April 28, 2009

Security is a journey, not a means to an end

I do not know who said this, but they are right.  Threats are always changing; therefore, the tactics necessary to protect your organization’s assets are also always changing.  As a result, security is never a project that is completed; it is one of those never-ending projects.

As I stated in an earlier post about complaints that the PCI DSS always seems to be changing, the PCI DSS changes in response to the threat landscape changing.  And just when you think you have things under control, out comes a new threat that puts a hole in your ‘perfect’ security.  And so the process starts over as you come up with a plan to close the latest hole.

When threats originally started out, they were focused at the network level.  Denial of service attacks were all the rage.  Attacks used the available network services against themselves.  Any network was a potential target.  Remember that last statement.

When those services were disabled, the attacks moved up to the operating system.  However, unlike network attacks, operating system attacks were specific to an operating system.  This is why Windows captured the market on attacks.  When you own 90%+ of the market, you become the biggest target.  However, as Linux and other systems get wider adoption, it is just not good enough to write a Windows attack.

But now the situation is getting worse.  Why?  Because we have created an ideal attack environment in our desire to have every computer operate like all others.  We have created a situation that allows threats to be cross-platform automatically.  How?  We are migrating our applications to SQL-based databases and browser-based applications.  This creates the perfect attack environment because attackers can develop threats against a single environment.  This is why attacks have moved away from the network and operating system and have moved to the application with cross-site scripting and SQL injection.  And the future for attacks will continue to leverage this common environment because, in our infinite wisdom, we continue to migrate all of our applications (external AND internal) to this environment.  Remember my statement about any network being a target.  What goes around comes around, and now every application is a potential target.

What was the PCI DSS response?  Requirement 6.6 was added in v1.1 to institute code reviews or the use of application firewalls.  Requirement 11.3 was changed in v1.2 to include conducting penetration testing on all external AND internal applications.
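To make the application-layer point concrete, here is an added example (mine, not the PCI Guru's and not part of any PCI DSS document) of the two defects a Requirement 6.6 code review is looking for: SQL built by string concatenation and HTML built without output encoding, each shown next to the corrected form. The merchant table, the region values and the review probe string are all constructed for this illustration; the database is an in-memory SQLite instance so the script runs offline.

```python
import html
import sqlite3

# Constructed in-memory database standing in for an internal reporting back end.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, region) VALUES (?, ?)",
        [("Acme Grocers", "east"), ("Beta Fuel", "west")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, region):
    # Finding: user input is spliced into the statement text, so it can change
    # the query's logic instead of acting as a value.
    sql = "SELECT name FROM merchants WHERE region = '" + region + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, region):
    # Fix: a bound parameter is always sent as data; the statement shape is fixed.
    sql = "SELECT name FROM merchants WHERE region = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (region,))]


def render_vulnerable(name):
    # Finding: database content is written straight into HTML, so any markup
    # stored in a merchant name is rendered by the browser (cross-site scripting).
    return "<td>" + name + "</td>"


def render_escaped(name):
    # Fix: encode for the HTML context before emitting.
    return "<td>" + html.escape(name, quote=True) + "</td>"


# Constructed review test case: a tautology that a correctly bound query must
# treat as an ordinary (non-matching) region value.
PROBE = "east' OR '1'='1"


def differential_check(conn):
    """True when the parameterized path treats the probe as data and the
    concatenated path lets it widen the result set to every row."""
    bound = lookup_parameterized(conn, PROBE)
    spliced = lookup_vulnerable(conn, PROBE)
    return bound == [] and len(spliced) == 2


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", lookup_vulnerable(db, PROBE))
    print("parameterized:", lookup_parameterized(db, PROBE))
    print(render_vulnerable("<b>Acme</b>"), "->", render_escaped("<b>Acme</b>"))
    print("review check passes:", differential_check(db))
```

The differential check is the kind of regression test a review can leave behind: it fails loudly if someone later reintroduces string-built SQL on that path. Note that a web application firewall (the other option Requirement 6.6 offers) would only sit in front of these functions; it does not remove the defect from the code.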

And given the voracity of insider attacks, it is likely that even more changes are coming.  After the Hannaford, RBS WorldPay and Heartland breaches, there is a call for end-to-end encryption.  While this may stymie insider attacks for a while, I am certain the attackers will find a new vector and we will start the process all over.

So, if you do not like constant change, you had better get out of the security business – NOW!  And do not let the door hit you in the posterior on your way out.
