
Compliance shouldn't be a primary security driver

By Shawna McAlearney, News Editor
08 Jun 2005 | SearchSecurity.com


WASHINGTON, D.C. -- Trying to be compliant or pass an audit doesn't make you more secure and doesn't protect you from attacks; conversely, a common-sense approach to security may deliver regulatory compliance as a result.

So said a Gartner analyst yesterday at the Gartner Security Summit. Amrit Williams, research director of the Information Security & Risk Group, believes that a focus on compliance is to the detriment of security overall. In particular, it may not address some threats that are increasing in scope.

"The greatest threat to us right now is the role of money as a motivator for cybercrime," Williams said. "The big threats aren't new, but they are changing and the reason is money."

Those threats include identity theft; blackmail schemes, such as data for ransom and denial-of-service threats; spam relays [70% of spam is generated by compromised machines]; and espionage.

"If there's money to be made, [attackers will] do anything they can to get it," Williams added. "These attackers will be stealthier and more difficult to prevent." He said true numbers on such attacks are difficult to determine because they often go unreported.

Conference attendee Shlomi Harif believes many companies settle with their attackers to make the attack go away. Harif, the director of network systems and support for the Austin Independent School District in Texas, recounted an example he'd heard about through a Seattle-based consultant. "An ISP in Portland was getting hammered for about six months with a denial-of-service attack. They tried extra bandwidth and different providers, but nothing worked." Harif then heard the attack suddenly stopped one day, most likely because the company paid the extortionists.

"Through 2007, 80% of damage-causing events will have been preventable by effective implementations of network access control, intrusion prevention, identity and access management, and vulnerability management," according to a report released in December by Stamford, Conn.-based Gartner.

And while many of these issues are also addressed indirectly through regulatory compliance, some may fall off an enterprise's radar while resources instead go toward creating the kind of paper trails now required to show a company's data is secure.

However, Williams said focusing on these elements will go far in mitigating most network security threats. When looking at intrusion prevention, he suggests securing the network as best you can, then focusing on mobile users. For example, buy personal firewalls for all mobile clients because they are a much higher risk for bringing problems into the network. Then focus on servers and desktops.

Williams said better security is about prioritization and planning. Successful vulnerability management relies heavily on determining asset classification and threat posture, while identity and access management depends on predefined roles, controls and accountability. As for network access control, he's a proponent of "quarantine, limit, deny" for systems that may not be current with patches and antivirus signatures.
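The "quarantine, limit, deny" posture check described above, written out as an added example (not code from the article or from Gartner). The thresholds, the stricter grace period for mobile clients, and the sample endpoints are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # full network access
    LIMIT = "limit"            # remediation segment: patch and AV update servers only
    QUARANTINE = "quarantine"  # isolated until patches and signatures are both current
    DENY = "deny"              # refuse the connection outright


@dataclass
class Posture:
    hostname: str
    mobile: bool               # laptop or remote client, treated as higher risk
    personal_firewall: bool
    av_running: bool
    days_since_patch: int
    days_since_av_signature: int


def nac_decision(p: Posture, max_patch_age: int = 30, max_sig_age: int = 7) -> Decision:
    """Apply 'quarantine, limit, deny' to one endpoint's posture report."""
    # Deny outright: no running antivirus, or a mobile client with no personal firewall.
    if not p.av_running or (p.mobile and not p.personal_firewall):
        return Decision.DENY
    # Assumed policy: mobile clients get half the grace period of fixed hosts.
    if p.mobile:
        max_patch_age //= 2
        max_sig_age //= 2
    stale_patch = p.days_since_patch > max_patch_age
    stale_sig = p.days_since_av_signature > max_sig_age
    if stale_patch and stale_sig:
        return Decision.QUARANTINE   # both controls lapsed: isolate completely
    if stale_patch or stale_sig:
        return Decision.LIMIT        # one control lapsed: remediation access only
    return Decision.ALLOW


def evaluate_all(endpoints):
    """Return {hostname: Decision} for a batch of posture reports."""
    return {p.hostname: nac_decision(p) for p in endpoints}


# Constructed sample posture reports; these are not real hosts.
SAMPLE_ENDPOINTS = [
    Posture("desk-01", False, False, True, days_since_patch=5, days_since_av_signature=1),
    Posture("lap-02", True, False, True, days_since_patch=5, days_since_av_signature=1),
    Posture("lap-03", True, True, True, days_since_patch=20, days_since_av_signature=1),
    Posture("srv-04", False, False, True, days_since_patch=45, days_since_av_signature=10),
]

if __name__ == "__main__":
    for host, decision in evaluate_all(SAMPLE_ENDPOINTS).items():
        print(f"{host}: {decision.value}")
```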

Concluded Williams: "Doing these four things will make your organization more efficient, protect against current, emerging and future threats, and help you meet regulatory compliance."

This story originally appeared on our sister site SearchSecurity.com.
