Thursday, October 10, 2013

#07: Interpreting frameworks... or 'the second opinion'

It's not every day you're called into your boss's office for a 30-minute meeting titled 'Quick meeting'. Meetings called that rarely are.

As my colleague and I made our way to our boss's office, my paranoia kicked in, as it would for any good security professional.  What did I do? What did we do?  Maybe it's about X, or maybe it's about that other meeting yesterday.

Thankfully, it was none of those.  Our boss had decided, in his infinite wisdom, that we'd been remiss in allowing one person to interpret what the bible, the framework that guides our actions, the PCI-DSS 2.1 framework, says.  "We may be misunderstanding certain portions, and what's worse, our relationship with our QSA is not what it should be," he said.  "We need to do better, to be better."

Silence... flabbergasted...

We thought that we'd been doing well.  We had just passed our 3Q PCI milestones and were working steadily towards implementing controls and policies that we didn't yet have for certain audits.  We were around CMMI Level 2 on many of these things: no formal policy, but we were doing them.  We are working towards Levels 3, 4, and 5.

So, why the re-evaluation?  Our compliance person had one idea of what PCI means, but after speaking with our QSA's superiors, we found that we may have been farther along in the PCI process than we thought.

For example, we went from 'all firewall ACLs have to be justified' to 'we must be doing regular audits of firewall logs', which we had been doing nearly every day for the last six months.  What a pain in the ass to find out that we had been good to go all along.  We still plan on finding out what is connecting to our networks, and why.

Compliance is a funny thing.  It's a gray area that I am not accustomed to.  It's 'check-box' security.  Security != Compliance, and yet making sure we are at the 'lowest common denominator' of security is what we do.

Now that we have some breathing room, we are finding that the 'compliance' marathon is helping us find more security-related tasks that take us beyond PCI compliance, which is what should be strived for: beyond compliance.  Some of our firewall ACLs are years old.  Are they still needed? Who uses them?  What's the hit count on them?  We have revised our policies to say that any ACL more than 90 days old whose hit count has not changed goes into a 'reviewable' status, and if there has still been no change at 120 days, we will remove it.

If you haven't had a look at what is coming in and out of your environment, or even between your network segments, I think you should reconsider.  You may even find that white whale of issues, the dreaded 'any-any' rule... *shudders*  It gives me nightmares, especially if it's been in there for a while.
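As an added example that is not part of the original post, the 90/120-day hit-count policy above and the hunt for 'any-any' rules can be automated by replaying dated ACL dumps. The script below is an illustration of the idea, not a tool from this post or from any firewall vendor: the dump format is loosely modelled on Cisco ASA `show access-list` output (an assumption; adapt the regex to whatever your firewall exports), the sample dumps are constructed, and the thresholds, rule names and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import date

# Thresholds from the policy described above: a rule whose hit counter has not moved
# for more than 90 days becomes 'reviewable', for more than 120 days a removal candidate.
REVIEW_DAYS = 90
REMOVE_DAYS = 120

# Line format loosely modelled on Cisco ASA "show access-list" output (an assumption;
# adapt the regex to your firewall's export). 'line N' identifies the rule within an
# ACL, 'hitcnt' is the cumulative hit counter.
ACL_LINE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<spec>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_snapshot(text):
    """Parse one dated dump into {(acl, line): (rule_text, hitcount)}."""
    rules = {}
    for raw in text.splitlines():
        m = ACL_LINE.search(raw)
        if m:
            rules[(m["acl"], int(m["line"]))] = (
                f"{m['action']} {m['proto']} {m['spec']}", int(m["hits"]))
    return rules


def is_any_any(rule_text):
    """True for the unrestricted 'permit ip any any' (any4/any6 included)."""
    action, proto, *spec = rule_text.split()
    return (action == "permit" and proto == "ip" and len(spec) == 2
            and all(s in ("any", "any4", "any6") for s in spec))


def last_activity(snapshots):
    """For each rule seen, return (rule_text, first_seen, last_change).

    last_change is the latest snapshot date on which the counter showed new hits
    relative to the previous snapshot, or None if it never moved while we watched.
    A counter that drops to 0 is a reset (reload, 'clear access-list counters'),
    not traffic; a drop to a non-zero value is a reset followed by new hits.
    """
    history, texts = defaultdict(list), {}
    for day in sorted(snapshots):
        for key, (rule, hits) in parse_snapshot(snapshots[day]).items():
            history[key].append((day, hits))
            texts[key] = rule
    out = {}
    for key, points in history.items():
        last_change = None
        for (_, prev_hits), (day, hits) in zip(points, points[1:]):
            if hits != prev_hits and hits > 0:
                last_change = day
        out[key] = (texts[key], points[0][0], last_change)
    return out


def classify(snapshots, today):
    """Return {(acl, line): {rule, idle_days, status, any_any}} for every rule seen."""
    report = {}
    for key, (rule, first_seen, last_change) in last_activity(snapshots).items():
        # If the counter never moved, all we know is that it has been idle since our
        # first snapshot, so idle_days is a lower bound: it can delay removal, never rush it.
        idle = (today - (last_change or first_seen)).days
        status = ("remove" if idle > REMOVE_DAYS
                  else "reviewable" if idle > REVIEW_DAYS else "active")
        report[key] = {"rule": rule, "idle_days": idle, "status": status,
                       "any_any": is_any_any(rule)}
    return report


# Constructed sample dumps (not real firewall output), taken roughly every two months.
SNAPSHOTS = {
    date(2013, 5, 1): """
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.10 eq https (hitcnt=1000) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.11 eq ftp (hitcnt=77) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit ip any any (hitcnt=5) 0x3c4d5e6f
access-list DMZ_OUT line 1 extended permit tcp host 10.1.1.5 any eq smtp (hitcnt=300) 0x4d5e6f70
access-list DMZ_OUT line 2 extended permit udp host 10.1.1.6 any eq ntp (hitcnt=900) 0x5e6f7081
""",
    date(2013, 7, 1): """
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.10 eq https (hitcnt=1800) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.11 eq ftp (hitcnt=77) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit ip any any (hitcnt=50) 0x3c4d5e6f
access-list DMZ_OUT line 1 extended permit tcp host 10.1.1.5 any eq smtp (hitcnt=340) 0x4d5e6f70
access-list DMZ_OUT line 2 extended permit udp host 10.1.1.6 any eq ntp (hitcnt=0) 0x5e6f7081
""",
    date(2013, 9, 1): """
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.10 eq https (hitcnt=2600) 0x1a2b3c4d
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.11 eq ftp (hitcnt=77) 0x2b3c4d5e
access-list OUTSIDE_IN line 3 extended permit ip any any (hitcnt=500) 0x3c4d5e6f
access-list DMZ_OUT line 1 extended permit tcp host 10.1.1.5 any eq smtp (hitcnt=340) 0x4d5e6f70
access-list DMZ_OUT line 2 extended permit udp host 10.1.1.6 any eq ntp (hitcnt=0) 0x5e6f7081
""",
}
TODAY = date(2013, 10, 10)

if __name__ == "__main__":
    for key, r in sorted(classify(SNAPSHOTS, TODAY).items()):
        flag = "  <-- any-any!" if r["any_any"] else ""
        print(f"{key[0]} line {key[1]}: {r['status']:<10} idle {r['idle_days']:>3}d  {r['rule']}{flag}")
```

Two design points worth noting. First, the any-any flag is reported independently of the idle status: in the constructed data the `permit ip any any` rule is busy (its counter keeps climbing), which is exactly why hit counts alone will never surface it and it needs its own check. Second, counters that never moved are aged from the first snapshot you hold, so the script can only under-count idle time; it will never push a rule into 'remove' earlier than the evidence supports, and counter resets (a drop to zero) are not mistaken for traffic.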

I am hoping to start some interactive content on my site soon.  I would like to go in the direction of SecurityTube, but with a compliance bent: going over various compliance frameworks and methodologies, even getting into the weeds with items like Meaningful Use for securing medical records.  Maybe something like what Vivek does for Metasploit with his megaprimers...

Anyhow, that won't happen until after I get back from my holiday...  Take care, and I hope you like what you see...