Megamind Security Blog, by Adrian Mikeliunas, CISSP, CISA, PCI-QSA

This is an interactive “discussion board” where we can share our thoughts, rants, pet peeves or frustrations… in a fun and informal manner.

Let’s discuss security, from the top! Unless your organization (whether a non-profit, a multinational corporation or a government agency) is “obligated” by a government regulation, or by a business supplier or partner, to shape up and find some “security” money, most organizations invest the bare minimum until they get hacked, and only then do they start rethinking. And I’m not alone in venting about this issue: the latest Insecure Magazine (June 2010) points out that many managers at Heartland Payment Systems (the victim of one of the largest security breaches in history) knew that PCI compliance wasn’t enough to secure Heartland against a sophisticated cyber attack, but failed to take extra precautions: “Of the breaches in 2009, 81% of vendors were not PCI compliant….” Sometimes an executive will get top management to understand the security priorities: spend the money now, or prepare to deal with the mess later and spend even more [British Petroleum execs: are you listening?]. In many industries, after unfortunate events like Enron or the T.J. Maxx wireless cyber theft, a drastic change has to occur because someone was hurt. Law is reactionary: it changes to address recent painful events and enforce new rules. So for the last few years, public companies have had to deal with Sarbanes-Oxley (SOX), health providers with HIPAA, merchants that process credit cards with the PCI Council, and the US Government with FISMA. The question is still valid: are we more secure?

There are many people working in security positions who have no clue about security! Yes, you know them: the politically appointed, or those related to someone at the top of the totem pole… So what about the bottom of the totem pole? Many software engineers know their software needs more testing, but they are pressed by management to release it or else [again, it costs time and money].

So what’s my point, you may ask? Well, security is not just about firewalls, antivirus and a building badge. Those are just some of the ways security technology shows up. Security is the result of a process. A process requires people to follow procedures, and those procedures are designed to mitigate or reduce risk. Just as an insurance company will give you a discount if you have an alarm system in your house or your car, a company feels that having access cards and a badge reader, or a firewall, reduces the risk of physical or cyber attack. Unfortunately, in the real world, according to FBI statistics, more than half of security incidents are inside jobs. And that number does not even count the “oops” moments when some system administrator rebooted the wrong server: no data was leaked… only a few transactions were lost forever.

This was an introduction to the many topics we will cover in future sessions of this blog: people, processes and procedures, all in order to make our systems more secure… [hopefully!]

Securely,
Adrian Mikeliunas, CISSP, CISA, PCI-QSA