Why suing auditors won't solve the data breach epidemic

By Angela Gunn | Published June 4, 2009, 10:26 AM

The life of a security auditor has its high points, of course -- travel, getting paid to break stuff, and more travel -- but there's a lot about that job that doesn't recommend it. You're going into someone else's place of business and trying to figure out what they're doing wrong, so you can write a big report that goes to their bosses? I don't care how personable you are, this isn't on the Dale Carnegie list of How To Win Friends.

Lockdown with Angela Gunn

Nor, in a disturbing number of situations, is it on the list of ways to Influence People. Take a pack of security auditors out for a beer sometime. (You will not have to ask twice, and if you get two beers in them they'll tell you about that mid-sized city whose network is end-to-end pwned right now and that international airport that has an ongoing problem with stolen IDs -- no names, of course, but plenty of other detail. After that, you'll want another beer just for yourself.) When they're done scaring you, they'll start trading tales of clients who simply refused to accept a bad audit.

No one likes to be told that his IT operation has weaknesses, let alone critical-stop problems. Some companies will retain a security firm and, when bad results start coming back, terminate the contract and send everyone home. Some companies will hire a crew and, when they get there, manage to be so disorganized and cranky that the auditors spend half their time attempting to simply get started. And some, presented with a report saying that their company isn't security-compliant, will simply ask that the report be changed.

No, it's not nice. (It's even less nice when the auditor drinking your beer mentions that a bank they recently visited did this, you bleat "it wasn't [name of my bank], was it?", and all-l-l the other security people at the table point at you and laugh. Children can be so cruel.) But it happens. Which is why a great many of us are very interested in how Merrick Bank's lawsuit turns out against Savvis, a security auditor that gave CardSystems Solutions an inappropriately clean bill of health back in 2004, right before the company was breached to the tune of 263,000 stolen credit-card numbers and an eight-figure liability payout.

Summarizing what's known (much of it covered in Kim Zetter's excellent overview on Threat Level): in 2004 the merchant bank retained CardSystems to handle certain credit-card processes. CardSystems was certified by Savvis as meeting CISP (Cardholder Information Security Program) standards; CISP is of course the predecessor to the current PCI-DSS (Payment Card Industry Data Security Standard). CardSystems had, according to Visa, failed at least one previous compliance audit, but had passed when Savvis took a look in June '04. But Savvis' auditors didn't note that CardSystems was improperly storing unencrypted data; the company should never have passed that audit. Three months later, hackers got in and found the improperly stored data. Cue the lawyers.

Under those circumstances, the hue and cry to boil that dust speck sue those auditors is pretty understandable. But just as your reporter was reaching for her old and battered Net Ethicist hat and a convenient pitchfork and torch, she took a moment to ask a few auditors if they thought the situation merited a suit, and whether any good can come of it.

One security pro (who asked not to be named in this piece) compared the situation to suits in which credit-rating agencies such as Moody's and Standard and Poor's have recently been sued for providing a too-rosy picture of securities backed by sub-prime mortgages and the like. In those cases, plaintiffs are claiming among other things that the rating agencies aren't independent -- "compromised" is the word that's been thrown around -- but there's a real question as to whether a firm can be liable for, essentially, saying something of questionable accuracy.

Others point the finger at the credit-card companies. "Visa's a cheap bunch of...," said one slightly woozy contractor. (Another round, bartender.) "Figures. Trying to pass this off on an auditor." The rest of his statement was unintelligible, but we suspect he wanted to say something about how until very recently, only the company audited had the right to see the actual audit report. That's a huge loophole, only recently sort-of-closed by the PCI Security Council's requirement that they receive a copy of the audit, albeit with the name of the audited company redacted.

More coherently, Rachel James of ID Experts points out that, as many auditors will agree, the system's deeply flawed, with four-fifths of all audits controlled by a dozen large vendors, each with security products for sale. Over-emphasis on standards-based compliance leads to checking off boxes, not robust security.

