
Security Profile: Mark Kadrich, The Security Consortium

Mark Kadrich is CEO of The Security Consortium and author of Endpoint Security. His resume includes Symantec, Sygate and brands like AltView and Conxion.


Mark is a person who cares about security: not the pushing of boxes, but the process that security is. He is also a very fun guy, and extremely knowledgeable.

Please tell us about TSC, Mark.

“TSC provides companies with testing, research, counsel and leadership services where we provide a means to balance security against business objectives. Our Pre-assessment service for PCI-DSS is a great example. It is a tool-box to identify issues early on.

We have seen in the past several cases where a company was certified as PCI-DSS compliant, and after a breach, Visa simply said ‘sorry guys, you were no longer compliant at the time of the breach’.”

Mark gets animated. His voice carries the warmth of a father who cares very much for his kids. As he goes on, paying attention is very easy.

“The challenge with all standards is the fact that you get certified at a point in time. You take a shot, a benchmark of the reality, and that is what gets certified. But in business, things move quickly, and very quickly, that benchmark is left behind. Still your certification is attached to that very benchmark.

Just consider patches and updates. Imagine your certification, your PCI-DSS compliance, is stamped January 10th. Three days later, you have to update the firmware on your firewall. Or you update your servers because Microsoft has provided new updates. What happens?”

Mark takes a deep breath.

“I’ll tell you what happens. You are no longer compliant! Your certification was for the snapshot, the benchmark you made January 10th. But once you’ve updated your firmware or servers, that snapshot is no longer accurate; as a result, your systems are no longer compliant to that benchmark.”

He is silent. For a fraction of a second.

“As long as you stay under the radar, you are fine. As long as you get no breaches, no one really cares. But the moment you get a breach, the very moment you need to show off to the world that you did everything you could do to prevent the breach, that is when the truth dawns upon you. You realize that you are no longer compliant. And Visa blames you, your customers blame you, and you get fined. Just imagine the costs!”

Huge numbers fly by my eyes. The unfairness of standing alone when you need the support the most weighs on me. And Mark is not done yet:

“Imagine if you spend a small percentage of what you originally spent to get compliant for a pre-assessment test. You would be able to align your security to your business objectives. You would be able to identify the technology to support you and your mission. You could step up the ladder, and use the technology as a tool, an enabler, not as a slave master dictating how you should run your business.

I am a process control geek. And process is our focus at TSC. We believe that implementing the right security process is the way to achieve the best security. Technology is used to support the process, not the other way around.

Aligning the process with the business objectives is the core.”

As Mark takes a short break, I imagine the challenges this approach would meet at some of the companies I visit. They truly believe that technology alone is the security saviour. And most of the time, they discover too late that technology is merely a tool to enhance their internal workings.

“Yes, it is a challenge. Change is always a challenge, as resistance to change exists in any organization. And often you can see that organizations put all their beliefs in the technology alone, for example by using end-to-end encryption between two locations. It makes it harder to eavesdrop, but it also enables a hacker to hide in the encrypted tunnel.”

Mark is very focused on the fact that you cannot rely on a standard alone. It must be adopted and implemented into the organization by focusing on the business objectives of that very organization. The whole purpose of the standard is to provide a framework to build processes with.
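As an added illustration of the point-in-time problem Mark describes (example code written for this page, not TSC's or Mark's own tooling; the component names, versions and the 2008 date are constructed), this compares the inventory that was certified on January 10th with the inventory after routine patching and lists exactly what no longer matches the certified benchmark:

```python
# Added example, not part of the interview: a dated compliance baseline compared
# against the live inventory of the same systems. All values are constructed.
from dataclasses import dataclass
from datetime import date
import hashlib
import json

@dataclass(frozen=True)
class Baseline:
    """What the assessor certified: a dated inventory of components."""
    certified_on: date
    components: dict  # component name -> version or patch level

def fingerprint(components: dict) -> str:
    """Stable hash of an inventory; equal hashes mean the snapshot still holds."""
    canonical = json.dumps(components, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def drift(baseline: Baseline, current: dict) -> dict:
    """List every component that differs from the certified snapshot."""
    old = baseline.components
    return {
        "changed": {k: (old[k], current[k]) for k in old if k in current and current[k] != old[k]},
        "added": {k: v for k, v in current.items() if k not in old},
        "removed": {k: v for k, v in old.items() if k not in current},
    }

def still_matches_certification(baseline: Baseline, current: dict) -> bool:
    """True only while the live inventory is exactly the certified one."""
    return fingerprint(baseline.components) == fingerprint(current)

# Constructed sample: certified on January 10th, patched three days later.
CERTIFIED = Baseline(date(2008, 1, 10), {
    "edge-firewall-firmware": "4.2.1",
    "web-server-os-patch-level": "2008-01",
    "card-db-server-os-patch-level": "2008-01",
})
AFTER_PATCHING = {
    "edge-firewall-firmware": "4.2.3",            # firmware update on the 13th
    "web-server-os-patch-level": "2008-02",       # vendor patch cycle applied
    "card-db-server-os-patch-level": "2008-01",   # untouched
}

if __name__ == "__main__":
    print("still matches certification:", still_matches_certification(CERTIFIED, AFTER_PATCHING))
    print(json.dumps(drift(CERTIFIED, AFTER_PATCHING), indent=2))
```

The same comparison run on a schedule (Mark's pre-assessment idea) turns "are we still compliant?" from a question asked after a breach into a report you can read after every patch window.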

After an hour's discussion, laughing and learning, I have to end the call. I get a distinct feeling that I will continue to talk to and learn from Mark Kadrich. And I expect to see a lot more from him in the future.

Windows 3.1 is dead - so what?

Today, John Sheesley amused me with his attempt to use Windows 3.1 (actually 3.11, Windows for Workgroups) as a workstation in 2008. Those of us who remember WfW may wonder why on earth he would do that, but I will leave it at that.

One would think that using software designed only 15 to 20 years ago should be quite possible today. After all, a PC is still a PC, right?

Not so. A PC of today (2008) is based upon the same principles as back in the early 1990s, but the technology has reached a maturity point where backwards compatibility hardly exists.

Yes, you may get WfW to actually work if, like many others, you keep an old 486, or even a P1/P2, in a closet nearby. The challenge will be to render it useful, as John realises:

"The latest and greatest Web browser I could find for Windows 3.x was Internet Explorer 5.01. This was surprisingly modern — I thought IE 4.01 was the last version for Windows 3.x. Alas, it’s not modern enough. After installing this browser, it quickly became apparent that you can go almost nowhere with IE 5.01."

And IE 5 is not 15 years old; it is more like 5.

Now, why should you, a security minded reader, care about the fact that John failed this project?

Several reasons come to mind:
  • From a continuity point of view: if you rely on some old hardware or software, make sure you have the tools and systems available in case of a failure.
It is not enough to dust off the old software boxes; you need to set up a system in parallel and verify that you have all the bits it takes. I even suggest you make this a routine thing, once every year, month or week, depending on the criticality. I also suggest you start planning to replace the old system with something a bit more modern.
  • From a data storage point of view: if software can become totally obsolete in less than 5 years, you need to make very sure that your backup systems, long-term storage and any other data you may require access to in the future use technology you are still able to access.
If you have a bundle of old tapes from a streamer that got replaced some time back, will you be able to access that data? Also consider the long-term effect light, magnetism and dust have on equipment. CDs and DVDs are not safe for more than 10 years of storage, and even that is no guarantee. (This is contrary to the advertisements in the middle of the 1990s, which claimed CDs to be the best long-term data storage available and that they could last for a hundred years.)
  • From a compliance point of view: if you are obliged to store information for a period of time (3, 5, 7 or 10 years), you are also obliged to be able to access the same data in the future. It is your responsibility, and it is usually a good idea to plan the technology at the same time you plan what to store and where to store it.

I find one of the comments to the article particularly nice:

"What will happen in the next 5 years? Is XP, 2000 going to be out of date also? Will we be able to keep up with the changes that are coming? How can we keep up to speed?"

Yes, XP, 2000 and many others will be out of date. 2000 actually went out of date this summer, when MS pulled the support for it. Anyone remember OS/2? DOS, I guess, most still remember, but only hardcore old-timers still use it to some extent. The world (and the technology with it) moves on.

To keep up with changes, you need to keep track of what is going on, as well as of your own requirements. You are required to update once in a while, but you do not need to jump on the latest versions of everything, unless you have special requirements. It is simply a matter of balancing your needs.

Ranting Rob is spot on

One of my favorite bloggers, Rob Newby, has been ranting about business, technology and compliance the past few days.
He is making one major point: NAC and firewalls will not last forever.

Although I am certain that his posting will cause an uproar among some of the vendors, and some of the technical readers as well, I happen to agree with Rob.

Technology evolves. It changes. It adapts.
Most importantly, it must change. It should adapt. If it did not, we would still be riding rock carts like the Flintstones.

And I must admit I prefer heated, leather-coated, soft seats, where I can listen to a V8 roar at will, knowing that some years down the line, the V8 will be replaced by an electric engine.

With IT, it is the same thing. As it is with security. The thing on your lap is not an ENIAC, mind you!

If you take a look at the firewall, it is easy to understand as well. The port-controlling (stateless) firewall from the 80s is still in place in today's firewalls, but it is only a small part of the package. Add stateful inspection, AV and AS, web filtering, VPN and a coffee machine, and you have the UTM of today.

With NAC, the same thing will happen. It will end up as just one part of the internal security systems. And some years down the line you will no longer realize that what was key technology in 2007 happens to be only one of many technologies that take care of your ICT systems.

The challenge of all times in a commercial world is to be able to look beyond the buzzwords, and to use your own business targets, goals and challenges when you choose your strategy.

Only when you take control yourself will you be able to control your world. If you leave the decision making to vendors and buzzwords, you will find yourself a hostage of insecurity: you will never know if you are adequately secured. And that is the point of forcing compliance and governance: to put you in control, to enable you to drive your modern, secure and up-to-date car.

So that you do not have to keep dinosaurs as pets and kicking about in your rock cart.
