Lieberman Software
February 2014      

Top of Mind

NIST Announces Security Framework... Yawn

Philip Lieberman
President & CEO

Lieberman Software

Let me start out by saying that I have a bias against compliance standards, especially those that are non-specific, not prescriptive, require voluntary cooperation for information gathering, and allow auditors to pass judgment on adequacy with little oversight or discussion. My passion has always been for implementing real security and for always being aware of the latest threats and mitigations. There is a definite place in the business world for operational standards such as segregation of duty, four-eyes transactions, workflow approvals, and attestation of privilege.

I have also believed that the government has a place in setting standards for many things including appropriate national security and financial standards. But, for a standard to be effective, it must be specific, prescriptive, easy to measure, and have clear penalties for failing to comply. Some Federal and State standards are good and others seem to be a concerted plan to mow down large swaths of forests to print paper documents of little to no value for the citizen.

The recently announced NIST Cybersecurity Framework is a lot of useless and redundant verbiage that collects standards that have existed for at least a decade. There is nothing fundamentally new, revolutionary or even effective in it. One should ask: was Target compliant with all of these standards? The answer is most probably yes, given that it had top-notch auditors following almost all of these guidelines and frameworks.

So how did Target suffer such a devastating loss despite its compliance? Target did not implement security; it implemented audit compliance. Security provides real protection but requires constant investment, training, and the latest tools and skills. Audit compliance generates paper and makes money for auditors, while providing a virtual get-out-of-jail card (which is not going to work for Target).

The real truth about security standards and frameworks is that hackers and nation states don't care about them. Because they are generally toothless (no one enforces them with fines for non-compliance) and completely generic, they are essentially worthless and ineffective. Target was PCI compliant (another security framework), yet it did not implement the basics of security: changing passwords and controlling access to its networks.

The frameworks don't force companies that are naïve about security, or just cheap about the necessary investments, to get smart and invest appropriately. Fines and other penalties are generally the only thing that gets companies to fix their security.

Security frameworks such as the NIST guidelines are pretty much self-employment documents for the large audit firms: they generate more revenue, more confusion and more fear, but do not deliver real security. The standards (they are really too vague and unenforceable to be called standards) create a new set of places to charge customers for arbitrary judgments as to what is "good security" and "adequate," while criminals break in wherever and whenever they want.

Ask Target: how well did security framework standards like PCI protect it? The answer is obvious if you had to get a new credit card or reset your email password. Security frameworks are no substitute for intelligent and vigilant security staff, technology and processes.

What do you think? Email me at: . You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.

Customer Snapshot: Financial Services Firm

Customer Profile: Founded more than a century ago, this investment and wealth management firm has nearly $90 billion in assets under supervision.
Situation: The firm needed to manage its service accounts to increase security, prevent lockouts and comply with GLB (Gramm-Leach-Bliley) and other regulatory mandates.
Solution: Lieberman Software’s Enterprise Random Password Manager was deployed to systems on the company’s cross-platform network to automatically find, track and secure privileged accounts - including service accounts.
Result: The company is now fully automating all privileged identity management operations - significantly increasing security and easing regulatory compliance audits.

“We built a list of what we wanted ERPM to accomplish and how we wanted to test it. We then spent two days putting ERPM through its paces. It fit the bill perfectly. Service account management was the main selling point."

What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • Banking and the Cloud. A trend that has caught the attention of some in the technology media is the reluctance of banks to move to the cloud, despite the benefits. The reason is that over the past 15 years banks, to a large measure, have lost control of their IT environments. This situation stems from a combination of M&A and a rush to outsource IT operations...

Events / Press / Analysts
  • Honeypot Valentine. SC Magazine UK. From being drawn in by a honeypot, through to being compromised, lessons from life can have parallels with what happens online, suggests Calum MacLeod.
  • Exclusive Networks sharpens up reseller support service plans. MicroScope. Emerging tech distie Exclusive Networks has unveiled a new services wrap, named Passport, to help equip its partners with cross-vendor support around level one and two maintenance as well as pre-sales, training and other custom services,
  • Kaspersky Details Sophisticated 'Mask' Robber Ops. E-Commerce Times. The Mask apparently has been lurking in the shadows since 2007, but within hours of Kaspersky Lab's announcement of its discovery, the malware's operators shut down its infrastructure and slipped into the cybervoid.

Tech Tip of the Month

Get Trained on ERPM

If you are an Enterprise Random Password Manager (ERPM) customer or authorized partner, become an ERPM Certified Professional. We offer free training classes at our headquarters in Los Angeles, CA. Here's how.


Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
(01) 310-550-8575