And yes, she agrees, flat-out cheating happens, as we saw in a disturbing survey conducted among security managers and tech staff attending InfoSecurity Europe back in April. "Standards and procedures are wonderful tools, necessary to implement any security process or program. However, a chain is only as strong as the weakest link. In this case, the links are made of people," she blogged this week.

People who in some cases behave abominably. Savvis clearly missed some glaring problems at CardSystems, but how were they missed? Did the auditors get full and frank cooperation from CardSystems, or was management there sufficiently freaked out by blowing the previous audit that they were untruthful to the Savvis crew? That crew, by the way, had only recently been brought aboard by Savvis as part of the acquisition of Cable & Wireless USA; how was that going, and were the auditors in a position to be firm with their clients at CardSystems if the clients were obstreperous?

There are of course those who claim that compliance is just too ephemeral -- if you're compliant today and one overzealous employee stealthily installs a Wi-Fi access point under her desk tonight, you may not be compliant tomorrow morning, and heaven knows when you'll find that out. Or it's simply too hard to understand, which is true on some levels and just silly on others. Neurosurgery is hard. Calculating space-probe trajectories is hard. Compliance is just complex and occasionally tedious.

I'm personally interested right now in what I'm hearing from people working to build really top-notch, intelligent, human-comprehensible compliance matrices that businesses can use to improve communication with auditors and, even better, use to run down problems before they get into some random consultant's report to the boss. Like anyone else I want to see the bad actors weeded out of the auditing business, but before we start suing allegedly industry-certified auditors I'd like to see more scrutiny of the behavior of the company receiving the audit.

And now for something almost completely different: Having one of those days? If you don't make a habit of keeping up with the TSA's blog, you should; pound for pound, the commenters there are some of the angriest people online. Check out yesterday's post sort-of-explaining the new Secure Flight program, which will lead to a lifetime of explaining to some little ticketing-counter chippie why you don't use your middle initial on your driver's license. Then, once your head cools off, read the comments. No matter how poorly your day is going, odds are excellent that at least you're not "Blogger Bob."

Comments


Over 261 million data breaches have happened since January 1 of 2005 to the current time. Having 300 million people in the US means that your information has probably already been stolen. It would seem prudent to be proactive and have a total protected solution that is already out there for the individual, family and business.
If interested send me an email.

Score: 0


An auditor can always find something wrong.

Score: 1


True, but not because auditors are evil. Auditing, of any nature, is subjective. -GCH

Score: 1


Great conversation! I am tired of hearing from companies who hire pen testers and ethical hackers, but don't invest in process improvement. Pen testing is sexy, but auditing improves security posture long term.
Sadien, your comment 'Auditing is a long term practice, not a short-term fix' is spot on! Thanks.

Score: 1


Thx. I've been doing this for a long time. -GCH

Score: 0


Oh..

Your statement, "There are of course those who claim that compliance is just too ephemeral" reminded me of an old video we did.

Basically, it describes how a senior executive can quickly get a feel for compliance in less than 5 minutes, by talking to their technology managers...

http://www.youtube.com/watch?v=YeiUilVlY3M

G.C. Hutson
http://www.sadien.com

Score: 0


actually, that is pretty true.

long term professionals from the school of hard knocks can visit almost any organization and gain a very good idea of the inherent problems within just a few minutes.

even if one is being escorted by a smiling executive telling jokes and pretending that everything is perfect.

Score: 0


"When in doubt, talk to a tech." - me

Score: 0


These companies all need and want fraud... When you sell AIR for a huge price and make the type of money they make.. it all works out in the end...

Like your credit report, it's up to the end user to protect themselves.

Score: 0


This is a great dialogue. For me, the original post and GC's comments are right on. As the CEO of a product company that is in the business of helping health care providers ensure that they are not only compliant to the regulations around matters such as HIPAA, but are also properly archiving and securing their data, audit is one of the clear tools in my toolbox.

