SANS Institute security expert talks gaps in public-sector compliance

Cybersecurity industry veteran John Pescatore spoke Wednesday as part of the CyberPoint Speaker Series. "I'd rather flunk my compliance test but protect my clients' data any day of the year," he said.

John Pescatore spoke Wednesday at the CyberPoint Speaker Series. (Photo by Tyler Waldman)
John Pescatore told a group of security professionals Wednesday that modern security needs to be not just strong — it also needs to be user-friendly.

“The average person will accept a $3 bill as long as it looks OK,” he said during remarks for CyberPoint’s speaking series at the Legg Mason Conference Center in Harbor East. “Bad guys don’t just look at technology. They look at new and more diverse ways to do things.”
Pescatore is the director of emerging security trends for the Bethesda-based SANS Institute. His long career began in the late 1970s at the National Security Agency, followed by a stint at the Secret Service and private sector groups like Gartner.
He says, believe it or not, that many public-sector groups have low cybersecurity compliance.
A 2013 study highlighted [pdf, Page 44] the Department of Homeland Security, the Social Security Administration (based in Woodlawn, Md.) and the Department of Justice as compliance leaders — but found lax security at the Department of Agriculture, the Small Business Administration and the Department of State.
However, compliance can’t necessarily save these agencies, Pescatore said. In his very next slide, he referenced the January report of a breach of a Homeland Security web portal.
“I’d rather flunk my compliance test but protect my clients’ data any day of the year,” Pescatore said.
However, he said there must be a “balance” between after-the-fact compliance and taking expensive security measures that may even outweigh the value of the information being stolen. At the same time, Pescatore said, plenty of proactive measures could be taken, ranging from easy fixes such as regular password resets to more complex solutions like port controls, closed systems and access based on need-to-know.
The infamous breach of credit cards used at Target was made possible when hackers stole network credentials from an HVAC contractor, Krebs on Security reported.
Pescatore also spoke positively of the walled garden used on Apple’s iOS, which, unlike Android, limits users only to apps downloaded through its own app store.
“It’s like if you took a goldfish and you put him in a bathtub,” he said. “The users want that. People are using them for real life purposes.”
But at the same time, with the rise of the so-called “Internet of things,” the IT sector “has lost control and will never get it back,” Pescatore said.
“Do we know what’s on our networks? Do we know what’s out there?” he added. “Do we know the vulnerabilities of what’s out there?”
The next CyberPoint talk will host cybersecurity researcher Peter Singer on Aug. 19.