Sufficiently Secure?

By Eric English, CISSP

Compliance with industry standards may not be enough.

This article was adapted from a post originally published on the Garland Heart blog and is republished with permission.

With each breach of security at a major corporation, the finger pointing begins anew.

In the wake of the Target breach, for example, Trustwave was cited in a class-action lawsuit as the vendor entrusted to maintain data security for Target. According to this article in Network World, the lawsuit alleged that Trustwave “failed to live up to its promises or to meet industry standards.” The industry standard referred to is PCI-DSS, which was pushed by Visa and MasterCard to protect customer data.

There’s a key lesson here for credit unions. And it’s this: What most people think of as an “industry standard” is not the only means of security you should implement. An industry standard is more of a baseline, not necessarily the best way of responding to a potential problem. PCI-DSS is one of the many compliance guidelines an organization can follow, but by no means is it the only form of security you will ever need.

The Target breach underscores the reliance on such industry standards, but organizations should consider more than one compliance framework and more than one security standard to go by. Most of the compliance frameworks are outdated and are generally based on best practices for IT security.

Guidance on this from the Federal Financial Institutions Examination Council (FFIEC), for example, was written a decade ago but is still in use by banks today. The FFIEC does update its framework, but by no means does it cover every aspect of security.

Target alleges that Trustwave performed a vulnerability scan on Sept. 20, 2013, and no vulnerabilities were found. What is not mentioned is that most vulnerability scanners check only for vulnerabilities that are published and well known. Most vulnerability scanners will not pick up on a zero-day threat that exploits a previously unknown vulnerability in a computer application. So whose fault is that?

The point here is that just because your credit union is compliant with a particular standard doesn’t mean you are as secure as you can be. Defense in depth, or layered security, which combines multiple mitigating security controls to protect resources and data, is one of the ways to keep your network secure.

However, keep in mind that there are ever-evolving threats. Leaving even a single hole in your defenses can lead to a security breach. One open port on a firewall, one password written down, or one user divulging information to a social engineer is all it takes. Heck, the Target breach was allegedly via the HVAC vendors. Who would have thought to try that? A skilled hacker group, that’s who.

Ultimately, the responsibility for security falls squarely on the shoulders of the credit union itself. Compliance and security standards are simply the basic guidelines to follow and not the one-stop shop for securing your organization.

So when it comes to security, don’t rely on one standard for everything. It takes due diligence and persistence to keep your network secure.

Eric English, CISSP, is security consultant for Garland Heart, Wylie, Texas.