001; privacy requirements such as
Safe Harbor, EU Directive and other geographic privacy requirements; Life
Science Validation Environments; FISMA, etc., says Randy Barr, chief
security and information officer.

Some of these regulations are stricter than others and create challenges
that are important to address in order to provide adequate security, Barr
says.

For example, some require employees to work in the U.S., or have U.S.
citizenship. "It's difficult to keep track of individuals who work abroad,
and having to do so for some of the groups within our company can be
challenging," Barr says. "If Saba wasn't prepared for such regulations, our
ability to provide security across the board would be in jeopardy. It's
important that all departments take the time to understand the security
programs that we've communicated rather than just reviewing compliance
requirements and saying it must be done."

Saba is able to meet all of its customers' security requirements, Barr
says, but not without a huge amount of extra effort because of the complex
compliance requirements. It's working with the Cloud Security Alliance to
find more effective ways to comply with standards without draining
resources. In addition, it has formed a Saba Security Council to provide a
consensus-based forum to support the overall Saba Security program.
"Discussions around meeting the requirements of [regulations] are discussed
in these quarterly meetings," Barr says.

ISO Regulations and Roadblocks

The ISO/IEC 15408 regulations requiring Common Criteria testing can hinder
security, says Robert Schadey, CISO and director of infrastructure services
at 1901 Group, an IT services management provider.

"The Common Criteria guidelines and specifications developed for evaluating
the security within a product ensure that security standards are agreed
upon and [testing is] in place," Schadey says. For the most part, Common
Criteria validates the claims of vendors' security features with an
assessment of potential threats, he says.

"However, the overall length of time for testing and costs has caused a
roadblock for most of the industry," Schadey says. "Our focus has shifted
to providing a services-based approach for our federal customers. Services
are delivered via dynamic hosting environments whereby the infrastructure
layer may not be under a customer's control."

This can make it difficult to ensure that the intent of the Common Criteria
security measures is in place without analyzing each vendor's cloud
implementation against Common Criteria security functional requirements
(SFRs) and identifying the security gaps to determine if the cloud provider
is acceptable, Schadey says.

"The loss of control at the infrastructure layer can cause security
problems," he says. "The other issue that hinders security is the timeframe
it takes to test the products and have them available for selection off the
Common Criteria Products List."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 