<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace &#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/security-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Wed, 01 Sep 2010 15:46:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Observations from RSA &#8211; 100% compliant does not mean 100% secure</title>
		<link>http://www.coretraceblogs.com/2010-03/observations-from-rsa-100-compliant-does-not-mean-100-secure/</link>
		<comments>http://www.coretraceblogs.com/2010-03/observations-from-rsa-100-compliant-does-not-mean-100-secure/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 21:08:58 +0000</pubDate>
		<dc:creator>Dan Teal</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[security compliance]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1334</guid>
		<description><![CDATA[Yesterday, I sat in the RSA panel titled, &#8220;Cyber Security: An Arms Race.&#8221; It was an interesting panel because, of course, cyber security is an arms race. One of the recurring comments from the audience was centered around, &#8220;Who should be responsible for defending our networks?&#8221; This is a question that has been debated for [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday, I sat in the RSA panel titled &#8220;Cyber Security: An Arms Race.&#8221; It was an interesting panel because, of course, cyber security is an arms race. One of the recurring comments from the audience centered on the question, &#8220;Who should be responsible for defending our networks?&#8221; This is a question that has been debated for some time now. The answer kept leading back to government and compliance. However, members of the audience did not realize that one of the fundamental axioms of computer security is: Compliance does not mean secure.</p>
<p>We are familiar with the above statement. We all know that security compliance may increase security but does not completely provide it. A great example of this occurred in the fall of 2008 within the DOD. Systems running in the DOD networks were compliant with FIPS 140-2, Common Criteria, and other standards. The systems and networks were operated by a staff of trained professionals. But even with all of the compliant security measures in place, Conficker still propagated throughout the DOD networks, causing over $100 million in cleanup costs.</p>
<p>A similar problem occurred at Heartland Payment Systems. Even though Heartland was fully PCI compliant, hackers still stole information on the 100 million credit card transactions that are processed each month.</p>
<p>Compliance is important, but we must remember that compliance standards may take years to create and are never updated fast enough to stay current with today&#8217;s threats. Organizations must protect against the threats of the past by being compliant. They must also defend against the threats of today by being proactive. Application whitelisting is the proactive solution against today&#8217;s threats and must become the cornerstone of any security strategy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-03/observations-from-rsa-100-compliant-does-not-mean-100-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
