Implementing Real Security Policies

Written by Brett Creasy
Wednesday, 21 November 2007
What is the primary focus of a security professional? To protect something of value. And just as important, to explain why it needs protecting and how to go about doing so in a reasonable manner. It never fails that the linchpin of any enforceable security policy is upper management, and making them understand the need to secure something and the reward of doing so. Try asking for a new security tool or even a policy and you will likely get the ROI (Return On Investment) question, and it's a valid one too. So how do we go about answering it?
To start, far too many security professionals jump at the chance to use only scare tactics to preach about the latest and greatest tool against <fill in the blank> attack, forgetting that security practices exist only because of the organizational risk that precedes them. Even the most secure environments are secure in the first place to protect something so valuable that losing it would cause extreme business loss or worse, loss of life. When was the last time you saw a perimeter fence, 802.1X authentication, AES encryption, and WIPS sensors deployed to protect the new gaming console in your neighbor's house? Probably never. In fact, you'd be hard pressed to find that kind of wireless security even in major corporations or government facilities.

There are numerous regulations like HIPAA, PCI, SOX, GLBA, and others in place to help explain and enforce security, but enforcement is harder than one might think. The answer to the "what's my benefit" question is often difficult to sell to upper management. Providing a clearly defined vision for real security that fits within the business goals is simply a requirement, as the farther one gets from the technical aspects, the less one often understands the real need. Security professionals cannot be effective just by being tech gurus. A certain level of business acumen and negotiating skill is also needed. Sometimes the simple "we're required to" just doesn't have the effect one would imagine.

Additionally, policies often have much gray area. Anyone who has the painful task of understanding policy compliance knows that far too often, compliant does not equal secure. Take for example the excerpt below from the PCI Data Security Standard, which can be found at https://pcisecuritystandards.org:

4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
Gray area number one comes from the highlighted content above. The problem here is that if WEP is being used, then WPA/WPA2 cannot be. It may be used on another segment of the wireless network, but you can't have WPA/WPA2 protect the same data transmission that WEP is protecting. This simply confuses the average reader, including the upper level decision makers. The second gray area comes with the recommendation of rotating WEP keys quarterly. Even very long WEP keys can be broken in a matter of minutes, probably under five, which is well documented. This gives the attacker months of having a valid key to abuse. Lastly we toss in the use of access control lists based on MAC addresses. It takes all of, oh, 10 seconds to circumvent this security mechanism. In the end, many in upper management or executive positions are left with the assumption that since they comply with a certain industry policy or standard, they are reasonably secure, which is clearly not the case here.

Now does this mean these "policies are useless"? Hardly. Please don't take this as bashing of PCI and the like. Policies like PCI and HIPAA definitely have a need, and even their gray areas are needed due to restrictions in something I like to call "the Real World". Some organizations simply cannot implement truly strong security practices due to cost, at least not overnight. Maybe they can in their five year plan, which is something security professionals have to take into account when building their organization-specific security policies. Blanket hard-line security policies are of no use if they do not fit the business they are written for or are otherwise unenforceable.

Let's take for example the healthcare industry. On one hand you have HIPAA requiring healthcare and related insurance providers to secure protected health information (PHI) transmissions; yet on the other hand you have numerous software and hardware vendors that simply don't have to comply with the same rules.
Luckily many vendors already do, or have it in the planning stages, because they don't want to lose out on the business. However, you might assume that since your organization as a health care provider has to comply with HIPAA, the nice shiny new medical cart on wheels complies too, but oh no, it doesn't have to. Not only that, making some devices capable of using complicated 802.1x authentication or strong encryption like AES is harder than one might think. Luckily here the money game brings everyone on board eventually. Still, replacing $5,000 medical carts simply because they can only do WEP encryption is not going to happen. We may need to find a way to meet in the middle for now, for example by using strong authentication and encryption in areas where the legacy devices won't be, and simply monitoring the weak segments very diligently.

So what's the point of all of this? Security for the sake of security? No, the point is helping the decision makers, the people with the buying power, understand the value security brings to their organization. Sometimes all it takes is a scare tactic (print out an article on TJX, for example), but true value comes from a shared vision of promoting the business as the best there is in your given industry. You are providing another reason for customers to come your way to do business, as well as saving your company embarrassment and revenue when, not if, you come under attack. It can be a hard envelope to push, and a different one in almost every case, but it is achievable. All thanks to a little creativity from you and a nudge from the higher powers like HIPAA, PCI, SOX and the others. It's up to security professionals to educate those around them and to explain the value they and their recommendations bring to their organization.
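As an added illustration of the "compliant does not equal secure" gap discussed above (the WEP gray areas in PCI 4.1.1 and the legacy-cart "meet in the middle" segment), here is a small audit script. It is example code, not from the article; the segment inventory, the simplified reading of 4.1.1 (WPA/WPA2, or WEP rotated at least quarterly) and the 90-day threshold are constructed assumptions.

```python
"""Show PCI 4.1.1 compliance and real security findings side by side.

Added example, not part of the original article. Inventory records and the
compliance rule below are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# "Quarterly" rotation, as in the PCI text quoted above; a WEP key recovered
# in minutes stays valid for the rest of the interval.
MAX_WEP_KEY_AGE_DAYS = 90


@dataclass
class Segment:
    ssid: str
    encryption: str             # "WEP", "WPA" or "WPA2"
    sensitive_data: bool        # carries cardholder data or PHI
    key_rotation_days: int = 0  # 0 = never rotated
    mac_acl_only: bool = False  # MAC filtering is the only access control
    monitored: bool = False     # WIPS / diligent monitoring in place


def pci_4_1_1_compliant(seg: Segment) -> bool:
    """Letter of the quoted requirement (simplified): WPA/WPA2, or rotated WEP."""
    if not seg.sensitive_data or seg.encryption in ("WPA", "WPA2"):
        return True
    return seg.encryption == "WEP" and 0 < seg.key_rotation_days <= MAX_WEP_KEY_AGE_DAYS


def findings(seg: Segment) -> list:
    """Risks that a compliance checkbox alone does not surface."""
    out = []
    if seg.encryption == "WEP" and seg.sensitive_data:
        window = seg.key_rotation_days or "unbounded"
        out.append(f"{seg.ssid}: WEP on sensitive data; a recovered key is valid up to {window} days")
        if not seg.monitored:
            out.append(f"{seg.ssid}: legacy WEP segment is not monitored")
    if seg.mac_acl_only:
        out.append(f"{seg.ssid}: MAC address ACL is the only access control")
    return out


def audit(segments) -> dict:
    """Map each SSID to (compliant, findings) so both views appear together."""
    return {s.ssid: (pci_4_1_1_compliant(s), findings(s)) for s in segments}


SAMPLE = [  # constructed inventory, not real networks
    Segment("POS-WEP", "WEP", True, key_rotation_days=90, mac_acl_only=True),
    Segment("CARTS-LEGACY", "WEP", True, key_rotation_days=30, monitored=True),
    Segment("CORP", "WPA2", True),
]

if __name__ == "__main__":
    for ssid, (ok, issues) in audit(SAMPLE).items():
        print(ssid, "compliant" if ok else "NON-COMPLIANT", issues)
```

Running it shows POS-WEP passing the compliance rule while carrying three findings, which is the mismatch the article warns decision makers about.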