Security Standards
In a recent briefing with Lumension, the company formed by the merger of PatchLink and SecureWave, Paul Zimski, the VP of Solution Marketing, placed a great deal of emphasis on security standards. He was particularly enthusiastic about SCAP, and it isn’t hard to understand why.
We could let IT security proceed on the basis of “poster-child policy”, where investment in IT security is driven by incidents of unlucky (or possibly poorly secured) companies suffering newsworthy security breaches. However, that would be plain dumb. Apart from anything else, we have no idea in the case of TJX whether there were other security weaknesses, such as a lack of logging or intrusion detection technology. Right now we have no idea whether the Countrywide problem has to do with the need for data audit trails, or data lock-down, or the presence of keyloggers on some PCs, or whatever.
SCAP, the Security Content Automation Protocol, is part of an initiative that has been building since 2002. Rather than a single wire protocol, it is a family of open specifications (CVE for naming vulnerabilities, CVSS for scoring them, CPE for naming the affected platforms, and OVAL, XCCDF and CCE for expressing checks and configuration items) that standardize the format used to communicate known security vulnerabilities and the checks for them. At the heart of this is NIST’s National Vulnerability Database, which reports about 20 new vulnerabilities every day. If vulnerability data arrive in a standardized, machine-readable form, they can be matched automatically against what is actually installed, and the response to them can be at least semi-automated.
Naturally, Lumension has a commercial interest in this protocol because of its patch management software, but there’s a higher principle involved in SCAP. If we are going to have coherent IT security then we need ways of measuring it, and one way to measure would be to know, at any point in time, which known vulnerabilities your company is at risk from and how long it will be before those doors are closed.
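The measurement described in the last two paragraphs, reduced to working code, as an added example that is not from the original post, from Lumension or from NIST: a constructed, NVD-style feed of three fictional vulnerabilities (CVE ids with year 0000, so they cannot collide with real ones) is matched against a constructed asset inventory expressed as CPE 2.3 names, and the result is turned into per-host figures for how many known vulnerabilities each host carries, how long the oldest has been public, and how many days remain before the most urgent one breaches a remediation target. The CPE matching here is deliberately simplified (exact vendor/product plus a numeric version-upper-bound check); the real CPE Name Matching specification has more cases. The remediation targets in SLA_DAYS are a policy assumption for the example, not something SCAP prescribes.

```python
from datetime import date

# Constructed sample feed in a simplified NVD-like shape. The CVE ids use
# year 0000 so they cannot collide with real identifiers and the products
# are fictional. Each record names the affected CPE 2.3 platform and an
# exclusive upper version bound, mirroring NVD's "versionEndExcluding".
SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "published": "2024-03-01", "cvss": 9.8,
     "affects": [{"cpe": "cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*",
                  "version_end_excluding": "2.4.1"}]},
    {"id": "CVE-0000-0002", "published": "2024-03-10", "cvss": 5.3,
     "affects": [{"cpe": "cpe:2.3:a:examplecorp:webapp:*:*:*:*:*:*:*:*",
                  "version_end_excluding": "2.5.0"}]},
    {"id": "CVE-0000-0003", "published": "2024-02-15", "cvss": 7.5,
     "affects": [{"cpe": "cpe:2.3:o:examplecorp:routeros:*:*:*:*:*:*:*:*",
                  "version_end_excluding": "7.0"}]},
]

# Constructed asset inventory: what is actually installed, as CPE 2.3 names.
INVENTORY = [
    {"host": "web-01", "cpe": "cpe:2.3:a:examplecorp:webapp:2.3.9:*:*:*:*:*:*:*"},
    {"host": "web-02", "cpe": "cpe:2.3:a:examplecorp:webapp:2.4.1:*:*:*:*:*:*:*"},
    {"host": "edge-01", "cpe": "cpe:2.3:o:examplecorp:routeros:6.48:*:*:*:*:*:*:*"},
]

# Assumed remediation targets (days a finding may stay open) by CVSS floor.
# A policy choice for this example, not anything SCAP itself prescribes.
SLA_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its part/vendor/product/version fields."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return {"part": parts[2], "vendor": parts[3],
            "product": parts[4], "version": parts[5]}


def version_key(v):
    """Numeric tuple for dotted versions so '2.10' sorts after '2.9'.
    Assumes purely numeric dotted versions (true for the sample data)."""
    return tuple(int(x) for x in v.split("."))


def cpe_matches(installed, affected, end_excluding=None):
    """Simplified CPE match: same part/vendor/product, and the installed
    version is either the exact affected version or, when the affected
    version is the wildcard '*', strictly below the exclusive upper bound."""
    a, b = parse_cpe(installed), parse_cpe(affected)
    if (a["part"], a["vendor"], a["product"]) != (b["part"], b["vendor"], b["product"]):
        return False
    if b["version"] != "*":
        return a["version"] == b["version"]
    if end_excluding is None:
        return True
    return version_key(a["version"]) < version_key(end_excluding)


def find_exposures(feed, inventory):
    """One record per (host, CVE) pair where an installed CPE matches the feed."""
    hits = []
    for asset in inventory:
        for vuln in feed:
            for aff in vuln["affects"]:
                if cpe_matches(asset["cpe"], aff["cpe"], aff.get("version_end_excluding")):
                    hits.append({"host": asset["host"], "id": vuln["id"],
                                 "cvss": vuln["cvss"], "published": vuln["published"]})
                    break  # one hit per CVE per host is enough
    return hits


def sla_days(cvss):
    """Days allowed open for a given CVSS score under the assumed policy."""
    for floor, days in SLA_DAYS:
        if cvss >= floor:
            return days
    return SLA_DAYS[-1][1]


def exposure_report(feed, inventory, today):
    """Per-host measures: open CVE count, worst CVSS, days the oldest exposure
    has been public, and days left (negative = overdue) before the most
    urgent one breaches its remediation target. 'today' may be a date or ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for hit in find_exposures(feed, inventory):
        age = (today - date.fromisoformat(hit["published"])).days
        remaining = sla_days(hit["cvss"]) - age
        r = report.setdefault(hit["host"], {"open": 0, "max_cvss": 0.0,
                                            "oldest_days": 0, "days_to_breach": None})
        r["open"] += 1
        r["max_cvss"] = max(r["max_cvss"], hit["cvss"])
        r["oldest_days"] = max(r["oldest_days"], age)
        r["days_to_breach"] = (remaining if r["days_to_breach"] is None
                               else min(r["days_to_breach"], remaining))
    return report


if __name__ == "__main__":
    for host, r in sorted(exposure_report(SAMPLE_FEED, INVENTORY, "2024-03-20").items()):
        print(host, r)
```

Run as a script it prints one line per host; with the sample data and a report date of 2024-03-20, web-01 shows two open findings with the critical one already twelve days past its target, while web-02, which runs the version that fixed the critical bug, shows only the medium one. The point of the exercise is the shape of the answer, not the numbers: given standardized vulnerability data and a standardized inventory, "what are we exposed to and for how long" becomes a query rather than a guess.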
In fact SCAP and other security standardization initiatives, such as the PCI DSS, are our best hope of getting a rational approach to IT security within an organization. For most organizations, IT security is a tough investment to control. You can probably spend five times the current budget and still not be able to guarantee 100 percent security. The most practical approach is to base the IT security spend on compliance audits and on objective measurement of the kind SCAP makes possible.
I’d much appreciate it, by the way, if you’re reading this and you happen to be involved in setting IT security standards, that you require all anti-malware software to be approved only if it can guarantee to stop 100 percent of all malware. That would pretty much ensure that whitelisting became a standard part of IT security, and that would make a big difference in many ways (for more details on this read The AVID Campaign).