Tuesday, January 23, 2007

Buzzword Compliance or Compensating Controls


The most recent SANS e-mail letter, this article from Computerworld on pretty minor (all things considered) security incident at federal retirement fund agency.

The voice of SANS (Pescatore in this case) remarked thusly:

This and the Nordea incident, as well as the huge TJ Maxx compromise, continue to point out how commonplace financially motivated, targeted attacks now are. Attacks change faster than regulations - tunnel vision on being compliant with regulations, whether Sarbanes Oxley, Basel, or PCI, means you will not be looking at processes and architectures that can deal with changing threats.
Pescatore, duuude. Hate the game, not the playa.

First, I don't any of those regulations really apply to the TSP, except as perhaps amusing past-times in the off season.
Secondly, what the hunh??? I really don't get how some users who got their account hijacked through the client side would have to do with a focus on regulations. About a dozen accounts, $35,000 all told. In retirement fund terms, not a whole lot. And they did find out about the incident, it is possible that some account monitoring controls were in place. So maybe the system worked. And cruising around the TSP site, it looks like they are trying to educate their users.

Unfortunately, whatever cred the TSP folks gained is blown in the following quote:

"External penetration testing has demonstrated that our system has not been breached"

Umm... ? I'd like to see the pen-test firm that signed off on that. Maybe next time you should hire some forensic analysts over for a post-incident discussion. They may give you better results.

Just because you don't have heavy super duty NAC/HIDS/NIDS two factor network with buzzwords du jour and a burled walnut interior, doesn't mean that you are so distracted by your BASEL II crossword puzzle that your accounting department doesn't notice some odd ball transfers. It's all about the compensating controls.

2 comments:

Anonymous said...

Man, I hadn't seen the EPT quote. That's rich.

BTW, my Basel 2 notebook is brushed aluminum. Walnut is *so* last century.

:)

Dutcher Stiles said...

Basel 2 is certainly the most fashionable of regulations. I think burled walnut is the exclusive province of FFIEC. Hand tooled pleather optional.