SANS Institute security expert talks gaps in public-sector compliance - Technical.ly Baltimore


Jul. 10, 2014 4:22 pm


Cybersecurity industry veteran John Pescatore spoke Wednesday as part of the CyberPoint Speaker Series. "I'd rather flunk my compliance test but protect my clients' data any day of the year," he said.
John Pescatore spoke Wednesday at the CyberPoint Speaker Series.


(Photo by Tyler Waldman)

John Pescatore told a group of security professionals Wednesday that modern security needs to not just be strong — it needs to be user-friendly.

“The average person will accept a $3 bill as long as it looks OK,” he said during remarks for CyberPoint’s speaking series at the Legg Mason Conference Center in Harbor East. “Bad guys don’t just look at technology. They look at new and more diverse ways to do things.”

Pescatore is the director of emerging security trends for the Bethesda-based SANS Institute. His long career began in the late 1970s at the National Security Agency, followed by a stint at the Secret Service and private sector groups like Gartner.

Many public-sector agencies, he said, score surprisingly poorly on cybersecurity compliance.

A 2013 study [pdf, page 44] highlighted the Department of Homeland Security, the Social Security Administration (based in Woodlawn, Md.) and the Department of Justice as compliance leaders, but found lax security at the Department of Agriculture, the Small Business Administration and the Department of State.

Compliance alone, however, cannot protect these agencies, Pescatore said. On his very next slide, he cited the January report of a breach of a Department of Homeland Security web portal, at an agency the same study had ranked among the compliance leaders.

“I’d rather flunk my compliance test but protect my clients’ data any day of the year,” Pescatore said.

At the same time, he said, there must be a "balance" between after-the-fact compliance and security measures whose cost exceeds the value of the information they protect. Plenty of proactive measures remain, Pescatore said, ranging from easy fixes such as regular password resets (a practice later deprecated by NIST SP 800-63B in 2017, which recommends forcing a reset only on evidence of compromise) to more involved controls like port restrictions, closed systems and need-to-know access.


The infamous 2013 breach of payment cards used at Target was made possible when attackers used network credentials stolen from an HVAC contractor, Krebs on Security reported, an example of third-party access that a compliance checklist alone would not have caught.

Pescatore also spoke positively of the walled garden on Apple's iOS, which, unlike Android, restricts users to apps installed through Apple's own App Store.

“It’s like if you took a goldfish and you put him in a bathtub,” he said. “The users want that. People are using them for real life purposes.”

But with the rise of the so-called "Internet of things," he said, the IT sector "has lost control and will never get it back."

“Do we know what’s on our networks? Do we know what’s out there?” he added. “Do we know the vulnerabilities of what’s out there?”

The next CyberPoint talk will host cybersecurity researcher Peter Singer on Aug. 19.
