As counterintuitive as it may seem to the average Joe, more security software often brings more vulnerabilities. Security software engineers are often focused on testing and breaking other software through tight integration points and thorough penetration tests. These same engineers, however, are often neither practiced in nor conscious of securing their own software. Even something as basic and widely adopted as OpenSSL, an open source library used by millions of products, was recently discovered to have a huge security issue called Heartbleed. This vulnerability may have been known to hackers for years: it slipped into the OpenSSL source code on New Year's Eve of 2011 and was not discovered and patched until April of 2014.
Even the most basic of encryption protocols can have holes like this, so it only makes sense that large antivirus programs and complex intrusion detection software may have similar or even more grand bugs in them. Less is more when it comes to security, and proprietary versus open source each comes with tradeoffs when it comes to vulnerabilities.
As if the insecurities in software weren't enough, many businesses add to the problem when they invest in software or hardware tools that are then never properly installed. By only partially integrating a system, such as antivirus software, and neglecting to set up automatic updates and patches, the tools become vulnerable to simple zero-day exploits. The same goes for hardware boxes and firewalls, which are often purchased but never installed because the business does not want to be inconvenienced by the downtime that installation may require.
There are many industry problems that need to be addressed, such as transparency about vulnerabilities and exploits introduced into software. Companies that make security software and hardware don't want the bad press that comes with a patch that fixes a hole in their product, but this silence means the importance of the issue goes unrecognized. If more businesses cared about security systems and created demand for better software and hardware, we would likely see providers shift over time toward more integrated and hassle-free products.
Compliance is just the starting point
Many businesses make the mistake of treating security and compliance as synonymous. While compliance does increase security through a rigid set of requirements and audits, it is more of a reporting tool and a minimum set of standards defined by regimes such as PCI, HIPAA, or the Sarbanes-Oxley Act. Proper security measures should aim to protect you from threats by controlling how information is shared between your technology and others. Compliance, on the other hand, is more of a regularly scheduled demonstration to the regulatory bodies that you are meeting a specific set of security standards they have defined. Compliance tests and regulations can be cumbersome enough to make you feel jaded toward security as a whole, but it is absolutely crucial to invest in both.
Unlike security standards, which are often numerous and more loosely defined on a case-by-case basis, compliance focuses on a set of regulations that permit a business to carry out certain actions or practices. Compliance certificates are often awarded for passing these regulated tests and can then give the company the legal ability to process credit cards, share medical information, or go public. These standards have helped tremendously over the years, but businesses often do not audit their systems beyond these checklists or, worse yet, do not follow the rules and regulations properly. To get a better feel for what you should focus on, first try to understand the following standards and practices that are currently regulated or recommended for your industry.
Compliance for all applications
Whether your product is web, mobile, private or public, to protect yourself legally you should protect all personally identifiable information with encryption. Even email addresses and names should be encrypted when transmitted from a client to a server. As the most basic example, all websites should use HTTPS, and sensitive data such as passwords should be stored in the database only as a one-way hash, never in a recoverable form. While these standards may not be regularly enforced, they are an industry standard; as such they are expected, and violations are actually punishable in many regions.
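The "one-way" storage of passwords mentioned above is worth seeing concretely, because the common mistakes (storing plaintext, using reversible encryption, or hashing without a per-user salt) all look similar from the outside. The following is an added example, not code from the original article: it stores a password as a salted PBKDF2-HMAC-SHA256 hash using only the Python standard library, and verifies a login attempt with a constant-time comparison. The iteration count, salt length and record format are assumptions chosen for illustration, not values the article specifies.

```python
"""Store passwords as salted one-way hashes and verify them safely.

Added example (not from the original article). Standard library only.
The record format 'pbkdf2_sha256$<iterations>$<salt>$<digest>' and the
work factor below are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: illustrative work factor, raise as hardware allows
SALT_BYTES = 16        # assumption: 128-bit random per-user salt


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record that can be stored in the database.

    A fresh random salt is generated for every call, so two users with the
    same password get different records and precomputed tables are useless.
    The plaintext password never appears in the returned string.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Returns False (rather than raising) for malformed or unknown records so a
    corrupted row cannot be turned into an accidental login.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    if iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def record_exposes_plaintext(password: str, stored: str) -> bool:
    """Simple audit helper: True if the stored record contains the password."""
    return password in stored


if __name__ == "__main__":
    # Constructed sample credentials for a local demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
```

The stored record carries its own algorithm name, iteration count and salt, so the work factor can be raised later for new or re-hashed accounts without breaking verification of existing ones.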
Compliance in Healthcare Applications
The Health Insurance Portability and Accountability Act (HIPAA) defines many rules and regulations for how medical companies must carry out and enforce safeguards ranging from administrative to technical and physical security measures. HIPAA enforces quite an extensive list and can be very aggressive against violators, so compliance is incredibly important. Even though HIPAA is elaborate and strict, compliance alone does not protect businesses from vulnerabilities, nor does it ensure that a breach will not result in violations or penalties.
All applications that accept credit cards, even where the card information is not stored, are subject to the Payment Card Industry Data Security Standard (PCI-DSS) regulations. Unlike HIPAA, which defines a single core set of standards, PCI compliance comes in various levels of certification depending on statistics such as transaction volume. Many businesses are not even aware that they need to be PCI compliant until a breach occurs and they are surprised by a lawsuit or fine charged against them for violating the compliance standards.
Many local and federal government agencies in various countries have their own sets of compliance regulations. In the US, a minimum set of standards is required under the National Institute of Standards and Technology (NIST) regulations. Some of these agencies are required to comply with the Federal Information Security Management Act (FISMA), while others, such as defense agencies, have additional standards such as the Defense Information Assurance Certification and Accreditation Process (DIACAP). All agencies are then held accountable and are regularly monitored, audited and assessed by the Federal Risk and Authorization Management Program (FedRAMP).