[BreachExchange] Compliance vs. Cybersecurity - Duking It Out When they Should be Working Together

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 3 19:37:08 EDT 2018


What should you fear most: hackers and other malicious actors, or the
auditors who decide your compliance status? On one hand, you have people
who will steal sensitive, business-critical data for personal gain. On the
other, you have a nitpicky consultant who will comb over every detail
looking for a reason to fail you. It is easy to see that hackers are the
worse of the two. But go a level deeper and the real tension is security
vs. compliance.

A Tale of Two Brothers

Like two siblings, they each bring something different to the table and
must get through dinner without a shouting match. It is a touchy subject
for some and a love/hate relationship for most, but everyone agrees on one
thing: you need both. Two incidents show why organizations should invest
in both cybersecurity and compliance.

You can be compliant, but that doesn't mean you're secure: The Target story

When the news broke that Target had been breached and millions of payment
cards had been stolen, customers and company executives alike were left
asking how it could have happened. It was a fair question, considering
that Target had recently passed its assessment for payment-card compliance
(PCI DSS). This is an annual audit performed by a Qualified Security
Assessor, which checks security controls and procedures on behalf of card
brands like American Express, Visa, or

If the audit passed, how did this happen?

The breach was possible because Target itself was not the initial target;
its heating, ventilation and air conditioning (HVAC) vendor was. The vendor
was compromised, and the attackers found that this third party had
connectivity to Target's network for billing. From there it was only a
matter of time before they explored that access and worked their way into
Target's core network, compromising point-of-sale systems across the
country.

“But wait…. shouldn't the expensive, time-consuming compliance audit have
caught this?” Not necessarily. A compliance audit is a snapshot in time: it
examines whether controls and responsibilities were in place over the
period since the last mandatory audit, not whether they will hold up
tomorrow. It also checks only that the company meets and enforces the
standard, and a standard is usually the minimum level of security required
to achieve its goal. Keep in mind, too, that the payment-card standard was
still maturing at the time: the newest version, PCI DSS 3.0, did not take
effect until January 2014, after the breach. Passing an audit does not mean
you can't or won't drop the ball when the “rubber meets the road.”

We left it where? The tale of the unsecured “bucket”

Once upon a time, companies stored data on their own hardware, and it was
good. Then technology leapt ahead: the internet brought more connectivity
and higher transmission speeds for moving data back and forth. That brings
us to today, when it is possible to run your entire business “in the
cloud.” Moving an enterprise's data out to cloud services sounds great in
theory, but the margin for error is much narrower, because a misconfigured
storage service is exposed to the whole internet rather than to one
building. A negligent or complacent security team can sink a company, or at
least land it in financial hell as it sorts out the resulting lawsuits.

Side note: The cloud is just someone else's computer (end of rant)

Once upon a time, a data analytics company called Alteryx was hosting data
in the Amazon cloud, providing services to the U.S. Census Bureau and the
consumer credit reporting agency Experian. A California cybersecurity firm,
UpGuard, found an Alteryx storage bucket that was not locked down to the
standard Experian's own controls required, exposing sensitive data on 123
million US households drawn from an Experian database. Experian had
security, but it had not audited its vendor to ensure compliance with its
policies. Notably, Experian had lost customer data before: in 2015 it
reported a breach affecting T-Mobile customers, and in 2013 a Vietnamese
man bought Experian data under false pretenses. Controls on your own
estate do not help when a vendor holding your data is not held to them.

So, who is correct?

At the end of the day, who was right? Is security more important than
compliance, or is compliance the major focus and security follows?

Both answers are correct. There is no magic “one size fits all” solution
for rectifying issues related to cybersecurity and compliance. You still
need both brothers to have a successful dinner…err... security program. If
it were easy, some of us would be out of a job.

The recommendation is always to engage a service partner that can perform
both a compliance gap assessment and a technical control assessment. They
will be able to identify areas of improvement and produce a solution that
is tailored to your needs, helping your organization mature in both
cybersecurity and compliance.