The question for me is how I can ensure that the audit practice of my business adds value to my customers. The discussions on ROI and audit are great. The temptation, of course, is to become the rubber stamp for your customers, and avoiding this takes rigor. Witness the demise of Andersen, and the near demise of other auditing partnerships who could not maintain this rigor.

I believe that the practice of technology audit should be as detached as possible from the practice of solving the problems found in a formal audit. I would be interested in folks' thoughts on whether it is possible to mix solution and audit in a small technology firm.

Score: 0


Amen Skip. I call it "tough love."

Specifically, I tell our clients upfront, "We're going to beat you up... just like an adversarial third-party would. It's not going to be fun. It's not going to be pretty... but you will emerge from the internal audit stronger, more streamlined and more operationally sound."

There are two major misconceptions about the auditing process...

1. Auditing is a long term practice, not a short-term fix. We, as auditors, cannot use a magic wand to make "everything ok." First we develop and refine a best-practices model. Then we audit against that model. Find the holes. Repeat.

2. Auditors and auditing results are only as effective, as the client allows them to be. If they don't follow our advice, and they get in trouble... it's rather hard to come back and blame the auditor. Additionally, using my group as an example... we could audit, review, refine and make sovereign an operation on Friday, only to have the client's staff come in on Monday, and "un-do all of our do-in's."

There is absolutely a desire to make a client happy by saying everything is "ok." As a rule, my group only says things are "ok," when things are absolutely OK.

As for your statement about separating the auditors, from the operational people... YES. YES. AND YES.

The operational people of an organization... as a rule, are good, honest, hardworking individuals who have a personal stake in things being "ok."

Unfortunately, this leads to "compliancy blindness."

The people running the operation will "see" what is "supposed" to be there... NOT what's actually there. Sometimes it's an innocent mistake. Sometimes they're covering their butt. Sometimes, it's both.

G.C. Hutson
Sadien, Inc.
http://www.sadien.com

Score: 0


We do not get a lot of Christmas Cards.

The bigger issue for auditors is less on the liability side, and more on the sales side of our operation. In a down economy, NO ONE wants to spend money. They REALLY don't want to spend money on services that may cause them to spend MORE money.

The hardest part of auditing is convincing people that proactive auditing actually LOWERS liability, and SAVES them money.

The best quote ever, "Correction after the fact is always more expensive than prevention."

I'll say that again... it costs much, much more to FIX problems after-the-fact than it does to prevent the same problems from ever occurring in the first place.

Sadien actually released a 1 minute video on this very topic last Monday.

http://www.sadien.com/video.html (don't worry, it's completely free)

An example ROI on proactive IT auditing (specifically in our case, software license auditing), is as follows...

For our group to completely review your entire software inventory, SAM protocol, operational model, management work-flow, generate a Priority Itemized Risk Assessment Report and help you to fix all of your liability exposure... approximately $20 a computer. (Less than anti-virus software in most cases)

A single, disgruntled employee calling the BSA to claim the $1,000,000 reward for turning in their employer... as much as $4,000 to $15,000 per computer.

$20 vs $15,000

Unfortunately, most groups either don't believe these numbers... or assume their operation is "100% compliant" and doesn't need help... or they truly think they'll never be audited by an adversarial third party.

(We have a PDF on this issue too at http://www.sadien.com/do...ense_misconceptions.pdf )

All too often, most people learn about auditing, its benefits and its cost savings... too late.

G.C. Hutson
Chief Executive and President
Sadien, Inc.
http://www.sadien.com

Score: 0


you have a good point.

however, i think that "long term" is subjective.

most companies want "quick, easy and cheap" solutions now or at least for the next twelve months.

afterwards, a reassessment is required for the new fiscal year because in this day and age, 24, 36 or 48 month forecasts or plans are no better than crystal ball readings.

Score: 0

