Inherent Flaw in Security Audits
Chief Technology Officer
Network Box USA
There is an inherent flaw in the way we conduct security audits and inspections that is, in my opinion, at the base of all the issues we are seeing every day, said Pierluigi Stella, Chief Technology Officer, Network Box USA as he provided his analysis of the Community Health Systems breach story:
Each time I receive the results of an audit from one of our clients, I can see that the auditors seem concerned, fixated even, over a few, very useless things:
1) Were you notified of the scan which should have looked like an attack?
2) Did you turn off ICMP replies?
First things first, in the entire history of humanity, please tell me, who has ever witnessed a thief making a lot of noise? Those who rattle the cage aren’t really trying to get in. At the most, they’re causing a distraction while someone else is getting in via the back door. Hence, being concerned with notifications for noise scans is utterly useless and ridiculous, and doesn’t in any way assert the security posture of a network.
Were they able to get in?
That’s the real question to be asked.
Were auditors able to, in any way, find real and serious vulnerabilities on the servers protected by the perimeter defense? If not, then move on to more serious questions and stop wondering about the response to noisy scans. They waste everybody’s time and proffer zero extra security.
Secondly, will someone please tell me, what’s the big deal about ICMP?
If a server is exposed to the internet with any port, hackers will find that port sooner or later. Responding to ICMP (or not) won’t deter them in any shape or form. They’re not stupid; otherwise they wouldn’t be able to carry on so many successful attacks to begin with. Indeed, they’re very smart, and turning off ICMP is really not going to stop them. And in the meantime, it’ll cause you many headaches in other ways, which in my opinion, aren’t worth the effort.
Why am I going on a rampage against audit practices?
Because too many companies are all too worried about compliance and not sufficiently worried about security. Oddly enough, HITECH and HIPAA don’t even have official auditors because there isn’t a single authority that could take charge of inspections. In the financial institutions world, you have the FDIC, the Federal Reserve, the OCC, the NCUA if you’re a credit union; depending on what type of bank or credit union you are, you have your flavor of auditors. Now, for as much as I criticize them for worrying about things that, to me, appear to be useless, at least, they put pressure on the FIs where security is concerned, and this makes that sector the most advanced in terms of security in this country.
I’ve been in the security business for a long time and I have yet to see another sector as strongly committed and advanced in security matters as the FIs.
When will that happen for the health industry, I ask?
There’s no apparent authority to run audits and inspections. It’s always as though things happen after the fact: the health company in question loses millions of records, it gets a huge fine, then it scrambles to fix that security issue which should’ve been fixed before.
Something similar has been happening with retailers, where the authority is a private organization driven mostly by CC companies (PCI DSS). They’re getting attacked from every direction and their security has proven to be dismal.
In my opinion, what’s needed here is some sort of official authority in every sector, that can inspect the security of these companies based on stringent standards, the same way the FDIC inspects and audits financial institutions. Since companies in these other sectors don’t seem to be taking security seriously (albeit they appear to be doing so on paper), we need someone to walk in and scrutinize them carefully before all these issues occur.