Does passing all of the required audits demonstrate a secure environment?
Sarbanes-Oxley, Gramm-Leach-Bliley, Center for Internet Security, NIST, DFARS, HIPAA, PCI, STIGs, ... all come with a comprehensive list of what you must and must not do to comply.
If you believe these have anything to do with security, ask: which audit did OPM fail? Or Experian? Or Yahoo? Or First American Financial? Or the many thousands of others that have reported breaches? Why haven't you read a single story about any of them failing an audit? Perhaps because they didn't.
While working for a major US retailer, we performed a white-hat attack, stealing credit cards, while being interviewed by a PCI auditor. We told the truth, and the retailer passed the audit. That evening we helped them secure their databases so it couldn't happen again.
The auditor asked if the data was encrypted. It was. The auditor didn't ask whether we could bypass the encryption by querying memory.
The vulnerabilities that lead to breaches do not come with a checklist.
You will never receive a passing grade for your efforts.
You will never forget a failure if it happens on your watch.
Contact us today to learn how we can help your team identify and classify vulnerabilities.