SANS Institute security expert talks gaps in public-sector compliance

John Pescatore told a group of security professionals Wednesday that modern security needs to not just be strong — it needs to be user-friendly.

“The average person will accept a $3 bill as long as it looks OK,” he said during remarks for CyberPoint’s speaking series at the Legg Mason Conference Center in Harbor East. “Bad guys don’t just look at technology. They look at new and more diverse ways to do things.”
Pescatore is the director of emerging security trends for the Bethesda-based SANS Institute. His long career began in the late 1970s at the National Security Agency, followed by a stint at the Secret Service and private sector groups like Gartner.
He says, believe it or not, that many public-sector groups have low cybersecurity compliance.
A 2013 study highlighted [pdf, Page 44] the Department of Homeland Security, the Social Security Administration (based in Woodlawn, Md.) and the Department of Justice as compliance leaders — but found lax security at the Department of Agriculture, the Small Business Administration and the Department of State.
However, compliance can’t necessarily save these agencies, Pescatore said. In his very next slide, he referenced the January report of a breach of a Homeland Security web portal.
“I’d rather flunk my compliance test but protect my clients’ data any day of the year,” Pescatore said.
However, he said there must be a “balance” between after-the-fact compliance and taking expensive security measures that may even outweigh the value of the information being stolen. At the same time, Pescatore said, plenty of proactive measures could be taken, ranging from easy fixes such as regular password resets to more complex solutions like port controls, closed systems and access based on need-to-know.
The infamous breach of credit cards used at Target was made possible when hackers stole network credentials from an HVAC contractor, Krebs on Security reported.
Pescatore also spoke positively of the walled garden used on Apple’s iOS, which, unlike Android, limits users only to apps downloaded through its own app store.
“It’s like if you took a goldfish and you put him in a bathtub,” he said. “The users want that. People are using them for real life purposes.”
But at the same time, he said, with the rise of the so-called “Internet of things,” the IT sector “has lost control and will never get it back,” Pescatore said.
“Do we know what’s on our networks? Do we know what’s out there?” he added. “Do we know the vulnerabilities of what’s out there?”
The next CyberPoint talk will host cybersecurity researcher Peter Singer on Aug. 19.