Compliance shouldn't be a primary security driver

WASHINGTON, D.C. -- Trying to be compliant or pass an audit doesn't make you more secure and doesn't protect you from attacks; conversely, a common-sense approach to security may well add up to regulatory compliance.

So said a Gartner analyst yesterday at the Gartner Security Summit. Amrit Williams, research director of the Information Security & Risk Group, believes that a focus on compliance is to the detriment of security overall. In particular, it may not address some threats that are increasing in scope.

"The greatest threat to us right now is the role of money as a motivator for cybercrime," Williams said. "The big threats aren't new, but they are changing and the reason is money."

Those threats include identity theft; blackmail schemes, such as data for ransom and denial-of-service threats; spam relays [70% of spam is generated by compromised machines]; and espionage.

"If there's money to be made, [attackers will] do anything they can to get it," Williams added. "These attackers will be stealthier and more difficult to prevent." He said true numbers on such attacks are difficult to determine because they often go unreported.


Conference attendee Shlomi Harif believes many companies settle with their attackers to make the attack go away. Harif, the director of network systems and support for the Austin Independent School District in Texas, recounted an example he'd heard about through a Seattle-based consultant. "An ISP in Portland was getting hammered for about six months with a denial-of-service attack. They tried extra bandwidth and different providers, but nothing worked." Harif then heard the attack suddenly stopped one day, most likely because the company paid the extortionists.

"Through 2007, 80% of damage-causing events will have been preventable by effective implementations of network access control, intrusion prevention, identity and access management, and vulnerability management," according to a report released in December by Stamford, Conn.-based Gartner.

And while many of these issues are also addressed indirectly through regulatory compliance, some may fall off an enterprise's radar while resources instead go toward creating the kind of paper trails now required to show a company's data is secure.

However, Williams said focusing on those four areas will go far in mitigating most network security threats. When looking at intrusion prevention, he suggests securing the network as best you can, then focusing on mobile users. For example, buy personal firewalls for all mobile clients, because mobile clients are a much higher risk for bringing problems into the network. Then focus on servers and desktops.

Williams said better security is about prioritization and planning. Successful vulnerability management relies heavily on determining asset classification and threat posture, while identity and access management depends on predefined roles, controls and accountability. As for network access control, he's a proponent of "quarantine, limit, deny" for systems that may not be current with patches and antivirus signatures.

Concluded Williams: "Doing these four things will make your organization more efficient, protect against current, emerging and future threats, and help you meet regulatory compliance."
