When Good Security Goes Bad
You've installed all the right hardware, and so your network is safe, right? Wrong! Too many administrators have found out that security is about more than hardware alone. Here's what
June 27, 2005
It's safe to say that MasterCard, through its transaction processing partner, did not intentionally compromise the account information of millions of card holders. As one of the largest credit card associations in the world, MasterCard's whole business is based on trust, and it has been one of the leaders in network transaction security since the earliest days of the Secure Electronic Transactions (SET) initiative a decade ago.
Yet, intentions are not enough when good security goes bad. "I think most organizations go into security with good intentions," says Peter Stapleton, director of Computer Associates eTrust Security Management. "But if you look at organizations like MasterCard and LexisNexis, the predominant failure in all of them has not been technology. It's been a business failure."
Indeed, technology can only get you so far, and that's the problem. Locking everything down with intrusion protection systems and firewalls is all well and good, but that, Stapleton says, is not real security. And things go bad when you think that it is. "The truth is that really good security just isn't that sexy," he says. "Good security is administration. It's in how you manage the technology and in how you manage the organization."
The heart of the problem is what Stapleton calls the "tool mentality." Technologists, he says, typically think that, if there's a problem, then there's a tool to fix it. There's nothing wrong with finding the right tool for the job, and IT departments could not do what they do to keep businesses running without them. The danger is when the tool becomes identified as the solution.
"Organizations will buy really good tools, but they won't necessarily have the overall business process framework to operate them in," Stapleton says. "They don't have the day-to-day management review and monitoring to get the most out of their technology investment."
Stapleton says that, without granular, day-to-day oversight of business processes and security practices -- the kind of plodding, detail-oriented work that no one really likes to do -- even the best security technology will become vulnerable. Part of that is due to the incredibly fluid nature of the threat environment. "By its very nature, security is very reactive," Stapleton says. "You don't respond to a threat until you, or someone else, has been hit by it."
Once hit, you have to be prepared to respond quickly, of course, and that means knowing your systems. Indeed, Stapleton is quick to point out that, unless you know what assets you have and, more importantly, how they are being used on a day-to-day basis, you could be wide open to attack. The bottom line is that security has to extend much further than the firewall.
"Look at the MasterCard situation," Stapleton says. "CardSystems, the transaction processor, had passed all their audits, so they thought they were okay. The problem was that the audit was very network oriented; it wasn't an audit of the process vulnerabilities." And it was exactly there that the company's security had failed.
Often, the problem is as mundane as poor housekeeping and worse inter-department communication. An organization that has an exhaustive procedure for granting user accounts to new employees does itself no favors if those accounts are left open when the employee leaves. In fact, according to Stapleton, as many as half of a large enterprise's user accounts might be orphaned.
"The old employee probably won't hack in using that account, but there's usually no surveillance to make sure," he says. "And in brute-force attacks, the hacker is guessing numbers. The more targets he has improves his odds of getting in."
The solution, in the specific case, is to close the loop between human resources and IT, perhaps to have some kind of monthly HR report that IT has to sign off on. More broadly, however, the solution is a question of procedural diligence, a continuous process of self-examination and self-improvement.
"Bad security is not just security that is technically failing, but security that does not look back on itself and improve itself on a daily basis," Stapleton says. "It's not just security, but the whole tools focus of IT: there are a lot of tools, but what are they doing for me?"
On the other hand, good security repudiates complacency. "Good security recognizes that there's no such thing [as 'good security']," Stapleton says. "It's constantly evolving and changing to meet new threats. Good security, if it really exists, is an ongoing and daily commitment to continuous review and good management."
Indeed, without that kind of commitment, it's not security at all, but a false sense of security because, at the end of the day, good security can always go bad.