Compliance != Security

We have so many compliance regulations and auditors now that information security should be getting exponentially better every year. PCI just came out with a new standard, HIPAA received an overhaul recently, and who knows how many other NIST standards are being re-written and re-worked. This is not the case; we see compliant entities are hacked all the time. Worse, they are hacked with what seems like the same old techniques. Disclaimer: I know some talented auditors and they understand where the pitfalls and shortcomings are, do not blame the auditors.

I understand, and sympathize, with the fact that some you have to be compliant to some organization. I also believe that compliance was (is) a good idea and that it means well. What appears to happen is that compliance becomes something you can purchase. We also believe that a compliance-based certification makes our auditor an expert. Business owners want to know "How secure can I be for n dollars?" "How much will it cost to be secure in area x?" For some reason we (security dudes) have not adequately conveyed, (or maybe we have) that this is not a static black and white area. Threat and attack vectors shift and change from day to day, hour to hour, and sometimes form one minute to the next. Is there an effective way to combat this without bankrupting your organization? Can this be done without implementing a police state on your users? Yes, it can. Can you be "hacker proof,” ever relax, and do things the same way you always have? No, you cannot. Working together with the right information security personnel, policies, procedures, and technical controls, you can bring balance to the force.

When preparing for an audit, remember that an auditor can be used to enhance your security posture. One organization I have seen in the past viewed an auditor as an enemy and spent weeks planning how to lie and hide things. It would have been less expense and effort to be compliant. The auditor you choose, or is chosen for you, can also determine your security posture. An auditor with experience as a penetration tester is likely to ask better questions when using the unfortunate checklists. An auditor who is only trained to observe a checklist may view things differently. For example, firewalls are typically required by compliance mechanisms. An auditor thinking like a hacker is used to overcoming and bypassing firewalls and may choose to audit your rule set or assist with configuration changes. You may have a best-of-breed monster firewall but if you have 700 exceptions then you may be leaking data. Web proxies are another good example. You may have every user flowing through a proxy to prevent abuse, drive-by downloads, and policy enforcement. An auditor with a penetration testing background may think to ask how many SSH tunnels (users possibly bypassing the proxy) are exiting your network where a standard auditor may not think of this. Remember, not all CISA, CISM, and QSAs are created equally. If you need an auditor, send me an email I know several excellent folks that are also active pen testers.

Next, make sure you do prepare for compliance, or certification & accreditation audits. How you prepare is critical. While you should make sure you are prepared for the auditor's checklist, do not stop there. Do not assume an attacker will be using that checklist or that the creator of that checklist thinks like an attacker. As a best practice, have an independent third party red team your environment. Penetration testing from multiple perspectives can provide excellent insight concerning your security posture. Being tested externally and internally from black\white\crystal box perspectives will provide you with a comprehensive understanding of where you stand. When I say third party I mean completely not affiliated with your organization. If you are a govt agency, I am not referring to your agency's IG or internal audit. Hire people who will think like a bad guy but are not part of your blue team efforts. There are several reasons for not using your own people; I will list a few here:


Your people are familiar with your culture and environment. While this can be a good thing, it can skew results by overlooking points of failure or vulnerability.
Pride may come into play. How forthcoming will your people be in pointing out issues in a program they have spent years "perfecting."
A third party does not stand to lose (or gain) from your organization's internal culture. (Performance reviews, bonuses, profit sharing, etc.)
A third party will see if your paper policy is effective. A policy without a control is an exercise in writing and awareness.

I am sure there are more but my ADHD has kicked in and I lost interest.

Most importantly, remember that threat and attack vectors change rapidly. You passed your audit today, you got red teamed and remediated every single finding; good job but remember what the attacker could not break yesterday they can today. Information security is a never-ending profession and requires constant vigilance and dedication. Make sure you (and/or your team) are constantly learning. Stay on top of new threats and attacks by listening to the security researchers out there. If you and your people are behind, get some training and/or hire some consultants to get you up to speed. The only thing that will make you secure is you and your team.