How Compliance Leads to Security Breaches: a Technical Look at the Underlying Causes

This article examines how compliance standards, as applied in practice, end up producing security breaches. It looks at technical-level mistakes such as outdated password policies and misjudged risk assessments, and at the key role penetration testing plays in proving how serious a weakness really is. Through concrete examples it exposes the gap between being compliant and being secure.

How Compliance Leads to Security Breaches (or, The Most Boring Article Title in the History of the Internet…)

John Strand //

Lately there have been a lot of articles about how compliance standard X or Y is broken. Unfortunately, this tends to lead people to blame the nameless, faceless people behind the standard. It is easy to simply say they are fools who have no business setting any agenda related to computer security.

Fools do what fools do.

While that may be true, there is far more to it than that. Moreover, if we look at how these standards get watered down, we can learn a great deal. Basically, let's talk about the common mistakes made when creating and following compliance frameworks. As an aside, most of this is based on helping a relatively small group try to define a security standard for a specific industry within their limited geographic area. The only reason I am writing this is that many of the problems they ran into are the same problems I see over and over again with my customers. http://www.darkreading.com/analytics/hipaa-not-helping-healthcares-software-security-lagging/d/d-id/1322715

Burden on the Industry

The first major breakdown in creating or following a compliance standard is the intense fear that the standard will be too burdensome for the industry in question. Many years ago I worked on government-related compliance standards for various oil companies. That was the first time I experienced this problem. There was a great deal of hemming and hawing about how over-regulating the oil and gas industry would make the whole enterprise unprofitable. This was years before the whole MMS scandal broke in 2010. See Ian Urbina's article for more details. What really struck me as odd at the time was that the people complaining about over-burdening the industry were the same people who showed up to meetings in "prestige class" rental cars, wearing clothes that cost more than I made in a month back then. What was it all about, really? The key point is that the people who write compliance requirements are often under tremendous political pressure from people far more powerful than they are.

Furthermore, even where rampant corruption and graft play no part, as human beings we have a strong desire to make as many people as possible happy. This tends to standardize mediocrity. We see it again and again in this industry, from the seven-layer model to PCI to HIPAA. And when this happens, it often obscures the true intent of what the compliance standard was trying to accomplish in the first place. For example, many compliance standards were meant to be a set of guidelines, offered to give direction to organizations that do not even know where to start. Those guidelines quickly become the core baseline and the minimum level of effort organizations strive to meet. Anything above and beyond these recommendations is often looked at as a waste of money.

Fear of the Unknown

This raises another point. Many of the best testers I have ever known were auditors who got sick and tired of being asked to "prove it." That is what penetration testing provides. Proof. Not scan results. Not automated risk scores. It is about removing the shroud of the unknown and bringing clarity.

Pentest challenge accepted.

Everything Is Unknown

At the end of the day, many of the standards in place today do not make sense. But why? How does this happen? Pretty easily, as it turns out. For example, a large number of compliance standards require passwords of eight characters or more. Why? To answer that we need to go back in time. After all, it is 2015 and we have self-lacing shoes and flying cars. To take this password length and truly understand it, we have to go back to 1985. Yes, the Back to the Future references are thick in this one. Anyway, the NIST Green Book came out, and you can get it here: http://csrc.nist.gov/publications/secpubs/rainbow/std002.txt It referenced a few things. First, it addressed how long we should use passwords before changing them (about six months or more). It also covered password length for those time periods. A nice, middle-of-the-road number was eight characters. All of this was based on how long it took to crack passwords over 300 baud services, which works out to 8.5 guesses per minute. Yes… 300 baud… See, this is how many compliance mistakes happen. People do not understand something, so instead they rely on the previous work of those who came before them. Insanity carries forward. Because no one knows better.
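To make that 1985 arithmetic concrete, here is an added example (my code, not from the post or from the Green Book itself) that reproduces the reasoning behind a length rule: the guess rate times the password lifetime gives the attacker's guess budget, and the keyspace must be large enough that this budget covers only an acceptably small fraction of it. The 180-day lifetime, the 36-symbol alphabet, the one-in-a-million acceptance threshold and the modern guess rate are assumptions chosen for illustration; the same function then shows how the required length moves once the guess rate is no longer tied to a 300 baud line.

```python
import math

# Constructed parameters for the 1985 scenario the post describes:
# roughly 8.5 guesses per minute over a 300 baud login, and passwords
# kept for about six months (assumed here to be 180 days).
GUESSES_PER_MINUTE_1985 = 8.5
LIFETIME_DAYS = 180
ALPHABET_SIZE = 36            # assumption: case-insensitive letters plus digits
MAX_GUESS_PROBABILITY = 1e-6  # assumption: tolerated chance of a hit in one lifetime


def guesses_in_lifetime(guesses_per_minute, lifetime_days):
    """Total guesses an attacker can make while the password stays valid."""
    return guesses_per_minute * lifetime_days * 24 * 60


def min_password_length(guesses_per_minute, lifetime_days,
                        alphabet_size, max_probability):
    """Shortest length whose keyspace keeps the probability of a successful
    guess during the lifetime at or below max_probability.

    The attacker's guess budget divided by the tolerated probability is the
    keyspace we need; the length is the smallest exponent of the alphabet
    size that reaches it."""
    budget = guesses_in_lifetime(guesses_per_minute, lifetime_days)
    required_keyspace = budget / max_probability
    return math.ceil(math.log(required_keyspace) / math.log(alphabet_size))


def days_to_exhaust(length, alphabet_size, guesses_per_minute):
    """Days needed to try every password of the given length at the given rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_minute / (24 * 60)


if __name__ == "__main__":
    modern_rate = 1e6 * 60  # assumption: one million guesses per second, offline

    for label, rate in (("1985, 300 baud", GUESSES_PER_MINUTE_1985),
                        ("modern, offline", modern_rate)):
        length = min_password_length(rate, LIFETIME_DAYS,
                                     ALPHABET_SIZE, MAX_GUESS_PROBABILITY)
        print(f"{label}: {rate:,.0f} guesses/min -> minimum length {length}, "
              f"8 chars exhausted in {days_to_exhaust(8, ALPHABET_SIZE, rate):,.0f} days")
```

With the assumed parameters the 1985 case lands on exactly eight characters, while the same rule at a modern guess rate asks for thirteen.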

Things We Do Not Understand Seem Hard

In sports there are often these mystical barriers we believe are insurmountable. Things like breaking the four-minute mile, which Bannister did in 1954. It seemed impossible, but once it was done, many followed. Or, a more applicable example, internal firewalls and Internet whitelisting. These two security approaches seem impossible as well. Yet if we implement them even in permissive ways, we are far more secure than with a simple AV/blacklisting approach. We work with many companies that have no desire to move to a whitelist-and-firewall-everything approach. However, once they are compromised, their attitude changes rather quickly. And once they start down the path of greater restriction, it does not seem so hard.

Eventually, It Gets Better

Although this may read like a long, painful breakdown of the compliance breakdown, it does get better. We are starting to see organizations that are far more interested in doing things right than in being compliant. Believe me, I have seen it. No. Really. Stop laughing. I have seen organizations that have started to empower their security teams to do the right thing. They have proper budgets. They have security teams focused on their data and not on a checklist. They are companies with management support at the highest levels.

They are ever so much closer to being "secure" because they know that secure is a process, not a destination.

But First It Gets Worse

That's nice, isn't it? It looks like we might end this article on a happy note.

No, we won't.

See, in almost every organization that gets better and moves away from trying to be compliant toward being secure, they were compromised. They learned their lessons. They touched the frying pan and found out it was hot. They will do anything in their power not to make the same mistakes again. I have seen some companies import these lessons by hiring a C-O from a company that was burnt. But somewhere in their past there was a deep, dark, psychologically altering experience that taught them that simply being compliant will not work. We have to strive for better.

No one dies at peace with the fact that they made their networks compliant.

No one.

