Debate » Compliance requirements have prevented security professionals from stopping advanced threats.

FOR: Nick Selby, co-founder, Cambridge Infosec Associates

Imagine playing chess against an opponent who always opened with the same 12 moves. After a while, you'd slaughter him. That's where we are today. Rule sets are key to sensible configuration, but baselines aren't security; they force us to focus on trailing, not leading indicators. CISOs see compliance as a great way to prop up security budgets. However, confusing security and compliance means security departments spend their resources complying, not enacting proactive security. This is zero-sum: time spent doing one thing cannot be regained.

We advocate a better approach: compliance (verb) is handled by a compliance group, and security looks at relevant metrics (including state-of-compliance provided by compliance people) from across logical and physical realms, and from places like HR, marketing and other

AGAINST: Michael Dahn, payment security

Not the case. The difference between compliance, validation and security is clear. Compliance is a baseline minimum standard. Validation is the point-in-time review of an organization's state of compliance. Security, then, is the goal of preventing the theft of personal or sensitive data. For instance, the Payment Card Industry (PCI) Data Security Standard (DSS) has raised the bar by creating a baseline of best practices for handling card data. A cycle then ensues, with hackers modifying their attack methods, and the standard being updated. The PCI Security Standards Council has consistently advanced the standard to meet emerging attacks, with a new focus on web application attacks and wireless security, as well as plans to include virtualization and end-to-end encryption. PCI DSS incorporates compensating controls that enable large organizations

THREAT OF THE MONTH

What is it?

Clampi (aka Ligats or Ilomo) is an information theft botnet. The malcode is a multicomponent tool that injects code into running processes, alters the PC's configuration and, once established, begins to harvest and send sensitive information from the PC to its handlers.

How does it work?

Clampi is usually distributed via exploits in Adobe client-side code. A user is lured into a website that contains exploits against known vulnerabilities in Flash or PDF extensions in the browser,