Do information security standards expose organizations to shared vulnerabilities?
Why do data breaches occur with such frequency? The recent European Commission announcement on reporting of data security breaches is definitely not the first attempt to enforce security compliance; it is more of an assurance to the general public in the wake of recent data breaches (Sony) and data theft (BofA).
I am all for standards: they are easy to adapt, more traceable, simple to supervise, give consistency in compliance and provide a benchmark. These very advantages are also the weaknesses of standards. A professional hacker can, and normally does, simulate the standards environment and build a profile of vulnerabilities for an attack. One attack model is sufficient to target every organization complying with the standards. This situation is alarming. In addition, globalization has flattened the world; it is so interconnected that an attack in the northern hemisphere can have repercussions in the southern hemisphere. To put it in perspective, firewall security rules are standards, and that translates into a standard set of vulnerabilities. When a hacker cracks one, the template will work in most cases for any other firewall with a similar configuration as imposed by the standards. The latency in the flow of information (for quite a few reasons, from human failures to misalignment of technology across regions) has left organizations doing damage control.
Information security talks about three different types of controls: preventive, detective and corrective. Preventive controls are the most expensive to implement and in practice can never be all-encompassing; 80% coverage is deemed to be good. A safe organization will therefore need to be very strong on detective and corrective controls. Sony did detect, but did not correct; that is the reason for the second attack. By implementing standards a compliant organization is safe, ceteris paribus. The vulnerability is in the 'ceteris paribus'. Security standards, in addition to defining the contours for preventive controls, must define strong guidelines for detection and, once something is detected, for corrective action. This unfortunately is left to the regulators.
I am not too sure whether the European Commission has only asked for data breach information, with penalties if it is not provided in time, or has also asked for more important information such as what efforts were made to detect and correct the vulnerabilities, followed by ethical hacking tests to prevent recurrence of the incident.