In this post, we get insights from Jacob Ansari, Manager at Schellman & Company, Inc. He will present “Hunting Paper Tigers: A Security-First Approach to Compliance” at the North America Community Meeting in Las Vegas.
What’s the danger in believing there is a “complete state” of security?
Jacob Ansari: Security is a difficult thing to pin down; it’s often not tangible, but arises out of other factors like lack of complexity, clearly defined functions and outputs, handling error conditions properly, and the like. In reality, things like changes to the organization trying to secure itself or changes to the threats it faces make the actual security something that doesn’t stand still. So the idea that we can engineer a security solution that’s complete and done and never needs any more attention doesn’t really work.
What do you mean when you say there’s latitude with some PCI DSS requirements? What are organizations doing wrong when approaching these requirements?
Jacob Ansari: Many PCI DSS requirements give latitude in how the organization meets its objective. Requirement 10.6 tells us to review logs, but doesn’t say what tools or methods to use. Requirement 12.2 says to perform a risk assessment, but doesn’t point to one specific method. The goal of this is to allow organizations to do the things that make sense for their needs. Different web application frameworks and components can require different code review techniques, for example, and the standard allows for that. Unfortunately, many organizations will do the thing that is the easiest for them and assert that the PCI DSS doesn’t require more, rather than do what will actually address the threats to their organization.
Why shouldn’t organizations focus all security efforts on an annual assessment?
Jacob Ansari: The annual assessment is merely the measurement that occurs at a point in time for what that organization should do all year. The threat of an attack or a security incident doesn’t follow along one’s assessment schedule, and too many organizations regard their assessor as their largest threat or see their need to obtain a validated status with PCI DSS as the primary security objective. This vastly discounts actual attackers and the actual fallout from an incident.
You discuss threat modeling in your presentation- can you explain a little bit about what this entails?
Jacob Ansari: Pen testing is where the rubber meets the road, it’s that moment of truth when you can see if all the effort you’ve put into your security is actually effective. When done effectively, it can catch errors in design and identify areas of weakness before they’re exploited.
What are some common obstacles organizations face in creating effective security methods?
Jacob Ansari: The obstacles to implementing good security are the same obstacles that get in the way of other business problems: lack of leadership and priority. This manifests as lack of budget or time or things like competing interests prevailing or simple ignorance of the situation, but the ultimate root of this arises from a want of leadership.
Want to learn more? Attend Jacob’s session at this year’s North America Community Meeting in Las Vegas on September 20th- 22nd.