Recently I was asked to write an article about one of the many challenges facing Penetration Testers in 2016. I decided to focus on the role that compliance plays in the process of securing corporate systems. This is not as simple as it may seem, as being in compliance with security regulations does not necessarily mean your systems are secure. Below is the text of the published article. If you would like the original publication you can find it at pentestmag.com
In January of 2011, the United States Government Accountability Office (GAO) reported to Congress that “Utilities are focusing on regulatory compliance instead of comprehensive security” and that “security requirements are inherently incomplete, and having a culture that views the security problem as being solved once those requirements are met will leave an organization vulnerable to cyber-attack.” It is not only utilities that suffer from this problem; in the last 18 months, over 150 million credit cards numbers and protected health records have been stolen from companies that had all been found compliant in their most recent assessments. Companies like Target, JP Morgan, Home Depot, and Neiman Marcus (to name only a few) have learned just how short of true security a compliant program can leave you.
In regulated industries, it has become common practice for management to assume that compliance and security are one and the same. They believe that because an auditor has marked them as being compliant, there are no further actions that need to be taken to secure their systems. The idea that because something is compliant, it must also be secure has become an inside joke among security professionals; unfortunately, those same professionals are often incapable of translating to management exactly why a compliant system is not necessarily secure.
THE ROLE OF THE PENETRATION TESTER
Most experienced penetration testers know the feeling of arriving on site to a new client and having the security administrators almost beg to have their systems compromised. They are aware of how vulnerable they are, but have been unable to secure the budget to do anything about it. They believe that the only way to do so is for the penetration test report to show management exactly how secure their compliant system is. Often times throughout the drafting of the report, the security administrators will request specific wording or recommendations that they believe will help them convince their management team that something more needs to be done.
It is no secret that many companies value third party input much more highly than they do internal recommendations. A request that has been made multiple times from a security team may sudden be fulfilled if it comes as a recommendation in a third party report. As such, it is often the responsibility of the penetration tester to identify the areas where management has been lax in assigning resources and prioritize their recommendations accordingly. If it is clear that large amounts of the security budget is being directed towards a brand new Security Incident and Event Manager (SIEM), but the security staff doesn’t have the knowledge or training to support that SIEM, it is important for the penetration tester to recognize this and recommend training for the security staff.
However, it is also important for the penetration tester to be aware of and knowledgeable about the regulations with which their client must comply. Writing a report that recommends changes that fall far outside the scope of the client’s compliance needs is as likely to create meaningful change as not writing the report at all. On the other hand, if the report can be aligned with the client’s compliance goals, it becomes far more likely that management and the security team will utilize it to achieve not only greater security, but also stronger compliance.
IF COMPLIANCE ≠ SECURITY, WHY BOTHER?
Many people question the necessity of regulations, as they do not necessarily engender true security. The thinking is that if companies are left to their own devices, they will develop a security posture commensurate with their risk. To a certain extent, this line of thinking has its merits. However, one can easily compare the security posture of the U.S. Electric Utilities (regulated by the NERC CIP Standards) to those of the U.S. Water Utilities (unregulated). Both utilities are considered Critical Infrastructure, and both face the same sort of cyber threats.
The NERC CIP standards have forced the electric industry to implement a minimum standard of security. Many utilities have taken the approach of “doing things right” as long as they have to do them for compliance. These utilities are using their compliance burden to drive budget into their security departments, and to secure upper management buy-in. The water industry, on the other hand, is often described as “The Wild West” by security experts. The lack of any regulation has led to a huge spectrum of security postures. Some utilities are taking the threats they face seriously, and have state of the art defenses in place. Other utilities still have SCADA systems directly connectable via dial-up without any authentication in place. This is not from a lack of effort on the part of the security teams at these utilities – it is often a lack of motivation, and sometimes understanding, on the part of upper management.
Compliance has given the electric utilities the motivation and justification to fight for greater budgets. Security and compliance teams can take hard numbers to upper management to show that an expenditure of $100,000 can prevent a fine of $1,000,000. Security teams in the water industry that want to spend the same amount are often left with no compelling way to justify the expenditure in terms that management is likely to understand.
WHAT CAN BE DONE TO INCREASE SECURITY AND COMPLAINCE?
It is clear that compliance does have an impact on the overall level of security that can be expected in an industry. However, it is also clear that as the compliance burden grows, companies begin to shift their focus towards meeting compliance, rather than becoming truly secure. As an independent third party, it is important for the penetration tester to maintain an objective view of the overall security posture and the machinations that have brought it about. In the end, it is the goal of every penetration to test to help the client become more secure. Often this is accomplished by demonstrating weaknesses in target systems and advising on mitigating the risk to those systems. In a regulated industry, those mitigation plans may need to align with the overall compliance goal while still reducing the overall vulnerability of the system. Through this alignment, the penetration tester provides the means for security teams to fight for and receive the funding and support that makes true security possible.
Perhaps the best way for penetration testers to accomplish this is to become an expert on the compliance burden faced by their clients. Penetration tests for the electric industry should be conducted by NERC CIP experts, penetration testers for the the health industry should be HIPAA experts, and penetration testers for the retail industry should be PCI-DSS experts. A good NERC CIP pentester could certainly find plenty of vulnerabilities in a hospital’s systems, but their report would not be nearly as complete or compelling as one written by a HIPAA expert–to say nothing of a penetration tester who has no compliance knowledge at all. The ability to custom tailor report findings towards specific compliance burdens will allow penetration testers to better serve their clients and help increase the overall level of security from compliance-driven entities.