NIST Announces Security Framework... Yawn
President & CEO
Let me start out by saying that I have a bias against compliance standards, especially those that are non-specific, not prescriptive, require voluntary cooperation for information gathering, and allow auditors to pass judgment on adequacy with little oversight or discussion. My passion has always been for implementing real security and for always being aware of the latest threats and mitigations. There is a definite place in the business world for operational standards such as segregation of duties, four-eyes transactions, workflow approvals, and attestation of privilege.
I have also believed that the government has a place in setting standards for many things, including appropriate national security and financial standards. But for a standard to be effective, it must be specific, prescriptive, easy to measure, and carry clear penalties for failing to comply. Some Federal and State standards are good; others seem to be a concerted plan to mow down large swaths of forest to print paper documents of little to no value to the citizen.
The recently announced NIST framework is a lot of useless and redundant verbiage that collects standards that have existed for at least a decade. There is nothing fundamentally new, revolutionary or even effective in the framework. One should ask the question: was Target compliant with all of these standards? The answer is most probably yes, given that they had top-notch auditors following almost all of these guidelines and frameworks.
So then, how did Target suffer such a devastating loss given its compliance? Target failed to implement security and chose instead to implement audit compliance. Security provides real protection but requires constant investment, training, and the latest tools and skills. Audit compliance generates paper and makes money for auditors, as well as providing a virtual get-out-of-jail card (which is not going to work
The real truth to know about security standards and frameworks is that hackers and nation-states don't care about them. Given that they are generally toothless (no one is enforcing them with fines for non-compliance) and completely generic, they are essentially worthless and ineffective. Target was PCI compliant (another security framework), yet it did not implement the basics of security (changing passwords and controlling access to its networks).
The frameworks don't force companies that are naive about security, or just cheap about the necessary investments, to get smart and invest appropriately. Generally, fines and other penalties are about the only thing that gets companies to fix their security.
Security frameworks such as the NIST guidelines are pretty much self-employment documents for the large auditor firms: they generate more revenue, more confusion and more fear, but do not deliver real security. The standards (they are really too vague and unenforceable to be called standards) effectively create a new set of places to charge customers for arbitrary judgments as to what is "good security" and "adequate", while criminals are breaking in wherever and whenever they want.
Ask Target: how well did security framework standards like PCI protect
them? The answer is obvious if you had to get a new credit card or
reset your email password. Security frameworks are no substitute for
intelligent and vigilant security staff, technology and processes.
What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.
Financial Services Firm
Founded more than a century ago, this investment and wealth management firm has nearly $90 billion in assets under supervision.
Situation: The firm needed to manage its service accounts to increase security, prevent lockouts and comply with GLB (Gramm-Leach-Bliley) and other regulatory mandates.
Solution: Lieberman Software's Enterprise Random Password Manager (ERPM) was deployed to systems on the company's cross-platform network to automatically find, track and secure privileged accounts, including service accounts.
Result: The company is now fully automating all privileged identity management operations, significantly increasing security and easing regulatory compliance.
"... built a list of what we wanted ERPM to accomplish and how we wanted to test it. We then spent two days putting ERPM through its paces. It fit the bill perfectly. Service account management was the main selling point."
New in Identity Week
Featured commentary on our Identity
Week blog this month includes:
- Banking and the Cloud. A trend
that has caught the attention of some in the technology media is the
reluctance of banks to move to the cloud, despite the benefits. The
reason is that over the past 15 years banks, to a large measure, have
lost control of their IT environments. This situation stems from a
combination of M&A and a rush to outsource IT operations...
Events / Press /
Valentine. SC Magazine UK. From being drawn in by a honeypot, through to being compromised, lessons from life can have parallels with what happens online, suggests Calum MacLeod.
Exclusive Networks sharpens up reseller support service plans. MicroScope. Emerging tech distributor Exclusive Networks has unveiled a new services wrap, named Passport, to help equip its partners with cross-vendor support around level one and two maintenance as well as pre-sales, training and other custom services.
Details Sophisticated 'Mask' Robber Ops. E-Commerce Times.
The Mask apparently has been lurking in the shadows since 2007, but
within hours of Kaspersky Lab's announcement of its discovery, the
malware's operators shut down its infrastructure and slipped into the
Tech Tip of the Month
Get Trained on E/RPM
If you are an Enterprise/Random Password Manager (E/RPM) customer or authorized partner, become an E/RPM Certified Professional. We offer free training classes at our headquarters in Los Angeles, CA. Here's